Feature Highlights: Kernel Rootkit Protection in Core Update 142

by Michael Tremer, March 17, 2020

Do you like what you are reading? Subscribe to our newsletter and don't miss out on the latest...   Join Now

Another exciting feature is landing in Core Update 142: Improved Kernel Rootkit Protection using code signing. This way, IPFire will protect itself against attackers trying to load third-party kernel modules.

What is a Rootkit?

A rootkit simply is malware for the kernel.

It dynamically modifies the code the kernel is running, just like any other kernel module. It can add or change functionality of the lowest layer of the operating system. Normal kernel modules might add support for another file system format, or a piece of hardware.

But what happens when that code does not do anything good?

What is the danger?

Since we are working on the kernel level, there is nothing that cannot be done. One of the most common things a rootkit does is changing the behaviour of syscalls. A syscall is a command sent to the kernel when a userspace program wants to perform a certain action.

For example, opening a file from disk. Obviously not every program implements a filesystem driver. That is why we have the kernel perform such low-level tasks.

When a program now asks the kernel to open a certain file, it sends a syscall to the kernel with the filename and some other information. The kernel then finds the right blocks on disk and sends them to the program. But what if an attacker wants to give us content from another file than we have requested? There is no way to find out, because Rootkits normally go undetected.

If we know exactly what we have to expect in that file we wanted to open, we will of course notice. But what if that file was a library? We are now running code inside of our program that we cannot verify.

We might run a deliberately vulnerable version of a library an attacker knows they can exploit over the network. We might write our data to a file that an attacker is receiving a copy of. We might mine cryptocurrency inside of our program without knowing or we simply might run code that tries to infect or exploit other systems.

Who might attack me?

Rootkits are extremely dangerous because they are so hard to detect. Everyone who wants to break into a network and wants to remain undetected would prefer this method.

And since a firewall is of course the best target because so much valuable information flows through it, we must to our best to not being infected in the first place.

Kernel Module Signinig

In IPFire 2.25 - Core Update 142, we are now cryptographically signing all kernel modules. That means every time a driver for a network adapter, a filesystem driver or other kernel module is loaded into the kernel, it is checked that this signature matches.

The signature is added during compile time of the kernel and after we are done with that, we throw the key away.

Nobody needs it any more. Nobody - not even we - have now the ability to change the kernel any more. The only way to change a line of code somewhere is to rebuild and re-ship the whole kernel.

An attacker can no longer build their rootkit source against an IPFire kernel and successfully load it onto a production system.

It is easy and very effective.

Thanks to everyone who helped delivering this feature to IPFire. If you want to support those people, please donate.