Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Linux kernel remote logging: approaches, challenges, implementation

Linux kernel remote logging: approaches, challenges, implementation

This talk is based on research conducted for our Linux Kernel Runtime Guard (LKRG) project, which is a Linux kernel module that performs runtime integrity checking of the kernel and detection of security vulnerability exploits against the kernel. Delivery, storage, and processing of LKRG security events to/on a remote system is a natural extension of LKRG's functionality. Remote logging is also valuable on its own, including for troubleshooting and post-mortem analyses of (non-)security incidents, where the system's local logs might be unavailable, incomplete, or tampered with. In this talk, I start by briefly examining pre-existing remote logging solutions and their suitability. Then I proceed to our own considerations and choices for transport and security protocols and software design, including many of the challenges and trade-offs encountered. Finally, I introduce and demonstrate the initial implementation in LKRG, released in time for the talk, as well as its integration in Rocky Linux via the Security SIG package.

This research and initial implementation have been sponsored by Binarly software supply chain security platform, whereas the public release, Rocky Linux integration, and this talk are due to my work at CIQ, the primary corporate sponsor of Rocky Linux.


March 01, 2024

More Decks by Openwall

Other Decks in Technology