Linux Kernel Hardening: LKM Exploitation
"Exploring the security of Loadable Kernel Modules and how to harden the Linux kernel against runtime injection."
Linux Kernel Hardening and LKM Security
Loadable Kernel Modules (LKMs) allow the Linux kernel to be extended at runtime. While powerful, they provide a significant attack surface for rootkits and kernel-level persistence.
1. The LKM Lifecycle
Understanding how insmod and rmmod interact with the kernel symbol table.
2. Syscall Hooking
How attackers use LKMs to hijack the system call table to hide processes and files.
3. Defense Mechanisms
- Kernel Module Signing: Ensuring only trusted modules are loaded.
- sysctl Hardening: Disabling module loading after boot.
# Disable module loading
sysctl -w kernel.modules_disabled=1