
Linux kernel security: LKRG 1.0 detects kernel exploits

January 9, 2026

Table of contents

  • Why LKRG matters
  • What makes LKRG 1.0 different
  • Kernel compatibility
  • Performance improvements
  • Other technical changes in 1.0
  • Credential handling updates
  • Container compatibility
  • Bug fixes
  • Continuous integration
  • Getting LKRG
  • Proven effectiveness
  • Vulnerability exploit mitigation
  • Rootkit detection excellence
  • The security model
  • Acknowledgments
  • Looking forward

Contributors

Solar Designer


LKRG is a kernel module that performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel. For process credentials, LKRG attempts to detect exploits and take action before the kernel grants access based on unauthorized credentials. When something abnormal is detected, LKRG can log it, kill the offending process, or take other defensive measures, depending on configuration.

Why LKRG matters

The reality of Linux security is that kernel vulnerabilities emerge regularly, but patching production systems immediately isn't always possible. Rebooting into a new kernel means downtime. Live patching has limitations. Security teams face a gap between vulnerability disclosure and actual remediation, and attackers know this. LKRG was created to address this window of exposure by detecting exploitation attempts at runtime, regardless of whether the underlying vulnerability has been patched.

Traditional security approaches focus on prevention through patching or access control through mechanisms like SELinux. LKRG complements these by adding a detection layer that catches exploitation in progress. If an attacker leverages a kernel vulnerability to manipulate process credentials or modify kernel structures, LKRG identifies the unauthorized change and responds before the attacker can use those elevated privileges. This means even zero-day exploits that bypass other defenses can be stopped, as long as they follow common exploitation patterns. The net impact is meaningful risk reduction for systems where immediate patching isn't feasible, giving security teams time to remediate without leaving systems fully exposed.

Is LKRG right for your environment?

LKRG provides the most value for organizations that:

  • Run Linux systems that cannot be immediately rebooted when kernel vulnerabilities are disclosed
  • Need defense-in-depth beyond patching and access controls
  • Operate in regulated environments requiring runtime security monitoring
  • Want protection against zero-day kernel exploits
  • Manage legacy systems alongside modern infrastructure

If patching delays are measured in days or weeks rather than hours, LKRG significantly reduces your exposure window.

What makes LKRG 1.0 different

The journey from 0.9.9 to 1.0 focused heavily on robustness, portability, and code quality rather than adding new features. We made this release conservative by design, focusing on making LKRG more stable.

The numbers tell the story: 144 files changed, 2,279 insertions, and 4,700 deletions. We removed over 2,400 lines of code while maintaining and improving functionality. The codebase is now significantly leaner.

Kernel compatibility

LKRG 1.0 has been tested with Linux kernels ranging from RHEL/CentOS 7's 3.10.0-1160 all the way up to Fedora's build of 6.17-rc4 (at release time, and beyond by now). This extensive range means LKRG can protect systems that realistically won't be immediately rebooted into new kernels whenever a vulnerability is discovered, which is precisely where LKRG provides the most value.

We now support x86-64, 32-bit x86, AArch64 (ARM64), and 32-bit ARM CPU architectures. Compatibility with Intel CET IBT and KCFI on x86_64 has been added, and Clang-built kernels (and LKRG) work in more cases, though GCC remains our officially supported compiler.

Performance improvements

Several architectural changes improve LKRG's runtime characteristics. Per-task shadow data lookups are now lockless (on recent kernels), and we overhauled locking of per-task shadow data with finer-grain locks. Many hooks have been switched from kretprobes to simple kprobes, improving both reliability and performance while reducing code duplication. Integrity violation checks are now wrapped in unlikely(), keeping hot paths clean of unnecessary cache clutter.

Previous benchmarks showed LKRG 0.8's overall performance impact at around 2.5%, based on geometric mean across 58 Phoronix Test Suite results. Version 1.0 should perform even better, but the variance across tests and use cases will remain high: some are not impacted at all, while others are impacted much more.

Other technical changes in 1.0

Credential handling updates

Linux 6.13+ changed how credential overrides work, requiring us to stop hooking override_creds() and revert_creds(). To compensate, we now check for credential pointer overwrites in additional locations throughout the kernel. On older kernels, this provides enhanced protection.

We also stopped tracking credentials we don't actually validate, removing unnecessary complexity, performance overhead, and approximately 1,500 lines of code. (We may reintroduce such tracking along with proper validation in later versions.)
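As an added userspace model (not code from LKRG or its authors, whose checks run inside the kernel module), the following C program illustrates the shadow-credential idea from the introduction and from this section: the detector keeps its own per-task copy of the credentials, updates it only through the hooked credential-change path, and compares it against the live values at a checkpoint, so an overwrite that bypassed the hooks shows up as a mismatch. All structure and function names are hypothetical simplifications, and the sample task is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for the kernel's cred and task structures. */
struct cred { uint32_t uid, euid, suid; };
struct task { int pid; struct cred cred; };
/* Per-task shadow copy kept by the detector and updated only through hooked paths. */
struct shadow { int pid; struct cred cred; bool valid; };
#define MAX_TASKS 8
static struct shadow shadows[MAX_TASKS];

static struct shadow *shadow_for(int pid) {
    for (int i = 0; i < MAX_TASKS; i++)
        if (shadows[i].valid && shadows[i].pid == pid) return &shadows[i];
    return NULL;
}
/* Task-creation hook: snapshot the credentials the task legitimately starts with. */
bool shadow_track(const struct task *t) {
    if (shadow_for(t->pid)) return false;
    for (int i = 0; i < MAX_TASKS; i++)
        if (!shadows[i].valid) {
            shadows[i] = (struct shadow){ t->pid, t->cred, true };
            return true;
        }
    return false;
}
/* Hooked credential-change path: live credentials and the shadow move together. */
void hooked_setresuid(struct task *t, uint32_t ruid, uint32_t euid, uint32_t suid) {
    t->cred = (struct cred){ ruid, euid, suid };
    struct shadow *s = shadow_for(t->pid);
    if (s) s->cred = t->cred;
}
/* Checkpoint before a privileged action: any drift from the shadow is a violation. */
bool validate_task(const struct task *t) {
    const struct shadow *s = shadow_for(t->pid);
    return s && s->cred.uid == t->cred.uid && s->cred.euid == t->cred.euid &&
           s->cred.suid == t->cred.suid;
}
/* Constructed scenario: returns how many checkpoints flagged a violation (expect 1). */
int run_scenario(void) {
    struct task t = { 1234, { 1000, 1000, 1000 } };
    shadow_track(&t);
    hooked_setresuid(&t, 1000, 0, 1000);      /* legitimate change via the hooked path */
    int violations = !validate_task(&t);      /* shadow followed, so no violation */
    t.cred.uid = t.cred.euid = 0;             /* overwrite that bypassed every hook */
    violations += !validate_task(&t);         /* caught at the next checkpoint */
    return violations;
}

int main(void) { printf("violations flagged: %d\n", run_scenario()); return 0; }
```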

Container compatibility

Support for OverlayFS ovl_tmpfile (introduced in Linux 6.10) resolves false positives that could occur when running containers on kernels 6.10 through 6.12.y. On 6.13+, OverlayFS hooking is unnecessary and disabled.

Bug fixes

Several race conditions have been eliminated, including issues involving SECCOMP_FILTER_FLAG_TSYNC, namespace validation, and LKRG sysctl changes. False positives related to seccomp mode corruption on newer kernels (5.17+ with SECCOMP_MODE_DEAD) have been resolved.

Continuous integration

Our CI testing now additionally covers Fedora with the latest mainline kernels and Ubuntu 24.04 through 25.10, on top of the many older Ubuntu versions (starting with 18.04) on which we continue to automatically test every LKRG change. We also have automatic build tests for OpenSUSE, CentOS Stream 9, and Enterprise Linux 8 (on Rocky Linux and AlmaLinux). We even repaired our CentOS 7 build tests to survive that distribution's end-of-life and GitHub's deprecation changes.

Getting LKRG

LKRG 1.0 packages are available through multiple channels:

  • Rocky Linux SIG/Security repository: Also compatible with AlmaLinux 8/9 and RHEL 8/9
  • ALT Linux, Arch Linux, Gentoo, and NixOS: Community-maintained packages
  • Rocky Linux from CIQ - Hardened (RLC-H): LKRG enabled by default, signed for UEFI Secure Boot

Source code and installation instructions are available at lkrg.org.

Proven effectiveness

Vulnerability exploit mitigation

LKRG's exploit detection capabilities have been repeatedly validated against real-world vulnerability exploits. In testing on vulnerable distribution kernels, then-current versions of LKRG successfully detected exploits of:

  • CVE-2014-9322 (BadIRET)
  • CVE-2017-5123 (waitid(2) missing access_ok)
  • CVE-2017-6074 (use-after-free in DCCP protocol)
  • CVE-2021-3490 (eBPF)
  • CVE-2022-0492 (container escape via cgroups v1 release_agent feature)
  • CVE-2024-1086 (nf_tables: use-after-free vulnerability in the nft_verdict_init() function)
  • 2024 “ExploitGSM” (“New Linux LPE via GSMIOC_SETCONF_DLCI”, exact CVEs unclear)

These aren't theoretical detections. LKRG catches the actual exploitation techniques used by publicly available proof-of-concept exploits for these CVEs.

Rootkit detection excellence

Independent academic research validates LKRG's effectiveness. Juho Junnila's Master's Thesis "Effectiveness of Linux Rootkit Detection Tools" (University of Oulu, 2020) compared LKRG against AIDE, OSSEC, Rootkit Hunter, and Chkrootkit. When loaded before the rootkit, LKRG detected 8 out of 9 kernel rootkits tested. (The one undetected artifact isn’t strictly a rootkit.)

No other tested tool came close to LKRG's effectiveness at detecting kernel rootkits. The combination of AIDE and LKRG proved most effective overall, detecting 14 out of 15 rootkits spanning both user and kernel space.

The security model

LKRG is intentionally bypassable by design. We've always been transparent about this. However, bypassing LKRG requires more complicated and less reliable exploits. This raises the bar for attackers significantly.

LKRG provides security through diversity, similar to running an uncommon OS kernel but without the usability drawbacks. It complements rather than replaces other security mechanisms like SELinux or AppArmor by adding other kinds of checks at the kernel level.

For systems that cannot be promptly rebooted into new kernels whenever vulnerabilities are discovered, LKRG provides meaningful protection against both known and unknown kernel exploits that don't specifically target LKRG.

Acknowledgments

This release reflects contributions from Sultan Alsawaf and Vitaly Chikunov alongside my own work. Adam 'pi3' Zabrocki, LKRG's original author, remained actively involved throughout this release cycle, reviewing changes and ensuring we maintained the project's integrity.

CIQ's support made many improvements possible, including the per-task shadow data locking overhaul and numerous bug findings and fixes.

Looking forward

With 1.0 behind us, we can consider lifting our informal freeze on new defenses. Future work may include evolution toward even greater maturity, improved self-protection, and potentially detection and prevention of userspace attacks once the kernel-level foundation is sufficiently stable.

LKRG 1.0 represents what we believe a mature, production-ready runtime security module should be: effective against real threats, minimal in overhead, and extensively tested across the kernel versions that matter to production environments.


Solar Designer is the founder of Openwall and a senior principal security engineer at CIQ. LKRG is an independent project created by Adam 'pi3' Zabrocki and co-maintained by Solar Designer, supported at various times by Binarly and CIQ.


Get started with LKRG 1.0:

For enterprise deployments: Organizations running Rocky Linux can access LKRG through the SIG/Security repository. For production environments requiring vendor support and Secure Boot integration, Rocky Linux from CIQ - Hardened includes LKRG pre-configured and fully supported.

Have questions? Join the lkrg-users mailing list to connect with the development team and community. For enterprise support inquiries, contact CIQ.

