Protection against kernel level exploits

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Most users here, through various techniques (sandboxing, SRP, disabling active content), have little chance of being hit by malware unless either their whitelisting or sandboxing approach has an exploitable bug or a kernel-level exploit is used.

Is there anything to be done to avoid kernel-level exploits? I'd expect not; for Linux there seem to be some modules that make it harder, but of course no hard guarantees can be given by these modules.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,123
Most users here, through various techniques (sandboxing, SRP, disabling active content), have little chance of being hit by malware unless either their whitelisting or sandboxing approach has an exploitable bug or a kernel-level exploit is used.

Is there anything to be done to avoid kernel-level exploits? I'd expect not; for Linux there seem to be some modules that make it harder, but of course no hard guarantees can be given by these modules.
I assume that you do not intentionally run/open suspicious programs/content and do not ignore security alerts. Otherwise, the suggestions below (and others) will be pretty much useless.
  1. Windows & software updates.
  2. Reducing the attack surface (disabled SMB protocols & unneeded services, etc.).
  3. Standard User Account.
  4. Default-deny setup.
You can think about kernel exploits the way you think about HIV, which exploits the human immune system. The most efficient solution is reasonable prophylaxis.
You can try other solutions like hardening the system processes, but this will be a painful way, just like HIV treatment.
 
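The four points in the post above, turned into a PowerShell audit. This is an added example and is not code from the original post or from Hard_Configurator. It reports the age of the most recently installed hotfix, whether the SMBv1 server protocol is still enabled, which of a few rarely needed services are running, whether the logged-on account is a member of the local Administrators group, and whether a Software Restriction Policy default level of Disallowed is in place. The service list, the 45-day update threshold and the `-Apply` switch are assumptions for illustration; run it from an elevated Windows PowerShell 5.1 session, and pass `-Apply` only after reviewing the remediation lines.

```powershell
# Audit of the four hardening points above (added example, not from the original post).
# Run in an elevated Windows PowerShell 5.1 session; read-only unless -Apply is given.
param([switch]$Apply)

# 1. Windows updates: age of the most recently installed hotfix (no network access needed).
#    The 45-day threshold is an assumption for illustration.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $ageDays = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    $note = if ($ageDays -gt 45) { '  <-- check Windows Update' } else { '' }
    Write-Output "Last update: $($latest.HotFixID) installed $ageDays days ago$note"
} else {
    Write-Output 'No hotfix history found; check Windows Update manually'
}

# 2. Attack surface: SMBv1 server protocol and a few services rarely needed on a home PC.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Output "SMBv1 server protocol enabled: $smb1"
if ($smb1 -and $Apply) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Output 'SMBv1 disabled (reboot to complete)'
}
# Service list is an assumption for illustration; adjust it to your environment.
$unneeded = 'RemoteRegistry', 'SSDPSRV', 'upnphost', 'WMPNetworkSvc'
foreach ($name in $unneeded) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }
    Write-Output "Service $name : $($svc.Status), start type $($svc.StartType)"
    if ($Apply -and $svc.StartType -ne 'Disabled') {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $name -StartupType Disabled
        Write-Output "Service $name disabled"
    }
}

# 3. Standard user account: is the logged-on account a direct member of local Administrators?
#    (Membership through nested groups is not resolved here.)
$me     = "$env:USERDOMAIN\$env:USERNAME"
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object Name
$isAdminMember = $admins -contains $me
$note = if ($isAdminMember) { '  <-- do daily work from a standard user account' } else { '' }
Write-Output "Account $me is a member of Administrators: $isAdminMember$note"

# 4. Default-deny: Software Restriction Policies default level.
#    0x40000 = Unrestricted (no default-deny), 0x1000 = Basic User, 0x0 = Disallowed.
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$level  = (Get-ItemProperty -Path $srpKey -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
switch ($level) {
    0       { Write-Output 'SRP default level: Disallowed (default-deny in place)' }
    0x1000  { Write-Output 'SRP default level: Basic User' }
    0x40000 { Write-Output 'SRP default level: Unrestricted (no default-deny)' }
    default { Write-Output 'SRP not configured (no default-deny)' }
}
```

Point 4 only looks at the built-in SRP policy; a default-deny built with AppLocker, WDAC or a third-party anti-executable will show up as "not configured" here even though it is in place, so treat that line as a hint rather than a verdict.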

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
I assume that you do not intentionally run/open suspicious programs/content and do not ignore security alerts. Otherwise, the suggestions below (and others) will be pretty much useless.
  1. Windows & software updates.
  2. Reducing the attack surface (disabled SMB protocols & unneeded services, etc.).
  3. Standard User Account.
  4. Default-deny setup.
You can think about kernel exploits the way you think about HIV, which exploits the human immune system. The most efficient solution is reasonable prophylaxis.
You can try other solutions like hardening the system processes, but this will be a painful way, just like HIV treatment.

Thanks - I'm more interested in explicitly protecting the kernel from exploits. For all practical purposes, assume the user runs the suspicious program.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Don't programs like MemProtect and Pumpernickel = FIDES run at the kernel level?
They run as kernel-mode drivers, but that doesn't mean they are protecting the kernel any more than other security programs do.

Windows 10 now has something called "memory integrity", which you might or might not be successful in enabling. It depends on your hardware and software configuration. It is supposed to protect against some kernel exploits.

Basically, kernel exploits are hard to stop once they start. For instance, sandboxing will not necessarily stop them. Advanced anti-exe or SRP or HIPS setups have a better chance of stopping them at some point.

But if you prevent the initial infection, then a kernel exploit can't happen. Good general security practices are what you need, and that includes running a modern and updated operating system.
 
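The "memory integrity" setting mentioned above is hypervisor-enforced code integrity (HVCI) under virtualization-based security, and whether it can be enabled depends on the hardware properties the platform exposes. The following PowerShell script is an added example, not code from the original post: it reads the `Win32_DeviceGuard` CIM class to show whether VBS is running, whether HVCI is configured and running, and which required hardware properties are missing, and optionally writes the registry value that turns memory integrity on. The `-Enable` switch and the comment mapping of property codes are assumptions for illustration; the registry path is the one documented by Microsoft for enabling memory integrity, and enabling it needs an elevated session and a reboot.

```powershell
# Memory integrity (HVCI) status check (added example, not from the original post).
# Read-only unless -Enable is given; enabling needs an elevated session and a reboot.
param([switch]$Enable)

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
$vbsStates = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }
$vbs = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
Write-Output "Virtualization-based security: $vbs"

# SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
$hvciConfigured = $dg.SecurityServicesConfigured -contains 2
$hvciRunning    = $dg.SecurityServicesRunning    -contains 2
Write-Output "Memory integrity (HVCI) configured: $hvciConfigured, running: $hvciRunning"

# RequiredSecurityProperties vs AvailableSecurityProperties use the same codes; the mapping below
# follows the Win32_DeviceGuard documentation as the author of this example understands it:
# 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection, 4 = Secure Memory Overwrite,
# 5 = NX protections, 6 = SMM mitigations, 7 = MBEC/GMET.
$missing = @($dg.RequiredSecurityProperties | Where-Object { $dg.AvailableSecurityProperties -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Output "Required hardware properties not available: $($missing -join ', ')"
} else {
    Write-Output 'All required hardware security properties are available'
}

if ($Enable -and -not $hvciConfigured) {
    # Registry values documented by Microsoft for enabling memory integrity; Locked = 0 keeps the
    # Windows Security toggle usable so it can be switched off again from the UI.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name Enabled -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name Locked  -Value 0 -Type DWord
    Write-Output 'Memory integrity enabled in the registry; reboot to apply.'
    Write-Output 'If the machine fails to boot, an incompatible driver is loaded: set Enabled back to 0 from the recovery environment.'
}
```

The "enabled, not running" state is the common failure: the toggle was set but a hardware property is missing or an unsigned/incompatible kernel driver keeps HVCI from starting, which is why the script prints the missing properties separately from the configured/running flags.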

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
They run as kernel-mode drivers, but that doesn't mean they are protecting the kernel any more than other security programs do.

Windows 10 now has something called "memory integrity", which you might or might not be successful in enabling. It depends on your hardware and software configuration. It is supposed to protect against some kernel exploits.

Basically, kernel exploits are hard to stop once they start. For instance, sandboxing will not necessarily stop them. Advanced anti-exe or SRP or HIPS setups have a better chance of stopping them at some point.

But if you prevent the initial infection, then a kernel exploit can't happen. Good general security practices are what you need, and that includes running a modern and updated operating system.

I doubt SRP, anti-exe or HIPS offer decent protection against kernel exploits.
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Kernel or not, all malware needs an entry point. Cover it and you are good; of course, the said protection must be able to block the types of files used.

Agreed that attack surface reduction is a good idea, including, among other things, for reducing entry points for kernel exploits - this doesn't make it an explicit kernel exploit prevention mechanism, though.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I doubt SRP, anti-exe or HIPS offer decent protection against kernel exploits.
More correctly, they offer a certain degree of what is called "post-exploit" protection. In order for the malware to actually utilize the exploit, it will typically try to run a LOLBin, or drop an executable, or at least access the internet. When these things happen, advanced security programs can help. As for the last-mentioned action, a good firewall helps, too.

But I understand that you are looking for a silver bullet against kernel exploits. I wish you good luck. :)
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
More correctly, they offer a certain degree of what is called "post-exploit" protection. In order for the malware to actually utilize the exploit, it will typically try to run a LOLBin, or drop an executable, or at least access the internet. When these things happen, advanced security programs can help. As for the last-mentioned action, a good firewall helps, too.

But I understand that you are looking for a silver bullet against kernel exploits. I wish you good luck. :)

I'm not looking for a silver bullet, but at the moment it looks like there's almost nothing to protect against these.

E.g. for malware there's no silver bullet, but an AV helps and explicitly tries to detect & contain it.
For application exploits, Hitman Pro explicitly tries to protect; it's not a silver bullet, but it offers some protection against the application-exploit attack vector.

For kernel exploits there's (almost) nothing that explicitly tries to protect against the kernel-exploit attack vector.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I'm not looking for a silver bullet, but at the moment it looks like there's almost nothing to protect against these.

E.g. for malware there's no silver bullet, but an AV helps and explicitly tries to detect & contain it.
For application exploits, Hitman Pro explicitly tries to protect; it's not a silver bullet, but it offers some protection against the application-exploit attack vector.

For kernel exploits there's (almost) nothing that explicitly tries to protect against the kernel-exploit attack vector.
Yup. I agree completely. That's the sad truth.
 
