Protection against kernel level exploits

notabot (thread author), Oct 31, 2018
Most users here, through various techniques (sandboxing, SRP, disabling active content), have little chance of being hit by malware unless either their whitelisting or sandboxing approach has an exploitable bug or a kernel level exploit is used.

Is there anything to be done to avoid kernel level exploits? I’d expect not; for Linux there seem to be some modules that make it harder, but of course no hard guarantees can be given by these modules.
 
I assume that you do not intentionally run/open suspicious programs/content and do not ignore security alerts. If not, then the below suggestions (and others) will be pretty much useless.
  1. Windows & software updates.
  2. Reducing the attack surface (disabled SMB protocols & unneeded services, etc.).
  3. Standard User Account.
  4. Default-deny setup.
You can think about kernel exploits as being like HIV, which exploits the human immune system. The most efficient solution is a reasonable prophylaxis.
You can try other solutions like hardening the system processes, but this will be painful, just like the treatment of HIV.
 

Thanks - I’m more interested in explicitly protecting the kernel from exploits. For all practical purposes, assume the user runs the suspicious program.
 
Don't programs like MemProtect and Pumpernickel (= FIDES) run at the kernel level?
They run as kernel mode drivers, but that doesn't mean they are protecting the kernel any more than other security programs do.

Windows 10 now has something called "memory integrity", which you might or might not be successful in enabling. It depends on your hardware and software configuration. It is supposed to protect against some kernel exploits.

Basically, kernel exploits are hard to stop, once they start. For instance, sandboxing will not necessarily stop them. Advanced anti-exe or SRP or HIPS setups have a better chance at stopping them at some point.

But if you prevent the initial infection, then a kernel exploit can't happen. Good general security practices are what you need, and that includes running a modern and updated operating system.
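The following is an added example, not code from this thread or from any product mentioned in it: a read-only PowerShell audit of the hardening points raised above (updates, SMB1 off, a standard user account, a default-deny policy) together with the Windows 10 "memory integrity" (HVCI) status and why it may be configured yet not running. It assumes Windows 10 or later run from an elevated shell; the function names are my own, the WMI class, cmdlets and SID are the real ones.

```powershell
# Added example, not code from this thread: read-only audit of the hardening
# points above. Run elevated on Windows 10+; function names are mine.

function Test-MemoryIntegrity {
    # "Memory integrity" is HVCI; Win32_DeviceGuard lists service id 2 in
    # SecurityServicesRunning only when it is actually active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) { return 'Unknown (Device Guard class unavailable)' }
    if ($dg.SecurityServicesRunning -contains 2) { return 'Running' }
    if ($dg.SecurityServicesConfigured -contains 2) { return 'Configured but not running (VBS/hardware or driver issue)' }
    return 'Off'
}

function Test-Smb1 {
    # SMB1, served by the kernel-mode SMB server, is a classic remote entry point.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $cfg) { return 'Unknown (SmbShare module unavailable)' }
    if ($cfg.EnableSMB1Protocol) { 'Enabled (disable it)' } else { 'Disabled' }
}

function Test-StandardUser {
    # SID check works in elevated and non-elevated shells alike: a filtered admin
    # token still lists the Administrators SID (S-1-5-32-544) as deny-only.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    if ($id.Groups.Value -contains 'S-1-5-32-544') { 'Member of Administrators' } else { 'Standard user' }
}

function Test-DefaultDeny {
    # Only checks that an effective AppLocker policy with rules exists; whether
    # it is really default-deny needs a look at the rules themselves.
    if (-not (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue)) { return 'Unknown (AppLocker module unavailable)' }
    $pol = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if (-not $pol) { return 'No AppLocker policy' }
    $n = 0; foreach ($c in $pol.RuleCollections) { $n += $c.Count }
    "AppLocker policy present ($n rules)"
}

function Test-PendingUpdates {
    # Windows Update Agent COM API; non-zero means patches are missing.
    try {
        $s = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $s.Search('IsInstalled=0 and IsHidden=0').Updates.Count
    } catch { 'Unknown (update search failed)' }
}

[pscustomobject]@{ MemoryIntegrity = Test-MemoryIntegrity; SMB1 = Test-Smb1
    Account = Test-StandardUser; DefaultDeny = Test-DefaultDeny
    PendingUpdates = Test-PendingUpdates } | Format-List
```

The update search can take a minute on a machine that has not checked for updates recently; the other checks return immediately.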
 

I doubt SRP, anti-exe or HIPS offer decent protection against kernel exploits.
 
Kernel or not, all malware needs an entry point. Cover it and you are good; of course, the said protection must be able to block the type of files used.

Agreed that attack surface reduction is a good idea, including, among other things, for reducing entry points for kernel exploits; this doesn’t make it an explicit kernel exploit prevention mechanism though.
 
More correctly, they offer a certain degree of what is called "post-exploit" protection. In order for the malware to actually utilize the exploit, it will typically try to run a LOLBin, or drop an executable, or at least access the internet. When these things happen, advanced security programs can help. As for the last-mentioned action, a good firewall helps, too.

But I understand that you are looking for a silver bullet against kernel exploits. I wish you good luck. :)
 

I’m not looking for a silver bullet but at the moment it looks like there’s almost nothing to protect against these.

E.g. for malware there’s no silver bullet, but an AV helps and explicitly tries to detect & contain it.
For application exploits, HitmanPro explicitly tries to protect; it’s not a silver bullet, but it offers some protection against the application exploit attack vector.

For kernel exploits there’s (almost) nothing that explicitly tries to protect against the kernel exploit attack vector.
 
Yup. I agree completely. That's the sad truth.