In the latest release of test v2.25 – Core update 142, IPFire has introduced a new method to sign the Linux kernel module cryptographically. As a result of this, the attacker cannot execute an illegal action using a deployed third-party module into the IPFire kernel.
This new approach of kernel rootkit protection can completely restrict the activities of hidden rootkits on the system. Any modification to the kernel code now requires validation using a cryptographic signature to check its authenticity and integrity.
What is a Rootkit?
A rootkit is a type of malware containing various software that the attacker can deploy on the infected computer. It can be used to gain root access and perform any action remotely.
In the case of the kernel, rootkit mainly modifies the code to add functionality inside the operating system like changing system call behavior. They can also serve other purposes such as mining crypto or adding other file format support.
New Features In IPFire Against Rootkits
IPFire is an open-source software that helps to protect the network from external attacks like Denial-of-Service. Its powerful firewall engine and intrusion prevention system puts a high bet on the security.
And the new feature takes the security one level up to act against the hidden elements like rootkits. IPFire now uses a new protocol to authenticate every loading of a new driver or code into the kernel using signature matches.
If an attacker wants to give any malicious command to add even a single line code, he must require a signature key for validation. And to add a signature, he needs to rebuild and re-ship the whole kernel during the compile time of kernel.
Not even IPFire can modify the code because it throws the key away after compilation. Of course, this can also work against other invisible malware that targets the Linux system.