From: Daniel Souza <thehazard@gmail.com>
To: Lee Revell <rlrevell@joe-job.com>
Cc: Allison <fireflyblue@gmail.com>, linux-kernel@vger.kernel.org
Subject: Re: Kernel Rootkits
Date: Fri, 15 Apr 2005 12:40:05 -0700 [thread overview]
Message-ID: <e1e1d5f4050415124051ee6f79@mail.gmail.com> (raw)
In-Reply-To: <1113592915.23839.6.camel@mindpipe>
On 4/15/05, Lee Revell <rlrevell@joe-job.com> wrote:
> On Fri, 2005-04-15 at 11:40 -0700, Daniel Souza wrote:
> > A way to "protect" system calls is, after boot a trusted kernel image,
> > take a MD5 of the syscalls functions implementations (the opcodes that
> > are part of sys_read for example) and store it in a secure place.
>
> That's the problem, once the kernel is compromised there's no such thing
> as a secure place. Solving this problem requires things like "trusted
> computing" aka hardware support.
yes, hardware support like a floppy disk or a memory key with the
read-only switch turned on after a sucessful boot storing the
hashes... paranoia that works =) Or just print them, and when in
doubt if your kernel is patched, take another checksum of system calls
and compare to paper... =)
Ok, kidding apart, there's no way to safely protect the system against
memory patching. Maybe, some hardware lock that will keep a "code
segment block" of kernel memory as read-only and a separated segment
for data (as read-write), and after the boot and kernel load, this
lock is activated by a asm call or something like that. This stills
not functional, to not mention impossible. You can implement ways to
make kernel memory patching harder, like avoid any mechanism that can
give direct access to memory like /dev/mem, or /dev/kmem (or patch
them to avoid access to specific areas, because some applications like
Xorg uses direct memory access with that mechanisms to do they duty.)
In fact, avoid any mechanism that can be used by userspace processes
to read/write memory data above 0xc00000. This will also not avoid
kernelspace exploitation from programming bugs (like recent (?) VMA
problems, and ancient ptrace bugs that could lead to privilege
elevation). It's just a mechanism to help securing a system.
Or just try grsec =)
--
# (perl -e "while (1) { print "\x90"; }") | dd of=/dev/evil
next prev parent reply other threads:[~2005-04-15 19:40 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-15 18:15 Kernel Rootkits Allison
2005-04-15 18:33 ` Petr Baudis
2005-04-15 18:34 ` Daniel Souza
2005-04-15 18:36 ` Lee Revell
2005-04-15 18:37 ` Lennart Sorensen
2005-04-15 19:19 ` Andre Tomt
2005-04-15 18:40 ` Daniel Souza
2005-04-15 19:21 ` Lee Revell
2005-04-15 19:40 ` Daniel Souza [this message]
-- strict thread matches above, loose matches on Subject: below --
2005-04-15 19:15 Allison
2005-04-15 19:38 ` Daniel Souza
2005-04-15 17:33 Malita, Florin
2005-04-15 18:08 ` Lee Revell
2005-04-15 16:02 Allison
2005-04-15 17:16 ` Richard B. Johnson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e1e1d5f4050415124051ee6f79@mail.gmail.com \
--to=thehazard@gmail.com \
--cc=fireflyblue@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rlrevell@joe-job.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox