Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1999-q4

Bugtraq Archives: Re: Announcement: Solaris loadable kernel mod

Re: Announcement: Solaris loadable kernel module backdoor

Subject: Re: Announcement: Solaris loadable kernel module backdoor
From: Ralf-Philipp Weinmann (weinmannRBG.INFORMATIK.TU-DARMSTADT.DE)
Date: Sun Dec 26 1999 - 11:01:33 CST

Next message: Pavel Machek: "strace can lie"
Previous message: Matt: "Fw: Re-release of Microsoft Security Bulletin MS99-046"
Next in thread: Pavel Kankovsky: "Re: Announcement: Solaris loadable kernel module backdoor"
Next in thread: Kragen Sitaker: "Re: Announcement: Solaris loadable kernel module backdoor"
Maybe reply: Ralf-Philipp Weinmann: "Re: Announcement: Solaris loadable kernel module backdoor"
Reply: Pavel Kankovsky: "Re: Announcement: Solaris loadable kernel module backdoor"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Keith Owens <kaosOCS.COM.AU> writes:

> On Tue, 21 Dec 1999 14:33:50 -0800,
> pedwardWEBCOM.COM wrote:
> >At boot, compile the list of modules that are 'known good' (for the sake
> >of argument, it's the /lib/modules/x.y.z), then write the list, with
> >MD5 checksums, to a write once /proc interface to kmod.
> >
> >kmod would check the MD5 sum before loading the requested module, if it didn't
> >match the in-kernel list, don't allow it.
>
> kmod does not load modules. It starts a kernel thread and invokes
> modprobe. modprobe runs /etc/modules.conf and the the dependency chain
> then loads anywhere between zero and n modules. All of this work is in
> user space and it is all outside kernel control.
>
However I'd like to point out that you could add call a routine to
compute the MD5 or SHA-1 hash of the data copied with copy_from_user()
in sys_init_module() and reject it if it doesn't match a precomputed
value (which has to be securely stored somewhere in kernel space for
each and every module that the is allowed to be loaded).
A scheme I'd prefer would be to have a trusted signing key in the kernel
and allow the user to write a signed list of modules and their
respective hash values to say /proc/securemodules. This allows for
utmost flexibility and security IMHO.

-rpw

--
Ralf-P. Weinmann (weinmannrbg.informatik.tu-darmstadt.de)
PGP key len/id/fingerprint: 2048/09AAEEAA1/46C772078ACB58DEF6EBF8030CBF1724
GPG key fingerprint: C66F E290 4B48 459B 9283  2A75 2236 8340 BCCD 38B5

Next message: Pavel Machek: "strace can lie"
Previous message: Matt: "Fw: Re-release of Microsoft Security Bulletin MS99-046"
Next in thread: Pavel Kankovsky: "Re: Announcement: Solaris loadable kernel module backdoor"
Next in thread: Kragen Sitaker: "Re: Announcement: Solaris loadable kernel module backdoor"
Maybe reply: Ralf-Philipp Weinmann: "Re: Announcement: Solaris loadable kernel module backdoor"
Reply: Pavel Kankovsky: "Re: Announcement: Solaris loadable kernel module backdoor"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b27 : Mon Dec 27 1999 - 13:18:30 CST