Re: Announcement: Solaris loadable kernel module backdoor
Subject: Re: Announcement: Solaris loadable kernel module backdoor
From: Kragen Sitaker (kragen POBOX.COM)
Date: Mon Dec 27 1999 - 14:29:58 CST
Ralf-P. Weinmann writes:
> However I'd like to point out that you could add a call to a routine to
> compute the MD5 or SHA-1 hash of the data copied with copy_from_user()
> in sys_init_module() and reject it if it doesn't match a precomputed
> value (which has to be securely stored somewhere in kernel space for
> each and every module that is allowed to be loaded).
However I'd like to point out that if modprobe is actually resolving
unresolved symbols in the module before it loads it, the MD5 or SHA-1
won't match, which is the case with Linux, according to a previous post
on this thread.

However I'd like to point out that you wouldn't win anything even if it
worked, without removing the numerous other ways root can subvert the
running kernel --- or, equivalently, all running processes (e.g. with
ptrace).
--
<kragenpobox.com> Kragen Sitaker <http://www.pobox.com/~kragen/>
The Internet stock bubble didn't burst on 1999-11-08. Hurrah!
<URL:http://www.pobox.com/~kragen/bubble.html>
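
The hash mismatch described in the reply above, as an added example that is not part of the original message: a digest precomputed from the module file stops matching once a userspace loader has patched symbol addresses into the image. The image bytes, relocation table, symbol addresses and the kernel_check function are constructed for illustration.

```python
import hashlib
import struct

# Constructed stand-in for a module object file: a few code bytes with two
# 4-byte holes that the userspace loader fills with kernel symbol addresses.
IMAGE = (bytes.fromhex("5589e5e8") + b"\x00" * 4 +
         bytes.fromhex("83c404e8") + b"\x00" * 4 + bytes.fromhex("c9c3"))
RELOCS = [(4, "printk"), (12, "kmalloc")]  # (offset, symbol), hypothetical

def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def userspace_link(image: bytes, relocs, ksyms) -> bytes:
    """Patch resolved symbol addresses into the image, as a loader that
    resolves symbols itself does before handing the bytes to the kernel."""
    buf = bytearray(image)
    for offset, name in relocs:
        struct.pack_into("<I", buf, offset, ksyms[name])
    return bytes(buf)

# Allowlist precomputed from the file on disk (the proposal in the quoted text).
ALLOWED = {sha1(IMAGE)}

def kernel_check(copied_in: bytes) -> bool:
    """Hypothetical check on the bytes the kernel receives from userspace."""
    return sha1(copied_in) in ALLOWED

# Constructed symbol tables for two differently built kernels.
KSYMS_A = {"printk": 0xC0112F40, "kmalloc": 0xC0125A10}
KSYMS_B = {"printk": 0xC0113080, "kmalloc": 0xC0125C30}

def demo() -> dict:
    linked_a = userspace_link(IMAGE, RELOCS, KSYMS_A)
    linked_b = userspace_link(IMAGE, RELOCS, KSYMS_B)
    return {
        # The untouched file matches its own precomputed digest.
        "on_disk_passes": kernel_check(IMAGE),
        # The bytes the kernel actually sees no longer match.
        "linked_passes": kernel_check(linked_a),
        # The digest also depends on the running kernel's symbol addresses,
        # so no single precomputed value covers the linked image.
        "digests_differ_per_kernel": sha1(linked_a) != sha1(linked_b),
    }

if __name__ == "__main__":
    print(demo())
```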