The ExecShield patches
Posted Jul 22, 2005 12:39 UTC (Fri) by mingo
In reply to: The ExecShield patches
Parent article: Kernel Summit 2005: The ExecShield patches
signed modules (an upcoming feature) will prevent the loading of 'rogue' modules.
You are right in that the weakest link determines the strength of the chain, but this does not mean we should not strengthen other links even if we know that they are not the weakest link. Once that final link is strengthened too we'll see a sudden jump in strength.
so I agree that in isolation, restricting /dev/mem is like closing the door but leaving the window open. I'd like to reassure you that we are closing the windows too :)
on a sidenote, rootkits do prefer /dev/mem over module insertion, because it's "more stealth". And not only is it more stealth, it's also more robust: by checking the actual kernel image a rootkit can make reasonably sure that it has the right kernel version - while with modules you either have the correct symbol map or you don't, and in the latter case the attacker can easily crash the system and raise attention. The most dangerous attackers prefer stealth over all - so that their unique methods stay hidden.
another sidenote is that if you cook your own kernel (which secure sites sometimes do), you can disable module support.
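The comment names three kernel-side controls: restricting /dev/mem, accepting only signed modules, and compiling module support out entirely. The following is an added example, not code from the comment or from the ExecShield project, showing how a defender can audit a kernel build config for those three controls. The option names it greps for (CONFIG_STRICT_DEVMEM, CONFIG_MODULES, CONFIG_MODULE_SIG_FORCE) are the ones later mainline kernels use for these features and are not taken from the 2005 discussion; the config snippet it audits is constructed for the demonstration.

```shell
#!/bin/sh
# Audit a kernel build config (.config or /boot/config-$(uname -r)) for the
# controls discussed in the comment. Option names are those of current mainline
# kernels (assumption: they are not from the original 2005 discussion).

# is_set FILE OPTION -> true when "OPTION=y" appears in FILE
is_set() {
    grep -q "^$2=y\$" "$1"
}

# audit_config FILE -> prints one status line per control and returns the
# number of controls that are NOT enforced (0..2); a non-zero return means
# at least one known kernel-memory modification path is still open.
audit_config() {
    cfg="$1"
    missing=0

    # /dev/mem: with CONFIG_STRICT_DEVMEM the device only exposes PCI/BIOS
    # ranges, so the kernel image itself cannot be patched through it.
    if is_set "$cfg" CONFIG_STRICT_DEVMEM; then
        echo "ok      /dev/mem restricted to device memory (CONFIG_STRICT_DEVMEM=y)"
    else
        echo "MISSING /dev/mem exposes all RAM: kernel text can be patched by root"
        missing=$((missing + 1))
    fi

    # Modules: either compiled out altogether (the "cook your own kernel"
    # option) or restricted to modules carrying a valid signature.
    if ! is_set "$cfg" CONFIG_MODULES; then
        echo "ok      module loading compiled out (CONFIG_MODULES unset)"
    elif is_set "$cfg" CONFIG_MODULE_SIG_FORCE; then
        echo "ok      only signed modules can be loaded (CONFIG_MODULE_SIG_FORCE=y)"
    else
        echo "MISSING unsigned modules are accepted (no CONFIG_MODULE_SIG_FORCE)"
        missing=$((missing + 1))
    fi

    return "$missing"
}

# Stand-alone demo on a constructed config that has neither control.
demo_cfg=$(mktemp)
printf 'CONFIG_MODULES=y\n# CONFIG_STRICT_DEVMEM is not set\n' > "$demo_cfg"
audit_config "$demo_cfg" && status=0 || status=$?
echo "controls not enforced: $status"
rm -f "$demo_cfg"
```

Point the function at a real config with `audit_config /boot/config-$(uname -r)`; a hardened build, or one with modules compiled out plus a restricted /dev/mem, returns 0, while the constructed demo config above returns 2.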