Hunting for Rootkits
Posted Mar 3, 2007 9:49 UTC (Sat) by danshearer
In reply to: Hunting for Rootkits
Parent article: Hunting for Rootkits
Some reasonable points, but you can reduce exposure a lot by never mounting executables rw except when you are going to update them, which is a lot easier than all this. And with VMs the update is quite possibly external. So the internal system never gets a chance to compromise its binaries. In fact it may not even have permission to do so. You can enforce the same thing on a real machine with various mechanisms such as immutable bits.
RO policies can be circumvented, but they do substantially narrow the possibilities for an attacker.
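As an added illustration of the checks a defender would run to verify the policy described in the comment (this is example code, not from the comment author or LWN): one function reports filesystems that are mounted rw and can hold executables, the other reports files that lack the immutable attribute. The mount table and lsattr output are constructed samples; on a live host you would feed in `/proc/mounts` and `lsattr` output instead.

```shell
#!/bin/sh
# Constructed sample of /proc/mounts (not from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev 0 0
/dev/sda4 /opt ext4 rw,noexec 0 0'

# Constructed sample of "lsattr" output: flags field, then path.
# An "i" in the flags field means the immutable bit is set.
SAMPLE_LSATTR='----i---------e------- /usr/bin/ls
--------------e------- /usr/bin/ps
----i---------e------- /usr/sbin/sshd'

# rw_exec_mounts MOUNT_TABLE_TEXT
# Prints mount points that are writable and not noexec, i.e. places
# where a compromised system could rewrite something it can run.
rw_exec_mounts() {
    printf '%s\n' "$1" | awk '
        {
            n = split($4, opts, ",")
            rw = 0; noexec = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "rw")     rw = 1
                if (opts[i] == "noexec") noexec = 1
            }
            if (rw && !noexec) print $2
        }'
}

# not_immutable LSATTR_TEXT
# Prints paths whose flags field lacks the immutable "i" attribute.
not_immutable() {
    printf '%s\n' "$1" | awk 'index($1, "i") == 0 { print $2 }'
}

# Live usage (hypothetical paths; run as root for full visibility):
#   rw_exec_mounts "$(cat /proc/mounts)"
#   not_immutable "$(lsattr /usr/bin/* /usr/sbin/* 2>/dev/null)"
```

Mount points that show up in the first list and binaries in the second are the places where the read-only policy the comment advocates is not actually in force.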