For the curious, here is the paper describing rootkit injection via /dev/mem [PDF]. As expected, there's not a whole lot that's truly new, though there are some clever techniques for getting the kernel to allocate memory for the injected code. The authors note that, indeed, the STRICT_DEVMEM configuration option will block this attack. "Until recently there was no protection inside the kernel mainline, although SELinux has limited seeks above the first megabyte of memory for a few years. Users of RHEL and other distributions have been safe for some time now."
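Since the mitigation the item names is a kernel build option, the practical question for an administrator is whether the running kernel was built with it. The following shell script is an added example (not from the article or the paper): it parses a kernel config file in the `/boot/config-$(uname -r)` format for `CONFIG_STRICT_DEVMEM`, and also for `CONFIG_IO_STRICT_DEVMEM`, a later mainline option that additionally refuses /dev/mem access to ranges claimed by drivers. The two sample config files it runs against are constructed inline.

```shell
#!/bin/sh
# Added example, not code from the article or the paper it links.
# Audits a kernel config for the options that restrict /dev/mem:
#   CONFIG_STRICT_DEVMEM    - the option the article names (limits /dev/mem to
#                             the low memory and reserved/PCI ranges)
#   CONFIG_IO_STRICT_DEVMEM - stricter companion option in mainline kernels that
#                             also blocks ranges claimed by drivers

# devmem_option_state FILE OPTION -> prints "y", "n", or "unset"
devmem_option_state() {
    file="$1"; opt="$2"
    if grep -q "^${opt}=y$" "$file"; then
        echo y
    elif grep -q "^${opt}=n$" "$file" || grep -q "^# ${opt} is not set$" "$file"; then
        echo n
    else
        echo unset
    fi
}

# devmem_audit FILE -> prints a one-line verdict; exit status 0 when
# STRICT_DEVMEM is enabled, 1 when /dev/mem is unrestricted
devmem_audit() {
    strict=$(devmem_option_state "$1" CONFIG_STRICT_DEVMEM)
    io_strict=$(devmem_option_state "$1" CONFIG_IO_STRICT_DEVMEM)
    if [ "$strict" = y ]; then
        echo "restricted: CONFIG_STRICT_DEVMEM=y (CONFIG_IO_STRICT_DEVMEM=$io_strict)"
        return 0
    fi
    echo "open: /dev/mem allows arbitrary physical memory reads (CONFIG_STRICT_DEVMEM=$strict)"
    return 1
}

# Constructed sample configs standing in for /boot/config-$(uname -r):
# one hardened kernel, one built without the restriction.
SAMPLE_STRICT=$(mktemp)
printf '%s\n' 'CONFIG_DEVMEM=y' 'CONFIG_STRICT_DEVMEM=y' \
    '# CONFIG_IO_STRICT_DEVMEM is not set' > "$SAMPLE_STRICT"
SAMPLE_OPEN=$(mktemp)
printf '%s\n' 'CONFIG_DEVMEM=y' '# CONFIG_STRICT_DEVMEM is not set' > "$SAMPLE_OPEN"

devmem_audit "$SAMPLE_STRICT"
devmem_audit "$SAMPLE_OPEN" || true

# To audit the running kernel instead:
#   devmem_audit "/boot/config-$(uname -r)"
# or, where the kernel exposes its config: zcat /proc/config.gz > cfg && devmem_audit cfg
```

The `# CONFIG_X is not set` form matters: Kconfig writes disabled boolean options that way rather than as `CONFIG_X=n`, so a check that only greps for `=n` would report a hardened kernel and an unhardened one identically.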