A rootkit dissected

Posted Nov 22, 2012 14:04 UTC (Thu) by epa (subscriber, #39769)
Parent article: A rootkit dissected

It would save everyone a lot of trouble if the kernel had built-in functions for hiding files and processes and other rootkitty things. It wouldn't make anyone less secure: if you can get as far as loading a kernel module to call these functions, then the machine is already compromised. But it would save everyone some time writing and debugging these things and help to emphasize the important point: that what matters is not the existence of a rootkit, but the vulnerabilities that allow you to get root and modify the kernel in the first place.

A rootkit dissected

Posted Nov 22, 2012 15:11 UTC (Thu) by dtalen (subscriber, #86448)

Because kernel developers should spend their time making life easier for rootkit developers. Right...

Sarcasm aside, there aren't many legitimate uses for APIs that do "rootkitty things." You're right that the existence of these doesn't necessarily make the kernel less secure, but it would make a statement that kernel developers even care about doing something for malware developers, which is a bad message to send.

A rootkit dissected

Posted Nov 22, 2012 15:46 UTC (Thu) by spender (subscriber, #23067)

Linux already has it -- it's called LSM.

-Brad

A rootkit dissected

Posted Nov 22, 2012 22:57 UTC (Thu) by BenHutchings (subscriber, #37955)

That doesn't help, as LSMs can't be loadable modules.

A rootkit dissected

Posted Nov 22, 2012 23:33 UTC (Thu) by PaXTeam (subscriber, #24616)

is the stable 3.2 series maintainer seriously saying that general kernel modules can't (ab)use the LSM interfaces? for real? ;)

A rootkit dissected

Posted Nov 23, 2012 1:18 UTC (Fri) by BenHutchings (subscriber, #37955)

Kernel modules can use, abuse or bypass any interface, exported or not. But run-time installable LSMs would be so much more convenient to the rootkit author.

A rootkit dissected

Posted Nov 23, 2012 1:25 UTC (Fri) by PaXTeam (subscriber, #24616)

and what exactly prevents a normal module from posing as an LSM? nothing? ;)

A rootkit dissected

Posted Nov 24, 2012 0:12 UTC (Sat) by dpquigl (subscriber, #52852)

You're right, absolutely nothing, and with this proposed patch by the TOMOYO developer[1] it will become even easier.

[1] http://www.spinics.net/linux/fedora/linux-security-module...

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds