Won't stop rootkits
Posted Jul 15, 2004 14:47 UTC (Thu) by spender
Parent article: Cryptographic signatures on kernel modules
This code won't stop rootkits. The protections it has set up for /dev/mem and /dev/kmem can be easily disabled by modifying the kernel through DMA. An attacker need only access some device on their system capable of DMA and (ab)use it to write to portions of kernel memory that are denied through /dev/mem and /dev/kmem.
Redhat: please stop releasing half-baked solutions and promoting them as complete ones. You're a mockery of real security researchers, who work much harder than you and provide the code that you "adapt" and repackage and gain all the fame for.
I expect in the near future a small application to be written that uses DMA to remove the checks inserted into the code that handles reading/writing of /dev/mem and mmaping of /dev/mem and /dev/kmem (reading/writing /dev/kmem has a return -EPERM at the beginning of the function, so it couldn't be NOP'd out to reveal the clean function). This application will simply be run before the normal rootkit is installed, without modification.
As an aside, where are the people asking about Redhat's attack model for their SELinux policies in Fedora? Before with "strict" policies, things broke, so they were replaced with "relaxed" policies. Now people are happy, because "it works." Is it really working, or are people just saying "it works" to mean "it's not breaking my system." It's amazing how they can tout these features without ever saying what it's supposed to protect against!
Of course, Redhat would never tell you this.. ($$ and attention before real security)
to post comments)