
Won't stop rootkits

Posted Jul 15, 2004 14:47 UTC (Thu) by spender (subscriber, #23067)
Parent article: Cryptographic signatures on kernel modules

This code won't stop rootkits. The protections it has set up for /dev/mem and /dev/kmem can be easily disabled by modifying the kernel through DMA. An attacker need only access some device on their system capable of DMA and (ab)use it to write to portions of kernel memory that are denied through /dev/mem and /dev/kmem.

Redhat: please stop releasing half-baked solutions and promoting them as complete ones. You're a mockery of real security researchers, who work much harder than you and provide the code that you "adapt" and repackage and gain all the fame for.

I expect in the near future a small application to be written that uses DMA to remove the checks inserted into the code that handles reading/writing of /dev/mem and mmapping of /dev/mem and /dev/kmem (reading/writing /dev/kmem has a return -EPERM at the beginning of the function, so it couldn't be NOP'd out to reveal the clean function). This application will simply be run before the normal rootkit is installed, without modification.

As an aside, where are the people asking about Redhat's attack model for their SELinux policies in Fedora? Before, with "strict" policies, things broke, so they were replaced with "relaxed" policies. Now people are happy, because "it works." Is it really working, or are people just saying "it works" to mean "it's not breaking my system"? It's amazing how they can tout these features without ever saying what they're supposed to protect against!

Of course, Redhat would never tell you this... ($$ and attention before real security)


Won't stop rootkits

Posted Jul 15, 2004 17:43 UTC (Thu) by scripter (subscriber, #2654)

I think your criticism is misdirected. Users require that first, the system must be usable, and second, secure. SELinux made their systems unusable, and if RedHat had left it enabled by default, they would have alienated a lot of users.

Integrating SELinux (even if not enabled by default) was a first step toward people using the system, working out problems, writing rule sets, etc. Without reasonable first steps, we would NEVER get to a secure state of security.

As for signed executables -- of course it's not a be-all end-all security solution. NOTHING IS. But it raises the bar, and that _is_ worthwhile.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds