[Gllug] Time Travel on Linux

Daniel P. Berrange dan at berrange.com
Sun Oct 23 22:20:08 UTC 2005


On Sun, Oct 23, 2005 at 10:51:15PM +0100, Richard Jones wrote:
> On Sun, Oct 23, 2005 at 05:13:17PM +0100, Daniel P. Berrange wrote:
> > Creating a new kernel space version of it would be pretty much
> > impossible with a stock kernel, since sys_call_table is no longer
> > exported to modules (a good thing BTW, since its primary use was
> > letting rootkits override various system calls ;-) 
> 
> Surely this is only a small hurdle for a rootkit - after all, they can
> still poke any address in memory?

Yeah, /dev/kmem is a nasty hole and really ought to be put out to
sleep with the fishes too. From what I read the X server is the only
user space app that really has justifiable call to use /dev/kmem
these days, and it sounds like there are medium term plans to remove
this need. So once you remove these holes, with SELinux protecting
all calls into kernel space from userland, and finally GPG signing of
kernel modules to prevent untrusted modules being loaded, things are a
hell of a lot harder for rootkits.

Dan.
-- 
|=-            GPG key: http://www.berrange.com/~dan/gpgkey.txt       -=|
|=-       Perl modules: http://search.cpan.org/~danberr/              -=|
|=-           Projects: http://freshmeat.net/~danielpb/               -=|
|=-   berrange at redhat.com  -  Daniel Berrange  -  dan at berrange.com    -=|
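The controls Dan lists above (no /dev/kmem, enforced module signatures, SELinux in enforcing mode, and locking out module loading) can be audited on a running box; the script below is an added example, not code from the thread. It assumes a modern kernel that exposes module.sig_enforce, /sys/fs/selinux/enforce and kernel.modules_disabled, and takes an optional root prefix so it can be run against a constructed tree.

```bash
#!/bin/sh
# Added example: audit the kernel hardening controls discussed in the thread.
# Every function takes an optional ROOT prefix (assumed, for testing against a
# constructed directory tree); with no argument it inspects the live system.

# Is /dev/kmem present at all? Prints "present" or "absent".
check_dev_kmem() {
    root="${1:-}"
    if [ -e "$root/dev/kmem" ]; then echo present; else echo absent; fi
}

# Module signature enforcement: sysfs exposes module.sig_enforce as Y or N.
check_sig_enforce() {
    root="${1:-}"
    f="$root/sys/module/module/parameters/sig_enforce"
    if [ -r "$f" ]; then
        case "$(cat "$f")" in Y) echo enforced ;; *) echo not-enforced ;; esac
    else
        echo unknown   # kernel built without module signing, or sysfs unmounted
    fi
}

# SELinux mode: /sys/fs/selinux/enforce reads 1 when enforcing, 0 when permissive.
check_selinux() {
    root="${1:-}"
    f="$root/sys/fs/selinux/enforce"
    if [ -r "$f" ]; then
        case "$(cat "$f")" in 1) echo enforcing ;; *) echo permissive ;; esac
    else
        echo disabled
    fi
}

# kernel.modules_disabled = 1 refuses all further module loads until reboot.
check_modules_disabled() {
    root="${1:-}"
    f="$root/proc/sys/kernel/modules_disabled"
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then echo locked; else echo open; fi
}

# Number of controls not in place; 0 means all four hold.
weak_count() {
    root="${1:-}"
    n=0
    [ "$(check_dev_kmem "$root")" = absent ] || n=$((n + 1))
    [ "$(check_sig_enforce "$root")" = enforced ] || n=$((n + 1))
    [ "$(check_selinux "$root")" = enforcing ] || n=$((n + 1))
    [ "$(check_modules_disabled "$root")" = locked ] || n=$((n + 1))
    echo "$n"
}

if [ "${1:-}" = "--run" ]; then
    echo "/dev/kmem: $(check_dev_kmem)  sig_enforce: $(check_sig_enforce)  selinux: $(check_selinux)  modules: $(check_modules_disabled)  weak: $(weak_count)"
fi
```

Run it as `sh audit.sh --run` on the live system; a non-zero weak count names which of the four controls is still missing.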