[1647] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: Re: Malicious Linux modules

daemon@ATHENA.MIT.EDU (Andrea Mennucci)
Mon Oct 13 04:16:15 1997

From: mennucci@cibs.sns.it (Andrea Mennucci)
To: linux-security@redhat.com
Date: Sun, 12 Oct 1997 19:47:00 +0100 (DFT)
In-Reply-To: <199710091516.KAA19281@dancer.1stnet.com> from "Runar Jensen" at Oct 9, 97 10:16:32 am
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com


hwllo

> 
> In message <199710091142.HAA29040@mail.clark.net>, "Peter W" writes:
> 
> >> The implications should be obvious. Once a compromise has taken place,
>
> > Either of these situations would be "caught" by a properly configured
> > Tripwire.
>
> Once root access is gained, the module could very well be compiled and placed
> anywhere on the drive (like a home directory), loaded, and _then_ moved to
> /lib/modules. 


What about this (for very secure sites and/or paranoid)

1) a (patched and minimal) kernel on a diskette,
 with (patched and minimal) tripwire on it and the database.
 At boot time tripwire is executed (instead of init) and it
 fsck the disks, then it checksums (this may be done by contructing the 
 databases, not related to the all-mounted-filesystem, but to the single
 partitions) ; if the checksum is ok, the diskette is unmounted and 
 the ususal root partition is mounted as / (I do not beleive this can be 
 done right now) and tripwire execs init; otherwise 
 the console is queried for directions on what to do.
 If an intrusion is probable, rebooting is a safe way to know what has 
 happened

2) A family of patches or modules for kernel, I would call ``guardian''

guardian.modchksum
 this module is loaded with a chksum of current trusted modules
 When someone (even kerneld) asks to load a module, the module is
 chksummed and refused if it is not recognized
 
guardian.nowrite
 this module prohibits writing to a device.
 It can be used to protect /dev/hda (so that the MBR cannot be altered)
 or even the partition where /bin /etc are (in this case,
 maybee a ramdisk is created and mounted on tmp as first thing at boot time,
 and files like /etc/ldso.cache and /etc/mtab are linked in tmp; or
  I would suggest to write a module for the kernel called  ``ramfile''
 that is used to have certain files reside in ram)
 (The swap device needs probably to be protected somehow ?)
 When a system is properlly installed, even /usr could be locked.
 
guardian.notrm
 this module prohibits that any module called guardian* be unloaded
 (why not introduce a kernel password, that is asked when 
  you rmmod a guardian module?)
  
I believe this solution 2 is probably the best: you can have a fast
system, you install it, then you lock it tightly, and it
is as secure as the kernel is (and not as the weakest program you install)
 
I am not good enough to build this modules, less even to be sure they cannot
be bypassed

A.Mennucci

--
----------------------------------------------------------------------
Please refere to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null


home help back first fref pref prev next nref lref last post