[1649] in linux-security and linux-alert archive
[linux-security] Re: Re: Re: Malicious Linux modules
daemon@ATHENA.MIT.EDU (Jason Uhlenkott)
Tue Oct 14 15:43:02 1997
Date: Mon, 13 Oct 1997 21:38:14 -0800
From: Jason Uhlenkott <jasonuhl@usa.net>
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
Andrea Mennucci wrote:
> What about this (for very secure sites and/or paranoid)
>
[section about a secure setup deleted -- REW]
This is just a crazy idea, but what about a trojan flash bios? That
would be nasty.
Most (all?) motherboards with flashable bioses have a jumper that lets
you boot from a non-flashable rom, to recover in case you ever mis-flash
and make the system unbootable.
[mod: My motherboard has a "lower 8k" that can be write protected by
that jumper. This small BIOS has just enough power to boot a floppy,
to allow you to flash the rest of the BIOS. This indeed implies that
most of the flash BIOS is writable at all times..... -- REW]
1. Power down.
2. Set the flash bios recovery jumper.
3. Get a boot floppy from a trusted, uncompromised machine (or your own
machine before it was compromised), with a copy of your flash bios.
Boot from the floppy and re-flash.
4. Power down.
5. Set the jumper back.
6. Before your machine was compromised, you should have made a floppy
with a kernel, the necessary stuff to get booted up, the tripwire
binary, and a clean copy of /var/spool/tripwire/tw.db_hostname. If not,
it's time to "rm -rf /". If so, boot from this floppy.
7. Mount your hard drive partition(s) noexec,nodev.
8. Use the tripwire binary and database on your floppy, and check your
hard drive partition(s).
9. If everything is in order, boot your system normally again.
The module guardian idea really just adds another level of security
through obscurity. If the intruder can get root then they can write to
/proc/kcore, and if they're clever enough they could patch the guardian
code out of the running kernel.
--
----------------------------------------------------------------------
Please refere to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null