Bugtraq mailing list archives
Re: Announcement: Solaris loadable kernel module backdoor
From: weinmann () RBG INFORMATIK TU-DARMSTADT DE (Ralf-Philipp Weinmann)
Date: Sun, 26 Dec 1999 18:01:33 +0100
Keith Owens <kaos () OCS COM AU> writes:
On Tue, 21 Dec 1999 14:33:50 -0800, pedward () WEBCOM COM wrote:At boot, compile the list of modules that are 'known good' (for the sake of argument, it's the /lib/modules/x.y.z), then write the list, with MD5 checksums, to a write once /proc interface to kmod. kmod would check the MD5 sum before loading the requested module, if it didn't match the in-kernel list, don't allow it.kmod does not load modules. It starts a kernel thread and invokes modprobe. modprobe runs /etc/modules.conf and the the dependency chain then loads anywhere between zero and n modules. All of this work is in user space and it is all outside kernel control.
However I'd like to point out that you could add call a routine to compute the MD5 or SHA-1 hash of the data copied with copy_from_user() in sys_init_module() and reject it if it doesn't match a precomputed value (which has to be securely stored somewhere in kernel space for each and every module that the is allowed to be loaded). A scheme I'd prefer would be to have a trusted signing key in the kernel and allow the user to write a signed list of modules and their respective hash values to say /proc/securemodules. This allows for utmost flexibility and security IMHO. -rpw -- Ralf-P. Weinmann (weinmann () rbg informatik tu-darmstadt de) PGP key len/id/fingerprint: 2048/09AAEEAA1/46C772078ACB58DEF6EBF8030CBF1724 GPG key fingerprint: C66F E290 4B48 459B 9283 2A75 2236 8340 BCCD 38B5
Current thread:
- Re: Announcement: Solaris loadable kernel module backdoor Ralf-Philipp Weinmann (Dec 26)
- Re: Announcement: Solaris loadable kernel module backdoor Pavel Kankovsky (Dec 28)
- <Possible follow-ups>
- Re: Announcement: Solaris loadable kernel module backdoor Kragen Sitaker (Dec 27)