Bugtraq mailing list archives

Re: Announcement: Solaris loadable kernel module backdoor

From: kragen () POBOX COM (Kragen Sitaker)
Date: Mon, 27 Dec 1999 15:29:58 -0500


Ralf-P. Weinmann writes:

However I'd like to point out that you could add call a routine to
compute the MD5 or SHA-1 hash of the data copied with copy_from_user()
in sys_init_module() and reject it if it doesn't match a precomputed
value (which has to be securely stored somewhere in kernel space for
each and every module that the is allowed to be loaded).


However I'd like to point out that if modprobe is actually resolving
unresolved symbols in the module before it loads it, the MD5 or SHA-1
won't match, which is the case with Linux, according to a previous post
on this thread.

However I'd like to point out that you wouldn't win anything even if it
worked, without removing the numerous other ways root can subvert the
running kernel --- or, equivalently, all running processes (e.g.  with
ptrace).

--
<kragen () pobox com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
The Internet stock bubble didn't burst on 1999-11-08.  Hurrah!
<URL:http://www.pobox.com/~kragen/bubble.html>

Current thread:

Re: Announcement: Solaris loadable kernel module backdoor Ralf-Philipp Weinmann (Dec 26)
- Re: Announcement: Solaris loadable kernel module backdoor Pavel Kankovsky (Dec 28)
- <Possible follow-ups>
- Re: Announcement: Solaris loadable kernel module backdoor Kragen Sitaker (Dec 27)