
LKM Backdoors

PostPosted: Tue Apr 08, 2003 6:57 am
by ameen
Hello,
I am curious to know if grsecurity-patched kernels can prevent LKM backdoors like SuckIt from loading. The interesting thing about SuckIt is that it is able to load even with kernel module loading support off. It does it by on-the-fly kernel patching.

More info here:
http://www.phrack.com/show.php?p=58&a=7

Your feedback would be great.

Thanks,
Ameen

PostPosted: Tue Apr 08, 2003 7:46 am
by spender
Read the configuration help for the Address Space Modification Protection section of grsecurity. There are features in there that will prevent modification of the kernel via an LKM, /dev/mem or /dev/kmem, or other methods that aren't in public use yet (we've beaten them to the punch). In addition, two features of PaX will help prevent exploitation of overflows in the kernel. In addition, several locations within the kernel that are "nice" for an attacker have been made read-only.

-Brad

PostPosted: Tue Apr 08, 2003 1:16 pm
by fyrfalcon
Yeah, what Brad said... ^_^

PostPosted: Sun Nov 16, 2003 1:41 am
by Incognito
Hi, sorry to bump an old thread, but where do I enable Address Space Modification Protection in the grsecurity section of the kernel configuration?

PostPosted: Sun Nov 16, 2003 1:44 am
by Incognito
Sorry, question answered.

PostPosted: Sat Feb 21, 2004 7:24 pm
by letrout
Does this mean it's safe to use a modular kernel with grsecurity? Or just that it protects a monolithic kernel from on-the-fly patching? I'm making my new machine monolithic after another got compromised with Suckit/LKM. But I'd prefer to use a modular kernel, providing it can be done safely.

PostPosted: Mon Apr 12, 2004 9:00 am
by fwiffo
This is a personal opinion; someone may argue, so consider it as such....

I don't think that a modular kernel is to be considered secure in any way, since the mere idea that a user-space program can load something into the kernel without too much complaint is already bad per se. And with the proper permissions this can be done, and I would prevent that; making things more difficult is already a step forward, since a kernel-space backdoor is really difficult to spot in normal use. On the other hand, user-space backdoors are really easy to find.

At least this is what I think, and the way I see things. I have used monolithic kernels on my systems since 2.2.x, even on desktop ones; I really don't like the idea of "modules" loaded on the fly :/