Hello,
I am curious to know if grsecurity patched kernels can prevent LKM backdoors like SuckIt from loading. The interesting thing about SuckIt is it is able to load even with kernel module loading support off. It does it by on the fly kernel patching..
More info here:
http://www.phrack.com/show.php?p=58&a=7
Your feedback would be great.
Thanks,
Ameen
LKM Backdoor's
7 posts
• Page 1 of 1
by spender » Tue Apr 08, 2003 7:46 am
Read the configuration help for the Address Space Modification Protection section of grsecurity. There are features in there that will prevent modification of the kernel via an LKM or /dev/mem or /dev/kmem, or other methods that aren't in public use yet (we've beat them to the punch). In addition, two features of PaX will help prevent exploitation of overflows in the kernel. In addition, several locations within the kernel that are "nice" for an attacker have been made read-only.
-Brad
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
by letrout » Sat Feb 21, 2004 7:24 pm
Does this mean it's safe to use a modular kernel with grsecurity? Or just that it protects a monolithic kernel from on-the-fly patching? I'm making my new machine monolithic after another got compromised with Suckit/LKM. But I'd prefer to use a modular kernel, providing it can be done safely.
- letrout
- Posts: 14
- Joined: Thu Feb 19, 2004 3:48 pm
by fwiffo » Mon Apr 12, 2004 9:00 am
This is personal opinion, someone may argue, consider it so....
I don't think that a modular kernel is to be considered secure in any way, since only the idea that a user-space program can load something into the kernel without too much complain is already bad per-se...And with proper permission this can be done, and I would prevent that, making things more difficult is already a step forward, since a kernel-space backdoor is a really difficult to spot with normal use; In the other side the user-space backdoor are really easy to find.
At least this is what I think, and the way I see things. I use monolithic kernels in my systems since 2.2.x, even on desktop ones, I really don't like the idea of "modules" loaded on the fly :/
I don't think that a modular kernel is to be considered secure in any way, since only the idea that a user-space program can load something into the kernel without too much complain is already bad per-se...And with proper permission this can be done, and I would prevent that, making things more difficult is already a step forward, since a kernel-space backdoor is a really difficult to spot with normal use; In the other side the user-space backdoor are really easy to find.
At least this is what I think, and the way I see things. I use monolithic kernels in my systems since 2.2.x, even on desktop ones, I really don't like the idea of "modules" loaded on the fly :/
- fwiffo
- Posts: 10
- Joined: Fri Mar 12, 2004 6:50 pm
7 posts
• Page 1 of 1