LKM Backdoors

Discuss and suggest new grsecurity features


Postby ameen » Tue Apr 08, 2003 6:57 am

Hello,
I am curious to know if grsecurity-patched kernels can prevent LKM backdoors like SuckIt from loading. The interesting thing about SuckIt is that it is able to load even with kernel module loading support off. It does it by on-the-fly kernel patching.

More info here:
http://www.phrack.com/show.php?p=58&a=7

Your feedback would be great.

Thanks,
Ameen
ameen
 
Posts: 10
Joined: Sat Oct 12, 2002 9:22 pm

Postby spender » Tue Apr 08, 2003 7:46 am

Read the configuration help for the Address Space Modification Protection section of grsecurity. There are features in there that will prevent modification of the kernel via an LKM or /dev/mem or /dev/kmem, or other methods that aren't in public use yet (we've beat them to the punch). In addition, two features of PaX will help prevent exploitation of overflows in the kernel. In addition, several locations within the kernel that are "nice" for an attacker have been made read-only.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
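The post above points at the kernel configuration rather than a runtime tool, so the natural practitioner check is an audit of the build config together with a probe of the device node SuckIt-style patching goes through. The program below is an added example written for this page; it is not grsecurity code and not something from the thread. The CONFIG_* names (CONFIG_GRKERNSEC_KMEM for the /dev/kmem, /dev/mem and /dev/port write block, CONFIG_GRKERNSEC_IO for disabling privileged I/O, CONFIG_PAX_KERNEXEC for the PaX kernel-text protection) are written from memory of 2.4-era grsecurity/PaX and should be treated as assumptions to confirm against the help text of the version you build; the two embedded .config fragments are constructed, not taken from a real machine.

```c
/* Added example, not from the original thread or from grsecurity itself:
 * audit a kernel .config for the options spender refers to, then probe
 * /dev/kmem at runtime.  CONFIG_* names are assumptions from memory of
 * 2.4-era grsecurity/PaX; confirm them against your version's help text. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* 1 if "OPTION=y" appears as a whole line in cfg; 0 if the option is
 * absent, "# OPTION is not set", or built as a module ("OPTION=m"). */
int config_is_builtin(const char *cfg, const char *option)
{
    char needle[128];
    size_t n = (size_t)snprintf(needle, sizeof needle, "%s=y", option);
    if (n >= sizeof needle)
        return 0;
    for (const char *p = strstr(cfg, needle); p; p = strstr(p + n, needle)) {
        int at_line_start = (p == cfg || p[-1] == '\n');
        char after = p[n];
        if (at_line_start && (after == '\n' || after == '\0'))
            return 1;                 /* exact line, not a longer option name */
    }
    return 0;
}

struct check {
    const char *option;
    const char *what;
    int want;                         /* 1 = should be built in, 0 = should be off */
};

static const struct check checks[] = {
    { "CONFIG_GRKERNSEC_KMEM", "deny writes to /dev/mem, /dev/kmem and /dev/port", 1 },
    { "CONFIG_GRKERNSEC_IO",   "disable privileged I/O (ioperm/iopl)",             1 },
    { "CONFIG_PAX_KERNEXEC",   "PaX: read-only kernel code, non-executable data",  1 },
    { "CONFIG_MODULES",        "loadable module support (off = monolithic)",       0 },
};
#define NCHECKS (sizeof checks / sizeof checks[0])

/* Run every check against cfg; return how many are NOT in the wanted state. */
int audit_config(const char *cfg, int verbose)
{
    int bad = 0;
    for (size_t i = 0; i < NCHECKS; i++) {
        int on = config_is_builtin(cfg, checks[i].option);
        int ok = (on == checks[i].want);
        if (!ok)
            bad++;
        if (verbose)
            printf("%-4s %-24s %s\n", ok ? "ok" : "WARN", checks[i].option, checks[i].what);
    }
    return bad;
}

/* Runtime probe: open a device node read-write.  Returns 0 if the open
 * succeeded (root could patch kernel memory through it) or errno if it
 * failed; a kernel with the KMEM protection should refuse with EPERM. */
int probe_rw(const char *path)
{
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Two constructed .config fragments (not from any real machine). */
const char hardened_cfg[] =
    "# CONFIG_MODULES is not set\n"
    "CONFIG_GRKERNSEC=y\n"
    "CONFIG_GRKERNSEC_KMEM=y\n"
    "CONFIG_GRKERNSEC_IO=y\n"
    "CONFIG_PAX_KERNEXEC=y\n";

const char stock_cfg[] =
    "CONFIG_MODULES=y\n"
    "CONFIG_KMOD=y\n"
    "# CONFIG_GRKERNSEC_KMEM is not set\n";

int main(int argc, char **argv)
{
    static char buf[1 << 20];
    const char *cfg = hardened_cfg;      /* default: audit the built-in sample */
    if (argc > 1) {                      /* e.g. ./kcheck /boot/config-$(uname -r) */
        FILE *f = fopen(argv[1], "r");
        if (!f) {
            perror(argv[1]);
            return 2;
        }
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        cfg = buf;
    }
    int bad = audit_config(cfg, 1);
    printf("%d option(s) not in the wanted state\n", bad);
    int e = probe_rw("/dev/kmem");
    printf("/dev/kmem O_RDWR: %s\n", e ? strerror(e) : "opened (kernel memory is writable!)");
    return bad ? 1 : 0;
}
```

Run it as root against the config of the running kernel (a plain-text copy under /boot, or `zcat /proc/config.gz > /tmp/cfg` where that option exists). The config audit only proves what was compiled in; the probe is the part that matters for SuckIt's technique, since that rootkit writes through /dev/kmem rather than calling init_module, which is why turning off CONFIG_MODULES alone does not stop it. On a kernel without a /dev/kmem node at all the probe simply reports ENOENT, which closes the same door in a different way.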

Postby fyrfalcon » Tue Apr 08, 2003 1:16 pm

yea what brad said... ^_^
fyrfalcon
 

Postby Incognito » Sun Nov 16, 2003 1:41 am

Hi sorry to bump an old thread, but where do I enable address space modification protection in the grsecurity section of the kernel configuration?
Incognito
 
Posts: 11
Joined: Sat May 10, 2003 7:53 pm

Postby Incognito » Sun Nov 16, 2003 1:44 am

sorry, question answered.
Incognito
 
Posts: 11
Joined: Sat May 10, 2003 7:53 pm

Postby letrout » Sat Feb 21, 2004 7:24 pm

Does this mean it's safe to use a modular kernel with grsecurity? Or just that it protects a monolithic kernel from on-the-fly patching? I'm making my new machine monolithic after another got compromised with Suckit/LKM. But I'd prefer to use a modular kernel, providing it can be done safely.
letrout
 
Posts: 14
Joined: Thu Feb 19, 2004 3:48 pm

Postby fwiffo » Mon Apr 12, 2004 9:00 am

This is personal opinion, someone may argue, consider it so....

I don't think that a modular kernel is to be considered secure in any way, since the idea alone that a user-space program can load something into the kernel without too much complaint is already bad per se. And with the proper permissions this can be done, and I would prevent that; making things more difficult is already a step forward, since a kernel-space backdoor is really difficult to spot with normal use. On the other hand, user-space backdoors are really easy to find.

At least this is what I think, and the way I see things. I use monolithic kernels in my systems since 2.2.x, even on desktop ones, I really don't like the idea of "modules" loaded on the fly :/
fwiffo
 
Posts: 10
Joined: Fri Mar 12, 2004 6:50 pm
