On 4/15/05, Lee Revell <[EMAIL PROTECTED]> wrote:
> On Fri, 2005-04-15 at 11:40 -0700, Daniel Souza wrote:
> > A way to "protect" system calls is, after booting a trusted kernel image,
> > take a MD5 of the syscall functions' implementations (the opcodes that
> > are part of sys_read for example) and
On 4/15/05, Allison <[EMAIL PROTECTED]> wrote:
> Isn't the kernel code segment marked read-only? How can the module
> write into the function text in the kernel? Shouldn't this cause some
> kind of protection fault?
The kernel code segment is totally inaccessible to userspace programs,
and to ke
On Fri, 2005-04-15 at 11:40 -0700, Daniel Souza wrote:
> A way to "protect" system calls is, after booting a trusted kernel image,
> take a MD5 of the syscall functions' implementations (the opcodes that
> are part of sys_read for example) and store it in a secure place.
That's the problem, once the
Lennart Sorensen wrote:
Well, you could build a monolithic kernel with module loading turned off
entirely, but that doesn't prevent replacing libc, which most programs
use to make those system calls.
As pointed out elsewhere, modules are not the only way to load kernel
code live. Modules are just a cl
Isn't the kernel code segment marked read-only? How can the module
write into the function text in the kernel? Shouldn't this cause some
kind of protection fault?
thanks,
Allison
Lee Revell wrote:
> On Fri, 2005-04-15 at 18:15 +, Allison wrote:
> > Once these are loaded into the kernel, is
PS: suckit is not loaded as a kernel module. It uses interrupt gates
to allocate kernel memory and install itself in that memory block,
patching some syscalls and doing other stuff.
A way to "protect" system calls is, after booting a trusted kernel image,
take a MD5 of the syscall functions' impleme
On Fri, Apr 15, 2005 at 06:15:37PM +, Allison wrote:
> I got the terminology mixed up. I guess what I really want to know is,
> what are the different types of exploits by which rootkits
> (specifically the ones that modify the kernel) can get installed on
> your system (other than buffer overf
On Fri, 2005-04-15 at 18:15 +, Allison wrote:
> Once these are loaded into the kernel, is there no way the kernel
> functions can be protected?
No. If the attacker can load arbitrary code into the kernel, game over.
Think about it.
Lee
Dear diary, on Fri, Apr 15, 2005 at 08:15:37PM CEST, I got a letter
where Allison <[EMAIL PROTECTED]> told me that...
> hi,
Hello,
> I got the terminology mixed up. I guess what I really want to know is,
> what are the different types of exploits by which rootkits
> (specifically the ones that mo
In fact, LKMs are not the only way to make code run in the kernel. We
can install a kernel rootkit even when LKM support is disabled. For
example, by patching kernel memory, you can modify the behavior of the
kernel on-the-fly without restarting the machine, just
inserting code in the right me
hi,
I got the terminology mixed up. I guess what I really want to know is,
what are the different types of exploits by which rootkits
(specifically the ones that modify the kernel) can get installed on
your system (other than buffer overflow and somebody stealing the root
password).
I know that Su
On Fri, 2005-04-15 at 13:33 -0400, Malita, Florin wrote:
> On Fri, 2005-04-15 at 13:16 -0400, Richard B. Johnson wrote:
> > I'm not sure there really are any "kernel" rootkits. You need to be
> > root to install a module and you need to be root to replace a kernel
> > with a new (possibly altered
On Fri, 2005-04-15 at 13:16 -0400, Richard B. Johnson wrote:
> I'm not sure there really are any "kernel" rootkits. You need to be
> root to install a module and you need to be root to replace a kernel
> with a new (possibly altered) one. If you are root, you don't
> need an exploit.
rootkit !=
On Fri, 15 Apr 2005, Allison wrote:
Hi,
I was curious about how kernel rootkits become part of the kernel?
One way I guess is by inserting a kernel module. And rootkits also
manage to hide themselves from rootkit detectors.
I'm not sure there really are any "kernel" rootkits. You need to be
roo