From: Philippe Regnauld
To: Nicholas Charles Brawn
Cc: freebsd-security@FreeBSD.ORG
Date: Fri, 22 May 1998 10:23:23 +0200
Subject: Re: Virus on FreeBSD
Message-ID: <19980522102323.48197@deepo.prosa.dk>
References: <199805211431.KAA17444@brain.zeus.leitch.com>
In-Reply-To: from Nicholas Charles Brawn on Fri, May 22, 1998 at 10:02:46AM +1000
X-Mailer: Mutt 0.88e
X-Operating-System: FreeBSD 2.2.5-STABLE i386
Organization: PROSA

Nicholas Charles Brawn writes:
> > > I'd love to have a "virus" scanner that could detect the signature of a
> > > LKM module or the LKM loader in a kernel. Of course by "signature" here
> > > I mean something that would recognize the style of code necessary to
> > > perform this operation, not the specific sequence of bits in any given
> > > implementation.
>
> You may have a point here. Is there any way you could "sign" a module to
> ensure its authenticity?
> And on top of that build in an automatic
> authentication system within the kernel that rejects LKMs that are not
> signed? Perhaps this could be included so as to be performed at one of the
> securelevels?

Hey, great idea, let's call it Active-LKM. :-)

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
«Pluto placed his bad dog at the entrance of Hades to keep the dead IN and
the living OUT! The archetypical corporate firewall?» - S. Kelly Bootle
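The signed-module gate Brawn asks about, sketched as an added example in Go; this is not code from the thread or from FreeBSD's LKM loader. It assumes a detached Ed25519 signature over the module image, a trusted public key compiled into the kernel, and a policy (my assumption) where securelevel 0 still loads unsigned modules while securelevel 1 and above reject anything unsigned or tampered.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Errors the loader returns so callers (and logs) can tell "no signature at all"
// from "signature present but does not match the image".
var (
	ErrUnsigned = errors.New("module is unsigned")
	ErrBadSig   = errors.New("module signature does not verify")
)

// SignModule is the build/packaging side: a detached Ed25519 signature over
// the raw module image, distributed alongside the module.
func SignModule(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, image)
}

// LoadModule is the kernel-side gate. The trusted key is assumed to be baked
// into the kernel at build time (assumption, not a FreeBSD interface).
func LoadModule(secureLevel int, trusted ed25519.PublicKey, image, sig []byte) error {
	if secureLevel < 1 {
		return nil // permissive securelevel: legacy behaviour, anything loads
	}
	if len(sig) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(trusted, image, sig) {
		return ErrBadSig // covers both a forged key and a modified image
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	image := []byte("constructed sample LKM image, not a real module")
	sig := SignModule(priv, image)
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff // flip one bit after signing
	fmt.Println("signed:  ", LoadModule(1, pub, image, sig))
	fmt.Println("tampered:", LoadModule(1, pub, tampered, sig))
	fmt.Println("unsigned:", LoadModule(1, pub, image, nil))
	fmt.Println("level 0: ", LoadModule(0, pub, image, nil))
}
```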