From owner-freebsd-security Mon May 25 08:18:41 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA04131 for freebsd-security-outgoing; Mon, 25 May 1998 08:18:41 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gateman.zeus.leitch.com (gateman.zeus.leitch.com [204.187.61.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA04119 for ; Mon, 25 May 1998 08:18:31 -0700 (PDT) (envelope-from woods@tap.zeus.leitch.com)
Received: from zeus.leitch.com (tap.zeus.leitch.com [204.187.61.10]) by gateman.zeus.leitch.com (8.8.5/8.7.3/1.0) with ESMTP id LAA19262 for ; Mon, 25 May 1998 11:18:16 -0400 (EDT)
Received: from brain.zeus.leitch.com (brain.zeus.leitch.com [204.187.61.32]) by zeus.leitch.com (8.7.5/8.7.3/1.0) with ESMTP id LAA26693 for ; Mon, 25 May 1998 11:18:27 -0400 (EDT)
Received: (from woods@localhost) by brain.zeus.leitch.com (8.8.8/8.8.8) id LAA05684; Mon, 25 May 1998 11:18:27 -0400 (EDT) (envelope-from woods@tap.zeus.leitch.com)
Date: Mon, 25 May 1998 11:18:27 -0400 (EDT)
Message-Id: <199805251518.LAA05684@brain.zeus.leitch.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: woods@zeus.leitch.com (Greg A. Woods)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
In-Reply-To: Nicholas Charles Brawn's message of "Fri, May 22, 1998 10:02:46 +1000" regarding "Re: Virus on FreeBSD" id
References: <199805211431.KAA17444@brain.zeus.leitch.com>
X-Mailer: VM 6.45 under Emacs 20.2.1
Reply-To: freebsd-security@FreeBSD.ORG
Organization: Planix, Inc.; Toronto, Ontario; Canada
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

[ On Fri, May 22, 1998 at 10:02:46 (+1000), Nicholas Charles Brawn wrote: ]
> Subject: Re: Virus on FreeBSD
>
> > I'd love to have a "virus" scanner that could detect the signature of a
> > LKM module or the LKM loader in a kernel.  Of course by "signature" here
> > I mean something that would recognize the style of code necessary to
> > perform this operation, not the specific sequence of bits in any given
> > implementation.
>
> You may have a point here.  Is there any way you could "sign" a module to
> ensure its authenticity?  And on top of that build in an automatic
> authentication system within the kernel that rejects lkm's that are not
> signed?  Perhaps this could be included so as to be performed at one of the
> securelevels?

I meant that the other way around.  I don't think I'd trust such signatures.
If the system has been cracked enough that someone is trying to load some
untrusted module, then how can I trust the signature, no matter where I
retrieve it from?

I meant some way to detect the pattern of code in the *kernel* that is
necessary to implement a module loader.  I don't have my hopes up, of course,
as this is indeed a very simple operation and not a whole lot different than
any number of other operations an OS performs.

Detecting the pattern of code of a loadable module in files might be a good
thing too, as you could then scan for hidden instances of such modules.  Of
course any cracker worth their salt would at least obscure the contents of
the file with some trivial "encryption" mechanism....  :-)

-- 
Greg A. Woods

+1 416 443-1734      VE3TCP
Planix, Inc. ; Secrets of the Weird

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
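As an added illustration, not code from this thread or from FreeBSD, here is the signed-module gate Brawn describes, written in Go: the verification key is compiled into the kernel image rather than read from the filesystem, and enforcement is tied to securelevel. `Kernel`, `Module`, `Load` and `Scenario` are constructed names, and the module image is a constructed byte string, not real object code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Kernel models the loader policy proposed in the thread: signatures are
// checked inside the kernel and enforced from securelevel 1 upward. TrustKey
// is compiled into the kernel image rather than read from disk, since a key
// fetched from a compromised filesystem is worth no more than the module.
type Kernel struct {
	Securelevel int
	TrustKey    ed25519.PublicKey
}

// Module is a loadable image plus a detached Ed25519 signature over it.
type Module struct {
	Image, Sig []byte
}

var ErrRejected = errors.New("module rejected: missing or invalid signature")

// Load returns nil if the module may be loaded: anything at securelevel 0,
// only images whose signature verifies under TrustKey from securelevel 1.
func (k *Kernel) Load(m Module) error {
	if k.Securelevel >= 1 && !ed25519.Verify(k.TrustKey, m.Image, m.Sig) {
		return ErrRejected
	}
	return nil
}

// Scenario signs a constructed image with the vendor key, then tries a tampered
// copy and a copy signed by an unrelated key on a securelevel-1 kernel;
// atLevel0 reports whether the unrelated-key module loads at securelevel 0.
func Scenario() (legit, tampered, foreignKey, atLevel0 bool, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	image := []byte("constructed sample module image, not real object code")
	good := Module{Image: image, Sig: ed25519.Sign(vendorPriv, image)}
	bad := Module{Image: append([]byte(nil), image...), Sig: good.Sig}
	bad.Image[0] ^= 0xff // one flipped byte invalidates the signature
	foreign := Module{Image: image, Sig: ed25519.Sign(otherPriv, image)}
	hard := &Kernel{Securelevel: 1, TrustKey: vendorPub}
	legit, tampered = hard.Load(good) == nil, hard.Load(bad) == nil
	foreignKey = hard.Load(foreign) == nil
	atLevel0 = (&Kernel{Securelevel: 0, TrustKey: vendorPub}).Load(foreign) == nil
	return
}
```

The last result is the point Woods makes: the gate only helps if it is already enforced before the machine is compromised; a kernel still at securelevel 0, or one that reads its trust key from a disk the attacker controls, loads whatever it is handed.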