Date: Fri, 5 Oct 2001 11:00:35 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Rasputin <rasputin@submonkey.net>
Cc: security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20011005110034.A310@blossom.cjclark.org>
In-Reply-To: <20011005100832.A547@shikima.mine.nu>; from rasputin@submonkey.net on Fri, Oct 05, 2001 at 10:08:32AM +0100
References: <20011004023034.U8391@blossom.cjclark.org> <20011004173535.0A2DE3B19D@gemini.nersc.gov> <20011005100832.A547@shikima.mine.nu>
On Fri, Oct 05, 2001 at 10:08:32AM +0100, Rasputin wrote:
> * Eli Dart <dart@nersc.gov> [011004 19:30]:
> >
> > In reply to "Crist J. Clark" <cristjc@earthlink.net> :
> >
> > [snip]
> >
> > > Have fun. Unless there is outpouring from people who love the idea,
> > > I'm not going to commit these to FreeBSD.
> >
> > Please consider this as part of an outpouring of support from people
> > who love the idea.
>
> "me too".
>
> Isn't this fairly common among the other BSDs as well?
>
> An alternative to securelevel is sometimes useful,
> and KLDs are a fairly well-known attack method against *BSD.
>
> I don't see any harm in adding it as an option - it doesn't have to
> (definitely shouldn't be) the default, of course.

The potential harm, and the reason I hesitated before doing it and
still hesitate to add it to the code base, is that it may give a
false sense of security. It blocks the kldload(2) syscall. That's it.
This prevents someone from using the convenient KLD interface to hook
code into the running kernel, it does not,

  - Stop someone from modifying the running kernel (through /dev/mem), or

  - Stop someone from putting a modified kernel (like one that allows
    KLDs, eep!) on your hard drive and rebooting the box.

Both of these can potentially be stopped by the proper use of
securelevel(8) (with all of its faults, it's still better). That's what
people who really want to lock down their box should be doing, not
this. But as I said originally, this may stop a script kiddie or
two... until someone with a clue writes them a script that loads the
kernel modifications via /dev/mem instead of kldload(8).
-- 
Crist J. Clark                     cjclark@alum.mit.edu
                                   cjclark@jhu.edu
                                   cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
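The reply above argues that blocking kldload(2) alone leaves two other routes into the kernel (writing /dev/mem, and replacing the on-disk kernel) and that securelevel(8) is what actually closes them. The following audit script is an added example, not code from this thread or from FreeBSD: it parses the output of `sysctl kern.securelevel`, `kldstat` and `ls -lo /boot/kernel/kernel`, and maps the three routes named in the reply to whether the running configuration blocks them, using the rules documented in securelevel(8)/init(8) (at securelevel >= 1 modules cannot be loaded or unloaded, /dev/mem and /dev/kmem cannot be opened for writing, and the system immutable flag `schg` cannot be cleared; at >= 2 raw disks of mounted file systems cannot be written either). The sample command outputs, the `EXPECTED_MODULES` allowlist and the module name `extra.ko` are constructed for the example.

```python
"""Audit the three kernel-modification routes discussed in the thread against
the protections securelevel(8) provides. Sample tool output below is constructed;
on a FreeBSD host main() runs the real commands instead."""
import re
import subprocess

# Constructed stand-ins for `sysctl kern.securelevel`, `kldstat` and
# `ls -lo /boot/kernel/kernel` on a box that has NOT raised securelevel.
SAMPLE_SECURELEVEL = "kern.securelevel: -1\n"
SAMPLE_KLDSTAT = """Id Refs Address                Size Name
 1   12 0xffffffff80200000  1f11f28 kernel
 2    1 0xffffffff82529000     3220 if_bridge.ko
 3    1 0xffffffff82540000     2140 extra.ko
"""
SAMPLE_LS_LO = "-r-xr-xr-x  1 root  wheel  schg 12345678 Oct  5  2001 /boot/kernel/kernel\n"

# Modules this host is expected to have loaded (constructed allowlist; a real
# one would be taken from a known-good baseline of the same host).
EXPECTED_MODULES = {"kernel", "if_bridge.ko"}


def parse_securelevel(text):
    """Return the integer securelevel from `sysctl kern.securelevel` output."""
    match = re.search(r"kern\.securelevel:\s*(-?\d+)", text)
    if not match:
        raise ValueError("no kern.securelevel line in output")
    return int(match.group(1))


def parse_kldstat(text):
    """Return the module names listed by kldstat, skipping the header line."""
    names = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 5:
            names.append(fields[-1])  # Name is the last column
    return names


def parse_flags(ls_lo_line):
    """Return the set of file flags from an `ls -lo` line; '-' means no flags.
    Columns: mode, links, owner, group, flags, size, date..., name."""
    flags = ls_lo_line.split()[4]
    return set() if flags == "-" else set(flags.split(","))


def assess(securelevel, kernel_flags, loaded_modules, expected=EXPECTED_MODULES):
    """Map each route from the thread to whether the configuration blocks it."""
    immutable = "schg" in kernel_flags
    return {
        "kldload blocked": securelevel >= 1,
        "/dev/mem writes blocked": securelevel >= 1,
        # schg alone is not enough: root can clear it unless securelevel >= 1.
        "on-disk kernel replace blocked": immutable and securelevel >= 1,
        # Writing the raw disk device around the file system needs >= 2.
        "raw disk writes blocked": securelevel >= 2,
        # Detection side: modules loaded that the baseline does not expect.
        "unexpected modules": sorted(set(loaded_modules) - set(expected)),
    }


def audit_from_outputs(sysctl_out, kldstat_out, ls_out):
    """Run the whole assessment from the three captured command outputs."""
    return assess(parse_securelevel(sysctl_out), parse_flags(ls_out),
                  parse_kldstat(kldstat_out))


def live_outputs():
    """Collect the real command outputs on a FreeBSD host."""
    run = lambda *argv: subprocess.run(argv, capture_output=True, text=True,
                                       check=True).stdout
    return (run("sysctl", "kern.securelevel"), run("kldstat"),
            run("ls", "-lo", "/boot/kernel/kernel"))


def main():
    try:
        outputs = live_outputs()
    except (OSError, subprocess.CalledProcessError):
        outputs = (SAMPLE_SECURELEVEL, SAMPLE_KLDSTAT, SAMPLE_LS_LO)  # offline
    for check, result in audit_from_outputs(*outputs).items():
        print(f"{check:32} {result}")


if __name__ == "__main__":
    main()
```

Against the constructed sample the script reports every route as open and flags `extra.ko` as unexpected; with `kern.securelevel=1` set in /etc/rc.conf and `schg` on the kernel image it reports kldload, /dev/mem writes and kernel replacement as blocked, which is the point of the reply: the kldload-only knob covers one of the three rows.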