From owner-freebsd-security Thu May 21 07:31:39 1998
Date: Thu, 21 May 1998 10:31:08 -0400 (EDT)
Message-Id: <199805211431.KAA17444@brain.zeus.leitch.com>
From: woods@zeus.leitch.com (Greg A. Woods)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
In-Reply-To: Mark Newton's message of "Thu, May 21, 1998 11:19:29 +0930" regarding "Re: Virus on FreeBSD" id <199805210149.LAA25157@frenzy.ct>
References: <199805210018.RAA04596@passer.osg.gov.bc.ca> <199805210149.LAA25157@frenzy.ct>
Reply-To: freebsd-security@FreeBSD.ORG
Organization: Planix, Inc.; Toronto, Ontario; Canada

[ On Thu, May 21, 1998 at 11:19:29 (+0930), Mark Newton wrote: ]
> Subject: Re: Virus on FreeBSD
>
> LKMs open vast new vistas of potential for viruses, btw.  I attended a
> series of seminars given by Kirk some number of years ago, where he
> said the decision to avoid expending development time on LKMs for 4.4BSD
> was partly motivated by the security concerns raised by the ability to
> move executable code from user-space (i.e.: the filesystem) into the
> kernel.

Mitnick's SunOS "tap" streams module is but one example :-)

A "published" LKM that can do the most nasty things was in the Phrack
newsletter issue #51.  Anyone who's read that article and has even the
tiniest amount of imagination would *NEVER* run LKMs on a production
machine.  Sure they're a great tool for doing OS development and
experimentation at the lowest levels, but they're more dangerous in a
production environment than not even having a root password in the first
place (at least with the latter you *know* your security is blown).

(And that's just one reason never to run SunOS-5 in production!  ;-)

I'd love to have a "virus" scanner that could detect the signature of a
LKM module or the LKM loader in a kernel.  Of course by "signature" here
I mean something that would recognize the style of code necessary to
perform this operation, not the specific sequence of bits in any given
implementation.

--
Greg A. Woods
+1 416 443-1734   VE3TCP
Planix, Inc.; Secrets of the Weird
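An added example, not part of the thread, of the crudest form of the check the post asks for: instead of recognizing loader code, it lists the modules a kernel has loaded and flags any not on a host-specific allowlist. It assumes the output format of modern FreeBSD `kldstat` (the 1998-era module tools printed something different), and the sample output and allowlist are constructed.

```python
import re
from typing import Dict, List

# Constructed sample of `kldstat` output (modern FreeBSD layout, an
# assumption; sizes are printed in hex without a 0x prefix).
SAMPLE_KLDSTAT = """\
Id Refs Address                Size Name
 1   12 0xffffffff80200000  1f11f28 kernel
 2    1 0xffffffff82320000    3b5a8 zfs.ko
 3    1 0xffffffff82360000     4d58 example_unknown.ko
"""

# Hypothetical allowlist an administrator maintains per host.
ALLOWED_MODULES = {"kernel", "zfs.ko"}

# Id, Refs, Address, Size, Name; the header line does not match.
_LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(\S+)\s*$"
)


def parse_kldstat(text: str) -> List[Dict[str, object]]:
    """Parse kldstat output into one dict per loaded module."""
    modules: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # header or blank line
        mod_id, refs, addr, size, name = m.groups()
        modules.append({
            "id": int(mod_id),
            "refs": int(refs),
            "address": addr,
            "size": int(size, 16),
            "name": name,
        })
    return modules


def unexpected_modules(text: str, allowed) -> List[str]:
    """Names of loaded modules that are not on the allowlist."""
    return [m["name"] for m in parse_kldstat(text) if m["name"] not in allowed]


if __name__ == "__main__":
    for name in unexpected_modules(SAMPLE_KLDSTAT, ALLOWED_MODULES):
        print("unexpected kernel module:", name)
```

This only sees what the kernel reports, so it is a baseline check rather than the code-style detector the post describes; a module that alters the module list itself would not appear here.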