From owner-freebsd-advocacy Thu Mar 23 17:45:33 2000
Delivered-To: freebsd-advocacy@freebsd.org
Received: from orion.ac.hmc.edu (Orion.AC.HMC.Edu [134.173.32.20])
	by hub.freebsd.org (Postfix) with ESMTP id 3809A37B506
	for ; Thu, 23 Mar 2000 17:45:30 -0800 (PST)
	(envelope-from brdavis@orion.ac.hmc.edu)
Received: (from brdavis@localhost)
	by orion.ac.hmc.edu (8.8.8/8.8.8) id RAA29070;
	Thu, 23 Mar 2000 17:45:22 -0800 (PST)
Date: Thu, 23 Mar 2000 17:45:21 -0800
From: Brooks Davis
To: Olaf Hoyer
Cc: advocacy@FreeBSD.ORG
Subject: Re: New article
Message-ID: <20000323174521.A25459@orion.ac.hmc.edu>
References: <200003231326.IAA24776@blackhelicopters.org> <38DA7A60.B7C23121@newsguy.com> <38DA950C.D4DCE9CC@softweyr.com> <38DAB25B.E2BBC400@newsguy.com> <4.1.20000324022914.00cbed30@mail.rz.fh-wilhelmshaven.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre4i
In-Reply-To: <4.1.20000324022914.00cbed30@mail.rz.fh-wilhelmshaven.de>; from ohoyer@fbwi.fh-wilhelmshaven.de on Fri, Mar 24, 2000 at 02:33:30AM +0100
Sender: owner-freebsd-advocacy@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Mar 24, 2000 at 02:33:30AM +0100, Olaf Hoyer wrote:
> Question: Is a loadable kernel module not a potential security risk?
>
> I mean, if some module (which runs in a deeper, privileged mode) has some
> malicious code in it, or simply is buggy, and is loaded during runtime, it
> could cause a box to simply crash.
>
> Imagine some attacker exchanging some kernel module for their own code, and
> causing that module to be loaded (say, some driver for access to certain
> filesystems, or zip drive etc...), or waiting for the module to be loaded
> (say, for regular, scheduled activities like backups or batch jobs or so)
>
> Wouldn't it be safer, from a technical point of view, to allow as few
> kernel modules as possible, thus enhancing stability and uptime?

The short answer is yes. The longer answer is: not if you do things right.
First, the kernel controls the ability to load modules once it is running,
so you can tell it not to allow the loading of any more modules. I think
you can currently compile this in or set the securelevel sufficiently high
to get this behavior today. Second, the plan is to allow you to create a
kernel image which contains all the modules you need in a single bundle.
This gives you a static configuration even in a modular system. There's
quite a bit of work to be done to get there, but that's my understanding of
the final goal.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
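An added example, not part of the original message: a check that reads an rc.conf-style file and reports whether the boot configuration will lock module loading through the securelevel discussed above. It assumes FreeBSD's `kern_securelevel_enable` and `kern_securelevel` rc.conf variables and that securelevel 1 or higher refuses kldload/kldunload; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: does this rc.conf raise the securelevel far enough to
# stop kernel modules being loaded after boot? (Function names are hypothetical.)

# rc_value FILE VAR: print the last uncommented assignment of VAR,
# quotes and trailing comments stripped. Prints nothing if VAR is unset.
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# module_loading_locked FILE: exit status 0 if the securelevel is enabled
# and set to 1 or higher, 1 otherwise (including unset or malformed values).
module_loading_locked() {
    enable=$(rc_value "$1" kern_securelevel_enable)
    level=$(rc_value "$1" kern_securelevel)
    case "$enable" in
        [Yy][Ee][Ss]) ;;
        *) return 1 ;;          # securelevel is never raised at boot
    esac
    case "$level" in
        -*) return 1 ;;         # negative level: permanently insecure mode
        ''|*[!0-9]*) return 1 ;; # unset or not a number
    esac
    [ "$level" -ge 1 ]
}

# write_samples DIR: constructed rc.conf fragments for demonstration.
write_samples() {
    printf '%s\n' 'kern_securelevel_enable="YES"' 'kern_securelevel="1"' \
        > "$1/locked.conf"
    printf '%s\n' 'kern_securelevel_enable="YES"' 'kern_securelevel="-1"' \
        > "$1/open.conf"
    # Enable line is commented out, so the level below has no effect.
    printf '%s\n' '# kern_securelevel_enable="YES"' 'kern_securelevel="2"' \
        > "$1/commented.conf"
}
```

On a running FreeBSD host, `sysctl -n kern.securelevel` shows the level actually in force, which is worth comparing against what the configuration file claims.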