From owner-freebsd-security Thu May 21 17:03:19 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA03960 for freebsd-security-outgoing; Thu, 21 May 1998 17:03:19 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from wumpus.its.uow.edu.au (wumpus.its.uow.edu.au [130.130.68.12]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA03885 for ; Thu, 21 May 1998 17:02:51 -0700 (PDT) (envelope-from ncb05@uow.edu.au)
Received: from banshee.cs.uow.edu.au (ncb05@banshee.cs.uow.edu.au [130.130.188.1]) by wumpus.its.uow.edu.au (8.9.0.Beta5/8.9.0.Beta5) with SMTP id KAA25995 for ; Fri, 22 May 1998 10:02:46 +1000 (EST)
Date: Fri, 22 May 1998 10:02:46 +1000 (EST)
From: Nicholas Charles Brawn <ncb05@uow.edu.au>
X-Sender: ncb05@banshee.cs.uow.edu.au
To: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
In-Reply-To: <199805211431.KAA17444@brain.zeus.leitch.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Thu, 21 May 1998, Greg A. Woods wrote:

> [ On Thu, May 21, 1998 at 11:19:29 (+0930), Mark Newton wrote: ]
> > Subject: Re: Virus on FreeBSD
> >
> > LKMs open vast new vistas of potential for viruses, btw. I attended a
> > series of seminars given by Kirk some number of years ago, where he
> > said the decision to avoid expending development time on LKMs for 4.4BSD
> > was partly motivated by the security concerns raised by the ability to
> > move executable code from user-space (i.e.: the filesystem) into the
> > kernel. Mitnick's SunOS "tap" streams module is but one example :-)
>
> A "published" LKM that can do the most nasty things was in the Phrack
> newsletter issue #51.
>
> Anyone who's read that article and has even the tiniest amount of
> imagination would *NEVER* run LKMs on a production machine. Sure
> they're a great tool for doing OS development and experimentation at the
> lowest levels, but they're more dangerous in a production environment
> than not even having a root password in the first place (at least with
> the latter you *know* your security is blown).
>
> (And that's just one reason never to run SunOS-5 in production! ;-)
>
> I'd love to have a "virus" scanner that could detect the signature of a
> LKM module or the LKM loader in a kernel. Of course by "signature" here
> I mean something that would recognize the style of code necessary to
> perform this operation, not the specific sequence of bits in any given
> implementation.

You may have a point here. Is there any way you could "sign" a module to
ensure its authenticity? And on top of that build in an automatic
authentication system within the kernel that rejects LKMs that are not
signed? Perhaps this could be included so as to be performed at one of the
securelevels?

> --
> Greg A. Woods
>
> +1 416 443-1734 VE3TCP
> Planix, Inc. ; Secrets of the Weird

Nick

--
Email: ncb05@uow.edu.au - DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
http://rabble.uow.edu.au/~nick - public key available on request.
Nicholas Brawn - Computer Science Undergraduate, University of Wollongong.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
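The scheme Nick sketches above (sign each module, have the kernel verify the signature, and tie enforcement to securelevel) can be modelled in a few dozen lines. The following is an added example written for this page, not code from FreeBSD, the thread's authors, or any real LKM loader. It assumes a hypothetical in-kernel `Kernel` object with a `load_lkm()` entry point and a constructed module image; it uses a Lamport one-time signature over SHA-256 because that is a genuine public-key signature buildable from the Python standard library alone (a real kernel would embed an RSA or Ed25519 public key). The securelevel semantics mirror the BSD rule that securelevel may be raised at run time but never lowered.

```python
"""Model of a kernel that rejects unsigned or tampered LKMs once securelevel >= 1.

Added illustration for the signed-module idea in the thread. Nothing here is
a FreeBSD interface; the Kernel class, load_lkm(), and the module image are
constructed for the example. The signature scheme is a Lamport one-time
signature (each key pair may sign exactly one module image).
"""
import hashlib
import secrets

HASH = hashlib.sha256
N = 256  # SHA-256 digest length in bits; one preimage pair per bit


def keygen():
    # Secret key: 256 pairs of random 32-byte preimages.
    # Public key: the SHA-256 of each preimage. Only the public key goes in the kernel.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def sign(sk, module_image):
    # Reveal, for each bit of the image digest, the preimage selected by that bit.
    # Signing a second, different image with the same sk leaks both preimages of
    # every differing bit, so a key pair is strictly single-use.
    h = int.from_bytes(HASH(module_image).digest(), "big")
    return [sk[i][(h >> (N - 1 - i)) & 1] for i in range(N)]


def verify(pk, module_image, sig):
    # Recompute the digest, hash each revealed preimage, and compare it with the
    # public-key hash the digest bit selects. Every bit is checked so a mismatch
    # does not short-circuit the loop.
    if len(sig) != N:
        return False
    h = int.from_bytes(HASH(module_image).digest(), "big")
    ok = True
    for i in range(N):
        bit = (h >> (N - 1 - i)) & 1
        ok &= secrets.compare_digest(HASH(sig[i]).digest(), pk[i][bit])
    return ok


class Kernel:
    """Hypothetical loader: unsigned modules are allowed only at securelevel 0."""

    def __init__(self, trusted_pk):
        self.trusted_pk = trusted_pk  # public key compiled into the kernel image
        self.securelevel = 0
        self.loaded = []

    def raise_securelevel(self, level):
        # BSD rule: securelevel only goes up while the system is running.
        if level < self.securelevel:
            raise PermissionError("securelevel cannot be lowered")
        self.securelevel = level

    def load_lkm(self, name, image, sig=None):
        if self.securelevel >= 1:
            if sig is None or not verify(self.trusted_pk, image, sig):
                return False  # unsigned, wrong key, or tampered image
        self.loaded.append(name)
        return True


def demo():
    """Walk a constructed module through the policy; returns the load outcomes."""
    sk, pk = keygen()
    kernel = Kernel(pk)
    good = b"\x7fELF constructed test module image v1"  # constructed, not a real LKM
    sig = sign(sk, good)
    results = {}
    results["dev_unsigned"] = kernel.load_lkm("ipfw_mod", good)        # securelevel 0
    kernel.raise_securelevel(1)
    results["prod_unsigned"] = kernel.load_lkm("ipfw_mod", good)       # now refused
    results["prod_signed"] = kernel.load_lkm("ipfw_mod", good, sig)    # accepted
    tampered = good.replace(b"module", b"rootkit")                     # one byte run changed
    results["prod_tampered"] = kernel.load_lkm("ipfw_mod", tampered, sig)
    try:
        kernel.raise_securelevel(0)
        results["lowered"] = True
    except PermissionError:
        results["lowered"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The point the example makes beyond the prose: the kernel never holds a secret, so compromising a running system does not let an attacker mint signatures for new modules, and the gate lives on the load path rather than in a scanner, so a module that was never signed cannot be loaded at all once securelevel is raised, regardless of what its code looks like. What the model does not cover is a kernel already compromised through some other route, which can patch the verifier itself.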