Date:      Fri, 17 Apr 2015 08:24:23 -0500
From:      Nathan Dautenhahn <dautenh1@illinois.edu>
To:        Yuri <yuri@rawbw.com>
Cc:        freebsd-hackers@FreeBSD.org
Subject:   Re: Is it possible to check the running kernel signature?
Message-ID:  <20150417132423.GA65136@trypticon.cs.illinois.edu>
In-Reply-To: <553074DE.4070106@rawbw.com>
References:  <553074DE.4070106@rawbw.com>

On Thu, Apr 16, 2015 at 07:50:06PM -0700, Yuri wrote:
> I came across this horror story:
> https://pbs.twimg.com/media/Bd7LUMYCMAAJcqJ.jpg
> Three letter agencies subverted the BIOS manufacturers to produce
> BIOSes that were/are able to inject the malicious code right into
> the FreeBSD kernel during the final BIOS boot stage. This may well
> be going on with the modern FreeBSD versions.
> 
> The idea that comes to mind is the ability to verify that the
> running kernel wasn't tampered with by comparing it with its disk
> image copy. Same with the kernel modules. Kernel can be verified
> through the memory mmapped to /dev/mem device.

The challenge is that the SMM handler operates as firmware, operating at a
higher privilege level than the kernel. However, the kernel could do some type
of measurement after each invocation of the SMM handler to ensure that all
malicious modifications are detected and patched. 

This does assume that the attacker doesn't interpose on the system in any other
way than SMM interrupts (e.g. DMA). If you want to trust the kernel (which
might not be that trustworthy where an attacker could inject surreptitious code
more easily than BIOS in my opinion) then the kernel can just do a scan. 

If you don't trust the kernel you could use a thin hypervisor to measure the
memory. Although there you have the practical challenges of measurement, keys,
etc. 

I have been considering ideas along the direction of an isolated measurement
component as a use case for the nested kernel (nestedkernel.org). Very
interesting direction.

::nathan::

> 
> Is this idea feasible, and would it make sense to implement it?
> 
> Yuri



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150417132423.GA65136>
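
The comparison discussed in this thread (running kernel text versus its on-disk image), as an added example that is not part of the original message and is not FreeBSD code: it checks every executable, non-writable PT_LOAD segment of an ELF64 image against a memory snapshot. The names `text_check`, `sample_elf`, `Ehdr`, `Phdr` and `SEG_*` are this example's own; it assumes a little-endian host, a snapshot already acquired by some trusted path, and loaded text that is byte-identical to the file (no load-time patching).

```c
#include <stdint.h>
#include <string.h>

/* Minimal ELF64 header layouts (example's own names); little-endian host assumed. */
typedef struct { uint8_t ident[16]; uint16_t type, machine; uint32_t version;
    uint64_t entry, phoff, shoff; uint32_t flags;
    uint16_t ehsize, phentsize, phnum, shentsize, shnum, shstrndx; } Ehdr;
typedef struct { uint32_t type, flags;
    uint64_t offset, vaddr, paddr, filesz, memsz, align; } Phdr;
enum { SEG_LOAD = 1, SEG_X = 1, SEG_W = 2, SEG_R = 4 }; /* PT_LOAD, PF_X/W/R */

/* Compare each executable, non-writable PT_LOAD segment of the on-disk image
 * with a memory snapshot that starts at virtual address base. Returns 0 if
 * identical, 1 on mismatch (*bad = first differing address), -1 if the image
 * is malformed or a segment lies outside the snapshot. */
int text_check(const uint8_t *elf, size_t elen, const uint8_t *mem,
               uint64_t base, size_t mlen, uint64_t *bad)
{
    Ehdr eh; Phdr ph;
    if (elen < sizeof(eh)) return -1;
    memcpy(&eh, elf, sizeof(eh));
    if (memcmp(eh.ident, "\177ELF\2", 5) || eh.phentsize != sizeof(ph) ||
        eh.phoff > elen || (elen - eh.phoff) / sizeof(ph) < eh.phnum) return -1;
    for (size_t i = 0; i < eh.phnum; i++) {
        memcpy(&ph, elf + eh.phoff + i * sizeof(ph), sizeof(ph));
        if (ph.type != SEG_LOAD || !(ph.flags & SEG_X) || (ph.flags & SEG_W)) continue;
        if (ph.offset > elen || ph.filesz > elen - ph.offset ||
            ph.vaddr < base || ph.vaddr - base > mlen ||
            ph.filesz > mlen - (ph.vaddr - base)) return -1;
        for (uint64_t j = 0; j < ph.filesz; j++)
            if (elf[ph.offset + j] != mem[ph.vaddr - base + j]) {
                *bad = ph.vaddr + j;
                return 1;
            }
    }
    return 0;
}

/* Constructed sample: one R+X segment of 16 bytes (0x90) loaded at base. */
size_t sample_elf(uint8_t *buf, uint64_t base)
{
    Ehdr eh = {0}; Phdr ph = {0};
    memcpy(eh.ident, "\177ELF\2\1\1", 7);
    eh.phoff = sizeof(eh); eh.phentsize = sizeof(ph); eh.phnum = 1;
    ph.type = SEG_LOAD; ph.flags = SEG_R | SEG_X; ph.offset = sizeof(eh) + sizeof(ph);
    ph.vaddr = base; ph.filesz = ph.memsz = 16;
    memcpy(buf, &eh, sizeof(eh)); memcpy(buf + sizeof(eh), &ph, sizeof(ph));
    memset(buf + ph.offset, 0x90, 16);
    return ph.offset + 16;
}
```

A checker like this running inside the kernel it measures inherits that kernel's trustworthiness, which is the limitation the reply raises.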