Re: Kernel needs [was: SCO]

  • From: Steve Baker <ice@xxxxxxxxxxxxxxxxx>
  • To: technocracy@xxxxxxxxxxxxxxxxx
  • Date: Fri, 14 Jul 2000 16:14:24 -0500

Neil Doane <caine@xxxxxxxxxxxxxxxx> writes:
> * Steve Baker (ice@xxxxxxxxxxxxxxxxx) on [07-14-00 13:33] did utter:
> > really, once you get down to it, a good VM, memory protection, filesystems,
> > networking and the like are all that really belong in the kernel 
>
> I'm curious as to what people here think about integrated kernel-level 
> security features like SecureBSD's MDA hash check-before-execute features or
> the myriad kernel-level features of things like the Linux Intrusion
> Detection System (www.lids.org) (send security alerts through network 
> (mail/remote syslog/http POST) directly from kernel, or limiting access 
> to raw devices or io ports to only pre-specified processes.)   I mean,
> SecureBSD has a database of the checksums of every binary on its system
> floating around in memory (I guess) and LIDS is implementing its own MTA 
> _inside the kernel_ (among other things).  
>
> Is this going overboard or not?  Opinions?

  A tad, some of these things are useful, but the problem is in just how
easy it is to circumvent these protections.  Just because something is in
the kernel doesn't mean it's invulnerable.  For instance, this MDA hash
check-before-execute thing; let's examine how to circumvent it, shall we?

  1) Get root, this is the hardest part.  Remember, just because an
     executable is trusted, doesn't make it secure.
  2) Open /dev/mem and find the kernel memory where our MDA hash table is
     located.  This is frighteningly easy.
  3) Bugger with the table so our exploited bins are the ones that will run
     and the normal bins won't.
  4) Install the rootkit.  Plant your flag, you own the box.  Our work is
     done.

  And that's just through userspace, never mind loading a module (which can
be done through /dev/mem too, so much for turning module loading off).  Now
you can try to make that memory read-only, but if they've got root, sorry to
say, you can't stop 'em.  The only thing these security measures accomplish
is in stopping the lazy hacker (maybe).  I believe we've already discussed
how polished and easy-to-use rootkits can be.  I should also point out that
this check-before-exec thing may impact system security negatively, in that
it may make an admin even less security conscious.

  This is not to say that there shouldn't be more security in the kernel; I
believe that it's intolerable that we're still waiting for ACLs, for
instance.  Things that have been proven to keep hackers from getting root
are good; things that attempt to limit what root can do are inherently
flawed.

                                                                - Steve
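
The two escape routes the post leans on are raw writes to kernel RAM through
/dev/mem (steps 2 and 3) and module loading (which the post notes can also go
through /dev/mem).  On a current Linux kernel those paths are governed by a
few build options, one sysctl and the lockdown LSM.  The script below is an
added example for this page, not code from the thread or from LIDS or
SecureBSD.  It parses those settings from text so it runs offline against the
two constructed sample configs embedded in it, and, when run on a Linux host,
also reports the live values.  Assumed: /proc/config.gz is available (it
needs CONFIG_IKCONFIG_PROC), /proc/sys/kernel/modules_disabled and
/sys/kernel/security/lockdown exist where the kernel supports them, and
CONFIG_DEVMEM is treated as "y" when the option is absent, since older
kernels always built /dev/mem.  The two sample .config fragments are made up
for illustration.

```python
# Added example: audit whether root can still reach kernel RAM through
# /dev/mem or load a module on this host.  Not part of the original thread.
import gzip
import re
from pathlib import Path

# Real paths on a Linux host; every one of them may be absent.
CONFIG_GZ = Path("/proc/config.gz")                  # needs CONFIG_IKCONFIG_PROC
MODULES_DISABLED = Path("/proc/sys/kernel/modules_disabled")
LOCKDOWN = Path("/sys/kernel/security/lockdown")


def parse_kconfig(text):
    """Map CONFIG_FOO -> value for every 'CONFIG_FOO=value' line of a kernel .config.
    Commented '# CONFIG_FOO is not set' lines are deliberately skipped."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"(CONFIG_\w+)=(.*)", line.strip())
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
    return opts


def lockdown_mode(text):
    """The lockdown file reads like 'none [integrity] confidentiality';
    the bracketed word is the active mode.  No brackets (or no file) -> 'none'."""
    m = re.search(r"\[(\w+)\]", text)
    return m.group(1) if m else "none"


def assess(kconfig, modules_disabled, lockdown):
    """Return booleans describing which of the post's paths are closed to root."""
    locked = lockdown in ("integrity", "confidentiality")
    # Assumption: kernels predating the CONFIG_DEVMEM option always have /dev/mem.
    devmem_present = kconfig.get("CONFIG_DEVMEM", "y") == "y"
    strict = kconfig.get("CONFIG_STRICT_DEVMEM") == "y"
    return {
        # Writing kernel RAM via /dev/mem is refused if the device is absent,
        # STRICT_DEVMEM confines it to non-RAM (device) ranges, or lockdown is on.
        "devmem_ram_write_blocked": (not devmem_present) or strict or locked,
        # Legacy /dev/kmem (kernel virtual address space) exists only if built in.
        "devkmem_present": kconfig.get("CONFIG_DEVKMEM") == "y",
        # kernel.modules_disabled=1 is one-way until reboot.
        "module_loading_blocked": modules_disabled == "1"
        or kconfig.get("CONFIG_MODULES") != "y",
        # Unsigned modules are refused under MODULE_SIG_FORCE or lockdown.
        "unsigned_modules_blocked": kconfig.get("CONFIG_MODULE_SIG_FORCE") == "y"
        or locked,
    }


def read_text(path, default=""):
    """Read a plain or gzipped file; return default if missing or unreadable."""
    try:
        if path.suffix == ".gz":
            return gzip.decompress(path.read_bytes()).decode()
        return path.read_text()
    except OSError:
        return default


def audit_host():
    """Assess the running host with the same dict shape as assess()."""
    return assess(parse_kconfig(read_text(CONFIG_GZ)),
                  read_text(MODULES_DISABLED, "0").strip(),
                  lockdown_mode(read_text(LOCKDOWN)))


# Constructed sample .config fragments (not taken from any real host).
PERMISSIVE_CONFIG = """\
CONFIG_MODULES=y
CONFIG_DEVMEM=y
CONFIG_DEVKMEM=y
# CONFIG_STRICT_DEVMEM is not set
"""
HARDENED_CONFIG = """\
CONFIG_MODULES=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_DEVMEM=y
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# CONFIG_DEVKMEM is not set
"""

if __name__ == "__main__":
    samples = (("permissive", PERMISSIVE_CONFIG, "0", "[none] integrity confidentiality"),
               ("hardened", HARDENED_CONFIG, "1", "none [integrity] confidentiality"))
    for name, cfg, mods, lock in samples:
        print(name, assess(parse_kconfig(cfg), mods, lockdown_mode(lock)))
    print("this host", audit_host())
```

On the permissive sample every path is open, which is the situation the post
describes; on the hardened sample all four flags flip.  The live report only
says what the kernel refuses through these particular interfaces, nothing
about other ways a root process might reach kernel memory.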
