Kernel modules

From: Hal Flynn (flynn@securityfocus.com)
Date: 03/06/03

  • Next message: MacDougall, Shane: "Solaris disk wipe utilitiy?"
    Date: Wed, 5 Mar 2003 16:06:13 -0700 (MST)
    From: Hal Flynn <flynn@securityfocus.com>
    To: focus-sun@securityfocus.com

    Hi folks,

    A friend and I were having a discussion a few weeks ago concerning
    loadable kernel modules and Solaris. Basically, we were in agreement that
    preventing the loading of malicious kernel modules was merely a step that,
    while not offering total security, was an excellent means of preventing
    kernel back doors as they're commonly used.

    I've been thinking it over more in the last few weeks, and I've reached a
    point at which I'm curious as to what other people responsible for the
    security of Solaris systems are doing to prevent, or at least limit the
    ability of users to load modules on a system.

    Obviously, when an attacker compromises administrative access, the game is
    essentially over. Theoretically, the attacker can patch the running
    kernel, creating a situation in which detection of compromise would at
    the very least be difficult. However, I think we're still in the arms
    race leading up to that, and for now the concern is the LKM.

    So, my question is, what are you doing to prevent the loading of kernel
    modules? Any clever tricks? Hacks?

    Cheers,

    Hal Flynn
    Symantec Corp.

    "....You guys are the Marine's doctors; There's no better in the business
    than a Navy Corpsman...."
      -- Lieutenant General Lewis B. "Chesty" Puller, U.S.M.C.

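Added example (not part of Hal's post or of any Solaris tooling): one practical answer to the question above is to keep a baseline of the modules you expect to see loaded and to compare the output of modinfo against it on a schedule, then feed anything unexpected into an /etc/system exclude: line. The script below does both against a constructed modinfo-style listing; the sample rows, the baseline and the module name "sneaky" are made up for the demonstration, and the exclude: directive is a deny-list by name, so it only covers modules you already know about and does nothing against an attacker who already has root and edits /etc/system or patches the running kernel.

```shell
#!/bin/sh
# Added example: compare a modinfo(1M)-style listing against an approved
# baseline and emit /etc/system exclude: lines for anything unexpected.
# None of this is code from the original post.

# Constructed sample of modinfo output (not captured from a real host).
# Columns: Id Loadaddr Size Info Rev "Module Name".
SAMPLE_MODINFO=' Id Loadaddr   Size Info Rev Module Name
  6  1018e000   4a71   1   1  specfs (filesystem for specfs)
  8  10194000   2c8c   1   1  TS (time sharing sched class)
 11  1019a000   3d30  14   1  ufs (filesystem for ufs)
 57  102b2000   1a20 254   1  sneaky (hypothetical unlisted module)'

# Constructed baseline: module names the administrator has approved,
# one per line. In practice, generate this from a known-good host.
BASELINE='specfs
TS
ufs'

# module_names LISTING: print the Module Name column, skipping the header row.
module_names() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $6 }'
}

# unexpected_modules LISTING BASELINE: print loaded module names that are
# absent from the baseline (exact, whole-line match).
unexpected_modules() {
    loaded=$1
    baseline=$2
    module_names "$loaded" | while IFS= read -r name; do
        if ! printf '%s\n' "$baseline" | grep -qx -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# exclude_directives LISTING BASELINE: turn each unexpected module into an
# /etc/system "exclude: <module>" line, ready to review and append.
exclude_directives() {
    unexpected_modules "$1" "$2" | while IFS= read -r name; do
        printf 'exclude: %s\n' "$name"
    done
}

# Stand-alone run: on a real host replace SAMPLE_MODINFO with "$(modinfo)".
echo "Unexpected modules:"
unexpected_modules "$SAMPLE_MODINFO" "$BASELINE"
echo "Suggested /etc/system lines:"
exclude_directives "$SAMPLE_MODINFO" "$BASELINE"
```

Run it from cron with the live modinfo output substituted for the sample and mail yourself the diff; the baseline file and the script itself should live somewhere root cannot quietly edit in place (read-only media or a host that pulls the listing over the network), for the reason the post already gives: once root is lost, anything resident on the box is suspect.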
