Re: New release of Solaris security module Papillon
From: Konrad Rieck (kr@roqe.org)
Date: 04/23/03
From: Konrad Rieck <kr@roqe.org> To: Focus Sun <focus-sun@securityfocus.com> Date: 23 Apr 2003 00:28:49 +0200
Hi,
On Tue, 2003-04-22 at 17:36, Dave Aitel wrote:
> Good work, once again. In fact, there are probably many really cool
> projects that could benefit from being built on your work - for example,
> a kernel rootkit detection tool...
Thanks, but I'd like to add my .02 EUR that also refer to Hal's post
titled "Kernel modules" on 2003-03-06.
I am one of those odd academic people, who try to split the state of a
running system into "clean" and "compromised". Once a remote intruder
has gained super-user privileges, he's able to unload, uninstall, tweak
or reconfigure the system's security components unless there is profound
and trustful separation between local (physical access) and remote. For
simplicity I am referring to a remote intruder.
Trusted Solaris or the secure level implementation of some *BSDs weaken
the super-user privileges in order to try to solve some aspects of this
general problem.
But in my opinion, a simple loadable kernel module should never be used
to detect effects of a compromise, e.g. loading of trojaned modules,
installation of rootkits, interception of syscalls, etc... unless there
is some kind of un-removable and trustful authentication that guarantees
a remote intruder is unable to manipulate the module's functionality.
I am still looking for such authentication methods and implementations
that are able to guarantee the above security, but I know that
obfuscation and blind hardening aren't solutions, because there are
people who indeed patch static kernel images or inject modules into
/dev/kmem. There are more bad tricks out there than good ones.
Sorry for wandering off the (Sun) point...
With best regards,
Konrad Rieck
--
Konrad Rieck <kr@roqe.org> - http://people.roqe.org/kr
PGP: 5803 E58E D1BF 9A29 AFCA 51B3 A725 EA18 ABA7 A6A3