Re: New release of Solaris security module Papillo
From: Konrad Rieck <firstname.lastname@example.org>
To: Focus Sun <email@example.com>
Date: 23 Apr 2003 00:28:49 +0200
On Tue, 2003-04-22 at 17:36, Dave Aitel wrote:
> Good work, once again. In fact, there are probably many really cool
> projects that could benefit from being built on your work - for example,
> a kernel rootkit detection tool...
Thanks, but I'd like to add my .02 EUR, which also refers to Hal's post
titled "Kernel modules" on 2003-03-06.
I am one of those odd academic people who try to split the state of a
running system into "clean" and "compromised". Once a remote intruder
has gained super-user privileges, he's able to unload, uninstall, tweak
or reconfigure the system's security components unless there is a profound
and trustworthy separation between local (physical access) and remote. For
simplicity I am referring to a remote intruder.
Trusted Solaris or the securelevel implementation of some *BSDs weaken
the super-user privileges in order to try to solve some aspects of this.
But in my opinion, a simple loadable kernel module should never be used
to detect effects of a compromise, e.g. loading of trojaned modules,
installation of rootkits, interception of syscalls, etc., unless there
is some kind of non-removable and trustworthy authentication that guarantees
a remote intruder is unable to manipulate the module's functionality.
I am still looking for such authentication methods and implementations
that are able to guarantee the above security, but I know that
obfuscation and blind hardening aren't solutions, because there are
people who indeed patch static kernel images or inject modules into
/dev/kmem. There are more bad tricks out there than good ones.
Sorry for wandering off the (Sun) point...
With best regards,
-- 
Konrad Rieck <firstname.lastname@example.org> - http://people.roqe.org/kr
PGP: 5803 E58E D1BF 9A29 AFCA 51B3 A725 EA18 ABA7 A6A3