Re: New release of Solaris security module Papillo

From: Konrad Rieck (kr@roqe.org)
Date: 04/23/03

    From: Konrad Rieck <kr@roqe.org>
    To: Focus Sun <focus-sun@securityfocus.com>
    Date: 23 Apr 2003 00:28:49 +0200
    

    Hi,

    On Tue, 2003-04-22 at 17:36, Dave Aitel wrote:
    > Good work, once again. In fact, there are probably many really cool
    > projects that could benefit from being built on your work - for example,
    > a kernel rootkit detection tool...

    Thanks, but I'd like to add my .02 EUR that also refer to Hal's post
    titled "Kernel modules" on 2003-03-06.

    I am one of those odd academic people, who try to split the state of a
    running system into "clean" and "compromised". Once a remote intruder
    has gained super-user privileges, he's able to unload, uninstall, tweak
    or reconfigure the system's security components unless there is profound
    and trustful separation between local (physical access) and remote. For
    simplicity I am referring to a remote intruder.

    Trusted Solaris or the secure level implementation of some *BSDs weaken
    the super-user privileges in order to try to solve some aspects of this
    general problem.

    But in my opinion, a simple loadable kernel module should never be used
    to detect effects of a compromise, e.g. loading of trojaned modules,
    installation of rootkits, interception of syscalls, etc... unless there
    is some kind of un-removable and trustful authentication that guarantees
    a remote intruder is unable to manipulate the module's functionality.

    I am still looking for such authentication methods and implementations
    that are able to guarantee the above security, but I know that
    obfuscation and blind hardening aren't solutions, because there are
    people who indeed patch static kernel images or inject modules into
    /dev/kmem. There are more bad tricks out there than good ones.

    Sorry for wandering off the (Sun) point...

    With best regards,
    Konrad Rieck
                    

    -- 
     Konrad Rieck <kr@roqe.org> - http://people.roqe.org/kr 
     PGP: 5803 E58E D1BF 9A29 AFCA 51B3 A725 EA18 ABA7 A6A3 