[GLLUG] monolithic kernel (debian 3.0) and ethernet devices

Melson, Paul PMelson@sequoianet.com
Thu, 21 Mar 2002 15:55:00 -0500


Neither.  It's just the way things are for the time being.  Since a
rootkit implies that root (or whatever analogous user account) has been
compromised, I think you'd find that most operating systems have this
"problem" in one form or another.  If you can modify the kernel or
kernel resources, you can do pretty much whatever you want.  After all,
if you can't trust the kernel, who can you trust?

I'd be interested to find out if anyone (like Ben Pfaff) has read any
research on untrusted code verification for kernels.  There are some
neat papers out there (http://citeseer.nj.nec.com/50371.html) on PCC,
but that relies on the kernel to verify untrusted application code.
There is also a lot of research (and new products) that deal with MAC
and managing system calls *to* the kernel, but nothing that deals with
the behavior of the kernel itself.  I can't conceive of how or why you
would implement something like that for a kernel.  It's my understanding
that read-only media is the best, or at least the easiest, way to secure
the kernel and the code it depends on.

PaulM

-----Original Message-----
From: djf2 [mailto:djf2@danu.ili.net]
Sent: Thursday, March 21, 2002 3:13 PM
Cc: linux-user@egr.msu.edu
Subject: Re: [GLLUG] monolithic kernel (debian 3.0) and ethernet devices


On 21 Mar 2002, Ben Pfaff wrote:

> >      I know at least one reason that people do it is because a rogue
> > module can make it awfully hard to tell if you've been rooted.
> > [...]
> 
> According to Alan Cox, IIRC, many rootkits now can modify the
> kernel by hand with an included linker whether modules are
> enabled or not, so that the "security" that this provides is
> really just a false feeling.

     damn!  Is this considered a 'feature' or a 'bug'?  Still...I'd guess
leaving modules enabled would still leave you open to getting them
overwritten, wouldn't it?

--
"Is that sound you're hearing the trumpeting of St. Peter's angels
 or the screams of Memnoch's tortured souls?"
Don Flynn        djf2@ili.net                   Sayge@IRC 
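The check a practitioner would reach for after reading the above, as an added example that is not part of the original thread: the "hand-patched kernel" Ben and Paul discuss usually shows up as rewritten entries in sys_call_table, so the classic defensive move is to compare the running table against the addresses recorded in the kernel's own System.map and flag any entry that has moved, especially one that now points outside the kernel's text segment. Everything here is constructed for illustration: the System.map excerpt uses hypothetical 2.4-era i386 addresses, the table dump is hand-built with two entries redirected, and the i386 syscall numbers (read=3, write=4, open=5, close=6, execve=11, getdents=141) are the only real values in it. On a live system the dump would come from /dev/kmem or a small kernel-side reader, which this script deliberately does not include.

```python
"""Added example (not from the GLLUG thread): detect hooked sys_call_table
entries by comparing a dump of the running table against System.map.

Both inputs are constructed for this example so it runs offline:
  * SYSTEM_MAP        - a System.map excerpt with hypothetical addresses
  * SYSCALL_TABLE_DUMP - a hand-built table dump in which execve and getdents
                         have been redirected out of the kernel text, as an
                         in-memory rootkit would do
"""

# Constructed System.map excerpt: '<hexaddr> <type> <symbol>' per line.
# Addresses are hypothetical; only the line format matches a real System.map.
SYSTEM_MAP = """\
c0100000 T _text
c0106f40 T sys_read
c0107010 T sys_write
c0107120 T sys_open
c0107200 T sys_close
c0108300 T sys_getdents
c0108400 T sys_execve
c0120000 D sys_call_table
c0180000 A _etext
"""

# Constructed dump of sys_call_table as {syscall_nr: handler_address}.
# The keys are the real i386 syscall numbers; the two 0xc88... addresses
# are the planted hooks, living outside the [_text, _etext) range.
SYSCALL_TABLE_DUMP = {
    3: 0xC0106F40,    # read   - intact
    4: 0xC0107010,    # write  - intact
    5: 0xC0107120,    # open   - intact
    6: 0xC0107200,    # close  - intact
    11: 0xC8801A00,   # execve   - hooked (constructed)
    141: 0xC8801B40,  # getdents - hooked (constructed)
}

# Syscall number -> symbol name the entry should hold (i386 numbering).
SYSCALL_NAMES = {
    3: "sys_read", 4: "sys_write", 5: "sys_open",
    6: "sys_close", 11: "sys_execve", 141: "sys_getdents",
}


def parse_system_map(text):
    """Parse System.map text into {symbol_name: address}."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line; System.map is 3 columns
        addr, _sym_type, name = parts
        symbols[name] = int(addr, 16)
    return symbols


def check_syscall_table(table, symbols, names):
    """Compare a sys_call_table dump against System.map.

    Returns a list of (nr, name, expected, actual, reason) for every entry
    that does not hold the address System.map records for its handler.
    An entry that has moved outside [_text, _etext) is reported as such,
    since no legitimate handler lives outside the kernel's text segment.
    """
    text_start, text_end = symbols["_text"], symbols["_etext"]
    findings = []
    for nr, actual in sorted(table.items()):
        name = names.get(nr, "syscall_%d" % nr)
        expected = symbols.get(name)
        if expected is None:
            findings.append((nr, name, None, actual,
                             "no System.map symbol for this entry"))
            continue
        if actual == expected:
            continue
        if text_start <= actual < text_end:
            reason = "differs from System.map (in-kernel redirect)"
        else:
            reason = "points outside kernel text"
        findings.append((nr, name, expected, actual, reason))
    return findings


def format_report(findings):
    """Render findings as one line per suspect entry."""
    if not findings:
        return "sys_call_table matches System.map"
    lines = []
    for nr, name, expected, actual, reason in findings:
        exp = "%08x" % expected if expected is not None else "????????"
        lines.append("syscall %3d %-12s expected %s got %08x : %s"
                     % (nr, name, exp, actual, reason))
    return "\n".join(lines)


if __name__ == "__main__":
    symbols = parse_system_map(SYSTEM_MAP)
    print(format_report(check_syscall_table(SYSCALL_TABLE_DUMP,
                                            symbols, SYSCALL_NAMES)))
```

The caveat is the one Paul's reply already makes: this only means something if System.map and the comparison tool are themselves trustworthy, which in practice means keeping them on read-only media and running the check from a boot you trust. A rootkit that has already patched kernel memory can just as easily lie to whatever reads /dev/kmem on its behalf.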

_______________________________________________
linux-user mailing list
linux-user@egr.msu.edu
http://www.egr.msu.edu/mailman/listinfo/linux-user