Re: LKM Trojan



> On Tue, 2004-06-15 at 11:34, bja@Illinois.DynDNS.Org wrote:
>
>> With the latest advancements in the linux kernel, I would not trust a
>> kernel or modules that existed during a break-in. The selinux hooks are a
>> rootkit author's dream, and I expect that these will become very common
>> as 2.6 is deployed on more systems.
>>
>
> could you elaborate on this, please?

The about/mission statement from selinux.sourceforge.net says it all. I
quote:

"SELinux was created by the National Security Agency as an example of how
mandatory access controls that can confine the actions of any process,
including a superuser process, can be added into Linux. The focus of that
work has not been on system assurance or other security features such as
security auditing, although these elements are also important for a secure
system.

The security mechanisms implemented in the system provide flexible support
for a wide range of security policies. They make it possible to configure
the system to meet a wide range of security requirements. The release
includes a general-purpose security policy configuration designed to meet
a number of security objectives as an example of how this may be done. The
flexibility of the system allows the policy to be modified and extended to
customize the security policy as required for any given installation."

The first policy set rules. If an attacker manages root, the hooks put in
place for selinux modules or lsm modules by selinux/lsm allow an attacker
to confine knowledge of their existence from everything else. Policies are
flexible; I simply worry that the code being there and a policy not being
set will lead to the bad guys setting one up for their own uses.

Think of how much more effective adore-ng's preliminary support for
persistence across restarts or kernels would be if it could guarantee that
nothing else would see it. If a person has root, they are no longer
constrained by clever hacks to manipulate the UNIX security model; they are
given an API to break it.

To my knowledge, no 2.6 rootkits that take advantage of lsm/selinux are in
existence. I give this a couple months. The latest version of adore-ng
already works on 2.6. See the LKM discussion on not exporting symbols and
how adore-ng bypasses this already and uses the VFS layer. This is an old
hack because, IMO, selinux and 2.6 are not in widespread adoption.

I hope I am proved to be a paranoid fool in the future.

bja

>
> Thanks!
> --
> Travis Owens <openbook@linuxmds.com>
>
>
> -
> To unsubscribe, send email to majordomo@silug.org with
> "unsubscribe silug-discuss" in the body.
>

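The post's concern is a module that "confines knowledge of its existence" from the rest of the system. One cheap consistency check an admin can still run on a 2.6 box is to compare two independent views of the loaded-module list: /proc/modules (what lsmod reads) and the per-module directories under /sys/module. A module that unlinks itself from the kernel's module list disappears from the former but, unless it also cleans up sysfs, not from the latter. The script below is an added example, not code from the original thread or from any of the projects named in it. It assumes that a loaded module's sysfs directory contains a `refcnt` or `initstate` file while built-in components listed under /sys/module do not; the `--live` flag and the fixture data are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check /proc/modules against
# /sys/module and report modules visible in only the sysfs view.
# Usage: sh lkm_xcheck.sh          -> runs against a constructed fixture
#        sh lkm_xcheck.sh --live   -> runs against the host's /proc and /sys

# list_proc_modules FILE -> module names from a /proc/modules snapshot, sorted
list_proc_modules() {
    awk '{print $1}' "$1" | sort -u
}

# list_sys_modules DIR -> names of loaded modules under a /sys/module tree, sorted.
# Assumption: only a loaded (not built-in) module has a refcnt or initstate file.
list_sys_modules() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        [ -f "$d/refcnt" ] || [ -f "$d/initstate" ] || continue
        basename "$d"
    done | sort -u
}

# hidden_modules PROC_FILE SYS_DIR -> modules present in sysfs but absent from
# the /proc/modules view, one per line (empty output means the views agree)
hidden_modules() {
    proc_list=$(list_proc_modules "$1")
    list_sys_modules "$2" | while read -r m; do
        printf '%s\n' "$proc_list" | grep -qxF -- "$m" || echo "$m"
    done
}

# build_fixture DIR: constructed sample data (not captured from a real host).
# "evil_lkm" has removed itself from the module list but still has its sysfs
# directory; "printk" stands in for a built-in component that exposes only
# parameters and must not be flagged.
build_fixture() {
    dir=$1
    mkdir -p "$dir/sys_module"
    printf '%s\n' \
        'ext3 132144 2 - Live 0xe0a1b000' \
        'jbd 56820 1 ext3, Live 0xe09f5000' \
        'e100 33560 0 - Live 0xe09de000' > "$dir/proc_modules"
    for m in ext3 jbd e100 evil_lkm; do
        mkdir -p "$dir/sys_module/$m"
        echo 1 > "$dir/sys_module/$m/refcnt"
    done
    mkdir -p "$dir/sys_module/printk/parameters"
}

# demo_hidden_modules -> runs the check over the constructed fixture
demo_hidden_modules() {
    tmp=$(mktemp -d)
    build_fixture "$tmp"
    hidden_modules "$tmp/proc_modules" "$tmp/sys_module"
    rm -rf "$tmp"
}

case "${1:-demo}" in
    --live) hidden_modules /proc/modules /sys/module ;;
    *)      demo_hidden_modules ;;
esac
```

The check only catches a module that hides from one view and forgets the other. A rootkit that hooks the VFS layer, as the post says adore-ng already does on 2.6, can filter reads of both /proc and /sys, so agreement between the two views is not evidence of a clean kernel; it is a quick test to run before booting known-good media, not a substitute for it.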