Re: System call interposition/unprotecting the table

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hajime Inoue <[email protected]> writes:

> Just protecting the table does not stop rootkits.  A highly referenced
> phrack article explains how to bypass the table. 

During .23-pre for some time the kernel text was protected too (that
would have likely stopped that particular attack), but it was
removed because it caused too many problems.

Ultimatively it is useless for security anyways because the page
tables cannot be protected (because there are valid reasons to change
them). If they're not protected any protection can be undone by
changing them or simply creating an alias mapping. Also the Linux
kernel has function pointers in read-write data structures which could
also be used to inject code.

So even with Alan's hypervisor support the whole thing would be still
quite holey.  The argument of raising the bar also doesn't seem very
convincing to me, because attackers reuse code too and it's enough
when someone publishes such code once, then they can cut'n'paste
it into any exploits forever.

In general the .data protection is only considered a debugging
feature. I don't know why Fedora enables it in their production
kernels.

BTW I tested your test case and it works for me on 2.6.23rc3 with
DEBUG_RODATA enabled on i386/PAE. Without DEBUG_RODATA it BUGs, 
but that's because the c_p_a interface is somewhat clumpsy
and expects balanced changes.

-Andi
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux