Re: System call interposition/unprotecting the table

On Aug 14 2007 21:50, Andi Kleen wrote:
>Hajime Inoue <[email protected]> writes:
>
>> Just protecting the table does not stop rootkits.  A highly referenced
>> phrack article explains how to bypass the table. 
>
>During .23-pre for some time the kernel text was protected too (that
>would have likely stopped that particular attack), but it was
>removed because it caused too many problems.
>
>Ultimatively it is useless for security anyways because the page
>tables cannot be protected (because there are valid reasons to change
>them).

But with DEBUG_RODATA (does that also apply to .text?) enabled,
accidental writes to it should cause a fault rather than doing silent
changes, would not it?


	Jan
-- 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• References:
  • System call interposition/unprotecting the table
    • From: [email protected]
  • Re: System call interposition/unprotecting the table
    • From: Alan Cox <[email protected]>
  • Re: System call interposition/unprotecting the table
    • From: Hajime Inoue <[email protected]>
  • Re: System call interposition/unprotecting the table
    • From: Andi Kleen <[email protected]>

• Prev by Date: Re: Regression in 2.6.23-rc2-mm2, mounting cpusets causes a hang
• Next by Date: Re: vm86.c audit_syscall_exit() call trashes registers
• Previous by thread: Re: System call interposition/unprotecting the table
• Next by thread: Re: System call interposition/unprotecting the table
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]