Re: An alternative method to check LKM backdoor/rootkit

From: Karsten W. Rohrbach (karstenat_private)
Date: Thu Apr 18 2002 - 06:16:45 PDT


    Florian Weimer(Weimerat_private-Stuttgart.DE)@2002.04.18 00:04:39 +0000:
    > I agree.  You can never be sure which kernel you are running.  An
    > attacker could have placed a modified kernel on a swap device (which
    > excludes this very area from being used as swap space), and tweaked
    > the boot loader to load the modified kernel.
    > 
    > Using this approach, the modified kernel image can be made completely
    > invisible easily, and it still survives reboot.  Such a modification
    > is very hard to spot even during an offline analysis, and the
    > checklists I've seen so far do not address this problem at all.
    
    ...which implies that the kernel sitting in the swap partition has a
    loader hook to be loadable, thus it has a pattern that can be found.
    this pattern should be sufficiently non-ambiguous enough, to recognize a
    fake kernel from swapped pages.
    
    a different approach i know from systems with increased security
    standards is clearing the swap, block by block, in the shutdown sequence.
    since linux provides swapoff(2) instrumentation this would be very easy to
    implement in the init scripts. dd(1) and mkswap(8) are your friends ;-)
    
    a different approach would be adding signature checks to the loader
    that get executed every boot time. to sign a kernel for boot
    "authorization", you must sign it with an encrypted key, requiring
    authentication to the signing system first (pgp style). to circumvent
    this, one must have to install a new loader (lilo, grub, whatever) which
    might be disallowed at run time through kernel instrumentation. imagine
    a kernel option "hda=allow-sec0mod" or similar. using this setup, also
    the loader itself can be checked by itself at boot time for integrity
    reasons.
    
    just a few thoughts,...
    
    regards,
    /k
    
    -- 
    > Love does not make the world go around, just up and down a bit.
    KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
    http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
    GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
    My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
    Please do not remove my address from To: and Cc: fields in mailing lists. 10x
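The two defensive ideas in the mail above, wiping the swap partition block by block during shutdown (swapoff, dd, mkswap) and verifying a kernel image's signature before it is trusted, as an added shell example that is not part of the original mail or of the list discussion. It assumes a Linux host with GNU coreutils, swapoff(8), mkswap(8) and gpg; the signature step runs from a script rather than from inside lilo/grub as the mail proposes. The `SWAPWIPE_DRYRUN` switch, the function names and the `/boot/vmlinuz` paths are constructed for illustration.

```shell
#!/bin/sh
# Constructed shutdown hook (example code, not from the original post).
# Deactivates every swap partition, overwrites it with zeros and re-creates
# the swap signature so the next boot can use it again. Run as root from the
# shutdown sequence. With SWAPWIPE_DRYRUN=1 the privileged commands are only
# echoed, so the logic can be exercised on a workstation without touching a disk.

SWAPWIPE_DRYRUN="${SWAPWIPE_DRYRUN:-0}"

# Run a command, or echo it when dry-running.
run() {
    if [ "$SWAPWIPE_DRYRUN" = 1 ]; then
        echo "DRYRUN: $*"
    else
        "$@"
    fi
}

# Print the device path of every swap *partition* listed in a file with the
# /proc/swaps layout (first argument; defaults to /proc/swaps). Swap files are
# skipped: they live on a filesystem and are not what the mail is about.
list_swap_partitions() {
    awk 'NR > 1 && $2 == "partition" { print $1 }' "${1:-/proc/swaps}"
}

# Deactivate, overwrite and re-initialise one swap partition.
wipe_swap_partition() {
    dev="$1"
    case "$dev" in
        /dev/*) ;;
        *) echo "refusing to wipe non-device path: $dev" >&2; return 1 ;;
    esac
    run swapoff "$dev" || return 1
    # One pass of zeros is enough to destroy a kernel image stashed in the
    # partition; dd exits non-zero when it reaches the end of the device,
    # which is the expected way for a full-device write to stop.
    run dd if=/dev/zero of="$dev" bs=1M conv=fsync 2>/dev/null
    run mkswap "$dev" || return 1
}

# Wipe every swap partition found in the given /proc/swaps-style file.
wipe_all_swap() {
    rc=0
    for dev in $(list_swap_partitions "$1"); do
        wipe_swap_partition "$dev" || rc=1
    done
    return $rc
}

# Verify a detached PGP signature over a kernel image, the check the mail wants
# the loader to perform. Returns gpg's status (0 only on a good signature).
# Assumed paths: /boot/vmlinuz and /boot/vmlinuz.sig.
verify_boot_kernel() {
    kernel="${1:-/boot/vmlinuz}"
    sig="${2:-$kernel.sig}"
    run gpg --batch --verify "$sig" "$kernel"
}
```

In a real shutdown script the functions would be called as `wipe_all_swap` with no argument so that the live /proc/swaps is used; the dry-run switch exists only so the sequence can be reviewed before it is trusted with a real disk.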