Re: Another hook

From: sarnoldat_private
Date: Thu Jun 14 2001 - 16:22:55 PDT


    On Thu, Jun 14, 2001 at 04:15:18PM -0700, Titus D. Winters wrote:
    > Why not?  If someone finds a way to defeat a module, doesn't it help
    > if they can't be sure the module is what is actually running in the
    > first place?
    
    This is of dubious security value. Small-time crackers are liable to try
    script after script after script... Big-time crackers are liable to know
    what modules are in place on their target systems with or without the
    module lying about its presence.
    
    > And if the blackhats already are doing it (which I'll look into, in
    > case this proposal is torpedoed) then we aren't really providing any
    > extra power to the bad guys.
    
    The Bad Guys do it in the hopes that an admin will try the obvious few
    things that come to mind when feeling suspicious; seeing normal
    responses from the several ways the admin can think of to check for
    loaded modules, most admins will just go away.
    
    This is very different from what we have to provide (as module
    implementors), which is strong security no matter what the attacker
    thinks the box looks like.
    
    However, the ability may be convenient for honeypot builders. And they
    are free to use the methods in phrack (or of their own devising :) to
    hide their modules as best they can.
    
    Honestly, I wouldn't worry about it too much. :)
    



    This archive was generated by hypermail 2b30 : Thu Jun 14 2001 - 16:29:34 PDT