Hey all:

A friend and I have written a Linux kernel module that replaces the sys_execve() system call with a version that does binary summing on administrator-selected system binaries before it allows the exec() to occur. The idea is to stop script kiddies with rootkits... sort of an in-kernel/real-time Tripwire.

We wanted to release it in the hopes that it is useful to people, but at the same time we wanted to get some peer review going, since this is a security-related module and neither of us is a hardcore kernel or security hacker (yet, anyway... :-)

The idea of storing a sum on a binary and comparing it on an exec() (or even comparing it, period) isn't new: an implementation for the 2.0.x kernels appeared in the February 2001 edition of Linux Journal. Our module, which isn't based at all on that work, doesn't change as much about the kernel as that implementation did, is portable across all platforms the kernel supports, supports the 2.4-series kernel, has sysadmin-definable actions, and will make your pot of coffee in the morning. :-)

There are more goodies and details in the README and writeup document available as part of the tarball at http://web.sigkill.com/exec-verify/

The module has been moderately tested with 2.4.18, but should probably work down to the 2.4.14-ish range. The module IS beta (read the README for details), but we haven't experienced a hard lock with the module since development, when the module wasn't completely finished.

If you have a few seconds and could take a look at it/try it out, and write back to exec_verifyat_private with your comments and feedback so we can work on a "real"/production release version, that'd be great! If you think any other forums would be interested in helping to test, feel free to post this message there as well.

Thanks in advance for your help!

Later,
Paul

--------------------------------------------------------------------
J. Paul Reed
preedat_private || web.sigkill.com/preed

Nothing satisfies more than a post-coital omelet of your own design.
-- Will Ferrell, Saturday Night Live, 5/18/02

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 17:42:03 PDT
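The post describes the mechanism (sum the binary at exec time, compare against a stored sum, apply an admin-chosen action on mismatch) but contains none of the module's code. What follows is an added example written for this page, a user-space model of that gate in plain C; it is not the exec-verify module's code, and the action names (ACT_ALLOW/ACT_DENY/ACT_LOG_ONLY), the table layout, the function names and the 16-byte stand-in "binaries" are all made up for illustration. The post does not say what kind of sum the module computes, so the example runs the same gate with two non-cryptographic choices to show why that choice matters: a literal byte sum, which a two-byte patch can leave unchanged, and Fletcher-32, which catches that particular patch but is still not a cryptographic hash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a user-space model of an exec-time "binary sum" gate.
 * Not the exec-verify module's code; names and sample images are hypothetical. */

enum verify_action { ACT_ALLOW = 0, ACT_DENY = 1, ACT_LOG_ONLY = 2 };

typedef uint32_t (*digest_fn)(const unsigned char *buf, size_t len);

/* One administrator-selected binary: its path, the sum recorded when it was
 * trusted, and what to do if the sum seen at exec time differs. */
struct sum_entry {
    const char *path;
    uint32_t expected;
    enum verify_action on_mismatch;
};

/* A literal byte sum.  Raising one byte and lowering another by the same
 * amount leaves it unchanged, so a careful attacker can patch around it. */
uint32_t additive_sum(const unsigned char *buf, size_t len)
{
    uint32_t s = 0;
    for (size_t i = 0; i < len; i++)
        s += buf[i];
    return s;
}

/* Fletcher-32 over bytes.  The running second sum makes the result depend on
 * byte positions, so the +1/-1 trick is caught; it is still not a cryptographic
 * hash, and a production gate should use SHA-1/SHA-256 or stronger instead. */
uint32_t fletcher32(const unsigned char *buf, size_t len)
{
    uint32_t s1 = 0, s2 = 0;
    for (size_t i = 0; i < len; i++) {
        s1 = (s1 + buf[i]) % 65535;
        s2 = (s2 + s1) % 65535;
    }
    return (s2 << 16) | s1;
}

/* Enrollment: record the sum of an image the administrator trusts. */
void enroll(struct sum_entry *e, const char *path,
            const unsigned char *img, size_t len,
            digest_fn d, enum verify_action on_mismatch)
{
    e->path = path;
    e->expected = d(img, len);
    e->on_mismatch = on_mismatch;
}

/* The gate an execve() wrapper would apply to the image it is about to run.
 * Paths the administrator did not list are not checked at all. */
enum verify_action verify_exec(const struct sum_entry *tbl, size_t n,
                               const char *path,
                               const unsigned char *img, size_t len,
                               digest_fn d)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(tbl[i].path, path) != 0)
            continue;
        return d(img, len) == tbl[i].expected ? ACT_ALLOW : tbl[i].on_mismatch;
    }
    return ACT_ALLOW;
}

/* Constructed 16-byte stand-ins for /bin/ls (not real ELF files). */
const unsigned char trusted_ls[16] = {
    0x7f, 'E', 'L', 'F', 0x01, 0x01, 0x01, 0x00,
    0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80 };
/* One byte patched at offset 8: every sum changes. */
const unsigned char trojan_one_byte[16] = {
    0x7f, 'E', 'L', 'F', 0x01, 0x01, 0x01, 0x00,
    0x11, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80 };
/* Offset 8 raised by one and offset 15 lowered by one: the additive sum is
 * identical to the trusted image's, Fletcher-32 is not. */
const unsigned char trojan_sum_preserving[16] = {
    0x7f, 'E', 'L', 'F', 0x01, 0x01, 0x01, 0x00,
    0x11, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x7f };

/* Enrol trusted_ls as /bin/ls with the given digest and mismatch action, then
 * run the gate for `path` on `img` and return the action it decides. */
enum verify_action run_scenario(digest_fn d, enum verify_action on_mismatch,
                                const char *path,
                                const unsigned char *img, size_t len)
{
    struct sum_entry tbl[1];
    enroll(&tbl[0], "/bin/ls", trusted_ls, sizeof trusted_ls, d, on_mismatch);
    return verify_exec(tbl, 1, path, img, len, d);
}

static const char *action_name(enum verify_action a)
{
    return a == ACT_ALLOW ? "allow" : a == ACT_DENY ? "deny" : "log only";
}

int main(void)
{
    printf("additive, trusted image:        %s\n", action_name(
        run_scenario(additive_sum, ACT_DENY, "/bin/ls", trusted_ls, 16)));
    printf("additive, one byte patched:     %s\n", action_name(
        run_scenario(additive_sum, ACT_DENY, "/bin/ls", trojan_one_byte, 16)));
    printf("additive, sum-preserving patch: %s\n", action_name(
        run_scenario(additive_sum, ACT_DENY, "/bin/ls", trojan_sum_preserving, 16)));
    printf("fletcher, sum-preserving patch: %s\n", action_name(
        run_scenario(fletcher32, ACT_DENY, "/bin/ls", trojan_sum_preserving, 16)));
    return 0;
}
```

Two caveats apply to any real version of this gate, whatever digest it uses. The sum has to be taken over the bytes the kernel actually maps and runs, not over a path that is opened once for checking and again for executing, or a rootkit can swap the file in between. And the table of expected sums is only as trustworthy as its storage: if it lives in a plain file that root can edit, the same rootkit that replaces /bin/ls can re-enrol its replacement.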