On Thu, Jun 20, 2002 at 05:36:55PM -0700, J. Paul Reed wrote:
>
> Hey all:
>
> A friend and I have written a Linux kernel module that replaces the
> sys_execve() system call with a version that does binary summing on
> administrator-selected system binaries before it allows the exec() to
> occur.

Sounds like the same idea as CryptoMark:
	http://www.immunix.org/cryptomark.html
But it uses GPG keys to sign binaries.

I also have a 2.4 version of the CryptoMark kernel code available at:
	http://linuxusb.bkbits.net:8080/cryptomark-2.4
which I think will work with the userspace tools available from the
immunix.org site for the 2.2 version of CryptoMark.

> The idea is to stop script kiddies with rootkits... sort of an
> in-kernel/realtime Tripwire. We wanted to release it in the hopes that it
> is useful to people, but at the same time we wanted to get some peer review
> going since this is a security-related module and neither of us is a
> hardcore kernel or security hacker (yet, anyway... :-)

It is a nice idea. Be careful of replacing syscalls, it's non-portable
and extremely racy. I'd recommend using the LSM interface for your
execve() hook, which removes all of those problems.

> The idea of storing a sum on a binary and comparing it on an exec() (or
> even comparing it period) isn't new: an implementation for the 2.0.x
> kernels appeared in the February 2001 edition of LinuxJournal. Our module,
> which isn't based at all on that work, doesn't change as much about the
> kernel as that implementation did, is portable across all platforms the
> kernel supports, supports the 2.4-series kernel, has sysadmin-definable
> actions, and will make your pot of coffee in the morning. :-)
>
> There's more goodies and details in the README and writeup document
> available as part of the tarball at
>
> http://web.sigkill.com/exec-verify/
>
> The module has been moderately tested with 2.4.18, but should probably work
> down to the 2.4.14-ish range. The module IS beta (read the README for
> details), but we haven't experienced a hard lock with the module since
> development when the module wasn't completely finished.
>
> If you have a few seconds and could take a look at it/try it out, and write
> back to exec_verifyat_private with your comments and feedback so we can
> work on a "real"/production release version, that'd be great!

Code looks nice at first glance, I'll look it over some more later
tonight.

thanks,

greg k-h

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
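The check the thread is discussing, as an added userspace model (example code, not exec-verify's or CryptoMark's own, and not an LSM hook): administrator-listed binaries carry an expected SHA-256, a mismatch triggers an admin-definable action (deny or log), and the digest is computed over the already-opened descriptor that is then handed to fexecve(), so the file that was verified is the file that runs. An in-kernel exec hook such as the LSM bprm check sees the opened file for free; a userspace verifier that hashes by path and then calls execve(path) leaves a window in which the path can be re-pointed. The policy file format, the function names, and the sample files built by demo() are assumptions made for this example.

```python
import hashlib
import os
import sys
import tempfile

# Administrator-definable response to a listed binary whose digest has changed
# (assumed for this example; exec-verify's own action set is in its README).
ACTIONS = ("deny", "log")


def parse_policy(text):
    """Parse the policy format assumed for this example: an optional
    'action=deny|log' line plus one '<sha256-hex> <path>' line per binary."""
    policy = {"action": "deny", "digests": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("action="):
            action = line.split("=", 1)[1]
            if action not in ACTIONS:
                raise ValueError("unknown action %r" % action)
            policy["action"] = action
            continue
        digest, path = line.split(None, 1)
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("bad digest for %s" % path)
        # Key by the resolved path so a symlink and its target share one entry.
        policy["digests"][os.path.realpath(path.strip())] = digest
    return policy


def digest_fd(fd):
    """SHA-256 over the file behind an already-open descriptor."""
    h = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while True:
        chunk = os.read(fd, 1 << 16)
        if not chunk:
            return h.hexdigest()
        h.update(chunk)


def check_exec(path, policy):
    """Open first, then verify the open descriptor: the object checked is the
    object that will run. Returns (decision, fd); on 'allow' the caller owns fd."""
    fd = os.open(path, os.O_RDONLY | os.O_CLOEXEC)
    expected = policy["digests"].get(os.path.realpath(path))
    if expected is None:
        return "allow", fd              # not an administrator-selected binary
    actual = digest_fd(fd)
    if actual == expected:
        return "allow", fd
    sys.stderr.write("exec-verify: %s: digest %s, expected %s\n" % (path, actual, expected))
    if policy["action"] == "deny":
        os.close(fd)
        return "deny", -1
    return "allow", fd                  # 'log': report the mismatch, let it run


def run_verified(path, argv, policy):
    """Execute path only if check_exec allows it, through the verified descriptor.
    fexecve on a CLOEXEC descriptor works for ELF binaries but not for #! scripts."""
    decision, fd = check_exec(path, policy)
    if decision != "allow":
        raise PermissionError("exec-verify denied %s" % path)
    os.fexecve(fd, argv, os.environ)


def demo():
    """Constructed sample: one listed file that is later modified, one unlisted
    file. Returns the decision taken in each case under 'deny' and under 'log'."""
    d = tempfile.mkdtemp()
    listed = os.path.join(d, "listed")
    unlisted = os.path.join(d, "unlisted")
    original = b"\x7fELF original contents\n"      # constructed, not a real ELF
    with open(listed, "wb") as f:
        f.write(original)
    with open(unlisted, "wb") as f:
        f.write(b"not under policy\n")
    good = hashlib.sha256(original).hexdigest()
    deny = parse_policy("action=deny\n%s %s\n" % (good, listed))
    log = parse_policy("action=log\n%s %s\n" % (good, listed))
    out = {}

    def decide(name, path, policy):
        decision, fd = check_exec(path, policy)
        if fd >= 0:
            os.close(fd)
        out[name] = decision

    decide("intact_deny", listed, deny)
    decide("unlisted_deny", unlisted, deny)
    with open(listed, "ab") as f:                  # a "rootkit" alters the binary
        f.write(b"trojan\n")
    decide("modified_deny", listed, deny)
    decide("modified_log", listed, log)
    return out


if __name__ == "__main__":
    print(demo())
```

With the deny action the modified file is refused and the unlisted file passes untouched; with the log action the mismatch is reported on stderr and execution proceeds, which is the "sysadmin-definable action" idea from the posting in its weakest form.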
This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 19:04:42 PDT