Re: How to get full pathname from an inode?

From: Valdis.Kletnieksat_private
Date: Thu Jul 24 2003 - 13:23:37 PDT

  • Next message: Jesse Pollard: "Re: How to get full pathname from an inode?"

    On Thu, 24 Jul 2003 13:26:02 EDT, Omen Wild <Omen.Wildat_private>  said:
    
    > Think of it as a kind of runtime TripWire.  I realize there are a bunch
    > of issues dealing with database integrity and kernel integrity, but we
    > are not quite ready to talk about how we have solved those yet.  In a
    > couple weeks we will go public with the project and that part will make
    > sense.
    
    This may not add as much security as you might think.
    
    Let's analyze the basic concept here - you're trying to protect against
    modification of binaries.  Now there's two basic possibilities:
    
    1) There is no channel/hole/backdoor for the attacker to modify the binary
    before use.  In this case, the check is pointless. For example, if the attacker
    can't modify /bin/login, checksumming the binary doesn't matter.
    
    2) The attacker has a way to modify the binary - exploiting some SUID binary, a
    hole in /proc, scribbling a block on /dev/hda, whatever.  The check is then
    somewhat useful for catching modified binaries before use.
    
    However - if the attacker is able to identify that your system is in use, it's
    simple enough to launch the binary and exploit the race condition - you are
    doing a check *at execve() time* - and there's no real guarantee that the pages
    you checksummed are *STILL* the pages that actually get executed...
    
    There's also a rather nasty race condition in the time between when the binary
    itself gets started by exec(), and the runtime loader resolves all the shared
    libraries and you actually get to main().....
    
    
    
    
    

    _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module



    This archive was generated by hypermail 2b30 : Thu Jul 24 2003 - 19:29:23 PDT