Re: [PATCH 2 of 4] ima: related Makefile compile order change and Readme

From: Andi Kleen (ak@private)
Date: Wed May 25 2005 - 09:57:19 PDT

Reiner Sailer <sailer@private> writes:

> +Some of our work shows that IMA is very useful to detect Rootkit
> +exploits that totally take over the software of a Linux system but
> +cannot hide themselves from contributing to the TPM aggregate and this
> +will be detectable from a non-corrupted platform. While the corrupted
> +system might not show the Rootkit, a remote party can securely
> +identify known bad or unknown software having been loaded into the
> +system.

A server has a buffer overflow and gets subverted by injecting code
and running it on the heap or stack. Then the injected
code uses some local memory syscall overflow exploit to patch its own
task_struct to have uid 0. From there it patches itself into /dev/kmem.
I dont see how your code could detect that, but it seems like
a common scenario.


This archive was generated by hypermail 2.1.3 : Wed May 25 2005 - 10:06:03 PDT