[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

How real root kits run. (was: Re: Root Kit Protection)

My thoughts on the matter, for what they're worth...  ("grain of salt",
etc., etc.)

If I were going to write a root-kit, I'd spend half an hour writing a
kernel module that would give up the real file on an open() or fopen(),
and run _my_ special program on execution.  

It would, of course, hide my files in space that I claim is free, and
name itself to the kernel as something innocent-looking, like 'mtrr' or

It's true this proposed program (and tripwire) would show corrupted,
non-hidden root-kits, but there are plenty it wouldn't show.  I think 
this might give a false sense of security to those who should have a 
healthy bit of paranoia -- especially those that think they need this
program.  That's the only downside to developing this program, IMO.

The real solution is a redesign of hardware that we usually use, but
that's offtopic here.

Ken Thompson's Turing Award speech gives some hints as to what's 
possible:  URL: http://www.acm.org/classics/sep95/

						- chad

( Is your system running your kernel?  Why do you think so?  Because
you asked the kernel the uname and the uptime?  Because you asked it 
to open a file for you, so you could checksum it? 

/proc/mind </dev/paranoia


Reply to: