How real root kits run. (was: Re: Root Kit Protection)

To: debian-devel@lists.debian.org
Subject: How real root kits run. (was: Re: Root Kit Protection)
From: Chad Miller <cmiller@optilinkcomm.net>
Date: Thu, 17 Feb 2000 01:02:55 -0500
Message-id: <20000217010255.A20696@optilinkcomm.net>

My thoughts on the matter, for what they're worth...  ("grain of salt",
etc., etc.)

If I were going to write a root-kit, I'd spend half an hour writing a
kernel module that would give up the real file on an open() or fopen(),
and run _my_ special program on execution.  

It would, of course, hide my files in space that I claim is free, and
name itself to the kernel as something innocent-looking, like 'mtrr' or
'apm'.

It's true this proposed program (and tripwire) would show corrupted,
non-hidden root-kits, but there are plenty it wouldn't show.  I think 
this might give a false sense of security to those who should have a 
healthy bit of paranoia -- especially those that think they need this
program.  That's the only downside to developing this program, IMO.

The real solution is a redesign of hardware that we usually use, but
that's offtopic here.

Ken Thompson's Turing Award speech gives some hints as to what's 
possible:  URL: http://www.acm.org/classics/sep95/

						- chad



( Is your system running your kernel?  Why do you think so?  Because
you asked the kernel the uname and the uptime?  Because you asked it 
to open a file for you, so you could checksum it? 

/proc/mind </dev/paranoia

)

Reply to:

Follow-Ups:
- Re: How real root kits run. (was: Re: Root Kit Protection)
  - From: Ethan Benson <erbenson@alaska.net>
- Re: How real root kits run. (was: Re: Root Kit Protection)
  - From: Michael Vogt <mvogt@acm.org>

Prev by Date: Re: ITP: gnome-pilot
Next by Date: Re: /usr/local again
Previous by thread: Re: ITP: locale-th
Next by thread: Re: How real root kits run. (was: Re: Root Kit Protection)
Index(es):
- Date
- Thread