[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Kernel security advice

Quoting campbellm@cia.com.au (campbellm@cia.com.au):

> I like using non-modular kernels to prevent LKMs


  In this paper, we will discuss way of abusing the Linux kernel
  (syscalls mostly) without help of module support or System.map at all,
  so that we assume that the reader will have a clue about what LKM is,
  how a LKM is loaded into kernel etc. If you are not sure, look at some
  documentation (paragraph 6. [1], [2], [3])

  Imagine a scenario of a poor man which needs to change some interesting
  linux syscall and LKM support is not compiled in. Imagine he have got a
  box, he got root but the admin is so paranoid and he (or tripwire) don't
  poor man's patched sshd and that box have not gcc/lib/.h
  needed for compiling of his favourite LKM rootkit. So there are
  some solutions, step by step and as an appendix, a full-featured
  linux-ia32 rootkit, an example/tool, which implements all the techinques
  described here.  [...]

Reply to: