Hi Julien,

Julien Valroff wrote on Sun 23. Mar, 11:52 (+0100):
> On Sunday, 23 March 2008 at 02:02 +0100, Jörg Sommer wrote:
> About your ideas:
>
> > * Use /boot/config-$(uname -r) to verify module support is enabled.
>
> This file could very easily be modified by a hacker - I wouldn't trust
> it.

Yes, if you see it this way. But what about a check that signals a
warning if a module is loaded that wasn't built? Something like:

  list_of_loaded_modules=$(lsmod)
  list_of_build_modules=$(cat /boot/config-2.6.25-rc3)
  if $list_of_loaded_modules \setminus $list_of_build_modules != \emptyset
  then
      warn "Watch out, there's a module in your kernel that I've not built."
  fi

But this test fails with third party modules, e.g. lirc, nvidia, …
Another source of built modules might be the directory /lib/modules. If a
module is loaded and the binary is not available, this sounds remarkable.

> What do you think about using /proc/config.gz instead which is read-only
> and enabled by default in Debian kernel?

I didn't know this. Yes, this might be a more trustworthy source. But it
can get changed by an attacker, too. But I would say all these tests are
useful to tell if there is something uncommon, not that there is no
attacker.

> > * grep in /proc/kallsyms for modules
> >
> > % diff <(grep -o '\[.*\]$' /proc/kallsyms |sort -u | tr -d '[]') \
> >        <(lsmod |sed '1d;s/ .*//' |sort)
>
> I am not sure I understand what this aims at. Can you please explain?

In kallsyms the source of the code is added at the end of the line:

% grep '\[.*\]$' /proc/kallsyms | head -n2
00000000 a nls_iso8859-1.c [nls_iso8859_1]
ea1ea000 t uni2char [nls_iso8859_1]

So, this is a second /proc/modules. Maybe an attacker modifies
/proc/modules, but forgets about kallsyms. Both commands should always
give the same list of modules.

% lsmod |sed '1d;s/ .*//' |sort |md5sum -
790642dc41b3f2e326986596c4da1622 -
% grep -o '\[.*\]$' /proc/kallsyms |sort -u | tr -d '[]' | md5sum -
790642dc41b3f2e326986596c4da1622 -

Cheers,
Jörg.
-- 
Class only looks like arrogance from below.
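As an added example, not code from the thread: the two consistency checks Jörg describes above (lsmod against the "[module]" tags in /proc/kallsyms, and loaded modules against the module objects under /lib/modules) written as POSIX sh functions that read their input from stdin, so they can be exercised on constructed data as well as on a live kernel. The function names, the --live/--demo flags and the sample lsmod/kallsyms lines are my own; the sample data is constructed, not from a real machine.

```shell
#!/bin/sh
# Added example, not code from the thread: the lsmod/kallsyms cross-check
# from the mail plus the "loaded, but no binary under /lib/modules" idea,
# as POSIX sh functions reading stdin so they run on constructed input too.
# Function names, the --live/--demo flags and the sample data are mine.
export LC_ALL=C   # comm(1) needs both lists sorted under one collation

# Constructed sample input (not from a real machine): an lsmod listing with
# an out-of-tree module, and kallsyms lines tagged with a module that the
# lsmod listing does not know about.
SAMPLE_LSMOD='Module                  Size  Used by
nvidia               9000000  30
nls_iso8859_1           8192  1'
SAMPLE_KALLSYMS="$(printf '00000000 a nls_iso8859-1.c\t[nls_iso8859_1]
ea1ea000 t uni2char\t[nls_iso8859_1]
c0100000 T start_kernel
00000000 t hidden_fn\t[rootkit_mod]')"

# Module names as lsmod prints them: skip the header, keep the first column.
modules_from_lsmod() {
    sed '1d;s/ .*//' | sort -u
}

# Module names from /proc/kallsyms: the trailing "[name]" tag. Symbols of
# built-in code carry no tag and are dropped by grep.
modules_from_kallsyms() {
    grep -o '\[[^]]*\]$' | tr -d '[]' | sort -u
}

# Symmetric difference of two sorted name lists ($1 = lsmod list, $2 =
# kallsyms list). Empty output means both views agree; "< name" is known
# to lsmod only, "> name" to kallsyms only.
diff_module_lists() {
    tab=$(printf '\t')
    comm -3 "$1" "$2" | sed "s/^$tab/> /; s/^\([^>]\)/< \1/"
}

# Names from stdin that have no module object below $1 (normally
# /lib/modules/$(uname -r)). lsmod shows '_' where the file may use '-',
# and the file may be compressed (.ko.xz, .ko.zst), so match loosely.
modules_without_binary() {
    tree=$1
    while read -r mod; do
        pattern=$(printf '%s' "$mod" | sed 's/[-_]/[-_]/g')
        if ! find "$tree" -name "$pattern.ko*" 2>/dev/null | head -n 1 | grep -q .; then
            echo "$mod"
        fi
    done
}

# Run the cross-check on the constructed sample data.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LSMOD" | modules_from_lsmod > "$tmp/lsmod"
    printf '%s\n' "$SAMPLE_KALLSYMS" | modules_from_kallsyms > "$tmp/kallsyms"
    diff_module_lists "$tmp/lsmod" "$tmp/kallsyms"
    rm -rf "$tmp"
}

# Run both checks against the running kernel.
live() {
    tmp=$(mktemp -d)
    lsmod | modules_from_lsmod > "$tmp/lsmod"
    modules_from_kallsyms < /proc/kallsyms > "$tmp/kallsyms"
    echo "== lsmod vs kallsyms (empty = consistent) =="
    diff_module_lists "$tmp/lsmod" "$tmp/kallsyms"
    echo "== loaded, but no .ko under /lib/modules/$(uname -r) =="
    modules_without_binary "/lib/modules/$(uname -r)" < "$tmp/lsmod"
    rm -rf "$tmp"
}

case "${1:-}" in
    --live) live ;;
    --demo) demo ;;
esac
```

On the sample data `--demo` prints `< nvidia` and `> rootkit_mod`: the first is only in lsmod (an out-of-tree module that kallsyms of course also lists on a real box; here the sample simply omits it), the second is code tagged with a module name that lsmod does not report, which is exactly the case Jörg has in mind. With kptr_restrict the addresses in /proc/kallsyms read as zeros for unprivileged users, but the "[module]" tags stay, so the comparison still works. As the mail says, agreement between the two lists only tells you nothing uncommon was found; a module that has unlinked itself from both the module list and its symbol table shows up in neither.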