lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 1 May 2008 15:46:52 -0400 From: Yan <rottled@...il.com> To: linux-kernel@...r.kernel.org Subject: Comprehensive list of kernel self-modifications? Hello, I have been working on verifying kernel integrity and am trying to differentiate between vmlinux image on disk and the kernel loaded into memory. I understand that the kernel modifies itself (on x86 at least) during at least a few points: 1. It applies alternative instructions with apply_alternatives() from check_bugs(). The locations of all alternatives are found between __alt_instructions and __alt_instructions__end. 2. It also applies what looks to be relocation. I see the list of reloc addresses at the end of vmlinux image and it appears that relocate_kernel in relocate_kernel.S applies the relocations. I can't tell how it knows where the list of addresses that need relocations is found. Nothing that I found points to that area, and the on- disk data seems to live what gets mapped to as BSS when its running. 3. After manual inspection of all the relocs and alternatives, theres still about 120 bytes different. The data looks like groups of 3bytes+address tuples. Most of this was found via trial and error, so I'm sure there are other cases of self-modification. Can anyone point me to a comprehensive list of everywhere that a kernel can change its own text? Or if anyone knows off the top of their head, that would be helpful too. P.S. Please CC to me as I am not subscribed to the list. Thank you in advance, Yan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists