Date: Sun, 7 Sep 2008 14:53:31 +0200
From: Pavel Machek <pavel@...e.cz>
To: Ingo Molnar <mingo@...e.hu>
Cc: Willy Tarreau <w@....eu>, Benjamin Herrenschmidt <benh@...nel.crashing.org>, pageexec@...email.hu, Andi Kleen <andi@...stfloor.org>, Arjan van de Ven <arjan@...radead.org>, linux-kernel@...r.kernel.org, tglx@...x.de, hpa@...or.com
Subject: Re: [patch] Add basic sanity checks to the syscall execution patch

On Sat 2008-09-06 17:45:51, Ingo Molnar wrote:
>
> * Willy Tarreau <w@....eu> wrote:
>
> > Then they will simply proceed like this :
> >   - patch /boot/vmlinuz
> >   - sync
> >   - crash system
> >
> > => user says "oh crap" and presses the reset button. Patched kernel boots.
> > Game over. Patching vmlinuz for known targeted distros is even easier
> > because the attacker just has to embed binary changes for the most
> > common distro kernels.
>
> a reboot often raises attention. But yes, in terms of end user boxes,
> probably not. Anyway, my points were about transparent rootkits
> installed on a running system without anyone noticing - obviously if the
> attacker can modify the kernel image and the user does not mind a reboot
> it's game over.

Well, install a rootkit in /boot/vmlinuz, sync, then wait for user to
reboot its system? Even well-kept servers are rebooted from time to
time.

I agree -- the only way to win is not to play this game.

--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html