L.S.

Experimenting with a firewall I compiled a monolithic kernel with masquerading and without loadable module support so as to make it impossible to subvert the kernel by a malicious module. But alas, the special masq modules for irc and ftp and so forth are only made and available as modules :( This is handy, especially a modified ftp module that snoops passwords would work for whatever-your-color-of-hat to do his thing. So this brings security but partially has the functionality of a disconnected system. :)

Is there a way to not make them a module but put them into my kernel?

BB, Arjen
-- 
Sell what you use, use what you sell.
At 10:16 31.05.00 +0200, you wrote:

Hi!

> Experimenting with a firewall I compiled a monolithic kernel with masquerading and without loadable module support so as to make it impossible to subvert the kernel by a malicious module.

I wondered about this too, but don't you need root rights in order to load a kernel module?
MfG Matthias
Hans-Bredow-Institut, Heimhuder Str. 21, 20148 Hamburg
Fax: 040 / 450 217 77
http://www.hans-bredow-institut.de
PGP Public Key available
> > Experimenting with a firewall I compiled a monolithic kernel with masquerading and without loadable module support so as to make it impossible to subvert the kernel by a malicious module.
>
> I wondered about this too, but don't you need root rights in order to load a kernel module?

Not always =) Also, once you load a module (like, say, NARK, a kernel-level rootkit for Linux) the sysadmin is f**ked; it's almost impossible to find out you've been taken over, and recovery basically involves shutdown and a reinstall. Getting rid of kernel module support is a good security addition (it helps quite a bit).

> MfG Matthias

-Kurt
It seems that Kurt got a message that I haven't received (yet, though it's about 5 hours now after he sent it).

Kurt Seifried wrote:

> > > Experimenting with a firewall I compiled a monolithic kernel with masquerading and without loadable module support so as to make it impossible to subvert the kernel by a malicious module.
> >
> > I wondered about this too, but don't you need root rights in order to load a kernel module?
>
> Not always =) Also once you load a module (like say NARK, a kernel level
>
> > MfG Matthias
>
> -Kurt

Root rights are obtainable, sadly. (Buffer overflow in a setuid root program.) Or sniffed from a telnet session from a _very_ ignorant sysadmin, etc.

BB, Arjen
-- 
Sell what you use, use what you sell.
> > > Experimenting with a firewall I compiled a monolithic kernel with masquerading and without loadable module support so as to make it impossible to subvert the kernel by a malicious module.
> >
> > I wondered about this too, but don't you need root rights in order to load a kernel module?
>
> Not always =) Also once you load a module (like say NARK, a kernel level rootkit for Linux) the sysadmin is f**ked, it's almost impossible to find you've been taken over and recovery basically involves shutdown and a reinstall. Getting rid of kernel module support is a good security addition (it helps quite a bit).
>
> -Kurt

If I remember correctly, there was something quite a while ago: you could "/sbin/ifconfig xyz" as a normal user, and the kernel would trigger the loading of a module called "xyz.o" (using kerneld at this time). It wasn't really a security issue since the modules must be located under /lib/modules to get autoloaded by modprobe, but it could lead to a DoS in some cases. It was fixed in 2.0.34. The responsible code is practically the same today (see line 348, /usr/src/linux/net/core/dev.c).

Removing loadable module support from the kernel doesn't really improve the security of the host for two reasons:

1) An attacker could easily install a kit'ed kernel and wait for its boot, regardless of whether kmod is configured or not.

2) If you did configure loadable module support into the kernel, an attacker must be root to put the module in place or even load it. If this is the case then goto 1).

With the exception of cryptographic methods ( -> key length), increasing the attack difficulty level (also wrt time expense) doesn't contribute much to security.

Thanks,
Roman.
-- 
Roman Drahtmüller, CC University of Freiburg
email: draht@uni-freiburg.de
"The best way to pay for a lovely moment is to enjoy it." - Richard Bach
Roman Drahtmueller wrote:

> > Experimenting with a firewall I compiled a monolithic kernel with masquerading and without loadable module support so as to make it
>
> Removing loadable module support from the kernel doesn't really improve the security of the host for two reasons:
>
> 1) An attacker could easily install a kit'ed kernel and wait for its boot, regardless of kmod configured or not.

Of course, to be secure (in this case after a break-in) it would not be the only measure taken. Tripwire, for one, takes care of detecting changes to files. This does not work for files that have an unexamined name, like a loadable module that is listed as whoeverreadsthisisastupidsomething. But /etc/lilo.conf and /boot/vmlinuz would be two of them. Also, the kernel would be made on another machine; a compiler would not even be present. And if modprobe is out, how about insmod: does this work from any directory or only /lib/modules?

> 2) If you did configure loadable module support into the kernel, an attacker must be root to put the module in place or even load it. If this is the case then goto 1).

Obtaining root rights is the first goal, keeping them second, and nosing around on the disk and network the third. Installing a DoS slave another. The first line of defense is not getting cracked; the second line is early detection and lessening the damage by hardening the lot.

> With the exception of cryptographical methods ( -> key length), increasing the attack difficulty level (also wrt time expense) doesn't contribute much to security.

I cannot see the reasoning for this statement; to me, increasing the difficulties means that the number of people that have the time, means and motivation to crack my system decreases steeply. Which increases security, or should we say integrity, of the system.

BB, Arjen
-- 
Sell what you use, use what you sell.
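Arjen's point that Tripwire catches changes to known files such as /boot/vmlinuz and /etc/lilo.conf but not a module dropped in under an unexamined name, and Roman's point about a kit'ed kernel waiting for the next boot, are both covered if the baseline snapshots whole directory trees instead of a fixed file list. The following is an added example, not code from the thread or from Tripwire; the directory layout and file contents are constructed, and the real paths from the thread appear only as a default list.

```python
"""Added example, not code from the thread: a Tripwire-style snapshot of the
files named in the thread plus the whole module tree, so a dropped-in module
with an unexamined name shows up as 'added' and a replaced kernel as 'changed'."""
import hashlib
import tempfile
from pathlib import Path

# Paths named in the thread; the demo below uses a constructed tree instead.
LIVE_TARGETS = ["/boot/vmlinuz", "/etc/lilo.conf", "/lib/modules"]

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(targets) -> dict:
    """Map every regular file under the targets to (sha256, mode, size)."""
    baseline = {}
    for target in map(Path, targets):
        files = [target] if target.is_file() else target.rglob("*")
        for f in files:
            if f.is_file():
                st = f.stat()
                baseline[str(f)] = (sha256_of(f), st.st_mode, st.st_size)
    return baseline

def compare(old: dict, new: dict) -> dict:
    """'added' is what a fixed file list misses: a module with an unexpected name."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }

def demo() -> dict:
    """Constructed scenario in a temp dir: kernel replaced, rootkit module dropped."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "boot").mkdir()
        (root / "lib/modules/2.2/ipv4").mkdir(parents=True)
        kernel = root / "boot/vmlinuz"
        kernel.write_bytes(b"original kernel image")  # constructed content
        (root / "lib/modules/2.2/ipv4/ip_masq_ftp.o").write_bytes(b"ftp masq module")
        targets = [kernel, root / "lib/modules"]
        before = snapshot(targets)
        kernel.write_bytes(b"kit'ed kernel, waiting for a reboot")  # Roman's point 1
        (root / "lib/modules/2.2/whoeverreadsthisisastupidsomething.o").write_bytes(b"x")
        return compare(before, snapshot(targets))
```

Run `snapshot(LIVE_TARGETS)` once as root on a clean install, store the result off-host, and compare against a fresh snapshot at each check; the module tree is hashed in full, so the check depends on no file name.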
Participants (4): Arjen Runsink, Kurt Seifried, Matthias Krawen, Roman Drahtmueller