Experimenting with a firewall, I compiled a monolithic kernel with masquerading and without loadable module support so as to make it impossible to subvert the kernel by a malicious module. I wondered about this too, but don't you need root rights in order to load a kernel module?
Not always =) Also once you load a module (like say NARK, a kernel level rootkit for Linux) the sysadmin is f**ked, it's almost impossible to find you've been taken over and recovery basically involves shutdown and a reinstall. Getting rid of kernel module support is a good security addition (it helps quite a bit). -Kurt
If I remember correctly, there was something quite a while ago: you could "/sbin/ifconfig xyz" as a normal user, and the kernel would trigger the loading of a module called "xyz.o" (using kerneld at this time). It wasn't really a security issue, since the modules must be located under /lib/modules to get autoloaded by modprobe, but it could lead to a DoS in some cases. It was fixed in 2.0.34. The responsible code is practically the same today (see line 348, /usr/src/linux/net/core/dev.c).

Removing loadable module support from the kernel doesn't really improve the security of the host, for two reasons:

1) An attacker could easily install a kit'ed kernel and wait for its boot, regardless of whether kmod is configured or not.

2) If you did configure loadable module support into the kernel, an attacker must be root to put the module in place or even load it. If this is the case, then goto 1).

With the exception of cryptographical methods (-> key length), increasing the attack difficulty level (also wrt time expense) doesn't contribute much to security.

Thanks, Roman.

--
Roman Drahtmüller, CC University of Freiburg
email: draht@uni-freiburg.de
"The best way to pay for a lovely moment is to enjoy it." - Richard Bach
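A defender-side check of the module posture Kurt and Roman argue about, added here as an example and not code from either poster: it diffs the kernel's /proc/modules listing against a known-good baseline and reports whether the kernel still accepts module loads at all. It assumes the /proc/modules line format (module name in the first field) and the kernel.modules_disabled sysctl, which post-dates this thread; the sample module names and sizes used below are constructed.

```sh
#!/bin/sh
# Audit a Linux host's kernel-module posture. Both functions take file
# paths so they can be run against the live /proc files or against
# captured copies taken during an investigation.

# unexpected_modules BASELINE MODULES_FILE
#   BASELINE:     one expected module name per line, recorded from a
#                 known-good boot of this host.
#   MODULES_FILE: text in /proc/modules format; only the first field
#                 (the module name) is used.
#   Prints every loaded module that is absent from the baseline, one
#   per line. Empty output means nothing unexpected is resident.
unexpected_modules() {
    baseline="$1"
    modules_file="$2"
    awk -v b="$baseline" '
        FILENAME == b { ok[$1] = 1; next }
        $1 != "" && !($1 in ok) { print $1 }
    ' "$baseline" "$modules_file"
}

# module_loading_locked SYSCTL_FILE
#   SYSCTL_FILE: content of /proc/sys/kernel/modules_disabled.
#   Succeeds (exit 0) only when the value is 1, i.e. the kernel refuses
#   any further module loads for the rest of its uptime, which is the
#   runtime equivalent of building without loadable module support.
module_loading_locked() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# audit_live BASELINE: run both checks against the running kernel.
audit_live() {
    if module_loading_locked /proc/sys/kernel/modules_disabled; then
        echo "module loading: locked (kernel.modules_disabled=1)"
    else
        echo "module loading: still permitted for root"
    fi
    echo "modules not in baseline:"
    unexpected_modules "$1" /proc/modules
}

# Usage: sh audit.sh --live /path/to/baseline
if [ "${1-}" = "--live" ] && [ -n "${2-}" ]; then
    audit_live "$2"
fi
```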