Re: [linux-security] Malicious Linux modules (fwd)

Chel van Gennip (linux@vangennip.nl)
Sat, 11 Oct 1997 16:32:55 +0000 (WET)


Olaf Titz <olaf@bigred.inka.de> wrote:
>> Loading modules lets potentially untrustworthy code into your trusted
>> environment, so the modules need to be checked first. A possible approach
>> is to use code signing so the kernel can check that the code really was
>> compiled by you.
>
>Modules operate on _the same_ trust level as the kernel itself. If a
>hacker can install a malicious module, he can as well install a
>malicious kernel. (I.e. this attack is neither new nor a special Linux
>risk, it just makes patching the kernel easier.)
>
>So it is futile for the kernel to check module integrity - you need a
>_higher_ trust level. "Higher trust level than the kernel" implies
>media the kernel couldn't physically write to after the attack. I.e.
>boot from a floppy and re-install everything from trusted media (CD,
>backup tapes), check file signatures against separately stored media,
>etc.

I think RPM is useful here: RPM is able to verify installed files against
their original checksum/signature. One of the basics of security is
"provability". To improve security these checks on signatures could be
done at regular intervals. All added software should be packed in RPMs
too. A complete security check can be quite time consuming. The test
"check for all files if they belong to a trusted package" can be done
with RPM too, but maybe it is easier to create a separate test for
this one. A medium without modification possibilities (like ROM or CD-ROM)
or a trusted server should be used to store the signatures or a master
signature over the files containing the signatures.

Chel
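Added example, not from the thread: a POSIX shell helper that triages `rpm -Va` output (flagging non-config files whose digest changed, and packaged files that are missing) and lists files in a directory that no installed package owns, which is the "check for all files if they belong to a trusted package" test. It assumes rpm is installed and that rpm and its database come from trusted media as the post requires; the sample verify lines are constructed.

```shell
#!/bin/sh
# rpm -V prints one line per deviating file: a flag string (S size, M mode,
# 5 digest, D device, L link, U user, G group, T mtime, '.' = unchanged),
# an optional attribute letter (c = config file, d = doc, ...), then the
# path. Missing files are printed as "missing <path>".
# A changed digest on a file that is NOT a config file is the strongest
# tampering signal; config files are expected to drift and are skipped.
# Reads verify output on stdin, prints one "reason path" line per suspect.
triage_rpm_verify() {
    awk '
        # a packaged file has been removed
        $1 == "missing" { print "missing  " $NF; next }
        # digest changed and no attribute marker (NF == 2: flags + path)
        index($1, "5") > 0 && NF == 2 { print "modified " $2; next }
        # everything else (config drift, mtime only, ...) is not reported
    '
}

# Walk a directory and print regular files that no package claims.
# rpm -qf exits non-zero for a file not owned by any package.
unowned_files() {
    dir=$1
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        rpm -qf "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
    done
}

# Constructed sample of `rpm -Va` output (not real system output):
SAMPLE='S.5....T.    /usr/bin/ls
S.5....T.  c /etc/passwd
.......T.    /usr/lib/libc.so.6
missing     /bin/login'

printf '%s\n' "$SAMPLE" | triage_rpm_verify
# Real use: rpm -Va | triage_rpm_verify ; unowned_files /usr/bin
```

Only `/usr/bin/ls` (digest changed, not a config file) and the missing `/bin/login` are reported from the sample; the changed config file and the mtime-only change are not.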