Re: System call interposition/unprotecting the table

From: Jan Engelhardt
Date: Tue Aug 14 2007 - 17:10:17 EST



On Aug 14 2007 21:50, Andi Kleen wrote:
>Hajime Inoue <hinoue@xxxxxxxxxxxxxxxx> writes:
>
>> Just protecting the table does not stop rootkits. A highly referenced
>> phrack article explains how to bypass the table.
>
>During .23-pre for some time the kernel text was protected too (that
>would have likely stopped that particular attack), but it was
>removed because it caused too many problems.
>
>Ultimatively it is useless for security anyways because the page
>tables cannot be protected (because there are valid reasons to change
>them).

But with DEBUG_RODATA (does that also apply to .text?) enabled,
accidental writes to it should cause a fault rather than doing silent
changes, would not it?


Jan
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/