Re: super root shell/mode/api

From: Bodo Eggert
Date: Sat May 23 2009 - 09:24:13 EST


On Tue, 19 May 2009, Andrea wrote:

> > If there is a malware with root privileges, this would be of no use. You are
> > 0wned.
> >
> > If there is a malware with user privileges, stopping these processes will
> > be enough.
> >
> > So why bother?
>
> That's exactly the problem: a remote attacker or virus
> can gain root and you are completely powerless. You want
> to save data? The attacker just logs you out before you
> can run any command. You can't even backup or save
> data! You are owned. Yes.
>
> With this super shell/mode/menu, in less than one second you stop
> everything - a global SIGSTOP - and gain control over your machine!

The problem is: you can only do the first step. The second step is prevented by the attacker replacing your super-root shell and the Linux kernel with his specially crafted versions.

That's why you need a hypervisor or a virtual machine to do the job.

> You can save all memory, e.g. for controlling what happened
> or data recovery, sigstop without hurry all processes that seem
> a problem and so on.

You can't, since the attacker modified the "save memory" function to
exclude the malware and all your personal documents - or simply to
not work at all.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
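An added example, not code from this thread or from any kernel patch, showing what the user-space half of the "global SIGSTOP" idea looks like and where its trust boundary is. It reads /proc/<pid>/stat, skips PID 1, kthreadd and its kernel threads (which ignore SIGSTOP anyway), itself and an explicit keep-list, and then signals the rest; the default is a dry run. The process table below is constructed for the example, and the function names are the example's own. Bodo's objection applies unchanged: on a host where root is already lost, this script, /proc and the kernel that serves it can all have been replaced, which is why an out-of-band (hypervisor) vantage point is needed.

```python
#!/usr/bin/env python3
"""Added example: a user-space 'freeze everything' step with a dry-run mode.

Needs root to stop other users' processes. Everything it relies on
(/proc, os.kill, the kernel's signal delivery) lives inside the host it
is trying to rescue, so it is only trustworthy while root is still yours.
"""
import os
import signal
from typing import Dict, Iterable, List, Tuple

Proc = Tuple[int, str, int]  # (pid, comm, ppid)


def parse_proc_stat(stat_line: str) -> Proc:
    """Parse one /proc/<pid>/stat line into (pid, comm, ppid).

    comm may itself contain spaces and parentheses ("tmux: server"),
    so split on the *last* ')' rather than on whitespace.
    """
    lpar = stat_line.index("(")
    rpar = stat_line.rindex(")")
    pid = int(stat_line[:lpar].strip())
    comm = stat_line[lpar + 1:rpar]
    fields = stat_line[rpar + 2:].split()  # fields[0] = state, fields[1] = ppid
    return pid, comm, int(fields[1])


def read_proc_table() -> List[Proc]:
    """Snapshot the live process table from /proc (Linux only)."""
    table: List[Proc] = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/stat") as f:
                table.append(parse_proc_stat(f.read()))
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue  # process exited between listdir() and open()
    return table


def plan_freeze(procs: Iterable[Proc], self_pid: int,
                keep: Iterable[int] = ()) -> List[int]:
    """Return the sorted PIDs a global stop would signal.

    Excluded: PID 1 (stopping init helps nothing and can wedge shutdown),
    kthreadd (PID 2) and its children (kernel threads, immune to SIGSTOP),
    this process, and any PIDs the caller wants to keep running, e.g. the
    shell used to inspect the machine afterwards.
    """
    keep_set = set(keep) | {1, 2, self_pid}
    return sorted(pid for pid, _comm, ppid in procs
                  if pid not in keep_set and ppid != 2)


def signal_all(pids: Iterable[int], sig: int, dry_run: bool = True) -> Dict[int, str]:
    """Send sig (SIGSTOP to freeze, SIGCONT to thaw) to each PID; report per PID."""
    results: Dict[int, str] = {}
    for pid in pids:
        if dry_run:
            results[pid] = "would-signal"
            continue
        try:
            os.kill(pid, sig)
            results[pid] = "signalled"
        except ProcessLookupError:
            results[pid] = "gone"
        except PermissionError:
            results[pid] = "eperm"  # not root, or a protected process
    return results


# Constructed sample of /proc/<pid>/stat contents (truncated after a few
# fields; only pid, comm, state and ppid matter to the parser).
SAMPLE_STAT = [
    "1 (systemd) S 0 1 1 0 -1 4194560",
    "2 (kthreadd) S 0 0 0 0 -1 2129984",
    "15 (kworker/0:1) I 2 0 0 0 -1 69238880",
    "842 (sshd) S 1 842 842 0 -1 4194560",
    "901 (bash) S 842 901 901 34816 901 4194304",
    "950 (tmux: server) S 1 950 950 0 -1 4194560",
    "1203 (python3) S 901 1203 901 34816 1203 4194304",
]


def sample_plan() -> List[int]:
    """Dry-run plan over the constructed table, as if run from the bash at PID 901."""
    return plan_freeze((parse_proc_stat(s) for s in SAMPLE_STAT), self_pid=901)


if __name__ == "__main__":
    # Dry run against the live machine: prints what would be stopped, signals nothing.
    targets = plan_freeze(read_proc_table(), self_pid=os.getpid(), keep=[os.getppid()])
    for pid, status in signal_all(targets, signal.SIGSTOP, dry_run=True).items():
        print(pid, status)
```

Run as root with `dry_run=False` to actually freeze, and re-run with `signal.SIGCONT` to thaw; the keep-list should name the shell you plan to work from, otherwise the stop takes your own session with it. Nothing here can verify that the /proc it reads or the kernel delivering the signals is the one you installed.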