Re: [RFC][PATCH] Randomize kernel base address on boot
From: Olivier Galibert
Date: Fri May 27 2011 - 18:02:01 EST
On Fri, May 27, 2011 at 08:17:24PM +0200, Ingo Molnar wrote:
> - A root exploit will still not give away the location of the
> kernel (assuming module loading has been disabled after bootup),
> so a rootkit cannot be installed 'silently' on the system, into
> RAM only, evading most offline-storage-checking tools.
>
> With static linking this is not possible: reading the kernel image
> as root trivially exposes the kernel's location.
There's something I don't get there. If you managed to escalate your
priviledges enough that you have physical ram access, there's a
billion things you can do to find the kernel, including vector
tracing, pattern matching, looking at the page tables, etc.
What am I missing?
OG.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/