Hi,
I have an embedded Linux project that requires (by standards +
laws) that all code running in the system be verified against prestored
CRCs at a number of stages of execution.... (and they mean all code : both
kernel and userspace) to protect against memory issue and tampering. I
don't wish to debate the merits of these ideas, they are cast in stone,
what I want to know what is the best approach to doing this under Linux?
There is no swap in the system, and all process will be running with
mlockall().
For the kernel I'm going to add a kernel thread that loops over the text
segment verifying integrity.
For userspace I was initially going to use a userspace daemon that reads
via /proc/pid/mem interface and tests the text segments against what I
hope is in there.. but this seems to be a problem as I need to ptrace
attach the process (which starts sending SIGSTOPs around when the process
gets a signal) to get a /proc/pid/mem.
My other option is to implement my own kernel module to do the work, and
have a kernel thread running around.. I'd have to feed it the CRCs and
stuff at the start and let it go...
Could I remove the check that stops other processes reading /proc/pid/mem?
safely enough considering this system runs embedded with very little scope
for outside interference...
Thanks,
Dave.
--
David Airlie, Software Engineer
http://www.skynet.ie/~airlied / [email protected]
pam_smb / Linux DecStation / Linux VAX / ILUG person
On Thu, 2002-12-05 at 01:34, Dave Airlie wrote:
> kernel and userspace) to protect against memory issue and tampering. I
Well it wont protect you from tampering, there isnt really a way to do
that
> For the kernel I'm going to add a kernel thread that loops over the text
> segment verifying integrity.
Kernel module code lives outside that. You also have to make sure you
check the exception handlers area as part of your text.
> For userspace I was initially going to use a userspace daemon that reads
> via /proc/pid/mem interface and tests the text segments against what I
> hope is in there.. but this seems to be a problem as I need to ptrace
> attach the process (which starts sending SIGSTOPs around when the process
> gets a signal) to get a /proc/pid/mem.
You need to stop a process to do the check. You also need to audit its
mappings, check any trampolines on the stack, check any data which is
used for things like syscall numbering etc. Since there are function
pointers all over the place in the data segment it wont help you one
iota against tampering by competent bodies.
> My other option is to implement my own kernel module to do the work, and
> have a kernel thread running around.. I'd have to feed it the CRCs and
> stuff at the start and let it go...
That may be easier since you can then lock the mm, walk and verify it,
then unlock the mm.
>
> Could I remove the check that stops other processes reading /proc/pid/mem?
> safely enough considering this system runs embedded with very little scope
> for outside interference...
You need to be very careful or you may make your box less not more
secure. In addition you have to handle shared memory and memory mapped
i/o mmap spaces, which is another reason you have to lock all users of
that mm or stop them.
Alan
Hi!
> I have an embedded Linux project that requires (by standards +
> laws) that all code running in the system be verified against prestored
> CRCs at a number of stages of execution.... (and they mean all code : both
What kind of ninja mutant machine is that?
--
Pavel
Written on sharp zaurus, because my Velo1 broke. If you have Velo you don't need...