From: Andre Tomt
To: Lennart Sorensen
Cc: Allison, linux-kernel@vger.kernel.org
Subject: Re: Kernel Rootkits
Date: Fri, 15 Apr 2005 21:19:57 +0200
Message-ID: <426013DD.6050905@tomt.net>
In-Reply-To: <20050415183738.GR17865@csclub.uwaterloo.ca>
References: <17d79880504151115744c47bd@mail.gmail.com> <20050415183738.GR17865@csclub.uwaterloo.ca>

Lennart Sorensen wrote:
> Well you could build a monolithic kernel with module loading turned off
> entirely, but that doesn't prevent replacing libc which most programs
> use to make those system calls.

As pointed out elsewhere, modules are not the only way to load kernel
code live. Modules are just a cleaner interface for it. Rootkits capable
of loading their kernel code without involving the module system have
existed for ages.

> Could make the filesystem read-only, that would prevent writing a module
> to load into the kernel, and replacing libc as long as you make it
> impossible to remount the filesystem at all.

Don't hold your breath - code can be inserted without involving actual
files. It just makes things less persistent.

-- 
Cheers,
André Tomt
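An added example, not part of the thread above and not written by any of its participants, that shows the last point in userland terms on a current Linux system: an executable image is staged into an anonymous memfd and run with fexecve(), so nothing is ever written to a filesystem (a read-only mount does not stop it) and the image disappears with the process (the "less persistent" part). It uses memfd_create(2) and fexecve(3), which did not exist in 2005; the memfd name "payload", the RUN_FROM_MEMFD marker variable and the exit code 42 are arbitrary choices of this example. The same block contains the check a defender would run: /proc/<pid>/exe for such a process resolves to "/memfd:<name> (deleted)" instead of a real path. The program stages its own image so it needs no external binary; it requires Linux with /proc mounted and glibc 2.27 or later.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit code the re-launched copy uses to report "I am running from an
 * anonymous memfd". Arbitrary value chosen for this example. */
#define MEMFD_CONFIRMED 42

/* Defender's check: for a process started via fexecve() on a memfd,
 * /proc/self/exe resolves to "/memfd:<name> (deleted)". Returns 1 in that
 * case, 0 if the image comes from a real path, -1 if /proc is unavailable. */
int running_from_memfd(void) {
    char target[256];
    ssize_t n = readlink("/proc/self/exe", target, sizeof target - 1);
    if (n < 0)
        return -1;
    target[n] = '\0';
    return strncmp(target, "/memfd:", 7) == 0;
}

/* Attacker's step: copy an executable image into an anonymous memfd.
 * No file is created on any filesystem, so a read-only mount does not
 * prevent it; the image also vanishes with the process. Returns the fd. */
int stage_into_memfd(const char *image_path) {
    int src = open(image_path, O_RDONLY);
    if (src < 0)
        return -1;
    int mfd = memfd_create("payload", MFD_CLOEXEC); /* name is arbitrary */
    if (mfd < 0) {
        close(src);
        return -1;
    }
    char buf[65536];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        if (write(mfd, buf, (size_t)n) != n) {
            close(src);
            close(mfd);
            return -1;
        }
    }
    close(src);
    return mfd;
}

/* Runs before main() in every instance of this program. In the copy that
 * was launched from the memfd (marked by the RUN_FROM_MEMFD variable) it
 * reports the detection result as its exit status instead of running
 * main() again, which also rules out an endless relaunch loop. */
__attribute__((constructor))
static void memfd_child_hook(void) {
    if (getenv("RUN_FROM_MEMFD") != NULL)
        _exit(running_from_memfd() == 1 ? MEMFD_CONFIRMED : 1);
}

/* Stage our own image (/proc/self/exe) into a memfd, fexecve() it in a
 * child and return the child's exit status. MEMFD_CONFIRMED means the
 * child ran entirely from anonymous memory and the memfd check saw it. */
int relaunch_from_memory(void) {
    int mfd = stage_into_memfd("/proc/self/exe");
    if (mfd < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(mfd);
        return -1;
    }
    if (pid == 0) {
        char *const argv[] = { "memfd-demo", NULL };
        char *const envp[] = { "RUN_FROM_MEMFD=1", NULL };
        fexecve(mfd, argv, envp);
        _exit(127); /* only reached if fexecve() failed */
    }
    close(mfd);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    int rc = relaunch_from_memory();
    printf("child exit status: %d (%s)\n", rc,
           rc == MEMFD_CONFIRMED ? "ran from memfd" : "not confirmed");
    return rc == MEMFD_CONFIRMED ? 0 : 1;
}
```

Build with `gcc -Wall -o memfd-demo memfd-demo.c` and run it; the parent process, started from a real path, gets 0 from running_from_memfd(), while the child launched from the memfd gets 1 and reports it back as exit code 42. The same readlink() on /proc/<pid>/exe, applied across all processes, is the cheap hunt for this class of fileless execution.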