mailing list archives
Re: Announcement: Solaris loadable kernel module backdoor
From: peak () ARGO TROJA MFF CUNI CZ (Pavel Kankovsky)
Date: Wed, 29 Dec 1999 00:57:55 +0100
On Sun, 26 Dec 1999, Ralf-Philipp Weinmann wrote:
However I'd like to point out that you could add call a routine to
compute the MD5 or SHA-1 hash of the data copied with copy_from_user()
in sys_init_module() and reject it if it doesn't match a precomputed
value (which has to be securely stored somewhere in kernel space for
each and every module that the is allowed to be loaded).
A scheme I'd prefer would be to have a trusted signing key in the kernel
and allow the user to write a signed list of modules and their
respective hash values to say /proc/securemodules. This allows for
utmost flexibility and security IMHO.
Rant on. Let's ignore the fact the whole idea this thread is based on is
fundamentaly flawed because cryptography should be used only as the last
resort when all available physical and logical means of protection are
insufficient (or way too expensive). Networks and kernel guts are two
different things. In this particular case, it would be better to start
with modifications guaranteeing the total control over the system is not
offered on a silver plate to any visitor. Rant off (maybe).
It will not work anyway unless the kernel relocates the code itself.
Linux does NOT do it, it is insmod's job to do the relocation before it
uploads the code to the kernel. Therefore there is no way you could use
cryptography to make sure you load the certified modules and nothing
else. At least unless 1. you lobotomize the idea of kernel modules to
make it possible to precompute relocated checksums or 2. bloat the kernel
with insmod's code (on the other hand, we assume it has already been
bloated with all that crypto therefore it probably would not make much
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."