
System calls and rootkits

Posted Sep 13, 2008 8:05 UTC (Sat) by geertj (guest, #4116)
Parent article: System calls and rootkits

> Without some kind of hardware enforcement (e.g. Trusted Platform Module) or locked-down virtualization, Linux is defenseless against attacks that run as root

SELinux is another technique that can protect against attacks that run as root.


System calls and rootkits

Posted Sep 14, 2008 16:35 UTC (Sun) by spender (guest, #23067) [Link] (3 responses)

Yea, it worked great against that exploit I wrote that disabled SELinux.

Sorry, but once you compromise the kernel, SELinux is useless.

-Brad

System calls and rootkits

Posted Sep 22, 2008 11:40 UTC (Mon) by robbe (guest, #16131) [Link] (2 responses)

> that exploit I wrote that disabled SELinux.

URL?

> Sorry, but once you compromise the kernel, SELinux is useless.

Nobody will argue that. Note that your parent post talks about "running as root", not "in the kernel".

System calls and rootkits

Posted Sep 22, 2008 20:49 UTC (Mon) by nix (subscriber, #2304) [Link] (1 responses)

If you're root there are a simply enormous number of ways to compromise the kernel or DoS the box to its knees. Maybe SELinux will eventually be able to plug them all, but it's not there yet.

(I saw one product for Solaris many years ago whose salesman claimed that it protected the box from denials of service under 'all conditions', specifically including conditions requiring physical access. I disproved this bizarre claim in the obvious way: pulling the plug.)

System calls and rootkits

Posted Jul 22, 2010 0:25 UTC (Thu) by petermag (guest, #7550) [Link]

If you have implemented any rootkits, you will know that the best way to do it IS NOT to hook at the syscall level (e.g., because "sys_read" can be used for so many purposes). Instead, it is much better to do it at a lower level (e.g., the VFS layer). But if you can hook the syscall table, then you can also unpatch the patch that Arjan put in to protect the syscall table. And likewise, many other techniques, like making the ".text" region read-execute only, are really a joke, because you can easily undo them if you are a rootkit. E.g., ftrace has to make the region writable momentarily and then switch it back to read-only; exactly the same sequence of steps can be executed by the rootkit kernel module as well. In general, "rootkit" means that the system is already 0wned (or compromised). Comments?


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds