[Asterisk-Dev] Re: digium drivers compiled into kernel (no module)
Michael Sandee
ms at zeelandnet.nl
Wed Jan 5 07:40:59 MST 2005
Hi,
>3) Security - At one stage, it seemed (and maybe still is) all the rage
>for 'hackers' to use kernel modules as part of their r00t kit. This
>kernel module was designed to do various things including hiding their
>processes, the fact the system had been hacked, various netstat type
>details, etc... By not compiling support for modules, the idea was that
>any 'hacker' wouldn't be able to conceal their tracks quite so easily.
>(At the least they would need to reboot to a kernel which included
>module loading ability, which in itself would trigger alarms). It is
>probably possible to directly edit the running in-memory kernel, and
>therefore achieve the same thing, but I assume this is 'harder' than
>insmod my_module.
I agree with the intent of doing this, however, simply not having module
support in the kernel will not prevent rootkits from being loaded. The
most popular one, suckit (which exists in many variations) uses
/dev/kmem for example. Newer (private) incarnations can't simply be
detected by insert_rootkit_detection_toolkit.
However patches exist for hardening the Linux kernel, such as the very
popular Grsecurity [www.grsecurity.net] which prevent loading such
rootkits via /dev/mem or /dev/kmem (if configured to do so at compile
time). Frameworks such as SELinux can also do this, but require you to
use the entire access control system, which is not really flexible for
everyday use (I know I'll probably step on a toe or two).
A part of Grsecurity is PaX, which also has some functions for
protecting the kernel code itself, through non-executable kernel pages
and kernel stack randomisation. (Think about the whole hype around AMD64
NX/EM64T XD and Windows XP, but on steroids, if it doesn't mean anything
to you) This prevents (some) kernel level exploits which are of course
highly critical, because executing code in ring0 is fully privileged.
So, to make a long story short, if used with an additional hardening
environment, no module support in the kernel really decreases the
ability of a full compromise, although you can never be 100% sure.
That's why it might be a good thing... imho.
Sorry for posting all this off-topic info, but I am sure some (most?) of
you might find it useful.
Regards,
Michael
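As an added defender-side example (not from the original message or any project it mentions): a small POSIX shell audit of the two kernel-memory write paths the reply discusses, loadable modules and /dev/kmem. It assumes a Linux host where /dev/kmem is absent when the kernel is built with CONFIG_DEVKMEM=n and where the /proc/sys/kernel/modules_disabled sysctl (Linux 2.6.31 and later) is available; paths are prefixed with a root directory so the checks can also be run against a constructed tree.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two kernel-memory
# write paths the discussion mentions (loadable modules and /dev/kmem).
# Assumes Linux: /proc/sys/kernel/modules_disabled (2.6.31+) and the
# /dev/kmem node (absent when the kernel is built with CONFIG_DEVKMEM=n).
# ROOT is prefixed to every path so the checks can be run against a
# constructed tree; use "" (or /) for the live system.

# audit_kernel_hardening ROOT
# Prints one finding per line; returns the number of weaknesses found.
audit_kernel_hardening() {
    root=${1:-}
    weak=0

    # Direct kernel-memory access path: /dev/kmem
    if [ -e "$root/dev/kmem" ]; then
        echo "WEAK: /dev/kmem present (kernel memory reachable without modules)"
        weak=$((weak + 1))
    else
        echo "OK: no /dev/kmem device node"
    fi

    # Loadable-module path: /proc/modules exists only on module-capable kernels
    if [ -e "$root/proc/modules" ]; then
        md=$(cat "$root/proc/sys/kernel/modules_disabled" 2>/dev/null || echo "")
        if [ "$md" = "1" ]; then
            echo "OK: module loading locked with modules_disabled=1"
        else
            echo "WEAK: module loading enabled (modules_disabled is not 1)"
            weak=$((weak + 1))
        fi
    else
        echo "OK: kernel built without loadable module support"
    fi
    return "$weak"
}

# Usage on the live system (exit status is the weakness count):
# audit_kernel_hardening ""; exit $?
```

A kernel without module support still scores as weak here when /dev/kmem exists, which is exactly the point the reply makes.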