Date: Mon, 25 May 1998 11:18:27 -0400 (EDT)
From: woods@zeus.leitch.com (Greg A. Woods)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
Message-ID: <199805251518.LAA05684@brain.zeus.leitch.com>
In-Reply-To: Nicholas Charles Brawn's message of "Fri, May 22, 1998 10:02:46 +1000" regarding "Re: Virus on FreeBSD" id <Pine.SOL.3.96.980522100017.17145A-100000@banshee.cs.uow.edu.au>
References: <199805211431.KAA17444@brain.zeus.leitch.com> <Pine.SOL.3.96.980522100017.17145A-100000@banshee.cs.uow.edu.au>
[ On Fri, May 22, 1998 at 10:02:46 (+1000), Nicholas Charles Brawn wrote: ]
> Subject: Re: Virus on FreeBSD
>
> > I'd love to have a "virus" scanner that could detect the signature of a
> > LKM module or the LKM loader in a kernel.  Of course by "signature" here
> > I mean something that would recognize the style of code necessary to
> > perform this operation, not the specific sequence of bits in any given
> > implementation.
>
> You may have a point here.  Is there any way you could "sign" a module to
> ensure its authenticity?  And on top of that build in an automatic
> authentication system within the kernel that rejects LKMs that are not
> signed?  Perhaps this could be included so as to be performed at one of the
> securelevels?

I meant that the other way around.

I don't think I'd trust such signatures.  If the system has been cracked
enough that someone is trying to load some untrusted module, then how can
I trust the signature, no matter where I retrieve it from?

I meant some way to detect the pattern of code in the *kernel* that is
necessary to implement a module loader.  I don't have my hopes up, of
course, as this is indeed a very simple operation and not a whole lot
different than any number of other operations an OS performs.

Detecting the pattern of code of a loadable module in files might be a
good thing too, as you could then scan for hidden instances of such
modules.  Of course any cracker worth their salt would at least obscure
the contents of the file with some trivial "encryption" mechanism....  :-)

-- 
Greg A. Woods

+1 416 443-1734      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199805251518.LAA05684>
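The last two paragraphs of the message above describe two things a practitioner might want to see concretely: a scanner that looks for "the pattern of a loadable module" in files, and the trivial "encryption" a cracker would use to hide one from it. The following is an added example written for this page, not code from the thread or from FreeBSD. It assumes a module is recognised by the ELF magic plus a module-entry symbol name (the names in MODULE_MARKERS are stand-ins, not the exact symbols a 1998 FreeBSD LKM exported), and that the obfuscation is a single-byte XOR, the simplest scheme a loader can undo in place and the simplest a scanner can brute-force. All sample file contents are constructed inline.

```python
"""Added example (not from the thread or from FreeBSD): a naive signature
scanner for loadable-module-like files, the single-byte XOR "encryption"
that hides a module from it, and the brute-force recovery that undoes it.

Assumptions, all constructed for illustration:
  - a module file is recognised by the ELF magic plus one of the symbol
    names in MODULE_MARKERS; those names are stand-ins, not the exact
    symbols a 1998 FreeBSD LKM exported;
  - the attacker's obfuscation is a single-byte XOR.
"""
from typing import Dict, Optional

ELF_MAGIC = b"\x7fELF"

# Stand-in entry-symbol names; a real scanner would take these from the
# module ABI it targets (assumption, see module docstring).
MODULE_MARKERS = (b"lkmentry", b"lkm_table", b"modload")


def build_sample_module() -> bytes:
    """Construct a fake module image: ELF magic, header padding, filler
    standing in for .text, and a string table carrying an entry symbol.
    Constructed test input only; it is not a valid ELF object."""
    header = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8
    code = bytes(range(0x40, 0x80))
    strtab = b"\x00".join([b"", b"lkmentry", b"_start", b"printf"]) + b"\x00"
    return header + code + strtab


def looks_like_module(blob: bytes) -> bool:
    """Naive signature check: ELF magic at offset 0 and at least one
    module-entry symbol name anywhere in the file."""
    return blob.startswith(ELF_MAGIC) and any(m in blob for m in MODULE_MARKERS)


def xor_obfuscate(blob: bytes, key: int) -> bytes:
    """The cracker's trivial 'encryption': XOR every byte with one key.
    XOR is its own inverse, so the same call with the same key decodes."""
    return bytes(b ^ key for b in blob)


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys and return the first one under which the
    file looks like a module; key 0 means it was never obfuscated, None
    means no single-byte key reveals a module."""
    for key in range(256):
        if looks_like_module(xor_obfuscate(blob, key)):
            return key
    return None


def classify(files: Dict[str, bytes]) -> Dict[str, str]:
    """Scan a name->content map and report how each file was (or was not)
    detected: 'plain', 'xor:<key>' or 'clean'."""
    verdicts = {}
    for name, blob in files.items():
        key = recover_xor_key(blob)
        if key is None:
            verdicts[name] = "clean"
        elif key == 0:
            verdicts[name] = "plain"
        else:
            verdicts[name] = f"xor:{key:#04x}"
    return verdicts


if __name__ == "__main__":
    module = build_sample_module()
    # Constructed file set: a plain module, an innocent file, and the same
    # module hidden with key 0x5A the way a cracker might stash it.
    samples = {
        "/tmp/.x/rootkit.o": module,
        "/tmp/.x/notes.txt": b"nothing to see here\n" * 4,
        "/tmp/.x/cache.dat": xor_obfuscate(module, 0x5A),
    }
    for name, verdict in classify(samples).items():
        print(f"{name}: {verdict}")
```

The plain signature check fails on the XOR'd copy exactly as the message predicts; the brute-force pass recovers it only because the key space is 256 values and the plaintext has a fixed, known prefix. A multi-byte key, a real cipher, or a module that is only assembled in memory at load time needs a different approach (entropy heuristics, or inspecting the running kernel rather than files), which is the harder problem the message is really pointing at.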