Date:      Thu, 21 May 1998 10:31:08 -0400 (EDT)
From:      woods@zeus.leitch.com (Greg A. Woods)
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Virus on FreeBSD
Message-ID:  <199805211431.KAA17444@brain.zeus.leitch.com>
In-Reply-To: Mark Newton's message of "Thu, May 21, 1998 11:19:29 +0930" regarding "Re: Virus on FreeBSD" id <199805210149.LAA25157@frenzy.ct>
References:  <199805210018.RAA04596@passer.osg.gov.bc.ca> <199805210149.LAA25157@frenzy.ct>

[ On Thu, May 21, 1998 at 11:19:29 (+0930), Mark Newton wrote: ]
> Subject: Re: Virus on FreeBSD
>
> LKMs open vast new vistas of potential for viruses, btw.  I attended a
> series of seminars given by Kirk some number of years ago, where he
> said the decision to avoid expending development time on LKMs for 4.4BSD
> was partly motivated by the security concerns raised by the ability to 
> move executable code from user-space (i.e.: the filesystem) into the 
> kernel.  Mitnick's SunOS "tap" streams module is but one example :-)

A "published" LKM that can do the most nasty things was in the Phrack
newsletter issue #51.

Anyone who's read that article and has even the tiniest amount of
imagination would *NEVER* run LKMs on a production machine.  Sure
they're a great tool for doing OS development and experimentation at the
lowest levels, but they're more dangerous in a production environment
than not even having a root password in the first place (at least with
the latter you *know* your security is blown).

(And that's just one reason never to run SunOS-5 in production! ;-)

I'd love to have a "virus" scanner that could detect the signature of a
LKM module or the LKM loader in a kernel.  Of course by "signature" here
I mean something that would recognize the style of code necessary to
perform this operation, not the specific sequence of bits in any given
implementation.

-- 
							Greg A. Woods

+1 416 443-1734      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
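Greg's wish for a scanner that notices a loaded LKM can be approximated, on the defender's side, by a baseline check of what the kernel currently has loaded. The script below is an added example and is not part of the original message or of FreeBSD; it assumes the column layout of FreeBSD's `kldstat` output (Id, Refs, Address, Size, Name), uses a constructed sample of that output with a hypothetical module name (`if_foo_example.ko`) standing in for something unexpected, and treats the `kern.securelevel` sysctl (module loading is refused at securelevel 1 or higher) as the mitigation that backs the check.

```python
"""Baseline check of loaded kernel modules (added example, not from the list post).

Parses kldstat-style output (assumed columns: Id Refs Address Size Name),
reports modules absent from a known-good baseline, and reports whether the
host's securelevel still permits loading further modules.
"""
import re
import subprocess
from typing import Dict, List, Set

# Constructed sample of kldstat output. "if_foo_example.ko" is a hypothetical
# name standing in for a module that is not in the baseline.
SAMPLE_KLDSTAT = """\
Id Refs Address                Size Name
 1   22 0xffffffff80200000  1f11f28 kernel
 2    1 0xffffffff82112000     3220 intpm.ko
 3    1 0xffffffff82116000     2178 smbus.ko
 4    1 0xffffffff82119000     3a60 if_foo_example.ko
"""

# Known-good baseline; in practice recorded from a freshly built host.
BASELINE: Set[str] = {"kernel", "intpm.ko", "smbus.ko"}

# One data line: id, refs, hex address, hex size (no 0x prefix), name.
LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(\S+)\s*$"
)


def parse_kldstat(text: str) -> List[Dict[str, object]]:
    """Turn kldstat output into a list of module records."""
    modules: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("Id"):
            continue  # blank line or column header
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised kldstat line: {line!r}")
        mid, refs, addr, size, name = m.groups()
        modules.append(
            {
                "id": int(mid),
                "refs": int(refs),
                "address": addr,
                "size": int(size, 16),
                "name": name,
            }
        )
    return modules


def unexpected_modules(modules: List[Dict[str, object]], baseline: Set[str]) -> List[str]:
    """Names of loaded modules that the baseline does not account for."""
    return sorted(str(m["name"]) for m in modules if m["name"] not in baseline)


def securelevel_blocks_loading(securelevel: int) -> bool:
    """At kern.securelevel >= 1 the kernel refuses to load or unload modules."""
    return securelevel >= 1


def check(kldstat_text: str, baseline: Set[str], securelevel: int) -> Dict[str, object]:
    """Combine both observations into one report."""
    extra = unexpected_modules(parse_kldstat(kldstat_text), baseline)
    return {
        "unexpected": extra,
        "loading_blocked": securelevel_blocks_loading(securelevel),
        "ok": not extra and securelevel_blocks_loading(securelevel),
    }


def live_check(baseline: Set[str]) -> Dict[str, object]:
    """Run against the local host; only meaningful on FreeBSD."""
    text = subprocess.run(["kldstat"], capture_output=True, text=True, check=True).stdout
    level = subprocess.run(
        ["sysctl", "-n", "kern.securelevel"], capture_output=True, text=True, check=True
    ).stdout
    return check(text, baseline, int(level.strip()))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample at securelevel 0.
    print(check(SAMPLE_KLDSTAT, BASELINE, securelevel=0))
```

On the constructed sample the report lists `if_foo_example.ko` as unexpected and notes that securelevel 0 still allows further loads, so `ok` is false. A name-based baseline is deliberately the weakest form of what Greg describes; it catches a module that registers itself honestly, which is the point of comparing against a recorded baseline rather than trusting a fixed signature.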