Re: [linux-security] Malicious Linux modules (fwd)
At 05:04 PM 10/9/97 +0200, Ira Abramov wrote:
>
>int init_module(void)
>{
> original_getdents = sys_call_table[SYS_getdents];
> sys_call_table[SYS_getdents] = hacked_getdents;
>
> original_kill = sys_call_table[SYS_kill];
> sys_call_table[SYS_kill] = hacked_kill;
>
> original_read = sys_call_table[SYS_read];
> sys_call_table[SYS_read] = hacked_read;
>
> original_query_module = sys_call_table[SYS_query_module];
> sys_call_table[SYS_query_module] = hacked_query_module;
>
> return(0);
>}
>
Well, judging by this code portion, the easiest way to eliminate the
possibility of such abusive behaviour is to modify the kernel so it will not
use sys_call_table at all. I.e: when the kernel receives a signal it is
forwarded to the corresponding handler by using a switch() statement,
rather than an array of pointers to function. That way, it will be
impossible to alter the handlers, at least with such ease.
I'm not an expert at the Linux kernel architecture, so don't flame me if
this idea cannot be implemented for some reason.
Shlomi Fish
-----------------------------------------------------------------------------
Shlomi Fish Smart Link Ltd.
Home E-mail: shlomif@ibm.net Work E-mail: shlomi@slink.co.il
Home Page: http://www.slink.co.il/~shlomi
"If I had not been insane already, I would have long ago driven myself mad."
The Enemy and how I Helped to Fight it.
-----------------------------------------------------------------------------
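
A user-space model of the two dispatch styles compared in this message, added here as an example; it is not code from the post or from the Linux kernel. The handler names, call numbers and the `check_table` baseline comparison are constructed for illustration.

```c
/* User-space model only: handlers and call numbers are constructed, not kernel code. */
#include <stdio.h>

enum { NR_GETDENTS, NR_KILL, NR_READ, NR_COUNT };      /* constructed call numbers */
typedef long (*handler_t)(long);

static long do_getdents(long a)   { return a + 100; }
static long do_kill(long a)       { return a + 200; }
static long do_read(long a)       { return a + 300; }
static long replaced_read(long a) { (void)a; return -1; } /* stands in for a swapped handler */

/* Table dispatch: the call targets live in writable data. */
static handler_t call_table[NR_COUNT] = { do_getdents, do_kill, do_read };
/* Known-good copy, kept const, for the integrity check below. */
static const handler_t baseline[NR_COUNT] = { do_getdents, do_kill, do_read };

long dispatch_table(int nr, long arg) {
    if (nr < 0 || nr >= NR_COUNT) return -38;          /* -ENOSYS on Linux */
    return call_table[nr](arg);
}

/* Switch dispatch: the call targets are fixed in the compiled code. */
long dispatch_switch(int nr, long arg) {
    switch (nr) {
    case NR_GETDENTS: return do_getdents(arg);
    case NR_KILL:     return do_kill(arg);
    case NR_READ:     return do_read(arg);
    default:          return -38;
    }
}

/* Detection: bitmask of table entries that no longer match the baseline. */
unsigned check_table(void) {
    unsigned mask = 0;
    for (int i = 0; i < NR_COUNT; i++)
        if (call_table[i] != baseline[i]) mask |= 1u << i;
    return mask;
}

/* Models a changed table entry so the two dispatch paths can be compared. */
void simulate_overwrite(void) { call_table[NR_READ] = replaced_read; }

int main(void) {
    simulate_overwrite();
    printf("table: %ld  switch: %ld  changed-mask: 0x%x\n",
           dispatch_table(NR_READ, 1), dispatch_switch(NR_READ, 1), check_table());
    return 0;
}
```

The switch removes the writable pointer only; it does not by itself stop code running with kernel privileges from changing the handlers some other way, which is why the baseline comparison is included.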