Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: yes, its t0rn again

From: Aaron <aaron () DARKLANDS ORG>
Date: Sat, 6 Jan 2001 01:17:59 -0800
On 01.01.04 at 14:29, Helmut Springer wrote:

[...]
# if you're playing rough you won't have modules support in the kernel
# (as long as you can't make sure modules can't be tampered) and a
# read only boot media checking the system from a read only core
# system on startup.
#
# yes, that somewhat makes system maintenance a pain.  the price to
# pay.

Not only could removing module support make system maintenance a pain, but
it isn't sufficient to stop the kernel from being modified after startup.
Silvio Cesare wrote a paper in Nov '98 that discusses how to do this
via direct writes to /dev/*mem:

  Runtime Kernel kmem Patching
  http://www.big.net.au/~silvio/runtime-kernel-kmem-patching.txt


Aaron
Previous By Date Next
Previous By Thread Next

Current thread: