Re: System call interposition/unprotecting the table

From: Jan Engelhardt
Date: Tue Aug 14 2007 - 17:10:17 EST

Next message: William Cattey: "Re: vm86.c audit_syscall_exit() call trashes registers"
Previous message: Lee Schermerhorn: "Re: Regression in 2.6.23-rc2-mm2, mounting cpusets causes a hang"
In reply to: Andi Kleen: "Re: System call interposition/unprotecting the table"
Next in thread: Alan Cox: "Re: System call interposition/unprotecting the table"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Aug 14 2007 21:50, Andi Kleen wrote:
>Hajime Inoue <hinoue@xxxxxxxxxxxxxxxx> writes:
>
>> Just protecting the table does not stop rootkits. A highly referenced
>> phrack article explains how to bypass the table.
>
>During .23-pre for some time the kernel text was protected too (that
>would have likely stopped that particular attack), but it was
>removed because it caused too many problems.
>
>Ultimatively it is useless for security anyways because the page
>tables cannot be protected (because there are valid reasons to change
>them).

But with DEBUG_RODATA (does that also apply to .text?) enabled,
accidental writes to it should cause a fault rather than doing silent
changes, would not it?

Jan
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: William Cattey: "Re: vm86.c audit_syscall_exit() call trashes registers"
Previous message: Lee Schermerhorn: "Re: Regression in 2.6.23-rc2-mm2, mounting cpusets causes a hang"
In reply to: Andi Kleen: "Re: System call interposition/unprotecting the table"
Next in thread: Alan Cox: "Re: System call interposition/unprotecting the table"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]