Re: super root shell/mode/api

[Bodo Eggert]

On Tue, 19 May 2009, Andrea wrote:

> > If there is a malware with root privileges, this would be of no use. You are
> > 0wned.
> >
> > If there is a malware with user privileges, stopping these processes will
> > be enough.
> >
> > So why bother?
>
> That's exactly the problem a remote attacker or virus
> can gain root and you are completely powerless. You want
> to save data? The attacker just logs you out before you
> can run any command. You can't even backup or save
> data! You are owned. Yes.
>
> With this super shell/mode/menu in less then one second, you stop
> everything - a global SIGSTP - and gain control over your machine!

The problem is: You can only do the first step. The second step is 
prevented by the attacker replacing your super-root shell and the linux 
kernel with his specially crafted versions.

That's why you need a hypervisor or a virtual machine to do the job.

> You can save all memory, e.g. for controlling what happened
> or data recovery, sigstop without hurry all processes that seems
> a problem and so on.

You can't, since the attacker modified the "save memory" function to
exclude the malware and all your personal documents - or simply to
not work at all.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/