[ale] Monolithic vs Modularised Kernels

Chris Ricker kaboom at gatech.edu
Wed Jul 9 13:49:27 EDT 2003


On Wed, 9 Jul 2003, Jason Day wrote:

> On Wed, Jul 09, 2003 at 10:34:40AM -0400, John Wells wrote:
> > Hmmm...to load modules into the kernel, you have to be root.  So, if a
> > 1337 h4X0r is able to load a module, you're probably already pretty
> > screwed.
> > 
> > Or am I missing something?
> 
> Yes.  If an attacker can load a custom kernel module, and if he's good
> enough, he can make it much harder for you to realize you've been owned.
> A kernel module can prevent things like netstat or even ls from finding
> an installed rootkit.

Right, but even if you disable module support in the kernel, it's still
possible to get the equivalent functionality of loading an LKM simply by
directly accessing /dev/kmem and friends. Not only that, but there are r00t
kits circulating to do exactly this, for the same sorts of process hiding
and similar functionality that r00t kits used to load heroin, knark, and
similar LKMs for. Disabling LKMs simply makes life more inconvenient for the
admins, without significantly increasing security.

There are performance advantages both ways for using / not using LKMs. You
get the performance benefit of being able to unload LKMs you don't need (not
using your floppy? Get 70k or so of non-swappable kernel memory back by
unloading it). On the other hand, modules also sometimes use more memory
than non-modular versions, so if it's a module you always need, you might
save a little memory by compiling it in monolithically.

later,
chris
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
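Chris's point is that turning off CONFIG_MODULES closes one door into kernel memory while /dev/kmem (and, for physical memory, /dev/mem) stays open. The script below is an added example, not part of the original message or anything from the ALE list, that audits a host for exactly those paths: whether the kernel supports loadable modules at all (/proc/modules), whether the one-way kernel.modules_disabled sysctl that later kernels added has been set, and whether /dev/kmem and /dev/mem device nodes exist. The names KernelWriteSurface, audit, findings and scenario are my own; scenario() builds a constructed fake root under a temporary directory so the demo runs offline, while audit("/") inspects the real host. Caveat for anyone reading this long after 2003: /dev/kmem was removed from mainline Linux in 5.13, and CONFIG_STRICT_DEVMEM limits what /dev/mem can reach, so a clean report from this check on a current kernel says nothing about other routes such as kexec or hardware DMA.

```python
"""Audit the kernel-memory write paths discussed in the thread:
loadable modules, /dev/kmem and /dev/mem.  Example code written for
this archive page; not from the original poster or the ALE list."""
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class KernelWriteSurface:
    modules_supported: bool   # /proc/modules exists, i.e. CONFIG_MODULES=y
    modules_disabled: bool    # sysctl kernel.modules_disabled == 1 (one-way lockout)
    dev_kmem: bool            # /dev/kmem node present (kernel virtual memory)
    dev_mem: bool             # /dev/mem node present (physical memory)


def _sysctl_int(path, default=0):
    """Read an integer sysctl file; missing or unreadable means 'default'."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def audit(root="/"):
    """Inspect a root filesystem (the live host when root="/", or a fake
    tree for testing) and report which kernel-memory write paths exist."""
    def p(*parts):
        return os.path.join(root, *parts)

    return KernelWriteSurface(
        modules_supported=os.path.exists(p("proc", "modules")),
        modules_disabled=_sysctl_int(p("proc", "sys", "kernel", "modules_disabled")) == 1,
        dev_kmem=os.path.exists(p("dev", "kmem")),
        dev_mem=os.path.exists(p("dev", "mem")),
    )


def findings(s):
    """Turn the raw state into the conclusion the thread argues about."""
    out = []
    if not s.modules_supported:
        out.append("kernel built without loadable-module support")
    elif s.modules_disabled:
        out.append("module loading locked out (kernel.modules_disabled=1)")
    else:
        out.append("module loading enabled: root can insert an LKM")
    if s.dev_kmem:
        out.append("/dev/kmem present: kernel memory writable without an LKM")
    if s.dev_mem:
        out.append("/dev/mem present: physical memory reachable unless "
                   "CONFIG_STRICT_DEVMEM restricts it")
    if not (s.dev_kmem or s.dev_mem) and (not s.modules_supported or s.modules_disabled):
        out.append("none of these three direct kernel-memory write paths exposed")
    return out


def scenario(modules=True, disabled=False, kmem=True, mem=True):
    """Build a constructed fake root (not a real host) in the requested
    state and audit it; used by the demo and the offline test."""
    root = tempfile.mkdtemp(prefix="kmem-audit-")
    if modules:
        os.makedirs(os.path.join(root, "proc", "sys", "kernel"))
        open(os.path.join(root, "proc", "modules"), "w").close()
        with open(os.path.join(root, "proc", "sys", "kernel", "modules_disabled"), "w") as fh:
            fh.write("1\n" if disabled else "0\n")
    os.makedirs(os.path.join(root, "dev"))
    for name, present in (("kmem", kmem), ("mem", mem)):
        if present:
            open(os.path.join(root, "dev", name), "w").close()  # stand-in for the device node
    return audit(root)


if __name__ == "__main__":
    cases = [
        ("2003-style box, modules enabled", scenario()),
        ("CONFIG_MODULES=n but /dev/kmem still there", scenario(modules=False)),
        ("modules locked out, /dev/kmem and /dev/mem absent",
         scenario(disabled=True, kmem=False, mem=False)),
    ]
    for label, state in cases:
        print(label)
        for line in findings(state):
            print("  -", line)
```

The second constructed case is the one Chris describes: no module support, yet /dev/kmem is still sitting there, so the audit still flags a kernel-memory write path. Run audit("/") as root on a real machine to see which of the three the running kernel actually exposes.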