A new paper was presented in late March about using /dev/mem to inject and hide a rootkit (PDF), and the method has been getting some press, leading to a little concern. The first thing that you should understand is that this class of attack has been used before. We know how to protect against it.
If you read the paper, you'll find out two things:
- We need a way to write to /dev/mem as a regular user, and
- There's a kernel config which protects against this mechanism.
The kernel config also shows "CONFIG_STRICT_DEVMEM=y", meaning that this kind of attack would not work even if we could write to /dev/mem.
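The two conditions above are easy to verify on a host: is CONFIG_STRICT_DEVMEM set in the running kernel's config, and is /dev/mem writable by anyone other than root? The script below is an added example written for this post, not code from the paper or from the kernel tree. It takes the config file and device node as arguments (so on a real system you would pass /boot/config-$(uname -r), or a decompressed /proc/config.gz, and /dev/mem) and the demo at the bottom runs it against constructed sample files so it works offline. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two /dev/mem
# protections the post relies on. Paths are parameters so the checks can be
# pointed at a real kernel config and /dev/mem, or at sample files.

# strict_devmem_enabled CONFIG_FILE
# Returns 0 if CONFIG_STRICT_DEVMEM=y is present in CONFIG_FILE, 1 otherwise.
# Kernel configs spell a disabled option as "# CONFIG_X is not set", which the
# anchored pattern deliberately does not match.
strict_devmem_enabled() {
    grep -q '^CONFIG_STRICT_DEVMEM=y$' "$1"
}

# devnode_world_writable PATH
# Returns 0 if the "other" write bit is set on PATH, 1 if it is not.
# The 9th character of `ls -ld` output is that bit ('w' or '-').
devnode_world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# audit_devmem CONFIG_FILE DEVNODE
# Returns 0 when both protections hold (STRICT_DEVMEM on, node not
# world-writable), 1 when either is missing. Prints a one-line verdict each.
audit_devmem() {
    ok=0
    if strict_devmem_enabled "$1"; then
        echo "$1: CONFIG_STRICT_DEVMEM=y (userland writes to RAM via /dev/mem are refused)"
    else
        echo "$1: CONFIG_STRICT_DEVMEM not enabled"; ok=1
    fi
    if devnode_world_writable "$2"; then
        echo "$2: world-writable, any user could open it for writing"; ok=1
    else
        echo "$2: not world-writable"
    fi
    return "$ok"
}

# demo: constructed sample config files and device stand-ins (hypothetical
# contents, not copied from any real kernel) so the audit runs offline.
demo() {
    tmp=$(mktemp -d)
    printf 'CONFIG_DEVMEM=y\nCONFIG_STRICT_DEVMEM=y\n' > "$tmp/config-hardened"
    printf 'CONFIG_DEVMEM=y\n# CONFIG_STRICT_DEVMEM is not set\n' > "$tmp/config-weak"
    : > "$tmp/mem-rootonly"; chmod 600 "$tmp/mem-rootonly"
    : > "$tmp/mem-open";     chmod 666 "$tmp/mem-open"

    audit_devmem "$tmp/config-hardened" "$tmp/mem-rootonly" && echo "verdict: hardened"
    audit_devmem "$tmp/config-weak" "$tmp/mem-open" || echo "verdict: exposed"
    rm -rf "$tmp"
}

demo
```

On a live host, run `audit_devmem /boot/config-$(uname -r) /dev/mem` (or `zcat /proc/config.gz > /tmp/cfg` first if your distribution exposes the config that way). Note that CONFIG_STRICT_DEVMEM only blocks userland access to system RAM through /dev/mem; the device node still exists, so keeping its permissions root-only remains the first line of defence.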
In short, there's nothing for you to worry about.