A new paper was presented in late March
about using /dev/mem to inject and hide a rootkit (PDF), and the method has been
getting some press, leading to a
little concern. The first thing that you should understand is that this class of attack
has been used before. We know how to protect against it.
If you read the paper, you'll find out two things:
- We need a way to write to /dev/mem as a regular user, and
- There's a kernel config which protects against this mechanism.
For Ubuntu Jaunty, the permissions on /dev/mem are read-write by root and read by the kmem group. We can't write to /dev/mem without having root access, and there are many other ways to get a rootkit in undetected if we have that level of auth.
The kernel config also shows "CONFIG_STRICT_DEVMEM=y" -- meaning that this kind of attack wouldn't work
even if we could write to /dev/mem.
In short, there's nothing for you to worry about.
Image via Wikipedia![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_un-9CBlA2jd3rqPDWSF701HO8U_Xs8C5WIvGAyDSAVPhKtr0kLgKnkGa2_5ORSzSvOlu0ELIakoT7JOYUGvFY0K6z_ijjSAak3V1B89fIpTE_lQVkAsKpyCX4B8nayK8NnB-bGDqQw-0NDjvp9wZ4=s0-d)
No comments:
Post a Comment