[Linux-aus] Stand up for Linux. Stop Microsoft killing Desktop Linux.
Adam Nielsen
a.nielsen at shikadi.net
Sat Sep 24 10:39:45 EST 2011
> Having root not be able to damage the system doesn't seem plausible unless you
> define root to be something very different to the "do anything anywhere"
> definition that usually applies.
>
> Modifying the kernel and dynamic loader to not support unsigned binaries is
> possible. But then you have to deal with all manner of interpreters. It
> might be possible to have a usable system where Perl doesn't execute arbitrary
> code (execution of code on stdin being disabled and signature checks on files
> on disk). But it doesn't seem possible to do that with /bin/sh.
This is going to go a little off topic, but I'm not so worried about
preventing root from doing bad things, I'm more interested in preventing root
from doing something that makes disinfection difficult. The rootkit in
question replaced /bin/ls and a bunch of other system commands with
compromised versions, so that running one of those files would immediately
reinstall the whole rootkit.
Now granted I haven't thought this through in every minor detail, but if there
were signatures being verified from the new-BIOS down, then a compromised
kernel wouldn't run, compromised modules wouldn't load, and compromised
commands wouldn't reinstall any infection.
Scripts of course would still run, but I think it would be much easier if you
could boot to single-user mode (where you can be certain there is no malicious
code running), clean up your initscripts then reboot to go back to your normal
system minus any live infection.
It is true then that /bin/ls could be replaced with a Perl script which would
pass any signature check (assuming the Perl binary hadn't been tampered with),
but you could solve this by performing signature checks on crucial binaries
early in the boot process. Doing this now isn't a guarantee because any
program that performs this check could be modified to pass rogue binaries, but
if it had to be signed then it wouldn't be possible to modify or bypass.
Now you can tell me what I'm missing ;-)
Cheers,
Adam.
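The check Adam sketches (a trusted verifier, run early in boot, comparing crucial binaries against signed reference hashes so that a replaced /bin/ls is caught before it can reinstall anything) can be shown in a few dozen lines. The following is an added illustration written for this page, not code from the thread or from any distribution's boot chain. It assumes an Ed25519 key pair where the private half stays offline with whoever builds the system and the public half reaches the verifier by a trusted path (in the thread's model, inside the signed kernel or firmware); the "binaries" are constructed in-memory byte strings so the example runs without touching a real filesystem.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// sampleFiles returns constructed stand-ins for the crucial binaries. A real
// checker would read these paths from disk; here they are byte strings so the
// example runs offline.
func sampleFiles() map[string][]byte {
	return map[string][]byte{
		"/bin/ls":    []byte("\x7fELF original ls binary"),
		"/bin/sh":    []byte("\x7fELF original sh binary"),
		"/sbin/init": []byte("\x7fELF original init binary"),
	}
}

// NewSigningKey generates the distributor's key pair (hypothetical helper; in
// practice the private key is created once, offline, and never ships).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildManifest renders "path sha256hex" lines sorted by path so that the same
// file set always yields identical bytes; the signature covers this exact text.
func BuildManifest(files map[string][]byte) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s %s\n", p, hex.EncodeToString(sum[:]))
	}
	return b.String()
}

// SignManifest is the offline step performed by the holder of the private key.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyFiles is the early-boot check: the manifest signature first, then the
// hash of every listed file. Any failure names the first offending item.
func VerifyFiles(pub ed25519.PublicKey, manifest string, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return errors.New("manifest signature invalid: manifest or key tampered")
	}
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		path, want := fields[0], fields[1]
		data, ok := files[path]
		if !ok {
			return fmt.Errorf("%s listed in manifest but missing", path)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s: hash mismatch, binary modified", path)
		}
	}
	return nil
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	files := sampleFiles()
	manifest := BuildManifest(files)
	sig := SignManifest(priv, manifest)
	fmt.Println("clean system:", VerifyFiles(pub, manifest, sig, files))

	// Simulate the case from the thread: /bin/ls swapped for a script. The
	// interpreter is untouched, but the manifest hash no longer matches.
	files["/bin/ls"] = []byte("#!/usr/bin/perl\n# constructed stand-in for a replaced ls\n")
	fmt.Println("after replacement:", VerifyFiles(pub, manifest, sig, files))
}
```

Two points the code makes concrete. The manifest is signed as a whole, so editing it to bless a replaced file fails at the signature step, and editing the file fails at the hash step; only the holder of the private key can produce a manifest that passes both. And, as Adam notes, this only helps if the verifier itself (and the key it trusts) cannot be swapped out, which is exactly why he wants the check anchored in a signed chain from firmware downward rather than in a user-space binary that root can overwrite.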