Re: Process verification while running

Alan Cox (alan@lxorguk.ukuu.org.uk)
05 Dec 2002 18:03:00 +0000


On Thu, 2002-12-05 at 01:34, Dave Airlie wrote:
> kernel and userspace) to protect against memory issue and tampering. I

Well it wont protect you from tampering, there isnt really a way to do
that

> For the kernel I'm going to add a kernel thread that loops over the text
> segment verifying integrity.

Kernel module code lives outside that. You also have to make sure you
check the exception handlers area as part of your text.

> For userspace I was initially going to use a userspace daemon that reads
> via /proc/pid/mem interface and tests the text segments against what I
> hope is in there.. but this seems to be a problem as I need to ptrace
> attach the process (which starts sending SIGSTOPs around when the process
> gets a signal) to get a /proc/pid/mem.

You need to stop a process to do the check. You also need to audit its
mappings, check any trampolines on the stack, check any data which is
used for things like syscall numbering etc. Since there are function
pointers all over the place in the data segment it wont help you one
iota against tampering by competent bodies.

> My other option is to implement my own kernel module to do the work, and
> have a kernel thread running around.. I'd have to feed it the CRCs and
> stuff at the start and let it go...

That may be easier since you can then lock the mm, walk and verify it,
then unlock the mm.
>
> Could I remove the check that stops other processes reading /proc/pid/mem?
> safely enough considering this system runs embedded with very little scope
> for outside interference...

You need to be very careful or you may make your box less not more
secure. In addition you have to handle shared memory and memory mapped
i/o mmap spaces, which is another reason you have to lock all users of
that mm or stop them.

Alan

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/