[NCLUG] RFC: sys_execve security kernel mod

J. Paul Reed preed at sigkill.com
Thu Jun 20 13:46:53 MDT 2002


Hey all:

A friend and I have written a Linux kernel module that replaces the
sys_execve() system call with a version that does binary summing on
administrator-selected system binaries before it allows the exec() to
occur.

The idea is to stop script kiddies with rootkits... sort of an
in-kernel/realtime Tripwire. We wanted to release it in the hopes that it
is useful to people, but at the same time we wanted to get some peer review
going since this is a security-related module and neither of us is a
hardcore kernel or security hacker (yet, anyway... :-) )

The idea of storing a sum on a binary and comparing it on an exec() (or
even comparing it period) isn't new: an implementation for the 2.0.x
kernels appeared in the February 2001 edition of LinuxJournal. Our module,
which isn't based at all on that work, doesn't change as much about the
kernel as that implementation did, is portable across all platforms the
kernel supports, supports the 2.4-series kernel, has sysadmin-definable
actions, and will make your pot of coffee in the morning. :-)

There are more goodies and details in the README and writeup document
available as part of the tarball at

http://web.sigkill.com/exec-verify/

The module has been moderately tested with 2.4.18, but should probably work
down to the 2.4.14-ish range. The module IS beta (read the README for
details), but we haven't experienced a hard lock with the module since
development when the module wasn't completely finished.

If you have a few seconds and could take a look at it/try it out, and write
back to exec_verify at sigkill.com with your comments and feedback so we can
work on a "real"/production release version, that'd be great!

If you think any other forums would be interested in helping to test, feel
free to post this message there as well.

Thanks in advance for your help!

Later,
Paul
    --------------------------------------------------------------------
    J. Paul Reed              preed at sigkill.com || web.sigkill.com/preed
    Nothing satisfies more than a post-coital omelet of your own design.
                           -- Will Farrell, Saturday Night Live, 5/18/02
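To make the mechanism the post describes concrete, here is an added user-space sketch (my code, not the module from the tarball) of the check a hooked sys_execve() performs: the administrator enrolls sums for selected binaries once, and every exec() of a listed path is compared against the recorded sum, with the action on mismatch (deny or log-only) chosen by the sysadmin. The FNV-1a sum, the manifest layout and all names are assumptions, and the binary image is passed in memory rather than read from disk so the example runs stand-alone.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Sysadmin-definable action on a sum mismatch (names are assumptions). */
enum verify_action { VERIFY_DENY = 0, VERIFY_LOG_ONLY = 1 };

/* One manifest entry: a protected path and the sum recorded at enrollment. */
struct manifest_entry { const char *path; uint64_t sum; };

#define MANIFEST_MAX 8
static struct manifest_entry manifest[MANIFEST_MAX];
static size_t manifest_len;

/* FNV-1a 64-bit stands in for whatever "binary sum" the real module uses. */
uint64_t binary_sum(const unsigned char *image, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= image[i]; h *= 1099511628211ULL; }
    return h;
}

/* Enrollment: record the sum of a known-good image. Returns 0 or -1 if full. */
int manifest_enroll(const char *path, const unsigned char *image, size_t len) {
    if (manifest_len == MANIFEST_MAX) return -1;
    manifest[manifest_len].path = path;
    manifest[manifest_len].sum = binary_sum(image, len);
    manifest_len++;
    return 0;
}

static const struct manifest_entry *manifest_lookup(const char *path) {
    for (size_t i = 0; i < manifest_len; i++)
        if (strcmp(manifest[i].path, path) == 0) return &manifest[i];
    return NULL;
}

/* The check the hooked sys_execve() runs. Returns 0 to allow, -1 to refuse. */
int exec_verify(const char *path, const unsigned char *image, size_t len,
                enum verify_action action) {
    const struct manifest_entry *e = manifest_lookup(path);
    if (e == NULL) return 0;                 /* not administrator-selected: allowed unverified */
    if (binary_sum(image, len) == e->sum) return 0;
    fprintf(stderr, "exec-verify: sum mismatch for %s\n", path);
    return action == VERIFY_LOG_ONLY ? 0 : -1;  /* log-only still allows the exec */
}
```

Unlisted paths pass through untouched, which mirrors the post's "administrator-selected binaries" scope: only enrolled paths are ever refused.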