Module name can be easily tampered #23
Comments
Can you provide more clarification on this?
After a malicious module is loaded, it could change its name, which is actually stored in
What are your suggestions? This was done in a previous issue as a user was reporting false positives.
Having this whitelist based on just names is not a good idea at all, as any module can mimic a whitelisted one. No suggestions, just some thoughts about this.
Thanks! I'll look into alternative solutions for the time being.
Let's discuss. How can we detect modules which legally use netfilter hooks at the moment of "insmod tyton"? I mean automatically. If we try to read this list from the kernel, we can't detect which are illegal only by their names. I want to take part in solving this.
Perhaps read a list of modules for netfilter and iptables? Is it enough?
@dronito As mentioned above, names themselves won't do, as a module may or may not be present and a malicious module could imitate a valid name.
Sorry, I was inattentive.
Nick, hi! Please, could we discuss some topic about the network subsystem in the Linux kernel with you? If you have time, please tell me where I can write to you.
Hi! Instead, the whitelist could be a list of legitimate hook function addresses (symbols "arptable_filter_hook", "iptable_filter_hook", "ip6table_filter_hook", etc.). Then any hook that is pointing somewhere else would be considered malicious. |
tyton/src/netfilter_hooks.c, line 12 in ef291a9
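The address-based whitelist proposed in the comment above, modelled in userspace C as an added example (this is not tyton's code). It assumes a kallsyms-style symbol table and a table of registered hooks, both constructed here; inside the kernel the same lookup would go through kallsyms_lookup_name and the live hook list. The module name "unknown_module" and the symbol "some_hook_fn" are placeholders. The example shows the name-based check accepting every entry, including one whose owner renamed itself to "iptable_filter", while the address-based check flags it because its function pointer resolves to no whitelisted symbol.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define MAX_WL 16

/* Constructed sample of /proc/kallsyms-style output (not from a real system):
 * "<address> <type> <symbol> [module]". The last line stands for a module that
 * installed its own hook function; its name is a made-up placeholder. */
static const char *SAMPLE_KALLSYMS =
    "ffffffffc0a01000 t arptable_filter_hook\t[arp_tables]\n"
    "ffffffffc0a02000 t iptable_filter_hook\t[iptable_filter]\n"
    "ffffffffc0a03000 t ip6table_filter_hook\t[ip6table_filter]\n"
    "ffffffffc0b04000 t some_hook_fn\t[unknown_module]\n";

/* One registered hook as the checker sees it. owner_name is what the owning
 * module reports about itself (attacker-controlled, as the issue points out);
 * hook_addr is the function pointer actually installed in the hook list. */
struct hook_entry {
    const char *owner_name;
    uint64_t    hook_addr;
};

/* Constructed hook table: two legitimate iptables hooks plus one whose owner
 * renamed itself to "iptable_filter" but whose function lives elsewhere. */
static const struct hook_entry SAMPLE_HOOKS[] = {
    { "iptable_filter",  0xffffffffc0a02000ULL },
    { "ip6table_filter", 0xffffffffc0a03000ULL },
    { "iptable_filter",  0xffffffffc0b04000ULL },
};
#define NUM_HOOKS (sizeof SAMPLE_HOOKS / sizeof SAMPLE_HOOKS[0])

/* Symbols named in the thread as legitimate hook functions. */
static const char *const WHITELIST_SYMS[] = {
    "arptable_filter_hook", "iptable_filter_hook", "ip6table_filter_hook", NULL
};

/* Resolve a symbol name in the kallsyms text; returns 0 when absent. */
uint64_t resolve_symbol(const char *kallsyms, const char *name)
{
    const char *p = kallsyms;
    while (*p) {
        char line[256], sym[64], type;
        unsigned long long addr;
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (sscanf(line, "%llx %c %63s", &addr, &type, sym) == 3 &&
            strcmp(sym, name) == 0)
            return (uint64_t)addr;
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Build the address whitelist from the symbol names; a symbol this kernel
 * does not have is left out rather than trusted. */
size_t build_whitelist(const char *kallsyms, uint64_t *out, size_t cap)
{
    size_t n = 0;
    for (int i = 0; WHITELIST_SYMS[i] && n < cap; i++) {
        uint64_t a = resolve_symbol(kallsyms, WHITELIST_SYMS[i]);
        if (a)
            out[n++] = a;
    }
    return n;
}

/* The name-based check the thread argues against: trusts the owner's name. */
static int hook_ok_by_name(const struct hook_entry *h)
{
    static const char *const ok_mods[] = { "arp_tables", "iptable_filter", "ip6table_filter" };
    for (size_t i = 0; i < sizeof ok_mods / sizeof ok_mods[0]; i++)
        if (strcmp(h->owner_name, ok_mods[i]) == 0)
            return 1;
    return 0;
}

/* The address-based check: the installed pointer must equal a resolved symbol. */
static int hook_ok_by_addr(const struct hook_entry *h, const uint64_t *wl, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (h->hook_addr == wl[i])
            return 1;
    return 0;
}

/* Number of sample hooks each policy flags as suspicious. */
int flagged_by_name(void)
{
    int flagged = 0;
    for (size_t i = 0; i < NUM_HOOKS; i++)
        flagged += !hook_ok_by_name(&SAMPLE_HOOKS[i]);
    return flagged;
}

int flagged_by_addr(void)
{
    uint64_t wl[MAX_WL];
    size_t n = build_whitelist(SAMPLE_KALLSYMS, wl, MAX_WL);
    int flagged = 0;
    for (size_t i = 0; i < NUM_HOOKS; i++)
        flagged += !hook_ok_by_addr(&SAMPLE_HOOKS[i], wl, n);
    return flagged;
}

int main(void)
{
    printf("name-based check flags %d hook(s), address-based check flags %d hook(s)\n",
           flagged_by_name(), flagged_by_addr());
    return 0;
}
```

Two points worth keeping in mind when carrying this into the kernel module: the addresses must be resolved at scan time rather than hardcoded, since KASLR and module load order change them from boot to boot, and a legitimate hook symbol that is absent from the running kernel (the module is simply not loaded) should drop out of the whitelist, which is what build_whitelist does, so that a later hook at the same name cannot be waved through.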