Module name can be easily tampered
milabs opened this issue · 11 comments
Can you provide more clarification on this?
After a malicious module is loaded it could change its name, which is actually stored in the struct module structure.
What are your suggestions? This was done in a previous issue as a user was reporting false positives.
Having this whitelist based on just names is not a good idea at all, as any module can mimic a whitelisted one. No suggestions, just some thoughts about this.
Thanks! I'll look into alternative solutions for the time being.
Let's discuss. How can we detect modules which legally used netfilter hooks at the moment of "insmod tyton"? I mean automatically. If we try to read this list from the kernel, we can't detect which are illegal only by their names. I want to take part in solving this.
Perhaps read a list of modules for netfilter and iptables? Is it enough?
@dronito As mentioned above, names themselves won't do as a module may or may not be present and a malicious module could imitate a valid name
Sorry, I was inattentive.
Nick, hi! Please, could we discuss some topics about the network subsystem in the Linux kernel? If you have time, please tell me where I can write to you.
Hi! Instead, the whitelist could be a list of legitimate hook function addresses (symbols "arptable_filter_hook", "iptable_filter_hook", "ip6table_filter_hook", etc.). Then any hook that is pointing somewhere else would be considered malicious.
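One way to implement the address-based whitelist proposed in this comment, as an added example that is not part of the thread or of the tyton code base: it resolves the named hook symbols through constructed /proc/kallsyms-style data, additionally requires the symbol's owning module to match (an assumption of this example, since a bare symbol name can be mimicked just like a module name), and classifies a constructed list of hook function addresses.

```python
# Constructed /proc/kallsyms-style sample; the addresses and the [rk_mod]
# entry, whose symbol mimics a legitimate hook name, are made up here.
KALLSYMS_SAMPLE = """\
ffffffffc0a01000 t iptable_filter_hook\t[iptable_filter]
ffffffffc0a02000 t ip6table_filter_hook\t[ip6table_filter]
ffffffffc0a03000 t arptable_filter_hook\t[arptable_filter]
ffffffffc0b01000 t iptable_filter_hook\t[rk_mod]
"""

# Legitimate hook symbols named in the thread, each paired with the module
# expected to own it (the owner pairing is this example's assumption).
LEGIT_HOOKS = {
    "arptable_filter_hook": "arptable_filter",
    "iptable_filter_hook": "iptable_filter",
    "ip6table_filter_hook": "ip6table_filter",
}

def parse_kallsyms(text):
    """Map address -> (symbol, owning module or None) from kallsyms lines."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        module = parts[3].strip("[]") if len(parts) > 3 else None
        syms[int(parts[0], 16)] = (parts[2], module)
    return syms

def build_whitelist(syms):
    """Addresses of legitimate hooks: symbol name and owner must both match."""
    return {addr for addr, (name, mod) in syms.items()
            if LEGIT_HOOKS.get(name) == mod}

def classify_hooks(hook_addrs, syms):
    """Return {address: verdict} for hook function addresses read from nf_hooks."""
    whitelist = build_whitelist(syms)
    verdicts = {}
    for addr in hook_addrs:
        if addr in whitelist:
            verdicts[addr] = "ok"
        elif addr not in syms:
            verdicts[addr] = "suspicious: no symbol at address"
        else:
            name, mod = syms[addr]
            verdicts[addr] = f"suspicious: {name} in [{mod}] not whitelisted"
    return verdicts

# Constructed hook addresses: a real filter hook, the mimic, and an unresolvable one.
OBSERVED_HOOKS = [0xffffffffc0a01000, 0xffffffffc0b01000, 0xffffffffc0deadb0]
RESULTS = classify_hooks(OBSERVED_HOOKS, parse_kallsyms(KALLSYMS_SAMPLE))
```

On a real system the hook addresses would be read from the kernel's nf_hooks entries and the symbol table from /proc/kallsyms (with kptr_restrict permitting it); the classification logic stays the same.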