Friday, April 17, 2009

Do you need to worry about the new /dev/mem rootkit problem?

A new paper was presented in late March about using /dev/mem to inject and hide a rootkit (PDF), and the method has been getting some press, leading to some concern. The first thing you should understand is that this class of attack has been used before, and we know how to protect against it.

If you read the paper, you'll find out two things:
  1. The attack needs write access to /dev/mem (for it to matter, a regular user would need that access), and
  2. There's a kernel config option which protects against this mechanism.
For Ubuntu Jaunty, the permissions on /dev/mem are read-write for root and read-only for the kmem group. We can't write to /dev/mem without having root access, and there are many other ways to get a rootkit in undetected if we already have that level of access.

The kernel config also shows "CONFIG_STRICT_DEVMEM=y". With that option set, /dev/mem only exposes the first megabyte of physical memory and non-RAM regions such as PCI device memory, so the kernel's own code and data can't be read or overwritten through it. This kind of attack wouldn't work even if we could write to /dev/mem.
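To check the same two things on your own machine, here is an added shell script (not part of the original post) that tests the permission string of /dev/mem and looks for CONFIG_STRICT_DEVMEM in the kernel config. The config path /boot/config-$(uname -r) is the usual Ubuntu location and is an assumption; the functions take their input explicitly so they can also be run against constructed data.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the two conditions the
# post relies on: root-only write access to /dev/mem and CONFIG_STRICT_DEVMEM.

# Return 0 when the kernel config file named in $1 has CONFIG_STRICT_DEVMEM
# enabled. A disabled option appears as "# CONFIG_STRICT_DEVMEM is not set".
strict_devmem_enabled() {
    grep -q '^CONFIG_STRICT_DEVMEM=y$' "$1"
}

# Given a symbolic mode string in the ls -l / stat %A form, e.g. "crw-r-----",
# return 0 when neither group nor others have the write bit, so only the
# owner (root for /dev/mem) can write.
root_only_write() {
    mode="$1"
    # character 6 is the group write bit, character 9 the others write bit
    g=$(printf '%s' "$mode" | cut -c6)
    o=$(printf '%s' "$mode" | cut -c9)
    [ "$g" != "w" ] && [ "$o" != "w" ]
}

# Live check of the running system (assumed config path, Ubuntu layout).
check_system() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ] && strict_devmem_enabled "$cfg"; then
        echo "CONFIG_STRICT_DEVMEM=y: /dev/mem limited to low memory and device regions"
    else
        echo "CONFIG_STRICT_DEVMEM not set, or config not readable at $cfg"
    fi
    mode=$(stat -c '%A' /dev/mem 2>/dev/null) || { echo "no /dev/mem on this system"; return 0; }
    if root_only_write "$mode"; then
        echo "/dev/mem $mode: writable by root only"
    else
        echo "/dev/mem $mode: writable by a non-root principal, investigate"
    fi
}

# Run the live check only when the script is executed directly.
[ "${0##*/}" = "check_devmem.sh" ] && check_system
```

Save it as check_devmem.sh and run it; the two helper functions can also be sourced and pointed at a saved config file or a permission string copied from another machine.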

In short, there's nothing for you to worry about.
