Re: [patch] Add basic sanity checks to the syscall execution patch

[Andi Kleen]

First such checkers already exist -- they are called root kit checkers.
There are various around. 
Usually operate from user space. You could run them in a cron job.

> well at least in the case of Linux we have a fairly good tally of what 
> kernel code is supposed to be executable at some given moment after 
> bootup, and can lock that list down permanently until the next reboot, 
> and give the list to the checker to verify every now and then? Such a 

Doing it in a hypervisor implicitely like Alan proposed would seem much 
stronger and also somewhat cleaner than doing it delayed.

> verification pass certainly wouldnt be cheap though: all kernel 
> pagetables have to be scanned and verified, plus all known code (a few 
> megabytes typically), and the key CPU data structures.

The issue is that a lot of non key data structures all over the memory
have function pointers (or pointers to function pointers) too.
So if you protect syscall table they are just going to patch some dentry
instead. Still if it's reasonable clean it might be still useful to
raise the bar a bit, but I'm not sure a checker qualifies for that.

-Andi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/