kernel: disabling /dev/kmem and /dev/mem
There's a slide deck from Scale 7x 2009 titled: Undermining the Linux Kernel: Malicious Code Injection via /dev/mem that contained these 2 bullets.
Who needs this?
- X Server (Video Memory & Control Registers)
- DOSEmu
From everything I've found from search thus far it would appear that these 2 bullets are the front-runners for legitimate uses.
References
- Anthony Lineberry on /dev/mem Rootkits - LJ 8/2009 by Mick Bauer
- Who needs /dev/kmem?
It's worth noting that even if you disabled /dev/mem and /dev/kmem, that memory can still be dumped; take a look at man proc to reveal /proc/kcore; it is the system's physical memory. A really good forensics toolkit, rekall, has a tool that does this already; it dumps the memory (and /boot files) so that they can be analyzed.
As a matter of fact, Ubuntu by default disables /dev/kmem:
There is no modern use of /dev/kmem any more beyond attackers using it to load kernel rootkits. CONFIG_DEVKMEM is set to "n". While the /dev/kmem device node still exists in Ubuntu 8.04 LTS through Ubuntu 9.04, it is not actually attached to anything in the kernel.
Ubuntu doesn't disable /dev/mem because it's needed by applications.
Some applications (Xorg) need direct access to the physical memory from user-space. The special file /dev/mem exists to provide this access. In the past, it was possible to view and change kernel memory from this file if an attacker had root access. The CONFIG_STRICT_DEVMEM kernel option was introduced to block non-device memory access (originally named CONFIG_NONPROMISC_DEVMEM).
How to disable /proc/kcore?
Do not enable CONFIG_PROC_KCORE when building the kernel.
How do you disable /dev/mem?
Well, looking over man mem gives us some details about how it's created:
mknod -m 660 /dev/mem c 1 1
chown root:kmem /dev/mem
You should be able to just rm -rf /dev/mem; you can disable during kernel build phase by not enabling CONFIG_STRICT_DEVMEM.
How to disable /dev/kmem?
Ensure that CONFIG_DEVKMEM is not enabled upon kernel build.
How to prevent cold-boot attacks?
What if I was able to disable /proc/kcore, /dev/mem, /dev/kmem and then used an encrypted swap partition or didn't use swap at all? Well, your memory could just be frozen and accessed that way. How do you prevent this attack? You encrypt your RAM; how do you encrypt your RAM? You can't. See TRESOR for details.