kernel: disabling /dev/kmem and /dev/mem

There's a slide deck from SCALE 7x (2009), "Undermining the Linux Kernel: Malicious Code Injection via /dev/mem" by Anthony Lineberry, that contains these two bullets:

Who needs this?

  • X Server (Video Memory & Control Registers)
  • DOSEmu

From everything I've found by searching so far, it would appear that these two are the front-runners for legitimate uses.

References

  • Mick Bauer, "Anthony Lineberry on /dev/mem Rootkits", Linux Journal, August 2009
  • "Who needs /dev/kmem?", LWN.net

It's worth noting that even with /dev/mem and /dev/kmem disabled, memory can still be dumped: look at man proc for /proc/kcore, which presents the system's physical memory (and the kernel's virtual address space) as an ELF core file, readable by root. The Rekall forensics toolkit already has a tool that does this; it dumps memory (and the files under /boot) so that they can be analysed offline.

In fact, Ubuntu disables /dev/kmem by default; from Ubuntu's Security/Features wiki page:

There is no modern use of /dev/kmem any more beyond attackers using it to load kernel rootkits. CONFIG_DEVKMEM is set to "n". While the /dev/kmem device node still exists in Ubuntu 8.04 LTS through Ubuntu 9.04, it is not actually attached to anything in the kernel.

Ubuntu doesn't disable /dev/mem because it's needed by applications; from the same page:

Some applications (Xorg) need direct access to the physical memory from user-space. The special file /dev/mem exists to provide this access. In the past, it was possible to view and change kernel memory from this file if an attacker had root access. The CONFIG_STRICT_DEVMEM kernel option was introduced to block non-device memory access (originally named CONFIG_NONPROMISC_DEVMEM).

How to disable /proc/kcore?

Do not enable CONFIG_PROC_KCORE when building the kernel.

How do you disable /dev/mem?

Well, looking over man mem gives us some details about how it's created:

mknod -m 660 /dev/mem c 1 1
chown root:kmem /dev/mem

Deleting the node (rm /dev/mem) only hides it: with devtmpfs the node comes back at the next boot, and anyone who is already root, which is exactly the attacker this is about, can recreate it with the mknod line above. Note also that CONFIG_STRICT_DEVMEM is the option that restricts /dev/mem, not the one that creates it, so leaving it off makes things worse, not better. The real fix is in the kernel build: on newer kernels set CONFIG_DEVMEM=n so the driver is not compiled at all; on kernels without that option, build with CONFIG_STRICT_DEVMEM=y (and CONFIG_IO_STRICT_DEVMEM=y where available) so that /dev/mem only exposes the legacy low region (the first 1 MiB on x86) and device memory, and reads of ordinary RAM pages fail with EPERM.

How to disable /dev/kmem?

Ensure that CONFIG_DEVKMEM is not enabled when building the kernel, as Ubuntu does. Since Linux 5.13 the /dev/kmem driver has been removed upstream altogether, so on current kernels the option no longer exists.
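As an added example (not code from the original page, nor from Rekall or Ubuntu), here is a small POSIX shell audit that covers the checks above: it reads a kernel config and flags the options that matter for /dev/kmem, /dev/mem and /proc/kcore, and it probes a device node the way an attacker would, reading one page from /dev/mem at an offset above 1 MiB. On a kernel built with CONFIG_STRICT_DEVMEM=y that read fails with EPERM, which is the visible effect of the filtering described above; a node that exists but has no driver behind it (the Ubuntu /dev/kmem case) fails with ENXIO. The option names are real kernel symbols (CONFIG_DEVMEM and CONFIG_IO_STRICT_DEVMEM only exist in newer kernels than the ones this page was written against); the function names, the 16 MiB probe offset and the verdict wording are this example's own. It needs GNU dd, and root to probe the real nodes.

```shell
#!/bin/sh
# Added example, not code from the original page or from Rekall/Ubuntu.
# Audits whether a Linux host still exposes raw memory to root.
#
#   audit_kconfig FILE   parse a kernel config (/boot/config-$(uname -r),
#                        or 'zcat /proc/config.gz > f') and report the options
#                        that matter; exit status = number of WEAK findings.
#   probe_mem DEV OFF    read one 4 KiB page of DEV at byte offset OFF and
#                        classify the result; on a CONFIG_STRICT_DEVMEM=y
#                        kernel, root reading /dev/mem above 1 MiB gets EPERM.
#
# Option names are real kernel symbols; CONFIG_DEVMEM and
# CONFIG_IO_STRICT_DEVMEM only exist in newer kernels. Verdict wording and the
# function names are this script's own. Needs GNU dd; root to probe real nodes.

audit_kconfig() {
    cfg="$1"
    weak=0
    # opt:wanted:meaning -- wanted=n means the option should be off
    for spec in \
        "CONFIG_DEVKMEM:n:/dev/kmem driver" \
        "CONFIG_DEVMEM:n:/dev/mem driver (compile it out entirely)" \
        "CONFIG_STRICT_DEVMEM:y:hide RAM pages from /dev/mem" \
        "CONFIG_IO_STRICT_DEVMEM:y:also hide MMIO ranges claimed by drivers" \
        "CONFIG_PROC_KCORE:n:/proc/kcore physical-memory core image"
    do
        opt=${spec%%:*}
        rest=${spec#*:}
        want=${rest%%:*}
        what=${rest#*:}
        if grep -q "^$opt=y\$" "$cfg"; then
            have=y
        elif grep -q "^# $opt is not set\$" "$cfg"; then
            have=n
        else
            have=missing      # option not known to this kernel version
        fi
        if [ "$have" = "$want" ]; then
            printf 'ok    %-24s =%s  %s\n' "$opt" "$have" "$what"
        elif [ "$have" = missing ] && [ "$want" = n ]; then
            # e.g. CONFIG_DEVMEM on an old kernel: /dev/mem is built unconditionally
            printf 'n/a   %-24s not in this config (driver built unconditionally or removed upstream)\n' "$opt"
        else
            printf 'WEAK  %-24s =%s  want %s  %s\n' "$opt" "$have" "$want" "$what"
            weak=$((weak + 1))
        fi
    done
    return "$weak"
}

probe_mem() {
    dev="$1"
    off="$2"
    if [ ! -e "$dev" ]; then
        echo "absent: $dev does not exist (node removed, or driver compiled out)"
        return 0
    fi
    rc=0
    # stderr is captured (2>&1 comes before >/dev/null); the page itself is discarded
    err=$(LC_ALL=C dd if="$dev" bs=4096 skip=$((off / 4096)) count=1 2>&1 >/dev/null) || rc=$?
    case "$rc:$err" in
        0:*)
            echo "readable: $dev returned a page at offset $off" ;;
        *"Operation not permitted"*)
            echo "blocked: EPERM at offset $off (CONFIG_STRICT_DEVMEM is filtering RAM pages)" ;;
        *"Permission denied"*)
            echo "denied: EACCES opening $dev (not root; kernel-side filter untested)" ;;
        *"No such device or address"*)
            echo "detached: $dev exists but nothing is behind it (e.g. CONFIG_DEVKMEM=n)" ;;
        *)
            echo "error: $err" ;;
    esac
}

main() {
    cfg="${1:-/boot/config-$(uname -r)}"
    [ -r "$cfg" ] && { audit_kconfig "$cfg" || :; }
    probe_mem /dev/mem 16777216     # 16 MiB: ordinary RAM, outside the legacy low 1 MiB
    probe_mem /dev/kmem 0
    probe_mem /proc/kcore 0
}

main "$@"
```

Run it as root; the interesting line is the /dev/mem probe: "readable" means root can pull arbitrary RAM through /dev/mem, "blocked" means CONFIG_STRICT_DEVMEM is doing its job, and "absent" means the node is gone (which, as noted above, only counts if the driver is compiled out, since root can mknod it back otherwise). An offset in the low 1 MiB would not be a fair test, because that region stays readable (or reads as zeros) even on a strict kernel.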

How to prevent cold-boot attacks?

What if I disable /proc/kcore, /dev/mem and /dev/kmem and then use an encrypted swap partition, or no swap at all? Well, your RAM could still be frozen, pulled and read in another machine (a cold-boot attack). How do you prevent that? You'd have to encrypt your RAM, and on ordinary hardware you can't. What you can do is keep the secret out of RAM entirely: see TRESOR, which runs AES with the key held in the CPU's debug registers so that it never touches memory.