Hi guys , we are working on developing a defense for system call table modification attack root kit by writing a new Linux security module . Any ideas of what can be our security policy? How can we protect system call table from changing ?

Uh? Aren't you the one starting this project? I mean, shouldn't you then be the one to define your projects parameters in the first place?..


- What were the methods to subvert the SCT in kernel 2.4?
- What were the methods to curb the same in kernel 2.6?
- What were the methods to subvert the same in kernel 2.6 found after?
- What has changed to that respect in kernel 3.n?

ya I checked , in 2.4 kernel the SCT was exported and later to 2.6 Linux , its no more exported.
So to attack it they are directly modifying the system call function pointer to the malicious user written function.
To achieve this they need to make the page containing system call table writable. So i was thinking if i could intercept the system call which makes the page writable, we can stop this.
sample code used to make page writable.
int set_addr_rw(long unsigned int _addr)
{
unsigned int level;
pte_t *pte = lookup_address(_addr, &level);

if (pte->pte &~ _PAGE_RW) pte->pte |= _PAGE_RW;
}

Questions :

1. By intercepting any system call , can we achieve the above ?
2. If the page containing the system call table has some other dynamic content of kernel ,by making it not writable it can affect some other functionality ?

Regards,
Prabhuraj