Is it possible to check the running kernel signature?

O'Connor, Daniel darius at dons.net.au
Fri Apr 17 04:06:19 UTC 2015


> On 17 Apr 2015, at 12:20, Yuri <yuri at rawbw.com> wrote:
> The idea that comes to mind is the ability to verify that the running kernel wasn't tampered with by comparing it with its disk image copy. Same with the kernel modules. Kernel can be verified through the memory mmapped to /dev/mem device.

> Is this idea feasible, and would it make sense to implement it?

If the kernel has been compromised then you can't trust it. Since any userland program has to use the kernel to do its job, it is impossible to validate the kernel, because the kernel could just fake up anything it wants.

Also, I think when the kernel is loaded it is modified for things like relocations (although I'm not sure), which would make it tricky to verify.

--
Daniel O'Connor
"The nice thing about standards is that there
are so many of them to choose from."
 -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
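The relocation point raised above is easy to see in a small, constructed example. The following is an added illustration, not code from the thread or from FreeBSD: it simulates a loader rewriting absolute-address slots in a text image, then compares the on-disk bytes against the "in-memory" bytes both naively and with the relocation slots masked out. Everything here is constructed (the 32-byte "text" image, the two relocation slots, the load base and the simplified relocation rule); a real tool would take the text segment and its relocation entries from the kernel ELF and the live bytes from /dev/mem, and would still be subject to the first objection, that a compromised kernel can lie about what /dev/mem returns.

```python
# Added example (not from the mailing list thread): relocation-aware comparison
# of a kernel text image on disk against a snapshot of the same bytes in memory.
# All inputs are constructed; a real tool would read the text segment and its
# relocation entries from the kernel ELF and the live bytes from /dev/mem.
from dataclasses import dataclass


@dataclass(frozen=True)
class Reloc:
    offset: int  # byte offset into the text image that the loader patches
    size: int    # number of bytes the relocation rewrites (4 or 8 on amd64)


def relocated_mask(relocs, length):
    """Return a bytearray with 1 at every byte the loader is expected to rewrite."""
    mask = bytearray(length)
    for r in relocs:
        if r.offset < 0 or r.offset + r.size > length:
            raise ValueError(f"relocation {r} falls outside the image")
        for i in range(r.offset, r.offset + r.size):
            mask[i] = 1
    return mask


def compare_images(disk: bytes, memory: bytes, relocs=()):
    """Compare two equal-length images.

    Returns (naive, masked): sorted offsets that differ, and the subset of those
    that lie outside any relocation slot (the only ones that indicate tampering).
    """
    if len(disk) != len(memory):
        raise ValueError("images differ in length")
    mask = relocated_mask(relocs, len(disk))
    naive = [i for i in range(len(disk)) if disk[i] != memory[i]]
    masked = [i for i in naive if not mask[i]]
    return naive, masked


def apply_relocations(disk: bytes, relocs, load_base: int) -> bytes:
    """Simulate the loader (constructed rule): treat each slot's on-disk value as an
    addend and replace it with (addend + load_base), little-endian, truncated to size."""
    img = bytearray(disk)
    for r in relocs:
        slot = slice(r.offset, r.offset + r.size)
        addend = int.from_bytes(img[slot], "little")
        value = (addend + load_base) & ((1 << (8 * r.size)) - 1)
        img[slot] = value.to_bytes(r.size, "little")
    return bytes(img)


# Constructed sample: a 32-byte "text" image with two 8-byte relocation slots.
DISK_TEXT = bytes(range(32))
RELOCS = (Reloc(offset=4, size=8), Reloc(offset=20, size=8))
LOAD_BASE = 0xFFFFFFFF80200000  # constructed; typical of a high kernel mapping


def demo():
    """Run the comparison on a clean and on a tampered in-memory image."""
    clean = apply_relocations(DISK_TEXT, RELOCS, LOAD_BASE)
    tampered = bytearray(clean)
    tampered[17] ^= 0xFF  # one patched byte outside any relocation slot
    naive_clean, masked_clean = compare_images(DISK_TEXT, clean, RELOCS)
    naive_bad, masked_bad = compare_images(DISK_TEXT, bytes(tampered), RELOCS)
    return {
        "naive_clean": naive_clean,    # relocation slots differ even with no tampering
        "masked_clean": masked_clean,  # nothing left once slots are masked
        "naive_bad": naive_bad,
        "masked_bad": masked_bad,      # only the tampered byte survives masking
    }


if __name__ == "__main__":
    for name, offsets in demo().items():
        print(f"{name}: {offsets}")
```

A naive byte-for-byte diff of the clean image reports mismatches inside both relocation slots, so the comparison has to be driven by the ELF's relocation entries (and, on a real kernel, by any other in-place patching the loader or the kernel itself performs) before a mismatch can be read as tampering.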
