How can you write to the kernel memory?
During boot the kernel is loaded into memory and also in-memory filesystems like /proc or /sys are created.
How can you change values in those filesystems? Or how could you change the dmesg output, for instance by removing or adding lines?
There are some protections in place to prevent writing to kernel memory due to security reasons. Can those be disabled? Ideally nothing should need to run on the system running the kernel itself. Can DMA be used to write kernel memory? Are there other options?
  • The Linux kernel is open source. I suggest if you want to do those things, you change the source and recompile. Much easier. But maybe you're asking this because you're seeing something weird, or have weird constraints. Could you give a little background?

    – derobert
    6 hours ago











  • It should be used to protect against reconnaissance even when the system has been totally subverted. There is some stuff in memory which I'd like to prevent from being read, or overwrite with custom values. Examples are MAC addresses, dmesg, kernel command line and more. Ideally it should work without recompiling the kernel. I think for VMs the hypervisor could do that to some extent but most relevant stuff happens on bare metal. I came across pcileech: github.com/ufrisk/pcileech and similar DMA attacks which looked promising for this approach. But maybe there are some more options.

    – user477
    5 hours ago













  • That's non-trivial, maybe impossible. If totally subverted includes hardware, what stops someone from installing custom DIMMs that just happen to have radios that transmit their contents? (Well, fully encrypted memory, of course, which is offered on some newer CPUs). And what protects against a custom CPU being installed? Etc.

    – derobert
    5 hours ago











  • Sorry, with fully subverted I mean software level including the kernel. I assume physical security.

    – user477
    5 hours ago











  • In that case, the kernel (for example) needs to be able to write to the dmesg ring buffer, or it can't log messages. A subverted kernel would thus be able to as well. Or, probably more importantly, it could simply not write to it, hiding messages that would otherwise reveal the subversion. (You could of course protect lines from before it was subverted simply by copying them to another machine; most syslog implementations can log to a remote machine, for example).

    – derobert
    4 hours ago
kernel linux-kernel memory
asked 6 hours ago
user477
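A read-only audit of the kernel-side protections the question and the comments touch on (an active IOMMU against PCIe DMA attacks such as pcileech, kernel lockdown, dmesg_restrict and kptr_restrict), added here as an example; it is not code from the question, the comments or the pcileech project. It assumes the standard Linux paths named in its comments and builds a constructed sample tree so it can be run offline.

```shell
#!/bin/sh
# Added example (not code from the question, its comments or pcileech): a
# read-only audit of the kernel settings the thread touches on. It takes a
# root directory so the same logic runs on a constructed sample tree offline.
# Assumed standard Linux paths: /proc/cmdline, /sys/kernel/iommu_groups,
# /sys/kernel/security/lockdown and /proc/sys/kernel/{dmesg,kptr}_restrict.

read_or_default() {  # $1 = file, $2 = value to use when the file is absent
    if [ -r "$1" ]; then cat "$1"; else printf '%s' "$2"; fi
}

# Prints one "name=value" line per check.
audit_kernel_protections() {
    root="${1:-}"
    # A PCIe device's DMA only reaches memory the IOMMU has mapped for it, so
    # an active IOMMU (non-empty iommu_groups) is the main DMA mitigation.
    groups=0
    for g in "$root"/sys/kernel/iommu_groups/*; do
        [ -e "$g" ] && groups=$((groups + 1))
    done
    printf 'iommu_groups=%s\n' "$groups"
    cmdline=$(read_or_default "$root/proc/cmdline" "")
    case " $cmdline " in
        *" intel_iommu=on "*|*" amd_iommu=on "*|*" iommu=force "*)
            printf 'iommu_cmdline=on\n' ;;
        *)  printf 'iommu_cmdline=off\n' ;;
    esac
    # Lockdown in integrity or confidentiality mode refuses /dev/mem writes,
    # unsigned modules and kexec of unsigned images even for a root process.
    lockdown=$(read_or_default "$root/sys/kernel/security/lockdown" absent)
    case "$lockdown" in
        *"[integrity]"*)       printf 'lockdown=integrity\n' ;;
        *"[confidentiality]"*) printf 'lockdown=confidentiality\n' ;;
        absent)                printf 'lockdown=absent\n' ;;
        *)                     printf 'lockdown=none\n' ;;
    esac
    # dmesg_restrict=1 keeps unprivileged users out of the log ring buffer;
    # kptr_restrict>=1 hides kernel pointers printed into /proc and dmesg.
    printf 'dmesg_restrict=%s\n' "$(read_or_default "$root/proc/sys/kernel/dmesg_restrict" absent)"
    printf 'kptr_restrict=%s\n'  "$(read_or_default "$root/proc/sys/kernel/kptr_restrict" absent)"
}

# Constructed sample tree (not a real host) so the audit can run offline.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/sys/kernel" "$d/sys/kernel/security" \
             "$d/sys/kernel/iommu_groups/0" "$d/sys/kernel/iommu_groups/1"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 intel_iommu=on\n' > "$d/proc/cmdline"
    printf 'none [integrity] confidentiality\n' > "$d/sys/kernel/security/lockdown"
    printf '1\n' > "$d/proc/sys/kernel/dmesg_restrict"
    printf '0\n' > "$d/proc/sys/kernel/kptr_restrict"
    printf '%s' "$d"
}

# Run against the constructed tree; pass "" (or nothing) to audit the live host.
audit_kernel_protections "$(make_sample_root)"
```

On a live host a result of `iommu_groups=0` with `iommu_cmdline=off` means an external DMA-capable device can reach arbitrary physical memory, which is the precondition the pcileech-style attack mentioned in the comments relies on.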