exec_verify Linux Kernel Module

No fancy HTML here! :-)

exec_verify is a module that adds binary verification functionality to the 2.4-series Linux kernels. It does this not by replacing sys_execve() directly, but by registering an additional binary-format handler through the kernel's binfmt mechanism, so the check sits in the path the kernel already walks to find a loader for each executable.

The basic idea of a module like this is to add a kernel-level line of defense against script kiddies and rootkits: a sort of kernel-mode Tripwire (which, of course, doesn't mean you shouldn't run Tripwire as well). At build time, the administrator picks the executables worth watching (or the ones that are common rootkit targets), and an MD5 sum plus some other information about each of them is compiled into the module itself.

Then, while the module is loaded, every exec() goes through a check to see whether the executable is one the administrator wants kept an eye on. If it is, a couple of cheap checks come first (inode and mtime), and then an MD5 sum is calculated and compared with the last-known-good sum stored in the module. If it doesn't match, the administrator decides what happens: ignore it, log it, block the exec(), or "Halt and Catch Fire." The module also has some special provisions for suid/sgid executables. Keep in mind that the inode and mtime checks are only a fast path: an attacker who can rewrite the file can also put the mtime back (touch -r, utime()), so the MD5 comparison is the check that actually has to hold.

We are releasing the module to the community in the hopes that we will get some much-needed feedback on our design, implementation methodology and code.

Neither of us is a kernel (security) expert, so comments from security geeks are welcome as well. Security is obviously of the utmost importance in a module like this one (specifically, covering every entry point into the kernel so that the binary checksumming the module provides can't be circumvented); otherwise it's useless.

The writeup in the tarball has a lot more info, including a feature list, the module's general goals, a TODO list, a first shot at profiling information, and other goodies. Please read the README and writeup files in the tarball for more information.

Get the tarball here; we'll probably set up anonymous CVS once the module is ready for primetime, assuming a) anyone wants it, and b) it ever gets ready for primetime.

This module was a final project for Cal Poly's "Implementation of Operating Systems" course; it was enough to pass the class, but God (or possibly Linus) only knows if it's good enough to be used for anything else. In other words, don't use it for anything else... for now, at least.

Please send any code or documentation feedback to exec_verify@sigkill.com; please be kind... this is our first kernel module, and you know how school projects go... ;-)

Thanks for your time, help, and suggestions!

Brian Morris, aka brian@sigkill.com
J. Paul Reed, aka preed@sigkill.com