A free and open-source rootkit for Linux(lwn.net)

94 pointsby jwilk9 hours ago6 comments

jraph5 hours ago
> If one did wish to use Singularity for nefarious purposes, however, the code is MIT licensed and freely available — using it in that way would only be a crime, not an instance of copyright infringement.
Too bad the author picked the MIT license. Had they picked (A)GPL, it would have forced the criminals to distribute a copy of LICENSE.TXT alongside their improved copy of the source code on systems they compromise. Failing this, using it in that way would be both a crime and an instance of copyright infringement.
Although, it occurs to me that if they don't give credits to the original author, it's also already a copyright infringement under the MIT.
- jjmarr4 minutes ago
  If I might interject for a moment, you should've recommended the (A)GPLv3.
  The anti-tivoization clause in Version 3 would allow users to modify and replace the rootkit with their own, more or less malicious version, even if it would otherwise violate copyright law.
- ilvez5 hours ago
  It's probably an old joke, but heard it here first. LOL
  - jraph5 hours ago
    I don't know about you, but for ethical reasons, I only allow libre rootkits to run on my systems.
    fc417fc8022 hours ago
    It's just like a gun free zone. You glue a prominent sign to your laptop that uses bright colors and an imposing font. "No proprietary software permitted!" Problem solved.
    sva_3 hours ago
    Do you compile them yourself then? For possible arch specific optimizations
    da_chicken2 hours ago
    Are you even free if your rootkit isn't part of Gentoo Stage 0?
- reactordev3 hours ago
  They checked with their lawyers first… lol.
  Pretty sure all laws are null and void in their mind.
bmitch30204 hours ago
Previously discussed at https://news.ycombinator.com/item?id=46498658
markus_zhang2 hours ago
Ah this is so interesting. Rootkits are difficult to implement already, and RE them definitely is another level. Now we have a guidance.
sabdarmdhn42 minutes ago
Since i dont know about Linux Rootkit, isnt this gonna raise the potential of Cyberattack?
- Retr0id4 minutes ago
  No, plenty of open-source linux rootkits already exist (although this one does look more modern/maintained than most).
TacticalCoder33 minutes ago
> The Ftrace mechanism can be disabled at run time, of course — so Singularity helpfully enables it automatically and blocks any attempts to turn it off.
Can a kernel be compiled with Ftrace forced off? If it can be disabled at runtime, I take it it's not mandatory for the kernel to work. And I don't just mean off: I mean striping the Ftrace code path (dead code elimination or whatever).
I'm also interested in other measures, like a unified kernel moreover without the ability to load modules but this is not what my question is about. I'd like to know if Ftrace can just be turned off for good at kernel compile time.
XorNot4 hours ago
Man I just discovered this as a good guide on how to exceed the normal limits on Linux kernel modules.
Been working on a derviative which hooks the VFS to allow dynamically remapping file paths on a per process basis so I can force badly behaved apps to load custom TLS certificates (looking at you Bazil builds in nixpkgs).
(If anyone knows something which already does this it would save me a lot of yak shaving)
- st_goliath3 hours ago
  > how to exceed the normal limits on Linux kernel modules.
  Uh, what limits? I'm not aware of anything that would stop your module, once probed, from reaching around the back of the kernel and futzing around in the internals of another driver/device in a completely unrelated subsystem, or subsystem internals. SoC/SoM vendors love to pull that kind of crap in their BSPs.
  > hooks the VFS to allow dynamically remapping file paths on a per process basis
  Instead of messing with kernel VFS internals, you could try:
  - patching the offending application or package (ideally make the path configurable and contribute that back upstream)
  - running the application in a mount namespace and bind-mount something over the path
  - use LD_PRELOAD to wrap fopen/open/openat (I'm pretty sure, ready made solutions for this already exist)
  - fc417fc8022 hours ago
    > use LD_PRELOAD to wrap fopen/open/openat (I'm pretty sure, ready made solutions for this already exist)
    I think I would literally recompile libc to patch fopen/open/openat long before I would even begin to consider writing a kernel module to mess with filesystem paths on a per-process basis.
    I feel like if you find yourself seriously considering writing a kernel module then you are either contributing to kernel development, or have embarked on an adventure specifically to learn about kernel internals, or have take a very wrong turn.
- linuxftw3 hours ago
  > Been working on a derviative which hooks the VFS to allow dynamically remapping file paths on a per process basis so I can force badly behaved apps to load custom TLS certificates (looking at you Bazil builds in nixpkgs).
  chroot or namespaces/containers?
  - fc417fc8022 hours ago
    Well he said nix so it's probably hardcoded to load from the store. Tampering with the store itself might have unintended consequences if anything else references the same certificate package.