kernel: disabling /dev/kmem and /dev/mem
There's a slide deck from Scale 7x 2009 titled: Undermining the Linux Kernel: Malicious Code Injection via /dev/mem that contained these 2 bullets.
Who needs this?
- X Server (Video Memory & Control Registers)
- DOSEmu
From everything I've found from search thus far it would appear that these 2 bullets are the front-runners for legitimate uses.
References
- Anthony Lineberry on /dev/mem Rootkits - LJ 8/2009 by Mick Bauer
- Who needs /dev/kmem?
It's worth noting that even if you disabled /dev/mem and /dev/kmem that memory can still be dumped; take a look at man proc to reveal /proc/kcore; it is the systems physical memory. A really good forensics toolkit rekall has a tool that does this already; it dumps the memory (and /boot files) so that they can be analyzed.
As a matter of fact, Ubuntu by default disables /dev/kmem:
There is no modern use of
/dev/kmemany more beyond attackers using it to load kernel rootkits.CONFIG_DEVKMEMis set to "n". While the/dev/kmemdevice node still exists in Ubuntu 8.04 LTS through Ubuntu 9.04, it is not actually attached to anything in the kernel.
Ubuntu doesn't disable /dev/mem because its needed by applications.
Some applications (Xorg) need direct access to the physical memory from user-space. The special file
/dev/memexists to provide this access. In the past, it was possible to view and change kernel memory from this file if an attacker had root access. TheCONFIG_STRICT_DEVMEMkernel option was introduced to block non-device memory access (originally namedCONFIG_NONPROMISC_DEVMEM).
How to disable /proc/kcore?
Do not enable CONFIG_PROC_KCORE when building the kernel.
How do you disable /dev/mem?
Well, looking over man mem gives us some details about how its created:
mknod -m 660 /dev/mem c 1 1
chown root:kmem /dev/mem
You should be able to just rm -rf /dev/mem; you can disable during kernel build phase by not enabling CONFIG_STRICT_DEVMEM.
How to disable /dev/kmem?
Ensure that CONFIG_DEVKMEM is not enabled upon kernel build.
How to prevent cold-boot attacks?
What if I was able to disable /proc/kcore, /dev/mem, /dev/kmem and then used an encrypted swap partition or didn't use swap at all? Well, your memory could just be freezed and accessed that way. How do you prevent this attack? You encrypt your RAM; how do you encrypt your RAM? You can't. See TRESOR for details.