Cracking the GNU/Linux Security Cliché


One of the jibes about GNU/Linux from the closed-source crowd is that the only reason there are so few security exploits against it is that its market share is too small for crackers to care. Against that background, the following development must represent some kind of milestone:

The art of burying invisible malware deep inside a Linux machine is about to go mainstream, thanks to a new open-source rootkit released Thursday by Immunity Inc., a firm that supplies tools for penetration testers.

When implemented, Immunity's DR, or Debug Register, makes backdoors and other types of malware extremely difficult to detect or eradicate. It's notable because it cloaks itself by burrowing deep inside a server's processor and availing itself of debugging mechanisms available in Intel's chip architecture. The rootkit, in other words, mimics a kernel debugger.

By exploiting a CPU's native ability to generate interrupts, DR escapes some of the pitfalls that have visited more traditional types of rootkits, which modify an operating system's system call table. That's of increasing importance as more and more Linux distributions make it harder to make changes to the syscall table and rootkit detection programs such as chkrootkit and rkhunter actively check for such modifications.

Paradoxically, I think this is a useful development. In the past, GNU/Linux's seeming invulnerability has fostered a certain complacency. The more rootkits we have, ideally open source, the more developers are going to have to sit up and take notice.

Just as Microsoft's attacks over free software's Total Cost of Ownership (TCO) had the virtue of making open source advocates move beyond simplistic statements that free software was cheaper because, well, it was free, so I believe that work on predatory rootkits will help make the GNU/Linux ecosystem healthier and more resilient in the long term.

"Recommended For You"

Essential security tools for Linux professionals Oracle + Sun: Good News or Bad News for Open Source?