music

OSdata.com

kernel modules

summary

    This subchapter looks at UNIX and Linux kernel modules.

free book on UNIX/Linux System Administration Teach Yourself UNIX/Linux System Administration and Shell Programming free computer programming text book project table of contents If you like the idea of this project, then please donate some money. more information on donating

kernel modules

    This subchapter looks at UNIX and Linux kernel modules.

    Loadable Kernel Modules (LKM) go by many different names, including kernel loadable module (kld) in FreeBSD and kernel extension (kext) in Mac OS X, as well as Kernel Loadable Modules (KLM) or Kernel Modules (KMOD).

purpose

    Loadable kernel modules allow the flexibility to add additional functionality to an operating system without requiring recompiling and reloading the entire operating system. This same flexibility can be used to choose between various options at start-up time.

Linux

    Loadable Kernel Modules (LKMs) are loaded (and unloaded) by the modprobe command. Linux LKMs are located in /lib/modules and have the file extension .ko (for kernel object). Prior to Linux version 2.6 they were identified by the .o file extension.

    Linux views LKMs as derived works of the kernel and allow symbols to be marked as only available to GNU General Public License (GPL) modules. Loading a proprietary or non-GPL-compatible LKM will set a “taint” flag in the running module.

    LKMs run as part of the kernel, so they can corrupt kernel data structures and produce bugs.

FreeBSD

    Kernel modules for FreeBSD are stored within /boot/kernel/ for modules distributed with the OS, or usually /boot/modules/ for modules installed from FreeBSD ports or FreeBSD packages, or for proprietary or otherwise binary-only modules. FreeBSD kernel modules usually have the extension .ko. Once the machine has booted, they may be loaded with the kldload command, unloaded with kldunload, and listed with kldstat. Modules can also be loaded from the loader before the kernel starts, either automatically (through /boot/loader.conf) or by hand.

Mac OS X

    Some loadable kernel modules in OS X can be loaded automatically. Loadable kernel modules can also be loaded by the kextload command. They can be listed by the kextstat command. Loadable kernel modules are located in application bundles with the extension .kext. Modules supplied with the operating system are stored in the /System/Library/Extensions directory; modules supplied by third parties are in various other directories.

binary compatibility

    Linux does not provide a stable API or ABI for kernel modules. This means that there are differences in internal structure and function between different kernel versions, which can cause compatibility problems. In an attempt to combat those problems, symbol versioning data is placed within the .modinfo section of loadable ELF modules. This versioning information can be compared with that of the running kernel before loading a module; if the versions are incompatible, the module will not be loaded.

    Other operating systems, such as Solaris, FreeBSD, Mac OS X, and Windows keep the kernel API and ABI relatively stable, thus avoiding this problem. For example, FreeBSD kernel modules compiled against kernel version 6.0 will work without recompilation on any other FreeBSD 6.x version, e.g. 6.4. However, they are not compatible with other major versions and must be recompiled for use with FreeBSD 7.x, as API and ABI compatibility is maintained only within a branch.

security

    While loadable kernel modules are a convenient method of modifying the running kernel, this can be abused by attackers on a compromised system to prevent detection of their processes or files, allowing them to maintain control over the system. Many rootkits make use of LKMs in this way. Note that on most operating systems modules do not help privilege elevation in any way, as elevated privilege is required to load a LKM; they merely make it easier for the attacker to hide the break-in.

    Linux allows disabling module loading via /proc/sys/kernel/modules_disabled. A initramfs system may load specific modules needed for a machine at boot and then disable module loading. This makes the security very similar to a monolithic kernel. If an attacker can change the initramfs, they can change the kernel binary.

    On Mac OS X, a loadable kernel module in a kernel extension bundle can be loaded by non-root users if the OSBundleAllowUserLoad property is set to True in the bundle’s property list. However, if any of the files in the bundle, including the executable code file, are not owned by root and group wheel, or are writable by the group or “other”, the attempt to load the kernel loadable module will fail.

---