Anthony Lineberry
Undermining the Linux Kernel: Malicious Code Injection Via /dev/mem
Flexilis, Inc.
Sr. Software Engineer

Anthony Lineberry is a security researcher from Los Angeles who has been active in the security community for many years, specializing in reverse engineering code, researching vulnerabilities, and advanced exploit development. He has written an open source kernel from scratch and helped with the first iPhone jailbreak, and as a result ran the first-ever local shell on the iPhone.

Professionally his experience includes working as a security researcher for McAfee, NeuralIQ, and currently with Flexilis.


This presentation will cover alternative methods for rootkits in the 2.6 Linux kernel. Instead of using kernel modules to insert malicious code, I have been researching other means of undermining the Linux kernel via direct code injection through /dev/mem (the driver interface to physically addressable memory). Some research has been done previously on injecting through /dev/kmem, where the advantage is being able to address kernel structures with virtual addresses; however, in recent years read/write access to /dev/kmem has been shut off. I will discuss methods of locating important structures in the kernel, manipulating the memory there, and hijacking the system, all via /dev/mem.
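From the defender's side, the exposure the abstract describes hinges on whether the running kernel restricts /dev/mem and whether /dev/kmem is compiled in at all. The following added audit script is not part of the talk or any tool of the speaker's; it parses a kernel .config (from /proc/config.gz or /boot/config-<release> when available, otherwise a constructed sample embedded below) and flags the weak settings. The Kconfig symbols it checks, CONFIG_STRICT_DEVMEM, CONFIG_IO_STRICT_DEVMEM and CONFIG_DEVKMEM, are real kernel options that the abstract itself does not name.

```python
import gzip
import os
import platform

# Constructed sample configs (not taken from any real system) so the
# script runs offline; the hardened one restricts /dev/mem and omits /dev/kmem.
HARDENED_CONFIG = """\
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# CONFIG_DEVKMEM is not set
"""

WEAK_CONFIG = """\
# CONFIG_STRICT_DEVMEM is not set
# CONFIG_IO_STRICT_DEVMEM is not set
CONFIG_DEVKMEM=y
"""

# Symbol -> message reported when the symbol is in its weak state.
CHECKS = {
    # Off: /dev/mem maps all of physical RAM, including kernel text and data.
    "CONFIG_STRICT_DEVMEM": "/dev/mem exposes all physical RAM to root",
    # Off: device (MMIO) ranges already claimed by a driver remain mappable.
    "CONFIG_IO_STRICT_DEVMEM": "/dev/mem allows mapping driver-owned MMIO ranges",
    # On: /dev/kmem exists and exposes kernel virtual address space.
    "CONFIG_DEVKMEM": "/dev/kmem is compiled in",
}


def parse_kconfig(text):
    """Parse kernel .config text into {symbol: value}.

    Handles both "CONFIG_FOO=y" and the "# CONFIG_FOO is not set" form,
    recording the latter as "n" so an explicit "off" is distinguishable
    from a symbol that is simply absent (e.g. an older kernel).
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            parts = line[1:].split()
            if len(parts) == 4 and parts[0].startswith("CONFIG_") \
                    and parts[1:] == ["is", "not", "set"]:
                opts[parts[0]] = "n"
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts


def audit_devmem(opts):
    """Return {symbol: message} for every weak /dev/mem or /dev/kmem setting."""
    findings = {}
    if opts.get("CONFIG_STRICT_DEVMEM") != "y":
        findings["CONFIG_STRICT_DEVMEM"] = CHECKS["CONFIG_STRICT_DEVMEM"]
    if opts.get("CONFIG_IO_STRICT_DEVMEM") != "y":
        findings["CONFIG_IO_STRICT_DEVMEM"] = CHECKS["CONFIG_IO_STRICT_DEVMEM"]
    if opts.get("CONFIG_DEVKMEM") == "y":
        findings["CONFIG_DEVKMEM"] = CHECKS["CONFIG_DEVKMEM"]
    return findings


def load_running_kernel_config():
    """Read the running kernel's config text, or None if it is not exposed."""
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as fh:
            return fh.read()
    path = "/boot/config-" + platform.release()
    if os.path.exists(path):
        with open(path) as fh:
            return fh.read()
    return None


if __name__ == "__main__":
    text = load_running_kernel_config()
    label = "running kernel" if text else "constructed WEAK_CONFIG sample"
    findings = audit_devmem(parse_kconfig(text or WEAK_CONFIG))
    print("Auditing %s:" % label)
    if not findings:
        print("  no weak /dev/mem or /dev/kmem settings found")
    for sym, msg in findings.items():
        print("  %s: %s" % (sym, msg))
```

On a distribution kernel that does not ship its config, the script falls back to the constructed sample, so the output should be read as a demonstration rather than a verdict about the host; the real check is whatever the distribution publishes as its kernel config.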