Re: How about importing yara into kernel space ?

2016-03-19 Thread Wesley Shields
If you are infected with a rootkit, moving YARA into the kernel is not an answer, 
since the rootkit has full access to muck around with YARA even if it is in the 
kernel.

My recommendation is: don't run YARA on a system which is potentially 
compromised with a rootkit like you describe. If the kernel of the system is 
compromised, you can no longer trust it.

Sure, it's possible to put YARA in the kernel but it isn't going to get you 
anything if your concern is rootkits.

-- WXS

> On Mar 18, 2016, at 1:19 AM, 慎增刘  wrote:
> 
> Yara is so powerful in malware matching. Sometimes people want to check files, 
> which are attached to file-system hooks. So how about importing yara (or 
> just libyara) into the Linux kernel? Is it possible? Is there any advice? 
> Thanks for each response.
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to yara-project+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.


Re: How about importing yara into kernel space ?

2016-03-18 Thread Wesley Shields
Not entirely true. The YARA VM does not run native instructions directly, so if 
you did manage to jump somewhere other than YARA instructions, the VM would 
likely crash badly. Whether this can lead to arbitrary code execution, I have no 
idea.

Jumps are not bad. BPF, which runs in the kernel, allows forward jumps. 
Backward jumps are not allowed because they could cause an infinite loop. As long 
as you ensure that your jumps are within the bounds of the YARA bytecode, then 
they are perfectly fine.

-- WXS

> On Mar 18, 2016, at 11:33 AM, Shiv M  wrote:
> 
> Yara rules with jump constructs would make it easy to get code execution in 
> the kernel.
> 
> On Fri, Mar 18, 2016 at 6:03 AM Wesley Shields  wrote:
> If you are infected with a rootkit, moving YARA into the kernel is not an 
> answer, since the rootkit has full access to muck around with YARA even if it 
> is in the kernel.
> 
> My recommendation is: don't run YARA on a system which is potentially 
> compromised with a rootkit like you describe. If the kernel of the system is 
> compromised, you can no longer trust it.
> 
> Sure, it's possible to put YARA in the kernel but it isn't going to get you 
> anything if your concern is rootkits.
> 
> -- WXS
> 
> > On Mar 18, 2016, at 1:19 AM, 慎增刘  wrote:
> >
> > Yara is so powerful in malware matching. Sometimes people want to check 
> > files, which are attached to file-system hooks. So how about importing yara 
> > (or just libyara) into the Linux kernel? Is it possible? Is there any 
> > advice? Thanks for each response.
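Wesley's point that jumps are fine as long as they stay inside the bytecode and only go forward is, in practice, a static check run before a single instruction executes. Below is an added example (not from this thread, and not YARA's or BPF's real code) of such a verifier over a toy instruction set constructed for the illustration:

```c
/* Added example: a static, forward-only jump verifier for a toy bytecode.
 * The instruction set here is constructed for illustration and is NOT
 * YARA's or BPF's real bytecode; it only shows the check discussed above. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum op { OP_LOAD, OP_CMP, OP_JMP, OP_JEQ, OP_RET };   /* OP_RET is the last valid opcode */

struct insn {
    uint8_t op;
    int16_t off;   /* for jumps: offset relative to the following instruction */
};

enum verdict { VERIFY_OK, VERIFY_NO_RET, VERIFY_BAD_OPCODE,
               VERIFY_BACKWARD_JUMP, VERIFY_OUT_OF_BOUNDS };

/* Reject a program before any instruction runs. Because every accepted jump
 * is forward and lands inside the program, execution visits each instruction
 * at most once: no infinite loop, and no jump outside the bytecode. */
enum verdict verify_program(const struct insn *prog, size_t n)
{
    if (n == 0 || prog[n - 1].op != OP_RET)
        return VERIFY_NO_RET;                  /* control must not fall off the end */
    for (size_t pc = 0; pc < n; pc++) {
        if (prog[pc].op > OP_RET)
            return VERIFY_BAD_OPCODE;
        if (prog[pc].op != OP_JMP && prog[pc].op != OP_JEQ)
            continue;
        if (prog[pc].off < 0)
            return VERIFY_BACKWARD_JUMP;       /* the BPF-style rule: forward only */
        if (pc + 1 + (size_t)prog[pc].off >= n)
            return VERIFY_OUT_OF_BOUNDS;       /* target must lie inside [0, n) */
    }
    return VERIFY_OK;
}

/* Constructed sample programs: one valid, one looping, one escaping the bytecode. */
const struct insn good_prog[] = {
    { OP_LOAD, 0 }, { OP_CMP, 0 }, { OP_JEQ, 1 }, { OP_LOAD, 0 }, { OP_RET, 0 } };
const struct insn loop_prog[] = {
    { OP_LOAD, 0 }, { OP_JMP, -2 }, { OP_RET, 0 } };            /* jumps back to 0 */
const struct insn escape_prog[] = {
    { OP_LOAD, 0 }, { OP_JMP, 5 }, { OP_RET, 0 } };             /* target 7, past the end */
const size_t good_len = 5, loop_len = 3, escape_len = 3;

int main(void)
{
    printf("good: %d loop: %d escape: %d\n",
           verify_program(good_prog, good_len),
           verify_program(loop_prog, loop_len),
           verify_program(escape_prog, escape_len));
    return 0;
}
```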


Re: How about importing yara into kernel space ?

2016-03-18 Thread Shiv M
Yara rules with jump constructs would make it easy to get code execution in
the kernel.

On Fri, Mar 18, 2016 at 6:03 AM Wesley Shields  wrote:

> If you are infected with a rootkit, moving YARA into the kernel is not an
> answer, since the rootkit has full access to muck around with YARA even if
> it is in the kernel.
>
> My recommendation is: don't run YARA on a system which is potentially
> compromised with a rootkit like you describe. If the kernel of the system
> is compromised, you can no longer trust it.
>
> Sure, it's possible to put YARA in the kernel but it isn't going to get
> you anything if your concern is rootkits.
>
> -- WXS
>
> > On Mar 18, 2016, at 1:19 AM, 慎增刘  wrote:
> >
> > Yara is so powerful in malware matching. Sometimes people want to check
> > files, which are attached to file-system hooks. So how about importing yara
> > (or just libyara) into the Linux kernel? Is it possible? Is there any
> > advice? Thanks for each response.