On 2023/08/18 02:06:11 +0000, whistlez <whistlez...@riseup.net> wrote:
> On 2023-08-18 02:20 Scott Cheloha wrote:
> >> On Aug 17, 2023, at 10:28, whistlez <whistlez...@riseup.net> wrote:
> >>
> >> https://github.com/volatilityfoundation/volatility3
> >
> > What is the utility of this software? How
> > would supporting it benefit the project?
> >
> > I read the summary on Github. I am still
> > more or less completely in the dark on
> > why I or anyone would want to use it.
>
> It seems rather important to me because it's not possible to be certain
> about the invulnerability of the underlying operating system or the
> kernel. Alternatively, an attacker might have a zero-day exploit on
> Firefox or Chrome and inject code into the process, allowing data
> exfiltration. Even though the attacker would be confined within the jail
> created by the kernel, it doesn't seem acceptable to have unauthorized
> code running on one's machine, especially in a critical process like a
> browser. The same principle could be applied to another process more
> focused on firewall solutions, such as Snort.
>
> Furthermore, in my opinion - brace yourself, I might trigger an atomic
> war with what I'm about to say - we should consider it certain that the
> kernel could contain unknown vulnerabilities. Unauthorized code running
> in the kernel is impossible to detect, clearly. I'm talking about code
> that might not even reside on the disk but is injected remotely. Thus,
> the only way is through inspecting the RAM dump, that is, a software
> that can analyze the dump and determine its integrity.
Assuming that the kernel was compromised, how can you trust a tool to detect that? The compromised kernel could return normal-looking data through /dev/{k,}mem (ignoring for a moment the perils of allowing random software to access these devices.) You'd be asking a liar if they're telling the truth :)
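The two messages above make a pair of points: whistlez's, that a memory dump can be checked for integrity to find injected code, and the reply's, that a dump obtained through a compromised kernel is worthless because the kernel can hand back clean-looking pages. The following is an added illustration of both, not code from this thread, from OpenBSD, or from volatility3. It hashes a "known good" image page by page and compares a dump against it; all bytes, the 64-byte page size, the planted modification and the two acquisition models are constructed for the example. The "compromised kernel" acquisition is a stand-in for a kernel that filters reads of its own memory; it is not a description of any real rootkit technique.

```python
"""Page-level integrity check of a memory dump against a known-good baseline,
and a demonstration of why the acquisition path matters.

Added example for the thread above; not code from volatility3 or OpenBSD.
Every value below (page size, reference image, planted patch) is constructed.
"""
import hashlib

PAGE_SIZE = 64  # constructed: tiny pages so the sample stays readable


def split_pages(image: bytes, page_size: int = PAGE_SIZE) -> list[bytes]:
    """Split a flat image into fixed-size pages (the last page may be short)."""
    return [image[i:i + page_size] for i in range(0, len(image), page_size)]


def page_hashes(image: bytes) -> list[str]:
    """SHA-256 of each page; taken once from a trusted build, this is the baseline."""
    return [hashlib.sha256(p).hexdigest() for p in split_pages(image)]


def check_integrity(dump: bytes, reference_hashes: list[str]) -> list[int]:
    """Return the indices of dump pages whose hash differs from the baseline.

    Pages present on one side only (size mismatch) cannot be verified and are
    flagged as well, so a truncated or padded dump does not pass silently.
    """
    dump_hashes = page_hashes(dump)
    modified = [i for i, (d, r) in enumerate(zip(dump_hashes, reference_hashes)) if d != r]
    common = min(len(dump_hashes), len(reference_hashes))
    longest = max(len(dump_hashes), len(reference_hashes))
    modified.extend(range(common, longest))
    return modified


# Constructed stand-in for a region of kernel text: 256 bytes = 4 pages.
REFERENCE_IMAGE = bytes(range(256))

# Constructed "injection": 8 bytes inside page 2 overwritten in physical RAM.
INJECT_OFFSET = 2 * PAGE_SIZE + 16
INJECTED = b"\xcc" * 8
PHYSICAL_RAM = (REFERENCE_IMAGE[:INJECT_OFFSET] + INJECTED
                + REFERENCE_IMAGE[INJECT_OFFSET + len(INJECTED):])


def acquire_independent(ram: bytes) -> bytes:
    """Acquisition that bypasses the running kernel (e.g. a hypervisor or
    hardware snapshot): the dump is exactly what is physically in memory."""
    return ram


def acquire_via_compromised_kernel(ram: bytes, pristine: bytes) -> bytes:
    """Model of the reply's point: a kernel that has been tampered with and
    services reads of its own memory can substitute the original bytes for
    any page it altered, so the reader never sees the modification."""
    served = []
    for real_page, clean_page in zip(split_pages(ram), split_pages(pristine)):
        # The liar answers every read of a page it changed with the clean copy.
        served.append(clean_page if real_page != clean_page else real_page)
    return b"".join(served)


def run_demo() -> dict[str, list[int]]:
    """Run the same integrity check over both acquisition paths."""
    baseline = page_hashes(REFERENCE_IMAGE)
    return {
        "independent": check_integrity(acquire_independent(PHYSICAL_RAM), baseline),
        "via_kernel": check_integrity(
            acquire_via_compromised_kernel(PHYSICAL_RAM, REFERENCE_IMAGE), baseline),
    }


if __name__ == "__main__":
    for source, modified in run_demo().items():
        print(f"{source}: modified pages = {modified}")
```

The independent acquisition reports page 2 as modified; the acquisition routed through the modelled compromised kernel reports nothing, even though the same bytes sit in RAM. That is the whole of the reply's objection: the hash comparison is sound, but its verdict is only as trustworthy as the path by which the dump was taken, which is why memory forensics tooling is usually paired with an acquisition method the analysed kernel does not mediate.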