current-users: Re: verified executable kernel modification committed

Subject: Re: verified executable kernel modification committed
To: Dries Schellekens <gwyllion@ace.ulyssis.org>
From: Brett Lymn <blymn@baesystems.com.au>
List: current-users
Date: 10/30/2002 21:26:09

On Wed, Oct 30, 2002 at 09:30:28AM +0100, Dries Schellekens wrote:
>
> How does it compare to TrojanProof and Stephanie k5?
>

Quite well, even if I do say so myself :-)

> TrojanProof: http://www.trojanproof.com

Version 1 of TrojanProof was pretty bad IMHO, the fingerprints were
evaluated each and every time so the impact of the performance of the
system would have been horrendous - for interests sake I did a
measurement of the impact of doing the fingerprint calculation every
time and found the machine ran 1.7 times slower.  Note that there is
not only a CPU performance hit but also it blows demand paging.  

The updated version 2 is much better from the sounds of things, mainly
because I pointed out the work I had already done.  He read the paper
I had presented at a conference a couple of years ago and has taken
some of those ideas (particularly the caching of the fingerprint
comparison) to improve performance, I am happy to say he did credit my
ideas to me.  By the sounds of it he is working on controlling the
mmap call so that only trusted sources will be mapped with the idea of
preventing shared libraries being trojaned.  I took a different
approach to this by fingerprinting the file when it is opened, if a
file has a fingerprint and it is opened then the fingerprint is
verified and the open will fail if the fingerprints do not match.
This means that not only can shared library files be protected but
_any_ file on the system can be fingerprinted and it's use prevented
if the contents have been modified.

> Stephanie: http://www.innu.org/~brian/Stephanie/
> The Design of k5: http://www.innu.org/~brian/Stephanie/dist/Stephanie-3.1/doc/DESIGN.k5
> 

Stephanie (iirc) made a trusted computing base by shifting all the
critical binaries into a separate, locked down tree.  I believe this
to be somewhat similar to just using chflags on everything.  What I
have done will bleat if a fingerprint does not match so you have
notification of someone doing nasty stuff to you and it also allows
you to finely control what is allowed to run on the system.

-- 
Brett Lymn