Subject: re: verified executable kernel modification committed
To: Andrew Brown <email@example.com>
From: matthew green <firstname.lastname@example.org>
Date: 10/30/2002 23:22:16
>> i don't see how veriexec makes this
>> inherently more secure. it probably has some nicer benefits over
>> chflags, but nothing that should increase/decrease real security.
>As I said, it gives a verification that what you think you are running
>is what you are running, it is about ensuring the integrity of the
>trusted computing base. Chflags can prevent files being modified but
>it cannot tell you if it was tampered with as some stage before the
>flags were applied.
...and it also can't tell you if the raw disk was frobbed out from
underneath you. chflags protects things at the ffs layer. if you go
below that, all bets are off.
i dunno. chflags isn't useful (*) without securelevel > 1 anyway,
at which point you can't frob the raw disk without physical (console)
i guess my point is if i can modify the raw disk i can pretty much
do whatever i like already, regardless of vexec - i can probably
change the vexec-ok list and cause a reboot - sure, you will notice
this but to attack the machine protected with chflags would need as
much force - a shutdown to single user or more.
this is not to say i don't find vexec useful. i know several
systems that i will definately use it on. i just don't think it
necessarily is inherently more secure than chflags protection.
(*) for security, that is. "uappnd" flags are *always* useful IMO. :)