Subject: Re: Volunteers to test some kernel code...
To: Dave McConnell <>
From: Brett Lymn <>
List: tech-kern
Date: 06/12/1999 21:46:24
According to Dave McConnell:
>Access control is also an issue. Its no use validating binaries when 
>someone has managed to get hold of the root password, or reboots 
>your system off a diskette and then has access to your filesystem 
>to replace the kernel without your knowledge.

I agree.  Physical security is an important part of the whole picture.
Also, what I have done is just another building block - not a whole
solution.  What it does do is give a bit more control.  Combine it
with some immutable files plus a securelevel of 3 and even if someone
does have the root password they are going to have a challenging time
doing anything real.  Remember they cannot run anything that is not
signed, if they replace an existing binary then it is unlikely it will
run (md5 signature is unlikely to match), they cannot play games in
/dev/kmem.  If they have ddb access then, yes, the system breaks but
then we are back to physical security :-)

>It all depends how serious you are about this Brett. Using 
>something like a smartcard and developing a sound architecture 
>would be great tho...You can also then look at encrypted 
>filesystems etc etc :-)

encrypted file systems have been done - someone in Bell labs did one
called CFS IIRC.  My aim was not to do this but more to try and
provide a validation of the TCB on the fly.  This is not CMW by any
means.  What I aiming to provide is a difficult to bypass but
relatively cheap check that what you are running is what you think you
are running.

>No security system is ever 100%. How much money and effort you 
>expend securing your system is proportional to what your threat is 
>and the cost of a compromise. 

This is true but at the risk of sounding like a broken record - what I
have done provides another string in the security bow.  The setup
involved is minimal - it took me less than half an hour on my p75
laptop to generate the signature file required.  The binaries need no
modification at all.  I do not believe that this level of security is
necessary for all machines - I was thinking more along the lines of
machines like firewalls or even DMZ machines could have their security
strengthened by this technique.

Brett Lymn, Computer Systems Administrator, British Aerospace Australia