Subject: Re: Volunteers to test some kernel code...
To: Simon J. Gerraty <>
From: Brett Lymn <>
List: tech-kern
Date: 06/15/1999 13:50:17
According to Simon J. Gerraty:
>I deleted the following from my original post, but I guess its worth
>asking: If the answer is immutable files then what's the benefit of
>the dynamic tripwire?

Only that it stops the execution of any unsigned binary.  There is
nothing to stop a person, given the correct permissions, running any
binary they want - even one they have downloaded into, say, /tmp.  By
using signing you can have a mechanism that can detect such a binary
and not run it.

>Given that at the end of the day you need to trust that immutable
>files etc actually work you can really skip the dynamic hashing

Yes if you only want to look to your TCB - making things immutable
will do the job but as I said before you also gain control :-)

>That is, something like: storing the signatures in the fs as Michael
>suggested (room in the inode?)

Or in a file in the root of the fs which is read on mount.

> and clear them whenever the file is
>written to.  Then the noexec-unsigned* check could simply check for
>the presence of the signature.

Interesting suggestion but this does lose a bit of information.  At
the moment you can tell the difference between an unauthorised binary
and one that has been tampered with.  I suppose I could just mark the
signature as being invalid (i.e. a negative hit) to save re-evaluating
the signature on the file.  Combining that with checking the
signatures on files when they are loaded into the kernel and flagging
a negative hit could improve things.  Though it does occur to me that
checking all the files would be expensive and slow a boot down somewhat.

>  Of course you need to ensure that the
>signature can only be set in single-user mode.
>And of course all that boils down to only allowing chmod +x in single
>user mode :-)

That is very true and an interesting point.  If all the files are tied
down with immutable flags then this would do the job neatly.  I think
that you would have to do it in the open call as well though :-)

Brett Lymn, Computer Systems Administrator, British Aerospace Australia