Subject: Re: Kernel modification that verifies execs against a md5 fingerprint
To: Brett Lymn <blymn@baea.com.au>
From: Jason R Thorpe <thorpej@zembu.com>
List: tech-security
Date: 03/14/2000 09:02:04
Cc: tech-security@netbsd.org
Message-ID: <20000314090204.N10872@dhcp0.wlan.shagadelic.org>
Reply-To: thorpej@zembu.com
Mail-Followup-To: Brett Lymn <blymn@baea.com.au>, tech-security@netbsd.org
References: <200003140306.NAA04792@mallee.awadi>
In-Reply-To: <200003140306.NAA04792@mallee.awadi>; from blymn@baea.com.au on Tue, Mar 14, 2000 at 01:36:46PM +1030
Organization: Zembu Labs, Inc.

On Tue, Mar 14, 2000 at 01:36:46PM +1030, Brett Lymn wrote:

[ description of md5 executable signature hack ]

 > Naturally, evaluating an md5 fingerprint on an executable every time
 > does involve overhead - it slows the machine down to almost half speed
 > (things take about 70% longer).  To overcome this slowdown the status
 > of the md5 fingerprint comparison is cached in the kernel which
 > markedly reduces the impact of the md5 fingerprinting on the running
 > of the system.

While the idea of fingerprinting executables is a cool one, I have some
concerns here:

	(1) Demand paging of executables is effectively dead with this
	    modification.

	(2) What does it really buy you?  The md5 signatures are loaded
	    at boot time, presumably from a file in the file system.
	    What's to prevent an attacker from modifying this file?
	    That could cause a DoS (can't start programs!), or allow
	    an attacker to sneak in a trojan horse.

	(3) To address (2), you'd need to make the file immutable.  But,
	    for that matter, you could also make all executables on the
	    system immutable, which would prevent people from changing them.

And, now that I think about it, you could easily add a sysctl that could
allow execution of programs only if they had the SCHG (system immutable
flag -- only super-user can set/clear it) set, and also hack in a list
of valid interpreters that exec_script could use ... then you could e.g.
chmod go-x the interpreter, and allow #!-style execution if the interpreter
appeared in the kernel's list of valid interpreters.

-- 
        -- Jason R. Thorpe <thorpej@zembu.com>
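The following is an added user-space model of the scheme under discussion, written for this archive page; it is not Brett Lymn's kernel patch or any NetBSD code. It shows the three things the thread is about: the exec-time md5 comparison, the cached verdict that avoids re-hashing on every exec, and Thorpe's point (2), that the fingerprint list is itself an unprotected file unless its digest is pinned somewhere the attacker cannot reach. The "binaries" are constructed byte strings written to a temporary directory, the list format (`md5hex  /path` per line) and the stat-based cache key are assumptions standing in for what a kernel would hang off the vnode, and the `demo()` function drives the whole sequence so its results can be inspected.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for the binaries a kernel would exec (not real ELF files).
SAMPLE_PROGRAMS = {
    "ls": b"\x7fELF constructed-ls-binary\n",
    "sh": b"\x7fELF constructed-sh-binary\n",
}


def md5_of_file(path):
    """MD5 of a whole file: the cost paid on every exec without a cache."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_fingerprints(list_path, expected_list_md5=None):
    """Parse 'md5hex  /path' lines (assumed format) into {realpath: md5}.

    If expected_list_md5 is given (a value kept somewhere writable only
    offline, e.g. compiled in or on read-only media), the list is refused
    when its own digest differs. Without that pin, point (2) in the reply
    applies: whoever can edit the list can bless any binary."""
    if expected_list_md5 is not None and md5_of_file(list_path) != expected_list_md5:
        raise ValueError("fingerprint list does not match its expected digest")
    table = {}
    with open(list_path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            digest, path = line.split(None, 1)
            table[os.path.realpath(path)] = digest.lower()
    return table


class ExecVerifier:
    """exec()-time gate: hash on first sight, remember the verdict afterwards."""

    def __init__(self, fingerprints):
        self.fingerprints = fingerprints
        self.cache = {}          # (dev, ino, mtime_ns, size) -> verdict
        self.hashes_computed = 0

    def check(self, path):
        st = os.stat(path)
        # A kernel would attach the verdict to the vnode and clear it on write;
        # in user space, file identity plus mtime/size stands in (assumption).
        key = (st.st_dev, st.st_ino, st.st_mtime_ns, st.st_size)
        if key in self.cache:
            return self.cache[key]
        self.hashes_computed += 1
        verdict = self.fingerprints.get(os.path.realpath(path)) == md5_of_file(path)
        self.cache[key] = verdict
        return verdict


def demo():
    """Run the gate through a cached hit, a replaced binary and a tampered list."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, body in SAMPLE_PROGRAMS.items():
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(body)
        list_path = os.path.join(d, "fingerprints")
        with open(list_path, "w") as f:
            for p in paths.values():
                f.write(f"{md5_of_file(p)}  {p}\n")
        list_digest = md5_of_file(list_path)   # the value that must stay out of reach

        v = ExecVerifier(load_fingerprints(list_path, list_digest))
        results["ls_first"] = v.check(paths["ls"])
        results["ls_second"] = v.check(paths["ls"])          # served from cache
        results["hashes_after_two_checks"] = v.hashes_computed

        # Replace ls with a different, longer body (constructed substitute).
        with open(paths["ls"], "wb") as f:
            f.write(b"\x7fELF constructed-substitute-replacing-ls\n")
        results["replaced_ls"] = v.check(paths["ls"])        # cache miss, rehash
        results["hashes_after_replace"] = v.hashes_computed

        unlisted = os.path.join(d, "unlisted")
        with open(unlisted, "wb") as f:
            f.write(b"\x7fELF constructed-unlisted-binary\n")
        results["unlisted"] = v.check(unlisted)

        # Edit the list to bless the substitute. A pinned loader refuses the
        # list; an unpinned one accepts it, which is the gap the reply points at.
        with open(list_path, "a") as f:
            f.write(f"{md5_of_file(paths['ls'])}  {paths['ls']}\n")
        try:
            load_fingerprints(list_path, list_digest)
            results["tampered_list_rejected"] = False
        except ValueError:
            results["tampered_list_rejected"] = True
        results["tampered_list_accepted_unpinned"] = (
            ExecVerifier(load_fingerprints(list_path)).check(paths["ls"]))
    return results


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

The cache key includes size as well as mtime so that a rewrite on a filesystem with coarse timestamp granularity still forces a rehash; a real kernel implementation would instead invalidate on the vnode at write or mmap time, which is also where Thorpe's demand-paging concern (1) bites, since the whole file has to be read before the first page is mapped.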