Subject: Re: r/o filesystem restrictions for firewall?
To: Yubyub bird <jonl@yubyub.net>
From: Brett Lymn <blymn@baesystems.com.au>
List: netbsd-help
Date: 10/24/2000 14:11:28
According to Yubyub bird:
>
>I'd like to keep away from any type of local writable storage (save
>memory - but not mfs)... there are just too many ways to bring down files
>to a compromised system, then use those executables to do further
>damage.  This way, a potential cracker has a limited set of tools at
>his/her/their disposal.
>

<*ahem*> Beware, gratuitous plug to follow :-)

I made some mods to the NetBSD kernel that would allow only
executables that match an in-kernel list of md5 hashes to run on the
machine.  This meant that someone could not just download a binary and
run it nor could they modify a binary on disk and run the modified
binary because the md5 hash would not match.  There are a few caveats
though:

1) An attacker can still run things if they can find a buffer overflow
and exploit that to mmap memory to run a binary.

2) There is no verification of shared libraries (currently).

Even given the caveats the modification does give you some assurance
that what you think you are running is what you are running and it
does make a cracker's job a bit harder because they cannot just copy
/bin/sh off somewhere and set the setuid bit to have a convenient root
shell.  Mind you, this mod does not protect against config changes,
though I am thinking that security critical files could also be hashed
and verified on file open.

I am considering further mods to fix the above caveats; I believe I
can securely close both these holes without too much trouble.

BTW if you are thinking that the performance will be impacted, the way
I have done the implementation means a degradation of less than 2% on
a slow machine - I could not see a clear performance drop at all on a
faster machine.


-- 
===============================================================================
Brett Lymn, Computer Systems Administrator, BAE SYSTEMS
===============================================================================
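Added example (not Brett's kernel code): a user-space Python model of the exec gate described above, so the behaviour can be tried on constructed files. Two assumptions are baked in. First, the allowlist is keyed on path as well as hash; the message does not say how the in-kernel list is indexed, but keying on path alone is what makes the "copy /bin/sh somewhere else and set the setuid bit" case fail, so that is what is modelled here. Second, the list of shared libraries a binary needs is passed in by the caller (`needed_libs`) as a stand-in for what the loader would pull from the ELF DT_NEEDED entries; checking those entries is what closing caveat 2 would amount to. The sample "binaries" are arbitrary bytes written to a temporary directory.

```python
"""User-space model of an exec gate that only runs files whose MD5 matches
an allowlist. Added example; not the NetBSD kernel modification itself."""
import hashlib
import os
import tempfile


def md5_file(path):
    """MD5 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(root, rel_paths):
    """Hash each trusted file once, at install time.

    Keyed on path (assumption): the same bytes at a different path are not
    on the list, which is what defeats 'copy /bin/sh to /tmp and chmod u+s'.
    """
    return {p: md5_file(os.path.join(root, p)) for p in rel_paths}


def check_exec(root, allowlist, rel_path, needed_libs=()):
    """Decide whether rel_path may be executed. Returns (allowed, reason).

    needed_libs is the caller-supplied dependency list standing in for the
    loader's DT_NEEDED entries (assumption); every library is held to the
    same check as the executable, so a trojaned libc is caught too.
    """
    for p in (rel_path,) + tuple(needed_libs):
        expected = allowlist.get(p)
        if expected is None:
            return False, "not in allowlist: " + p
        full = os.path.join(root, p)
        if not os.path.isfile(full):
            return False, "missing: " + p
        if md5_file(full) != expected:
            return False, "hash mismatch: " + p
    return True, "ok"


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Run the four attacker moves from the message against the gate."""
    root = tempfile.mkdtemp()
    # Constructed stand-ins for binaries; the bytes are arbitrary.
    trusted = {
        "bin/sh": b"#!sh v1\n",
        "usr/bin/ls": b"ELF ls v1\n",
        "lib/libc.so": b"ELF libc v1\n",
    }
    for rel, data in trusted.items():
        _write(root, rel, data)
    allowlist = build_allowlist(root, trusted)

    results = {}
    results["trusted"] = check_exec(root, allowlist, "usr/bin/ls", ["lib/libc.so"])

    # 1. Attacker downloads a fresh binary: no entry on the list.
    _write(root, "tmp/rootkit", b"ELF evil\n")
    results["downloaded"] = check_exec(root, allowlist, "tmp/rootkit")

    # 2. Attacker copies /bin/sh elsewhere for a setuid shell: same bytes,
    #    but the path is not on the list.
    _write(root, "tmp/.sh", trusted["bin/sh"])
    results["copied_sh"] = check_exec(root, allowlist, "tmp/.sh")

    # 3. Attacker patches the on-disk ls: hash no longer matches.
    _write(root, "usr/bin/ls", b"ELF ls backdoored\n")
    results["modified"] = check_exec(root, allowlist, "usr/bin/ls", ["lib/libc.so"])

    # 4. Binary restored, but libc replaced: caught only because the
    #    libraries are verified as well (caveat 2 in the message).
    _write(root, "usr/bin/ls", trusted["usr/bin/ls"])
    _write(root, "lib/libc.so", b"ELF libc trojaned\n")
    results["trojaned_lib"] = check_exec(root, allowlist, "usr/bin/ls", ["lib/libc.so"])
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print("%-13s %-6s %s" % (name, "ALLOW" if allowed else "DENY", reason))
```

Caveat 1 from the message is outside what a model like this can show: once an attacker is already executing code inside a trusted process (via an overflow), nothing passes through the exec gate, so hashing binaries on disk cannot help; that is exactly why the check is a complement to, not a replacement for, keeping writable storage and network-fetched binaries off the box as the original poster intended.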