Subject: Re: Volunteers to test some kernel code...
To: Simon J. Gerraty <sjg@quick.com.au>
From: Brett Lymn <blymn@baea.com.au>
List: tech-kern
Date: 06/15/1999 13:50:17
According to Simon J. Gerraty:
>
>I deleted the following from my original post, but I guess its worth
>asking: If the answer is immutable files then what's the benefit of
>the dynamic tripwire?
>
Only that it stops the execution of any unsigned binary. There is
nothing to stop a person, given the correct permissions, running any
binary they want - even one they have downloaded into, say, /tmp. By
using signing you can have a mechanism that can detect such a binary
and not run it.
>Given that at the end of the day you need to trust that immutable
>files etc actually work you can really skip the dynamic hashing
>altogether.
>
Yes if you only want to look to your TCB - making things immutable
will do the job but as I said before you also gain control :-)
>That is, something like: storing the signatures in the fs as Michael
>suggested (room in the inode?)
Or in a file in the root of the fs which is read on mount.
> and clear them whenever the file is
>written to. Then the noexec-unsigned* check could simply check for
>the presence of the signature.
Interesting suggestion but this does lose a bit of information. At
the moment you can tell the difference between an unauthorised binary
and one that has been tampered with. I suppose I could just mark the
signature as being invalid (i.e. a negative hit) to save re-evaluating
the signature on the file. Combining that with checking the
signatures on files when they are loaded into the kernel and flagging
a negative hit could improve things. Though it does occur to me that
checking all the files would be expensive and slow a boot down somewhat.
> Of course you need to ensure that the
>signature can only be set in single-user mode.
>
>And of course all that boils down to only allowing chmod +x in single
>user mode :-)
>
That is very true and an interesting point. If all the files are tied
down with immutable flags then this would do the job neatly. I think
that you would have to do it in the open call as well though :-)
--
===============================================================================
Brett Lymn, Computer Systems Administrator, British Aerospace Australia
===============================================================================