Subject: Re: Systrace policy fingerprints? (Re: finer grained IPNOPRIVPORTing)
To: Simon J. Gerraty <sjg@crufty.net>
From: Brett Lymn <blymn@baesystems.com.au>
List: tech-security
Date: 05/31/2005 22:16:22
On Mon, May 30, 2005 at 04:39:01PM -0700, Simon J. Gerraty wrote:
>
> Hmmm, that doesn't sound particularly useful, wouldn't that mean that every
> file needs a fingerprint and thus becomes immutable?
>
Yes, that is the case, it means no temporary files on the
machine... well, they can be written but not read. It really is
intended for more tightly locking down an appliance or the like where
you push the logs etc off to another machine.
>
> As I've said before, I don't like the idea of pulling RSA and similar
> stuff into the kernel.
Yes, and I do agree that pulling RSA into the kernel is not a nice
idea to consider, I don't like it at all really. Though we could get
this stuff for the cost of a driver it we supported the TPM chips
(these aren't meant for bulk encryption but they do have a RSA
encryption engine amongst other things...)
> I'm using detached signatures on the fingerprint
> manifests, and using a loader that won't proceed unless it can verify
> the signature. You could easily have it tag the structs passed to the kernel
> with an id of the signer (I only have one signer of course), doing this
> in userland allows maximum flexibility.
oh my.... why just one id? (though that would be sufficient for most
cases). If multiple signers were required before an executable was run
then you would be able to enforce a "two man" rule if that was
required.
> The only way the loader can be
> compromised is if verexec doesn't work ;-).
I know, but sometimes I worry too much...
--
Brett Lymn