Date: Mon, 1 Jun 1998 11:07:36 +0200 (CEST)
From: Andrzej Bialecki <abial@nask.pl>
To: Joe McGuckin <joe@via.net>
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: Signed executables, safe delete etc.
Message-ID: <Pine.NEB.3.95.980601104339.280A-100000@korin.warman.org.pl>
In-Reply-To: <199805312148.OAA25397@monk.via.net>
On Sun, 31 May 1998, Joe McGuckin wrote:

> I've thought about this in the past - specifically as it would apply to
> a firewall machine. If binaries could be signed with a key, and
> the kernel exec routine required that a proper key be decrypted before
> loading the program, this would eliminate someone hacking onto a
> firewall and using it as a platform for further mischief. Generally, they
> like to bring over a toolkit of snooping programs written in 'C'.
>
> Even though they could compile their nifty toolset, nothing would execute
> because they couldn't properly sign their binaries.
>
> Of course, the signing program would have to reside on a floppy or other
> removable media. I don't think it would be wise to leave it on the
> system.

Thanks for the reply on the subject... :-)

Yes, that's the situation I'm thinking about. As it was suggested to me by Niall Smart, we already have something called securelevel, but this protects only already existing binaries (and not new ones, possibly exploiting e.g. kernel bugs), and only on a running system. To be more precise: I know that when securelevel=2 or something, all the binaries with immutable and append-only flags cannot be changed. But this doesn't prevent executing the user's own program (possibly in order to get a root shell).

What I thought of was two separate ideas:

* the system would refuse to execute a non-signed binary
* the system would even refuse to boot and to load the kernel without appropriate authentication. This would require cooperation from the filesystem (like encrypting parts of it, say superblocks) so that an attacker couldn't take the disk to another machine and mount it there.

The first item is relatively easy to implement, the second one is much more difficult...

As for removable media with the encrypting program (and encryption keys): there exist small flash mems which can be placed on a keyring, and there are special sockets/readers to use them... I personally haven't seen them, but I know a certain company which builds a version of the standard PC with such a reader (they use it as a means of storing private keys for their program).

Andrzej Bialecki

--------------------+---------------------------------------------------------
abial@nask.pl       | if(halt_per_mth > 0) { fetch("http://www.freebsd.org") }
Research & Academic | "Be open-minded, but don't let your brains to fall out."
Network in Poland   | All of the above (and more) is just my personal opinion.
--------------------+---------------------------------------------------------
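An added example, not code from the thread or from FreeBSD, of the first idea above: an exec-time check that refuses any image whose signature does not verify under a trusted public key, so a toolkit compiled on the box cannot run. The trailer layout, the function names and the use of Ed25519 are my assumptions; signing happens only on the offline host that holds the private key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Hypothetical image format (an assumption, not a FreeBSD format): the raw
// executable bytes followed by a trailer made of a magic marker and an
// Ed25519 signature over those bytes.
var trailerMagic = []byte("SIGBIN01")

// SignBinary appends the signature trailer. It runs only on the offline
// signing host (the removable-media step in the thread), never on the firewall.
func SignBinary(priv ed25519.PrivateKey, exe []byte) []byte {
	out := append([]byte{}, exe...)
	out = append(out, trailerMagic...)
	return append(out, ed25519.Sign(priv, exe)...)
}

// CheckExec is the policy the exec path would apply: an image that is too
// short, lacks the marker, or whose signature fails under the trusted key is
// refused, so a freshly compiled or tampered binary never runs.
func CheckExec(trusted ed25519.PublicKey, image []byte) error {
	tlen := len(trailerMagic) + ed25519.SignatureSize
	if len(image) < tlen {
		return errors.New("exec denied: image too short to carry a signature")
	}
	body, trailer := image[:len(image)-tlen], image[len(image)-tlen:]
	if !bytes.Equal(trailer[:len(trailerMagic)], trailerMagic) {
		return errors.New("exec denied: no signature trailer")
	}
	if !ed25519.Verify(trusted, body, trailer[len(trailerMagic):]) {
		return errors.New("exec denied: signature does not verify")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed test key
	signed := SignBinary(priv, []byte("constructed executable bytes"))
	fmt.Println("signed image:", CheckExec(pub, signed))
	fmt.Println("unsigned image:", CheckExec(pub, []byte("fresh local build")))
}
```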