From owner-freebsd-hackers Mon Jun 1 03:45:08 1998
From: njs3@doc.ic.ac.uk (Niall Smart)
Date: Mon, 1 Jun 1998 11:44:27 +0100
To: Joe McGuckin, freebsd-hackers@FreeBSD.ORG
Subject: Re: Signed executables, safe delete etc.

> I've thought about this in the past - specifically as it would apply to
> a firewall machine. If binaries could be signed with a key, and
> the kernel exec routine required that a proper key be decrypted before
> loading the program, this would eliminate someone hacking onto a
> firewall and using it as a platform for further mischief. Generally, they
> like to bring over a toolkit of snooping programs written in 'C'.

This is a pretty nifty idea, but perhaps is not as useful as you might think. Firstly, you would have to remove all scripting utilities capable of doing whatever the intruder is trying to achieve.

Secondly, think of all the (non-sugid) executables which have potential buffer overflows: the attacker can simply overflow the buffer with code that will load from disk any code which he likes and execute it in that process's address space; it would not be necessary to create a new process.

I have a couple of other ideas which I'm hoping to work on this summer. These include a per-binary flag to indicate if the stack should be marked non-executable, and a flag to indicate if the process' environment and arguments should be checked for non-printable ASCII characters before allowing execution. I haven't yet checked if it is possible to write shellcode using just printable ASCII characters though, so that last idea might be worthless (and yes, I know they are no 'silver bullet' to the perennial problem of buffer overflows).

Niall
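The two exec-time checks discussed in this thread (Joe's signed-binary gate and Niall's printable-only argv/envp flag), modelled in userland as an added example that is not code from this thread or from FreeBSD. The asymmetric signature the post proposes is stood in for by an HMAC-SHA256 over the image so the block runs on the standard library alone; the key, sample image and all function names are constructed for illustration.

```python
import hmac
import hashlib

# Constructed demo key. In the proposed design the kernel would hold only a
# verification key; a keyed MAC is used here purely so the example is self-contained.
TRUSTED_KEY = b"constructed-demo-key"


def sign_binary(image: bytes, key: bytes = TRUSTED_KEY) -> bytes:
    """Tag an administrator would attach to an executable when installing it."""
    return hmac.new(key, image, hashlib.sha256).digest()


def signature_ok(image: bytes, tag: bytes, key: bytes = TRUSTED_KEY) -> bool:
    """Joe's check: the image must carry a tag that verifies under the trusted key.
    Note this only vouches for the bytes on disk; it says nothing about what the
    process does after a buffer overflow, which is Niall's second objection."""
    return hmac.compare_digest(sign_binary(image, key), tag)


def args_printable(argv, envp) -> bool:
    """Niall's proposed per-binary flag: every byte of argv and envp must be
    printable ASCII (0x20..0x7e). Any control byte or high-bit byte fails."""
    for item in list(argv) + list(envp):
        if any(b < 0x20 or b > 0x7E for b in item):
            return False
    return True


def exec_allowed(image: bytes, tag: bytes, argv, envp, check_args: bool = True):
    """Decision a signature-aware exec routine would take.
    Returns (allowed, reason) so a caller can log why an exec was refused."""
    if not signature_ok(image, tag):
        return False, "signature mismatch"
    if check_args and not args_printable(argv, envp):
        return False, "non-printable bytes in argv/envp"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample image and invocation.
    image = b"\x7fELF constructed sample image"
    tag = sign_binary(image)
    print(exec_allowed(image, tag, [b"prog", b"-v"], [b"PATH=/bin"]))
    print(exec_allowed(image, tag, [b"prog", b"\x90\x90"], []))
    print(exec_allowed(image + b"x", tag, [b"prog"], []))
```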