Date: Sun, 2 Sep 2007 07:58:49 -0400 From: Bill Moran <wmoran@collaborativefusion.com> To: Joerg Sonnenberger <joerg@britannica.bec.de> Cc: freebsd-hackers@freebsd.org Subject: Re: Exclusive binary files Message-ID: <20070902075849.6ede3ade.wmoran@collaborativefusion.com> In-Reply-To: <20070902104508.GB19678@britannica.bec.de> References: <45910cf20709011027o546363e2h4f5646b15e0f84a2@mail.gmail.com> <20070901183020.6a098955@bhuda.mired.org> <20070902104508.GB19678@britannica.bec.de>
next in thread | previous in thread | raw e-mail | index | archive | help
Joerg Sonnenberger <joerg@britannica.bec.de> wrote: > > On Sat, Sep 01, 2007 at 06:30:20PM -0400, Mike Meyer wrote: > > On Sat, 1 Sep 2007 14:27:42 -0300 "Klaus Schneider" <klausps@gmail.com> wrote: > > > Well, anybody know a way to make the FreeBSD run just binaries that I have > > > compiled? > > > > In general, it's impossible. There's no way the system can know that > > you compiled a binary. There are a number of things you could do with > > a custom kernel and toolchain to indicate that you compiled the binary > > (like Peter's changing of ELF OSABI), but that's just security through > > obscurity. If someone figures out those changes and replicates them, > > you lose. > > You mean using cryptographic hashes to ensure that binaries match those > you compiled is impossible? Something like NetBSD's veriexec? Also, the situation can be actively _detected_ using something like tripwire or samhain. It'd be up to the admin to step in and stop things when a problem is detected, but at least you'd know. And those programs are available on all systems now. -- Bill Moran Collaborative Fusion Inc. wmoran@collaborativefusion.com Phone: 412-422-3463x4023
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070902075849.6ede3ade.wmoran>