From owner-freebsd-hackers@FreeBSD.ORG  Sun Sep  2 11:59:19 2007
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 18A8816A41B
	for <freebsd-hackers@freebsd.org>; Sun,  2 Sep 2007 11:59:19 +0000 (UTC)
	(envelope-from wmoran@collaborativefusion.com)
Received: from mx00.pub.collaborativefusion.com
	(mx00.pub.collaborativefusion.com [206.210.89.199])
	by mx1.freebsd.org (Postfix) with ESMTP id 5B0F613C458
	for <freebsd-hackers@freebsd.org>; Sun,  2 Sep 2007 11:59:18 +0000 (UTC)
	(envelope-from wmoran@collaborativefusion.com)
Received: from working (c-71-60-127-199.hsd1.pa.comcast.net [71.60.127.199])
	(AUTH: LOGIN wmoran, SSL: TLSv1/SSLv3,256bits,AES256-SHA)
	by wingspan with esmtp; Sun, 02 Sep 2007 07:58:50 -0400
	id 00056407.46DAA57B.0000F344
Date: Sun, 2 Sep 2007 07:58:49 -0400
From: Bill Moran <wmoran@collaborativefusion.com>
To: Joerg Sonnenberger <joerg@britannica.bec.de>
Message-Id: <20070902075849.6ede3ade.wmoran@collaborativefusion.com>
In-Reply-To: <20070902104508.GB19678@britannica.bec.de>
References: <45910cf20709011027o546363e2h4f5646b15e0f84a2@mail.gmail.com>
	<20070901183020.6a098955@bhuda.mired.org>
	<20070902104508.GB19678@britannica.bec.de>
Organization: Collaborative Fusion Inc.
X-Mailer: Sylpheed 2.4.4 (GTK+ 2.10.14; i386-portbld-freebsd6.2)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: freebsd-hackers@freebsd.org
Subject: Re: Exclusive binary files
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Sep 2007 11:59:19 -0000

Joerg Sonnenberger <joerg@britannica.bec.de> wrote:
>
> On Sat, Sep 01, 2007 at 06:30:20PM -0400, Mike Meyer wrote:
> > On Sat, 1 Sep 2007 14:27:42 -0300 "Klaus Schneider" <klausps@gmail.com> wrote:
> > > Well, anybody know a way to make the FreeBSD run just binaries that I have
> > > compiled?
> > 
> > In general, it's impossible. There's no way the system can know that
> > you compiled a binary. There are a number of things you could do with
> > a custom kernel and toolchain to indicate that you compiled the binary
> > (like Peter's changing of ELF OSABI), but that's just security through
> > obscurity. If someone figures out those changes and replicates them,
> > you lose.
> 
> You mean using cryptographic hashes to ensure that binaries match those
> you compiled is impossible? Something like NetBSD's veriexec?

Also, the situation can be actively _detected_ using something like
tripwire or samhain.  It'd be up to the admin to step in and stop things
when a problem is detected, but at least you'd know.  And those
programs are available on all systems now.

-- 
Bill Moran
Collaborative Fusion Inc.

wmoran@collaborativefusion.com
Phone: 412-422-3463x4023