From owner-freebsd-hackers Sat May 30 02:33:45 1998
From: njs3@doc.ic.ac.uk (Niall Smart)
Date: Sat, 30 May 1998 10:32:43 +0100
In-Reply-To: Andrzej Bialecki "Signed executables, safe delete etc." (May 30, 2:15am)
To: Andrzej Bialecki, freebsd-hackers@FreeBSD.ORG
Subject: Re: Signed executables, safe delete etc.

On May 30, 2:15am, Andrzej Bialecki wrote:
} Subject: Signed executables, safe delete etc.
>
> What I imagine is e.g. to have kernel and/or init(8) check its own binary
> file against a checksum of some kind (preferably MD5 or SHA) stored
> somewhere. If the checksumming fails (i.e. the kernel or init have been
> tampered with) it refuses to go on.

If an attacker can tamper with the kernel or init then he can simply remove
the code which performs this check, or make it a nop. Use securelevels to
protect system binaries from modification. Also check out tripwire, which
has the kind of functionality you talk about and can be useful when setting
immutable flags on a particular file is impractical (e.g. everyone's .login).

> The second idea is to add new flag and functionality to FFS: purge on
> delete. If this flag is set, kernel would wipe out the contents of the
> file which is being deleted, using special patterns (3-7 times). This
> would ensure that if you delete the sensitive data, they are really
> deleted and unrecoverable.

Yes, this would be useful to certain people. An encryption layer on top of
the read/write interface to disks would also be nice; people have worked on
this, but I don't have the URL handy.

Niall
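The tripwire-style check Niall points to, as an added illustration that is not part of this thread and not tripwire's own code: a baseline of digests, sizes and modes is recorded for a set of files and later compared against the filesystem. The function and field names are assumptions. The reply's caveat still applies: the baseline file and the checker must live somewhere the attacker cannot write (for example on read-only media, or made immutable with `chflags schg` under a raised securelevel), otherwise both can be edited along with the binaries they protect.

```python
import hashlib
import json
import os

# Hypothetical helper names; this is a minimal integrity checker, not tripwire's API.


def hash_file(path, algo="sha256"):
    """Hex digest of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algo="sha256"):
    """Record digest, size and permission bits for each monitored file."""
    baseline = {"algo": algo, "files": {}}
    for p in paths:
        st = os.stat(p)
        baseline["files"][p] = {
            "digest": hash_file(p, algo),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,
        }
    return baseline


def verify(baseline):
    """Compare the live filesystem against a baseline and return the discrepancies."""
    report = {"modified": [], "missing": [], "mode_changed": []}
    for p, rec in baseline["files"].items():
        if not os.path.exists(p):
            report["missing"].append(p)
            continue
        st = os.stat(p)
        if st.st_mode & 0o7777 != rec["mode"]:
            report["mode_changed"].append(p)  # e.g. a setuid bit that appeared
        if st.st_size != rec["size"] or hash_file(p, baseline["algo"]) != rec["digest"]:
            report["modified"].append(p)
    return report


def save_baseline(baseline, path):
    """Write the baseline; store the result where the attacker cannot rewrite it."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)
```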