Subject: Re: Is it possible to check the running kernel signature?
From: "O'Connor, Daniel"
Date: Fri, 17 Apr 2015 13:30:58 +0930
To: Yuri
Cc: freebsd-hackers@FreeBSD.org
In-Reply-To: <553074DE.4070106@rawbw.com>
Message-Id: <7C5F6DC3-5507-409E-B58A-F9F291D1924A@dons.net.au>

> On 17 Apr 2015, at 12:20, Yuri wrote:
> The idea that comes to mind is the ability to verify that the running kernel wasn't tampered with by comparing it with its disk image copy. Same with the kernel modules. Kernel can be verified through the memory mmapped to /dev/mem device.
> Is this idea feasible, and would it make sense to implement it?

If the kernel has been compromised then you can't trust it. Since any userland program has to use the kernel to do its job, it is impossible to validate the kernel, because the kernel could just fake up anything it wants.

Also I think when the kernel is loaded it is modified for things like relocations (although I'm not sure), which would make it tricky to verify.

--
Daniel O'Connor
"The nice thing about standards is that there are so many of them to choose from."
 -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C