Re: signed exec, was: Re: When to submit something? and: signed executables.

From: Julien Oster (joster@soft-research.de)
Date: Mon Aug 21 2000 - 13:58:03 EST


On Mon, Aug 21, 2000 at 08:31:28PM +0200, Martin MaD Douda wrote:

> Just a few questions for you:
> 1. How much does your module slow the system down?

It slows down the startup of binaries a little bit, depending on how big
the executable is. With my Celeron 333 CPU on a Sony VAIO Notebook, the
execution of a 40MB zero file took 4 seconds more.

So, if you are starting many processes in a small amount of time, you should
think twice about using it. However, from what I've tested, it's not that
bad.

> 2. You have the kernel MD5ing a few-megabyte executable. Are all other
> processes stopped (the kernel is not reentrant) during this?

No, they aren't. I just checked it out again to make sure. During the 4
seconds the MD5 sum for the 40MB executable is computed, all processes
continue running. (er... by the way... why? I don't know very much about task
handling yet)

> 3. Do you solve shared library modification?

Uh, something I have not thought about yet. However, if I discover any
misbehaviour (that is, shared libraries are not checked), I'll include it in
the next version.

> 4. Isn't "chattr +i" sufficient protection with much less impact on
> performance?

If you are starting many processes in a small amount of time, you should not
use "sexec", or you should only use it for executables that a) you are
paranoid about and/or b) won't get called every second.

sexec only computes MD5 digests for executables that have an entry in the list.
There is virtually no performance loss for others.

You can't "lock down" +i as I understood. And I think it's a little harder
to keep track of the immutable files. You can use the same MD5 digest list
that sexec uses for other things. A distribution could come with an MD5 digest
list and initialize sexec for it. And chattr +i doesn't protect you from new
setuid root binaries (of course you already have a big problem if an attacker
is able to create them).

Julien
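As an added illustration, not part of this thread or of the sexec module itself, here is a userspace sketch of the check Julien describes: only paths present in the digest list are hashed, so unlisted binaries cost nothing, and a listed binary whose MD5 no longer matches is refused. The list format, the function names and the sample files are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile

# Assumed list format (not sexec's real one): one "<md5hex>  <absolute path>" per line.
def parse_digest_list(text):
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        entries[path] = digest.lower()
    return entries

def md5_file(path, chunk_size=1 << 16):
    # Stream the file so a large binary is not read into memory at once.
    # MD5 is kept to match the thread; it is no longer collision-resistant,
    # so a list built today would use SHA-256 instead.
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def check_exec(path, entries):
    """Decision made at exec time: unlisted binaries are never hashed
    (no performance cost), listed ones run only if the digest matches."""
    expected = entries.get(path)
    if expected is None:
        return "allow-unlisted"
    return "allow" if md5_file(path) == expected else "deny"

def demo():
    # Constructed sample: two fake "binaries", one listed and one not.
    d = tempfile.mkdtemp()
    trusted = os.path.join(d, "trusted")
    other = os.path.join(d, "other")
    with open(trusted, "wb") as f:
        f.write(b"\x7fELF trusted program\n")
    with open(other, "wb") as f:
        f.write(b"\x7fELF unlisted program\n")
    entries = parse_digest_list(f"{md5_file(trusted)}  {trusted}\n")
    before = (check_exec(trusted, entries), check_exec(other, entries))
    with open(trusted, "ab") as f:
        f.write(b"tampered")  # simulate the listed binary being replaced
    return before + (check_exec(trusted, entries),)

if __name__ == "__main__":
    print(demo())  # ('allow', 'allow-unlisted', 'deny')
```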

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Wed Aug 23 2000 - 21:00:05 EST