Re: [ANNOUNCE] DigSig 0.2: kernel module for digital signatureverification for binaries

From: David Gordon
Date: Wed Oct 01 2003 - 21:06:52 EST

Next message: Rusty Russell: "Re: [PATCH] Many groups patch."
Previous message: Dan: "Re: [PATCH] 2.6: joydev is too eager claiming input devices"
In reply to: Edgar Toernig: "Re: [ANNOUNCE] DigSig 0.2: kernel module for digital signatureverification for binaries"
Next in thread: Valdis . Kletnieks: "Re: [ANNOUNCE] DigSig 0.2: kernel module for digital signature verification for binaries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> The "How do I make sure that only licensed software
> will run on my new gizmo?" problem?
>
> Why should an open source developer encourage this?

Digital signatures in open source software are aimed
at running only allowed (read signed) binaries, the
license question is a side issue. IMHO, this has a
potential to increase the security of a Linux box.

> AFAICS if I want to exec something, I can avoid
> exec() syscall and do mmaps by hand...
> Pavel

That is true. A digital signature will only protect
binary data on hard disk. The whole process from the
hard disk to memory is harder to cover (see
http://www.phrack.org/show.php?p=59&a=5 Short Stories
about execve). I believe that digital signature
verification in the kernel must be placed as close as
possible to the actual mmap of the binary. LSM
framework is the current way of implementing this but
not quite sufficient.

> Don't be ridiculous. It's trivial to exploit a
local
> buffer overrun in one of your signed binaries and
> have the shellcode mmap the rest. All pre-built, of

> course.

That's also true. A digital signature will not protect
against an already existing vulnerability in a binary
(bo). Let's say for instance that a linux box is
compromised with a bo, usually another backdoor is
created. Even if the system is running Pax (mentioned
by Makan), "http://www.phrack.org/show.php?p=61&a=8
Cerberus Elf interface" describes how to circumvent
this.

But on a system with digitally signed binaries, this
is no longer possible since it requires modification
of the binary which is signed.

My point is that a system with digitally signed
binaries won't prevent existing security holes, but
will prevent the creation of other ones. The attacker
is constrained to use the system as is, ie. to exploit
the same bo. Unless of course the bo gives him access
to the kernel and he disables digital signature
verification.

David

______________________________________________________________________
Post your free ad now! http://personals.yahoo.ca
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Rusty Russell: "Re: [PATCH] Many groups patch."
Previous message: Dan: "Re: [PATCH] 2.6: joydev is too eager claiming input devices"
In reply to: Edgar Toernig: "Re: [ANNOUNCE] DigSig 0.2: kernel module for digital signatureverification for binaries"
Next in thread: Valdis . Kletnieks: "Re: [ANNOUNCE] DigSig 0.2: kernel module for digital signature verification for binaries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]