Re: [ANNOUNCE] Release Digsig 1.5: kernel module for run-time authentication of binaries

From: Ulrich Drepper
Date: Fri Apr 28 2006 - 11:26:17 EST

Next message: David GÃmez: "Re: IP1000 gigabit nic driver"
Previous message: Jan Beulich: "[PATCH] adjust handle_IRR_event() return type"
In reply to: Serge E. Hallyn: "Re: [ANNOUNCE] Release Digsig 1.5: kernel module for run-time authentication of binaries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 4/24/06, Nix <nix@xxxxxxxxxxxxx> wrote:

> But preventing every type of code loading or generation at userlevel
> cannot be prevented this way.

Oh, indeed not. It's just a stopgap that blocks some (large) percentage
of script kiddy attacks that involve downloading binaries and then
executing them, or even compiling them on the spot (not that those are
as common these days).

Script kiddies don't write the exploit code themselves. And for those
who write the code it is no problem to circumvent the signature
testing.

Yeah. I'll admit I've found signed binaries principally useful on
stripped-down firewalls and firewall UML instances. These boxes don't
tend to run, say, CLISP or SBCL or OpenOffice (at least if they do the
firewall maintainer needs shooting).

But they have Perl, Python, etc. Those are sufficient. Heck, I can
cause havor with bash.

Combine it with SELinux, exec-shield, FORTIFY_SOURCE, -fstack-protector
and, say, a COWed filesystem read off a CD and reset with every boot,
and you start to get a bit less insecure than you would otherwise be.

Take signed binaries off of this list and you don't lose anything.

It's another hurdle for the bad guys to leap, and many will fall at the
wayside.

It is a little one-time effort. This approach differs in that it
simply shifts the way binaries are introduced. I can write a dynamic
loader in Perl. and after that I don't load ELF binaries through the
kernel ever again. If such a loader doesn't exist today it could very
well exist in a few months and after that this "protection" is
completely useless. Every script kiddy will have it.

This is the big difference to techniques like randomization which
might be circumventent with a certain probability but never fully can
be removed. Stacking those kind of protections is a good idea
because, if they are not fully correlated, the stacking provides
additional protection. Signed binaries do not.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David GÃmez: "Re: IP1000 gigabit nic driver"
Previous message: Jan Beulich: "[PATCH] adjust handle_IRR_event() return type"
In reply to: Serge E. Hallyn: "Re: [ANNOUNCE] Release Digsig 1.5: kernel module for run-time authentication of binaries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]