Re: [PATCH prototype] [0/8] Predictive bitmaps for ELF executables
From: Pavel Machek
Date: Sun Mar 23 2008 - 09:38:57 EST
On Sat 2008-03-22 15:29:49, Andi Kleen wrote:
> On Sat, Mar 22, 2008 at 03:16:31AM -0700, Nicholas Miell wrote:
> >
> > *sigh* this is probably true
>
> Actually it is a relatively weak argument assuming the standard
> 4k xattrs, but still an issue.
>
> The other stronger argument against it is that larger xattrs tend to be
> outside the inode so you would have another seek again.
>
> > > and a mess to manage (a lot of tools don't know about them)
> >
> > At this point in time, all tools that don't support xattrs are
> > defective,
>
> Good joke.
>
> > I just have an instinctive aversion towards the kernel mucking around in
> > ELF objects -- for one thing, you're going to have to blacklist
> > cryptographically signed binaries.
>
> What signed binaries?
>
> Anyways there are two ways to deal with this:
>
> - Run the executable through a little filter that zeroes the bitmap before
> computing the checksum. That is how rpm -V deals with prelinked binaries which
> have a similar issue. You can probably reuse the scripts from rpm.
Is this good idea? Attacker can send you binary with the bitmap
inverted, it is now slow on your system and signature matches.
...might be important for benchmarks... 'here, see, Oracle is slow.
Feel free to verify the signature'.
...ok, I guess it is not too serious, because it is similar to
fragmentation....
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/