Re: Goal / Danger: Attack by malicious root

[Bennett Todd <bet@rahul.net>]

[-- Attachment #1: Type: text/plain, Size: 2131 bytes --]

The problem you describe is right in the heart of the design
principles of trusted computing systems.

Basically, the only way you can trust a computer to use it for
sensitive purposes (like presenting your reusable authentication
credentials to it) is if you _know_ that the code it's running
hasn't been tampered with. If you want to use a system that's out in
a public lab where people can whack on it, your only real hope is to
see if you can force it to boot from some media you take with you
(or, depending on your assumptions and your local network
architecture, possibly do a network boot from a secured server ---
that latter was the Athena approach). Maybe take a CD-ROM with a
known-good OS along with you.

The problem is that if someone has complete control over a system,
no OS feature can possibly save you, since the attacker is in a
position to completely revise or replace the OS.

Now _if_ you had a situation where the machine was sufficiently
thoroughly physically secured, and the software running on it
sufficiently tightly configured, that you were confident that the OS
wasn't tampered with, then the problem would reduce to a real oldie,
the trusted path. The typical fix for that is to have the OS
directly support a special hot-key combo that is absolutely
guaranteed to terminate all processes associated with that console,
and start a new login process, guaranteed to come from the real OS
and not any trojan left running by the last person on that console.
That would be easy to add to selinux. In fact, I thought I'd
remembered seeing something along those lines, but when I just
checked the todo.html I didn't find 'em, maybe my brain is playing
nasty tricks on me.

They do mention integrating the file mandatory access controls with
file encryption, so that part of your question is on the todo list,
but trusted path I do not see. Perhaps it's too trivial. Certainly
it wouldn't be too hard to rig a script around lsof to blow away
anything that has an open file descriptor on the console device, and
let a getty get respawned by init, and wire that to the crtlaltdel
hook in inittab.

-Bennett

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]