From: Chris Wright <chrisw@osdl.org>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: Chris Wright <chrisw@osdl.org>,
linux-kernel@vger.kernel.org,
Axelle Apvrille <axelle.apvrille@trusted-logic.fr>,
david.gordon@ericsson.com, gaspoucho@yahoo.com
Subject: Re: [ANNOUNCE] Release Digsig 1.3.1: kernel module for run-time authentication of binaries
Date: Fri, 10 Sep 2004 14:28:29 -0700 [thread overview]
Message-ID: <20040910142829.Q1924@build.pdx.osdl.net> (raw)
In-Reply-To: <20040909214507.GA29412@escher.cs.wm.edu>; from serue@us.ibm.com on Thu, Sep 09, 2004 at 05:45:07PM -0400
* Serge E. Hallyn (serue@us.ibm.com) wrote:
> > Thing is, x86 makes no distinction btween r/x so, have you tried mmaping
> > with read, then executing (I haven't)?
>
> Yup, clearly that will work on x86. And so obviously DigSig is not
> a solution to format and buffer overflows :) Nor, unfortunately, a
heh
> solution to code which for whatever reason exploited this behavior.
That's what I was getting at. Beats me what's out there that does this,
but I expect some stuff does, and it wouldn't get the same assurance.
> > This has nothing to do with file permissions aside of read. All you need
> > is read permission, then you can mmap(PROT_EXEC) which will kick off the
> > check, and do deny_write_access. It's a freeform way to lock writers
> > out of any readable file in the system.
>
> No, not "any readable file," because DigSig will not lock non-ELF files.
Ahh, this is the part I had missed.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
next prev parent reply other threads:[~2004-09-10 21:30 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-09 15:55 [ANNOUNCE] Release Digsig 1.3.1: kernel module for run-time authentication of binaries Makan Pourzandi
2004-09-09 16:24 ` Chris Wright
2004-09-09 17:23 ` Serge E. Hallyn
2004-09-09 17:42 ` Chris Wright
2004-09-09 18:43 ` Serge E. Hallyn
2004-09-09 17:31 ` Makan Pourzandi
2004-09-09 17:55 ` Chris Wright
2004-09-09 19:05 ` Serge E. Hallyn
2004-09-09 20:40 ` Makan Pourzandi
2004-09-09 21:03 ` Chris Wright
2004-09-09 21:45 ` Serge E. Hallyn
2004-09-10 21:28 ` Chris Wright [this message]
2004-09-10 20:53 ` Makan Pourzandi
2004-09-10 21:26 ` Chris Wright
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040910142829.Q1924@build.pdx.osdl.net \
--to=chrisw@osdl.org \
--cc=axelle.apvrille@trusted-logic.fr \
--cc=david.gordon@ericsson.com \
--cc=gaspoucho@yahoo.com \
--cc=linux-kernel@vger.kernel.org \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.