Re: [ANNOUNCE] DigSig 0.2: kernel module for digital signature verification for binaries

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Makan Pourzandi <Makan.Pourzandi@ericsson.ca>
To: viro@parcelfarce.linux.theplanet.co.uk
Cc: Pavel Machek <pavel@suse.cz>,
	linux-kernel@vger.kernel.org,
	Axelle Apvrille <Axelle.Apvrille@ericsson.ca>,
	Vincent Roy <vincent.roy@ericsson.ca>,
	David Gordon <davidgordonca@yahoo.ca>,
	socrate@infoiasi.ro
Subject: Re: [ANNOUNCE] DigSig 0.2: kernel module for digital signature verification for binaries
Date: Wed, 01 Oct 2003 14:14:31 -0400	[thread overview]
Message-ID: <3F7B1987.3050104@ericsson.ca> (raw)
In-Reply-To: 20031001141718.GT7665@parcelfarce.linux.theplanet.co.uk

viro@parcelfarce.linux.theplanet.co.uk wrote:

>On Wed, Oct 01, 2003 at 09:33:09AM -0400, Makan Pourzandi wrote:
> 
>  
>
>>Third, the intruder now has access to the system, he cannot execute the 
>>code he brought in with himself (not signed) or he cannot bring it in 
>>(c.f. above). So he needs to compile the code on the system. AFAIK, for 
>>the absolute majority of servers the admins remove all compilers 
>>(specially gcc) on all servers. this is for several different security 
>>reasons  (I don't want to get there). therefore, the above hypothesis 
>>gets even more difficult to realize. 
>>    
>>
>
>Don't be ridiculous.  It's trivial to exploit a local buffer overrun in
>one of your signed binaries and have the shellcode mmap the rest.  All
>pre-built, of course.
>  
>

Hi Viro,

Obviously, I failed to show that the main functionality of digsig is to 
avoid the execution of __normal__ rootkits, Trojan horses and other 
malicious binaries on your system. 

the above was to analyze an imaginary scenario. well, you bring a new 
scenario than the mmap is used from a shell code. well, in this 
scenario, digsig makes it difficult for the intruder to bring his own 
rootkit and run it. i mean, yes he could decide to reboot your system or 
remove all your files or ..., and digsig is not going to help here, it 
isn't its job either !   
Back to the subject, in the first 2 points of my previous email, I tried 
to show that the use of digsig make it difficult for the intruder to 
bring in the malicious binaries, __then and only then__ at last 
resource, to be able to use mmaps, he can choose to compile the code 
locally.  

Once again,  the purpose here is neither to secure system against all 
possible attacks nor to avoid all possible scenarios; digsig is not  
going to avoid you buffer overflows or other vulnerabilities. BTW, there 
are tools to avoid that to happen (c.f. Pax, Exec Shield...).  the 
purpose here is to make it more difficult for the intruder to abuse the 
system. if there is a remote exploit in your system, the intruder can 
use it. however, i believe, as i explained in first 2 points of the 
previous email, digsig  makes it much more difficult for the intruder to 
bring in his rootkit and use it, same for the excution of Trojan horses 
or backdoor programs.

On the other hand, you're right if the people begin to write these 
shellcode mmaps, this is a problem that we have to solve. however, my 
understanding of the state of the art on malware today is that we don't 
have many of these "shellcode mmap" exploits. generally, many of the 
exploits use classical rootkits which still use exec for executing their 
binaries.

regards,
makan

next prev parent reply	other threads:[~2003-10-01 18:06 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-09-25 19:19 [ANNOUNCE] DigSig 0.2: kernel module for digital signature verification for binaries Makan Pourzandi
2003-10-01 10:26 ` Pavel Machek
2003-10-01 13:33   ` Makan Pourzandi
2003-10-01 14:17     ` viro
2003-10-01 18:14       ` Makan Pourzandi [this message]
2003-10-01 18:24         ` viro
2003-10-01 21:51           ` Willy Tarreau
2003-10-01 21:55           ` Radu Filip
2003-10-01 22:05             ` Pavel Machek
2003-10-01 23:36             ` Larry McVoy
2003-10-02  0:53               ` jlnance
2003-10-02  0:17             ` [ANNOUNCE] DigSig 0.2: kernel module for digital signatureverification " Edgar Toernig
2003-10-02  2:04               ` David Gordon
2003-10-02  2:42             ` [ANNOUNCE] DigSig 0.2: kernel module for digital signature verification " Valdis.Kletnieks
2003-10-02 18:36               ` [ANNOUNCE] DigSig 0.2: kernel module for digital signature ve rification " Makan Pourzandi
2003-10-01 14:05   ` [ANNOUNCE] DigSig 0.2: kernel module for digital signature verification " Valdis.Kletnieks

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3F7B1987.3050104@ericsson.ca \
    --to=makan.pourzandi@ericsson.ca \
    --cc=Axelle.Apvrille@ericsson.ca \
    --cc=davidgordonca@yahoo.ca \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pavel@suse.cz \
    --cc=socrate@infoiasi.ro \
    --cc=vincent.roy@ericsson.ca \
    --cc=viro@parcelfarce.linux.theplanet.co.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox