Re: 'sign' modules? was: RE: 'lock' modules?

From: Gabor Lenart (lgb@veszprog.hu)
Date: Wed Jun 07 2000 - 04:23:15 EST


On Wed, Jun 07, 2000 at 05:30:33PM +1000, Keith Owens wrote:
> On Wed, 7 Jun 2000 01:04:12 -0600 ,
> ronbarry@es.com wrote:
> >Anyway, what if we were to institute a system where a kernel module could be
> >digitally signed by assorted authorities as 'blessed?'
>
> Sigh. Why do people keep bringing up this topic without reading the
> archives first? This has been discussed and rejected before but one
> more time ....
>
> Module loading is handled by user space utilities, not the kernel. To
> bypass signed modules a hacker can use their own user space code,
> either a butchered version of insmod or they just invoke the module
> syscalls directly from their own programs.

So you must implement signature checking in the kernel code. If it does
not match, the kernel would return from the syscall with an error value and
drop the module. I've already started to write this thing (on module-related
syscalls the kernel creates CRC checksums of the to-be-loaded modules, but I
haven't had enough time to finish and I don't know a GOOD CRC algorithm).

> Once more with feeling - "root can do anything that root is allowed to
> do". First design a mechanism to distinguish between a good and a bad
> root user, when you have working code send it to the list.

Hmmm, yes it's true. But a great percentage of "crackers" only know about
cook-book type exploits and only a few of them can do something if they're
dropped back with the message "unsignatured kernel module" or something similar.
(Do you know the flame thread about Solar Designer's Secure Linux patch
becoming a standard part of the kernel?) So IMHO it's good to make a system
more secure even with not absolutely secure solutions IF the result will be
better than the standard one. But this is a dangerous thing: users would get a
false feeling of security. So most of this stuff may not go into mainstream
kernels. Not yet.

I think this project CAN be useful but I don't think that this stuff will
be part of the main kernel nowadays. But it would be great if there were such
a patch.

- Gabor
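
Added example (not part of the original message, and not code from any kernel patch): a user-space Python model of the load-time check discussed above, showing how an unkeyed CRC differs from a keyed tag at the point where the loader returns an error. The names load_module, crc_tag, mac_tag and VERIFY_KEY are hypothetical, the module image is constructed, and HMAC-SHA256 is used only as a stand-in for a public-key signature.

```python
import errno
import hashlib
import hmac
import zlib

# Assumption: a secret held only by the checking side. A real module-signing
# scheme would verify a public-key signature instead of a shared-key MAC.
VERIFY_KEY = b"constructed-demo-key"


def crc_tag(image: bytes) -> bytes:
    """Unkeyed CRC32: anyone who holds the image can compute it."""
    return zlib.crc32(image).to_bytes(4, "big")


def mac_tag(image: bytes, key: bytes = VERIFY_KEY) -> bytes:
    """Keyed tag: a matching value cannot be produced without the key."""
    return hmac.new(key, image, hashlib.sha256).digest()


def load_module(image: bytes, tag: bytes, scheme: str) -> int:
    """Hypothetical load gate: 0 on accept, -EPERM on mismatch."""
    expected = crc_tag(image) if scheme == "crc" else mac_tag(image)
    if not hmac.compare_digest(expected, tag):
        return -errno.EPERM  # reject and drop the module
    return 0


def demo() -> dict:
    good = b"\x7fELF constructed module image"
    tampered = good + b" plus extra code"
    return {
        "crc_good": load_module(good, crc_tag(good), "crc"),
        "crc_stale_tag": load_module(tampered, crc_tag(good), "crc"),
        # Whoever changed the image just recomputes the CRC over it.
        "crc_recomputed": load_module(tampered, crc_tag(tampered), "crc"),
        "mac_good": load_module(good, mac_tag(good), "mac"),
        "mac_stale_tag": load_module(tampered, mac_tag(good), "mac"),
        # Without VERIFY_KEY a tag made under any other key is rejected.
        "mac_wrong_key": load_module(tampered, mac_tag(tampered, b"guess"), "mac"),
    }


if __name__ == "__main__":
    for name, rc in demo().items():
        print(f"{name:15} -> {rc}")
```

A CRC only detects accidental corruption; the gate rejects a modified image only when the reference value depends on something the modifier does not have.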
