Re: [ANNOUNCE] Release Digsig 1.3.1: kernel module for run-time authenticationof binaries

[Makan Pourzandi]

Hi Chris,

Chris Wright wrote:
> * Makan Pourzandi (Makan.Pourzandi@xxxxxxxxxxxx) wrote:
> > DSI development team would like to announce the release 1.3.1 of digsig.
...
> > Changes from Digsig release 0.2 announced in this mailing list:
> > ================================================================
> >
> >     - the verification of signatures for the shared binaries has been
> >     added.
> >     - added support for caching of signatures
> >     - added documentation for digsig
> >     - added support for revoked signatures
> >     - support to avoid vulnerability for rewrite of shared
> >     libraries
>
>
> Could you elaborate on this one?

We realized that when a shared library is opened by a binary it can 
still be modified. To solve the problem, we block the write access to 
the shared binary while it is loaded.

> >     - use sysfs to connect to the module instead of the char device
> >     - code clean up, and some bug fixes
> >
> > Future works
> > =============
> >
> >     - improving the caching and revocation: it is currently tested
> >       and will be sent out soon after stability testing
>
>
> Should be helpful enough to cache result until thing's opened for
> writing, or is that what you're doing now?

This is what we're doing now, but we need to implement a hash table to 
accelerate the lookup for the signatures.

Regards,
Makan

> thanks,
> -chris

--

Makan Pourzandi, Open Systems Lab
Ericsson Research, Montreal, Canada
*This email does not represent or express the opinions of Ericsson Inc.*

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/