RE: [ANNOUNCE] Release Digsig 1.5: kernel module for run-time authentication of binaries


> -----Original Message-----
> From: Arjan van de Ven [mailto:[email protected]] 
> Sent: April 24, 2006 12:48 PM
> To: Makan Pourzandi (QB/EMC)
> Cc: [email protected]; 
> [email protected]; Serue Hallyen; Axelle 
> Apvrille; [email protected]
> Subject: RE: [ANNOUNCE] Release Digsig 1.5: kernel module 
> forrun-timeauthentication of binaries

> ok I have to admit that this answer worries me.
> 
> how can it be covered? How do you distinguish an elf loader 
> application (which just uses open + mmap after all) with... 
> say a grep-calling perl script?
> 
> As long as you allow apps to mmap (or even just read() a file 
> into memory).... they can start acting like an elf loader if 
> they chose to do so. And.. remember it's not the files WITH 
> signature you're protecting against (which you could check) 
> but the ones WITHOUT. And there are many of those; and you 

Ok, I believe that now I see your point. You're right: to simplify, if
your application reads an ELF file and begins to interpret that, Digsig
does not cover that case. For me, what you mention here rather concerns
the behavior of the application, which is not what we intend to
implement here. Digsig functionality is limited to checking the validity
of the signature of your binary when Linux loads it. And, IMO, it should
be used with other security mechanisms and not alone. I believe, though,
this simple functionality can do much to avoid executing viruses or
other malware on your system.

Regards 
Makan 


> can't sign ALL files I think, not without going through 
> really great hoops anyway.
> 
> 
> 
> 