On 070626 01:56, Satyam Sharma <[email protected]> wrote: > On 6/25/07, Alexander Wuerstlein > <[email protected]> wrote: >> On 070622 21:40, Satyam Sharma <[email protected]> wrote: >> > [...] >> We decided against >> altering the file itself for that and some other reasons. >> The limitation to suid/sgid was only due to a limited amount of time we >> had for >> implementing our patch. For the future we are planning further uses like >> setting capabilities only for signed binaries. > > Ok, effectively what you have there is a signature on an entire file stored > in one of its extended attributes, so I suspect you could think of few other > applications for something like this too. Yes, for example one could sign Java's classfiles and employ a special trusted Java VM which checks the signatures before execution. Also, this is a more general case of signing kernel modules (as you mentioned below). There are really numerous applications one could imagine, we just don't really know which ones are practical. We definitely appreciate further ideas on this. Also the signature-in-ELF can be used complementary to our approach: for example NFS is currently unable to handle real extended attributes (nfs does only posix acls). So for binaries delivered over NFS our approach wouldn't work. > Ok, so: > > 1. Admin is trusted. [ This need not mean the same as: "superuser > _account_ is trusted", but let's stay in the real world in for now. ] > 2. Signing happens at some central, assumed-to-be-secure location (and say > the private key never leaves that central secure location). And let's say the > admin *repackages* the packages, this time such that the signed files get the > signature-carrying-extended-attributes with them, so the installation > automatically copies them correctly. => nothing wrong with this assumption. > 3. Kernel verifies signatures at runtime. => kernel is trusted. > 4. Public key needs to be *compiled into* the kernel ... so this is not > getting into mainline, but fair enough as something site administrators would > patch in and build. Correct up to here. > 5. Chain-of-trust handled in userspace. => userspace is trusted. Nope. I unluckily wrote 'userspace' where I should have said something else: Chain-of-trust is handled in what I would label 'Adminspace' (Where we do the signing as in points 1 and 2). There is a very small number of signatures (in our example one) known to the kernel and only those are trusted, and those are applied to the binaries by the administrator in your point 2. The kernel does and should never rely on userspace to tell it which signatures are trustworthy. Only the administrator may do so by means of the signatures directly compiled into the kernel. So in short: Chain-of-trust is handled by the administrator in his secure central location. >> So far for the initial idea. Perhaps it would be useful to have more than >> one >> key or some more complex scheme for obtaining the keys and checking their >> validity. But as all of this would need to be part of the kernel we >> decided to >> rather keep it as simple as possible, anything complex is better and more >> flexibly done in userspace. > > Well, if you're trusting (privileged) userspace already, I'm suddenly not so > sure as to what new is this patchset bringing to the table in the first place > ... We do not trust any userspace application, see above. > could you also describe the attack vectors / threats that you had in mind > that get blocked with the proposed scheme? We focus on attacks where an attacker may alter some executable file, for example by altering a mounted nfs-share, manipulating disk-content by simply pulling a disk, mounting it and writing to it, etc. This relies on the kernel beeing trustworthy of course, so one would need to take special measures to protect the kernel-image from beeing similarly altered. One (somewhat not-so-secure method) would be supplying kernel images by PXE and forbidding local booting, another measure would be using a TPM and an appropriate bootloader to check the kernel for unwanted modifications. > Have a look at modsign (signed kernel modules) project too (just the key > management part, specifically the asymmetric crypto and DSA implementation > that they've already ported to the kernel). You could also go through the > lkml archives for whenever that was proposed for inclusion in mainline ... We already thought about that. Using some existing code is definitely preferable to inventing DSA again :) Ciao, Alexander Wuerstlein.
Attachment:
pgpHWuMhus9KC.pgp
Description: PGP signature
- Follow-Ups:
- Re: [PATCH] Check files' signatures before doing suid/sgid [2/4]
- From: "Satyam Sharma" <[email protected]>
- Re: [PATCH] Check files' signatures before doing suid/sgid [2/4]
- References:
- [PATCH] signed binaries support [0/4]
- From: Johannes Schlumberger <[email protected]>
- [PATCH] Check files' signatures before doing suid/sgid [2/4]
- From: Alexander Wuerstlein <[email protected]>
- Re: [PATCH] Check files' signatures before doing suid/sgid [2/4]
- From: "Satyam Sharma" <[email protected]>
- Re: [PATCH] Check files' signatures before doing suid/sgid [2/4]
- From: Alexander Wuerstlein <[email protected]>
- Re: [PATCH] Check files' signatures before doing suid/sgid [2/4]
- From: "Satyam Sharma" <[email protected]>
- [PATCH] signed binaries support [0/4]
- Prev by Date: Re: [patch, v2.6.22-rc6] sys_time() speedup
- Next by Date: Re: [patch -mm 22/28] x86_64: Convert to cleckevents
- Previous by thread: Re: [PATCH] Check files' signatures before doing suid/sgid [2/4]
- Next by thread: Re: [PATCH] Check files' signatures before doing suid/sgid [2/4]
- Index(es):
 |