Re: Whitelisting only digitally signed binaries

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> From: Bingo <right.ho@xxxxxxxxx>
> Subject: Re: Whitelisting only digitally signed binaries
> 
> > There is quite a raging debate in the Information Assurance arena
about
> > the failure of blacklisting and that we need to migrate to
whitelisting,
> > or at least a balance between blacklisting and whitelisting...  
> >
> > I would envision something that checks a digital signature or at
least
> > checks a table of hash strings associated with the true/trusted
version
> > of the executable before allowing the loader to proceed... 
> 
> I might have misunderstood you, but what will stop the malicious
attacker
> from signing his tampered executables? Maybe the signing ability will
only
> be granted to "registered" developers. But in linux, everyone is a
> developer
> in the sense that running and distributing among friends of
self-compiled
> executables is popular. Not all users actually write code, but a large
> majority compiles with slightly different options than fedora RPMs.
> 
> So such users might have to disable this whitelisting stuff. Who would
> control the grant of signing ability?
>
Agree that implementing the signing infrastructure behind the capability
would be a challenge.  Not saying that is trivial.  Such an
infrastructure would have some kind of "registered" release agent for
each package that one would want to install.  Maybe at first there would
be two kinds of packages...those signed by a registered release agent
(meaning there is some level of trust behind them), and those not signed
(no trust).  The end-user could choose what to install and be allowed to
run.

Back to the original question...has anyone developed a "trusted loader"
for Linux?

Dave McGuffey
Principal Information System Security Engineer // NSA-IEM, NSA-IAM
SAIC, IISBU, Columbia, MD


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux