First some background. I was pondering recent security discussions, and the weakness of file checksums is mostly that they are checked at scan time, not at runtime. Also, it's trivial (i.e. the default behavior for current hacks) to present a valid checksum, but execute the corrupted binary. Of course offline tripwire usage will find the official binaries in the official places with the official checksums.

CentOS/Ubuntu (and many others, I'm sure) distribute file checksums with their packages and sign their packages. What we really need is runtime checking of binaries, preferably requiring them to be signed. That way an admin can maintain a list of signatures that they trust, yet any hacker that tries to introduce trojan binaries or kernel rootkits would find that they don't work. The problem is none of the Unix-like operating systems seem to be heading in this direction, not even OpenBSD (which seems to be the most security conscious). Actually, I just discovered that RHEL kernels have GPG-signed modules, although I'm unclear at the moment if it's just a support thing (i.e. you can check under /proc if a driver is official) or if you can limit loading to official binaries only.

So the proposal: a mirror that downloads a distribution, checks the package signature, and if it is valid, breaks the package open, signs all the binaries, rebuilds the package, and signs the package with a new key. The biggest downside (IMO) is that you have to trust that mirror as much as you used to have to trust the distro (i.e. Red Hat, Ubuntu, or Debian) maintainer.

So would you use such a mirror to protect against trojan binaries and kernel modules? Why? Why not? Can you think of a better approach?

_______________________________________________
vox-tech mailing list
[email protected]
http://lists.lugod.org/mailman/listinfo/vox-tech
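The post contrasts a scan-time checksum (which an attacker who can replace a file can usually also rewrite) with a runtime check against signatures from keys the admin chose to trust. The following Go program is an added illustration of that distinction, not code from the post, the vox-tech list, or any distribution's tooling. It models the two checks side by side with Ed25519 from Go's standard library: a `TrustStore` is the admin's list of trusted public keys, `SignBinary` is the step the proposed mirror (or the admin) would perform, and `VerifyBeforeExec` is the runtime gate that hashes the bytes actually about to run. All key names, function names and the sample "binary" contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustStore is the admin-maintained list of signing keys allowed to run code.
type TrustStore struct {
	keys []ed25519.PublicKey
}

// Trust adds a public key to the admin's list.
func (t *TrustStore) Trust(k ed25519.PublicKey) { t.keys = append(t.keys, k) }

// ChecksumMatches models the scan-time check: compare the file's digest with a
// stored digest. Whoever can replace the file can usually replace the stored
// digest too, so this only proves the two artefacts agree with each other.
func ChecksumMatches(bin []byte, stored [sha256.Size]byte) bool {
	return sha256.Sum256(bin) == stored
}

// SignBinary is the signing-time step (the mirror or the admin): a detached
// Ed25519 signature over the SHA-256 of the file contents.
func SignBinary(priv ed25519.PrivateKey, bin []byte) []byte {
	d := sha256.Sum256(bin)
	return ed25519.Sign(priv, d[:])
}

// VerifyBeforeExec models the runtime gate: it hashes the bytes that are about
// to execute and accepts only if some trusted key produced the signature.
func VerifyBeforeExec(ts *TrustStore, bin, sig []byte) error {
	d := sha256.Sum256(bin)
	for _, k := range ts.keys {
		if ed25519.Verify(k, d[:], sig) {
			return nil
		}
	}
	return errors.New("no trusted key signed this binary; refusing to execute")
}

// Scenario runs the cases the post describes and reports whether each binary
// would be accepted: the official one; a tampered copy whose stored checksum
// was rewritten alongside it (scan-time view); the same tampered copy at the
// runtime signature gate; and a tampered copy re-signed with a key the admin
// never trusted.
func Scenario() (official, tamperedChecksumOK, tamperedAllowed, attackerSignedAllowed bool) {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, untrustedPriv, _ := ed25519.GenerateKey(rand.Reader) // key the admin never trusted
	ts := &TrustStore{}
	ts.Trust(adminPub)

	// Constructed sample "binary" contents; a real gate would read the file from disk.
	good := []byte("#!/bin/sh\necho hello\n")
	tampered := []byte("#!/bin/sh\necho hello\n# tampered bytes\n")

	sig := SignBinary(adminPriv, good)
	official = VerifyBeforeExec(ts, good, sig) == nil

	// Scan-time checksum: the replaced file and its rewritten stored sum agree.
	tamperedChecksumOK = ChecksumMatches(tampered, sha256.Sum256(tampered))

	// Runtime signature: the official signature no longer covers these bytes.
	tamperedAllowed = VerifyBeforeExec(ts, tampered, sig) == nil

	// Re-signing with an untrusted key does not help; the trust list decides.
	attackerSignedAllowed = VerifyBeforeExec(ts, tampered, SignBinary(untrustedPriv, tampered)) == nil
	return
}

func main() {
	o, c, t, a := Scenario()
	fmt.Println("official binary accepted at runtime:", o)
	fmt.Println("tampered binary passes scan-time checksum (sum rewritten too):", c)
	fmt.Println("tampered binary accepted at runtime gate:", t)
	fmt.Println("tampered binary re-signed with untrusted key accepted:", a)
}
```

The point the program makes is the one in the post: the stored digest is data the intruder can edit, whereas forging a signature from a key on the trust list requires that key's private half. It also shows the cost the post mentions: whoever holds the signing key (the mirror, in the proposal) is trusted exactly as much as the distribution maintainer used to be.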
