Richard B. Johnson wrote:
> One can make a 'certified' kernel with 'certified' modules
> for some hush-hush project. Adding this kind of junk isn't
> how it's done. You just take your favorite kernel with the
> modules you require, you verify that it meets your security
> requirements, then you CRC the kernel and its modules. You
> keep the CRCs somewhere safe, available from a read-only
> source like a CD/ROM or a network file-server. You automatically
> check these CRCs occasionally using a read-only program on
> read-only source like the network or a CD/ROM. If the checks
> fail, you call the "super" and shut down the system.
If a malicious module loads, you lose instantly. You cannot relaibly check
module integrity on this system anymore. E.g. the malicious module might
patch the module checker to check a signed module instead of the malicious
one. Or the Exploit saves the old module, puts in the patched one, loads it
and puts the old one back in place.
Therefore you have to check on loading the module, independent from the
program loading the module. (Or you'd have to check the program loading the
module and provide a reliable way to prevent any race condition, which
would be much harder.)
--
Our last fight was my fault: My wife asked me "What's on the TV?"
I said, "Dust!"
Fri?, Spammer: [email protected] [email protected]
On Sun, 17 Oct 2004, Bodo Eggert wrote:
> Richard B. Johnson wrote:
>
>> One can make a 'certified' kernel with 'certified' modules
>> for some hush-hush project. Adding this kind of junk isn't
>> how it's done. You just take your favorite kernel with the
>> modules you require, you verify that it meets your security
>> requirements, then you CRC the kernel and its modules. You
>> keep the CRCs somewhere safe, available from a read-only
>> source like a CD/ROM or a network file-server. You automatically
>> check these CRCs occasionally using a read-only program on
>> read-only source like the network or a CD/ROM. If the checks
>> fail, you call the "super" and shut down the system.
>
> If a malicious module loads, you lose instantly. You cannot relaibly check
> module integrity on this system anymore. E.g. the malicious module might
> patch the module checker to check a signed module instead of the malicious
> one. Or the Exploit saves the old module, puts in the patched one, loads it
> and puts the old one back in place.
>
What malicious module? They have all been certified. That ARE NO
OTHER modules. If you don't do it this way, i.e., if you allow
anybody to load a module, then you have no security, regardless of
what's in the module, the loader, or the kernel. Any crap inside
either of these is crap. Then can all be modified to do anything
so gigibytes of "protective" software is absouye bullshit, and
a lot of memory wasted.
Cheers,
Dick Johnson
Penguin : Linux version 2.6.8 on an i686 machine (5537.79 BogoMips).
Note 96.31% of all statistics are fiction.