[vox-tech] Linux file/module security proposal.

Bill Broadley bill at cse.ucdavis.edu
Wed Aug 20 22:29:57 PDT 2008


First some background.

I was pondering recent security discussions.  The weakness of file checksums 
is mostly that they are checked not at runtime but at scan time.  Also it's 
trivial (i.e. the default behavior for current hacks) to read a valid checksum 
but execute the corrupted binary.  Of course offline tripwire usage will find 
the official binaries in the official places with the official checksums.

Centos/Ubuntu (and many others I'm sure) distribute file checksums with their 
packages and sign their packages.

What we really need is runtime checking of binaries, preferably requiring 
them to be signed.  That way an admin can maintain a list of signatures that 
they trust, yet any hacker who tries to introduce trojan binaries or kernel 
rootkits would find that they don't work.

The problem is that none of the Unix-like operating systems seem to be heading 
in this direction, not even OpenBSD (which seems to be the most security 
conscious).  Actually I just discovered that RHEL kernels have GPG-signed 
modules, although I'm unclear at the moment whether it's just a support thing 
(i.e. you can check under /proc if a driver is official) or whether you can 
limit loading to only official binaries.

So the proposal:

A mirror that downloads a distribution and checks the package signature; if it 
is valid, the mirror breaks the package open, signs all the binaries, rebuilds 
the package, and signs the package with a new key.

The biggest downside (IMO) is that you have to trust that mirror as much as 
you used to have to trust the distro (i.e. Red Hat, Ubuntu, or Debian) maintainers.

So would you use such a mirror to protect against trojan binaries and kernel 
modules?  Why?  Why not?  Can you think of a better approach?
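As an added example (not part of the original post, and not any existing tool or distribution's code), the following Go program models the proposed pipeline end to end: verify the distro's package signature, and only if it is valid sign every ELF file (binaries and kernel modules alike) and the rebuilt package with the mirror's key; then apply the runtime check the post asks for, where the bytes about to be executed are verified against a detached signature and the admin's list of trusted keys. It assumes ed25519 detached signatures in place of GPG, a package represented as an in-memory map from file name to contents, and constructed stand-ins (a fake ELF header prefix) for real binaries and modules; the type and function names are invented for this illustration, and the check a kernel would perform at exec or module-load time is modeled as a user-space function.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Package as fetched from the distro: file name -> contents, plus the distro's
// signature over PackageDigest(Files).
type Package struct {
	Files map[string][]byte
	Sig   []byte
}

// SignedPackage is what the mirror republishes: the same files, a detached
// mirror signature per ELF file, and a mirror signature over the rebuilt package.
type SignedPackage struct {
	Files   map[string][]byte
	BinSigs map[string][]byte
	Sig     []byte
}

// PackageDigest hashes names and contents in sorted order so the digest does
// not depend on map iteration order.
func PackageDigest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%s\x00%d\x00%s", n, len(files[n]), files[n])
	}
	return h.Sum(nil)
}

// MirrorSign is the proposed pipeline: verify the distro signature first, and only
// then sign each ELF file (binary or kernel module) and the rebuilt package.
func MirrorSign(pkg Package, distroPub ed25519.PublicKey, mirrorPriv ed25519.PrivateKey) (*SignedPackage, error) {
	if !ed25519.Verify(distroPub, PackageDigest(pkg.Files), pkg.Sig) {
		return nil, fmt.Errorf("upstream package signature invalid; not re-signing")
	}
	out := &SignedPackage{Files: map[string][]byte{}, BinSigs: map[string][]byte{}}
	for name, content := range pkg.Files {
		out.Files[name] = content
		if bytes.HasPrefix(content, []byte("\x7fELF")) {
			out.BinSigs[name] = ed25519.Sign(mirrorPriv, content)
		}
	}
	out.Sig = ed25519.Sign(mirrorPriv, PackageDigest(out.Files))
	return out, nil
}

// AllowExec models the runtime check: the loader verifies the exact bytes it is
// about to run against a detached signature and the admin's trusted keys.
func AllowExec(image, sig []byte, trusted []ed25519.PublicKey) bool {
	for _, pub := range trusted {
		if ed25519.Verify(pub, image, sig) {
			return true
		}
	}
	return false
}

// Demo runs the pipeline on constructed sample data (fake ELF headers, not real
// packages). It reports whether the mirror accepted the genuine package, rejected
// a package altered in transit, allowed the signed binary, and blocked a swapped one.
func Demo() (accepted, tamperedRejected, origRuns, trojanBlocked bool) {
	distroPub, distroPriv, _ := ed25519.GenerateKey(rand.Reader) // demo keys; a real tool checks err
	mirrorPub, mirrorPriv, _ := ed25519.GenerateKey(rand.Reader)
	elf := "\x7fELF\x02\x01\x01" // constructed header prefix
	files := map[string][]byte{
		"usr/bin/ls":           []byte(elf + "ls-bytes"),
		"lib/modules/e1000.ko": []byte(elf + "module-bytes"),
		"etc/ls.conf":          []byte("color=auto\n"), // not ELF: no per-file signature
	}
	pkg := Package{Files: files, Sig: ed25519.Sign(distroPriv, PackageDigest(files))}
	signed, err := MirrorSign(pkg, distroPub, mirrorPriv)
	if err != nil {
		return false, false, false, false
	}
	files["usr/bin/ls"] = []byte(elf + "trojan") // altered before reaching the mirror
	_, err = MirrorSign(Package{Files: files, Sig: pkg.Sig}, distroPub, mirrorPriv)
	trusted := []ed25519.PublicKey{mirrorPub} // the admin's allow-list of signers
	trojan := append([]byte(nil), signed.Files["usr/bin/ls"]...)
	trojan[len(trojan)-1] ^= 0xff // post-install swap: new bytes, old signature
	return true, err != nil,
		AllowExec(signed.Files["usr/bin/ls"], signed.BinSigs["usr/bin/ls"], trusted),
		!AllowExec(trojan, signed.BinSigs["usr/bin/ls"], trusted)
}
```

The detail worth noticing is that AllowExec verifies the bytes being executed, not a checksum file stored beside them, so the trick the post describes (present the valid checksum, run the corrupted binary) fails by construction. The same demo also shows the stated downside: the admin's allow-list contains the mirror's key, so a compromised mirror key signs trojans just as happily as genuine binaries, and anything the loader is willing to run unsigned is outside the scheme entirely.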

