[vox-tech] Linux file/module security proposal.

Wes Hardaker wjhns156 at hardakers.net
Thu Aug 21 15:31:58 PDT 2008


>>>>> On Thu, 21 Aug 2008 10:16:03 -0700, Bill Broadley <bill at cse.ucdavis.edu> said:

>> Well, it all comes down to how much of the system the hacker owns.  If
>> he has root on your machine he's likely inserted a kernel module to hide
>> things or change things 

BB> Right, but if the kernel only accepts signed binaries then he can't.

Ah, yes...  I agree.  I even know it's been done.  The problem is that
it's not generally deployed :-(

You need:

  - A kernel that only accepts signed modules
  - A system that protects the file system where kernel components and
    keys are installed (or else all it takes is a reboot)
  - A system that protects the memory

So, all of those have been done.  SELinux brings a lot of it to the
table that is needed, in fact, and I know there has been a lot of work
to ensure kernels only load signed modules.

Unfortunately, I don't think most people have half of what they need
turned on in order to accomplish the above.

(I know I'm sounding pessimistic...  In part because I've looked at
doing something like this before.  It's a lot of work when you get down
to the nitty-gritty.  You're right, though, that it should be possible
in theory.)

Personally, I think it might be easier to do only-loading-of-modules
from R/O media that are created on a different system and have the key
systems all boot from CDROM or something.  That way you don't need to
worry quite as much about all the security policies being written perfectly.

-- 
"In the bathtub of history the truth is harder to hold than the soap,
 and much more difficult to find."  -- Terry Pratchett
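An added example, not part of this thread or anyone's code in it: a small POSIX shell audit of the three controls Wes lists, as a present-day kernel exposes them. It assumes a kernel built with CONFIG_MODULE_SIG (which exposes /sys/module/module/parameters/sig_enforce) and the kernel.modules_disabled and kernel.kexec_load_disabled sysctls; the ROOT argument is a testing hook so the check can be run against a constructed directory tree instead of the live /proc and /sys. The lock_modules helper shows the one-way "load what you need at boot, then stop loading" approach that stands in for the R/O-media idea on a normal install.

```shell
#!/bin/sh
# Added example for the vox-tech thread; not code from the original message.
# Assumes: CONFIG_MODULE_SIG kernel (sig_enforce), modules_disabled and
# kexec_load_disabled sysctls. ROOT="" means the real /proc and /sys;
# any other ROOT is a constructed tree used for testing.

# read_flag FILE: print the file's single value with whitespace stripped,
# or "absent" when the file is missing or unreadable.
read_flag() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'absent'
    fi
}

# check_module_lockdown ROOT: print one line per control; return 0 only
# when unsigned modules are rejected, further loading is disabled, and
# kexec cannot replace the running kernel.
check_module_lockdown() {
    root="${1:-}"
    sig=$(read_flag "$root/sys/module/module/parameters/sig_enforce")
    dis=$(read_flag "$root/proc/sys/kernel/modules_disabled")
    kexec=$(read_flag "$root/proc/sys/kernel/kexec_load_disabled")
    status=0

    case "$sig" in
        Y|1) printf 'sig_enforce=%s         ok: unsigned modules are rejected\n' "$sig" ;;
        *)   printf 'sig_enforce=%s         WARN: unsigned modules may load\n' "$sig"
             status=1 ;;
    esac
    case "$dis" in
        1) printf 'modules_disabled=%s    ok: loading is locked until reboot\n' "$dis" ;;
        *) printf 'modules_disabled=%s    WARN: root can still load modules\n' "$dis"
           status=1 ;;
    esac
    case "$kexec" in
        1) printf 'kexec_load_disabled=%s ok: kexec cannot swap the kernel\n' "$kexec" ;;
        *) printf 'kexec_load_disabled=%s WARN: kexec could replace the running kernel\n' "$kexec"
           status=1 ;;
    esac
    return "$status"
}

# lock_modules: once the boot-time module set is loaded, disable further
# loading. This is one-way until reboot, which is the point: a later root
# compromise cannot insert a module even with a valid signing key on disk.
lock_modules() {
    sysctl -w kernel.modules_disabled=1
}

# Usage on a live host (some sysfs entries need root to read):
#   check_module_lockdown "" ; echo "exit=$?"
#   lock_modules      # run late in boot, after the last legitimate modprobe
```

Run check_module_lockdown early in an incident triage as well: if it reports modules_disabled=0 on a host that was supposed to have locked itself down at boot, the lockdown step never ran, which is worth knowing before trusting anything the kernel reports.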
