Subject: Re: Kernel modification that verifies execs against a md5 fingerprint
To: None <tech-security@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-security
Date: 03/15/2000 13:58:37
Message-Id: <200003151858.NAA01771@pzero.sandelman.ottawa.on.ca>
In-reply-to: Your message of "Tue, 14 Mar 2000 09:02:04 PST."
<20000314090204.N10872@dhcp0.wlan.shagadelic.org>
>>>>> "Jason" == Jason R Thorpe <thorpej@zembu.com> writes:

Jason> On Tue, Mar 14, 2000 at 01:36:46PM +1030, Brett Lymn wrote:
Jason> [ description of md5 executable signature hack ]

>> Naturally, evaluating an md5 fingerprint on an executable every time
>> does involve overhead - it slows the machine down to almost half speed
>> (things take about 70% longer). To overcome this slowdown the status
>> of the md5 fingerprint comparison is cached in the kernel, which
>> markedly reduces the impact of the md5 fingerprinting on the running
>> of the system.

Jason> While fingerprinting executables is a cool idea, I have some
Jason> concerns here:

Jason> (1) Demand paging of executables is effectively dead with this
Jason> modification.

If you load a signature for each block, then you only have to check it
when the block is loaded.

Jason> (2) What does it really buy you? The md5 signatures are loaded
Jason> at boot time, presumably from a file in the file system.
Jason> What's to prevent an attacker from modifying this file?
Jason> That could cause a DoS (can't start programs!), or allow
Jason> an attacker to sneak in a trojan horse.

RSA signature on it, public key on read-only boot media.

Jason> (3) To address (2), you'd need to make the file immutable. But,
Jason> for that matter, you could also make all executables on the
Jason> system immutable, which would prevent people from changing them.

It also prevents people from signing an executable on another system, and
then copying it to the machine and running it.
] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
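An added user-space model of the two points raised in this reply (per-block fingerprints checked only when a block is paged in, and a signed fingerprint manifest); it is illustrative code, not Brett's kernel hack or anything from the thread. The 4096-byte block size, the sample image and the keyed-HMAC "signature" standing in for the RSA signature (whose key would live on read-only boot media) are all constructed assumptions.

```python
import hashlib
import hmac

BLOCK = 4096  # assumed page-sized verification unit


def block_fingerprints(image: bytes) -> list:
    """One md5 per BLOCK-sized chunk, so a block can be checked on page-in."""
    return [hashlib.md5(image[i:i + BLOCK]).hexdigest()
            for i in range(0, len(image), BLOCK)]


def sign_manifest(fps: list, key: bytes) -> str:
    # Stand-in for the RSA signature over the fingerprint file; the key
    # models the public key kept on read-only boot media.
    return hmac.new(key, "\n".join(fps).encode(), hashlib.sha256).hexdigest()


class PagedVerifier:
    """Verifies each block on first page-in and caches the verdict."""

    def __init__(self, image, manifest, sig, key):
        # Refuse a manifest whose signature does not check: a tampered or
        # truncated fingerprint file cannot silently bless (or block) execs.
        if not hmac.compare_digest(sign_manifest(manifest, key), sig):
            raise ValueError("manifest signature mismatch")
        self.image, self.manifest = image, manifest
        self.cache = {}   # block index -> verified verdict (kernel-side cache)
        self.hashed = 0   # md5 computations performed, to show the cache effect

    def page_in(self, idx: int) -> bool:
        if idx in self.cache:
            return self.cache[idx]
        blk = self.image[idx * BLOCK:(idx + 1) * BLOCK]
        self.hashed += 1
        ok = hashlib.md5(blk).hexdigest() == self.manifest[idx]
        self.cache[idx] = ok
        return ok


def demo() -> dict:
    key = b"constructed-signing-key"
    image = bytes(range(256)) * 40          # constructed 10240-byte "executable": 3 blocks
    manifest = block_fingerprints(image)
    sig = sign_manifest(manifest, key)
    clean = PagedVerifier(image, manifest, sig, key)
    verdicts = (clean.page_in(0), clean.page_in(0))   # second call served from cache
    tampered = bytearray(image)
    tampered[BLOCK + 1] ^= 0xFF                       # flip one byte inside block 1
    bad = PagedVerifier(bytes(tampered), manifest, sig, key)
    return {"clean": verdicts, "hashed_once": clean.hashed == 1,
            "bad_block1": bad.page_in(1), "good_block0": bad.page_in(0)}
```

Note that the cache is only as good as its invalidation: a block rewritten after its verdict was cached would still be served as verified until the entry is dropped.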