Amon Ott wrote:
> On Don, 19 Apr 2001 buddy wrote:
> > As an example, needing root privileges in order to (un)load modules doesn't make
> > me feel any safer, but apparently I'm more paranoid than you are. ;-) I'm worried
> > about all those people relying on their LKM notifying them of a root compromise,
> > and being owned all the same.
>
> One of my main reasons for saying 'Modules are not secure enough'. However, if
> all we have (or can get) is a modules interface, let's make the best out of it.

A module interface is all we can get out of the standard kernel. Linux remains open source, so you can do more (much more) on your own fork, elsewhere. I heartily encourage people to do so.

In particular, the validity of kernel modules is a very fine thing to work on. The catch is that validity is a cascading sequence of trust that goes all the way back to the reset pin on the CPU (and right inside the CPU, if you are that paranoid). It's like this:

* the CPU needs to validate a signature on the BIOS, to make sure it has not been flashed by an attacker
* the BIOS needs to validate lilo (or whatever boot sector thingie) to make sure it has not been corrupted
* lilo needs to validate the kernel, to make sure that /boot/vmlinuz has not been corrupted

Only then does it add value for the kernel to validate the LSM module, because only then can you trust that the kernel itself has not been corrupted. root can corrupt any of these stages, so if we only harden the LSM interface, it just squishes the problem elsewhere.
So, if someone wants to work on secure bootstrapping sequences, I suggest the following:

* check out Bill Arbaugh's PhD on secure bootstrapping sequences
  http://www.cs.umd.edu/~waa/aegis.html
* talk to Bill (cc'd); I happen to know that he has a grad student working on this
* help them develop the secure bootstrap in the Linux BIOS project
  http://www.acl.lanl.gov/linuxbios/

When you're done, come back and chat to us about extending the secure bootstrap to the LSM module. There's a way to get this done right, but it doesn't start with LSM.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
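The cascade of trust described in the message above (CPU -> BIOS -> lilo -> kernel -> LSM module), as an added Python model that is not part of the original thread or of any of the projects mentioned. The stage names, the byte strings standing in for firmware and kernel images, and the `boot`/`build_chain` functions are constructed for illustration. Each stage that verifies its successor holds a digest of the genuine successor; a check performed by a stage that was itself never verified is treated as meaningless, because corrupted code can simply report success. The last scenario shows what happens when only the kernel-to-module check exists: the module ends up "unverified" even though the kernel's digest comparison would pass.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-ins for the real artifacts (BIOS flash contents, boot
# sector, /boot/vmlinuz, the LSM module file).  Digests of these "genuine"
# images are what a build-time signer or a burned-in ROM value would hold.
GENUINE = {
    "bios":   b"bios v1",
    "lilo":   b"lilo boot sector",
    "kernel": b"vmlinuz 2.4",
    "lsm":    b"lsm module",
}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Stage:
    name: str
    image: bytes
    expected_next: Optional[str] = None  # digest demanded of the successor; None = no check


def build_chain(images: Dict[str, bytes], checks: List[str]) -> List[Stage]:
    """Build cpu -> bios -> lilo -> kernel -> lsm from the images actually
    present on the machine.  `checks` names the stages that verify their
    successor; "cpu" models reset logic holding a burned-in BIOS digest."""
    order = ["cpu", "bios", "lilo", "kernel", "lsm"]
    imgs = dict(images, cpu=b"cpu reset logic")  # hypothetical root-of-trust image
    chain = []
    for i, name in enumerate(order):
        expected = None
        if name in checks and i + 1 < len(order):
            # The expected value is always the GENUINE successor's digest:
            # it was fixed at build/sign time, not read from the disk now.
            expected = digest(GENUINE[order[i + 1]])
        chain.append(Stage(name, imgs[name], expected))
    return chain


def boot(chain: List[Stage]) -> Dict[str, str]:
    """Simulate the hand-offs.  Status per stage:
       trusted    - loaded after a check by a trusted predecessor
       unverified - loaded without a meaningful check (none at all, or one
                    performed by code that is itself unverified)
       halted     - a trusted predecessor saw a digest mismatch; boot stops
       not-run    - never reached because boot halted earlier"""
    status = {chain[0].name: "trusted"}  # the root of trust is trusted by definition
    trusted, halted = True, False
    for cur, nxt in zip(chain, chain[1:]):
        if halted:
            status[nxt.name] = "not-run"
        elif not trusted or cur.expected_next is None:
            # A check by untrusted code proves nothing: corrupted code can
            # report "ok" regardless, so the digest is not even consulted.
            status[nxt.name] = "unverified"
            trusted = False
        elif digest(nxt.image) == cur.expected_next:
            status[nxt.name] = "trusted"
        else:
            status[nxt.name] = "halted"
            halted = True
    return status


ALL_CHECKS = ["cpu", "bios", "lilo", "kernel"]


def scenario_full_chain_genuine() -> Dict[str, str]:
    return boot(build_chain(GENUINE, ALL_CHECKS))


def scenario_full_chain_bad_module() -> Dict[str, str]:
    return boot(build_chain(dict(GENUINE, lsm=b"replaced lsm"), ALL_CHECKS))


def scenario_full_chain_bad_kernel() -> Dict[str, str]:
    return boot(build_chain(dict(GENUINE, kernel=b"replaced vmlinuz"), ALL_CHECKS))


def scenario_only_lsm_hardened() -> Dict[str, str]:
    # Only the kernel checks its module; nothing below the kernel is checked.
    return boot(build_chain(dict(GENUINE, kernel=b"replaced vmlinuz"), ["kernel"]))


if __name__ == "__main__":
    for fn in (scenario_full_chain_genuine, scenario_full_chain_bad_module,
               scenario_full_chain_bad_kernel, scenario_only_lsm_hardened):
        print(fn.__name__, fn())
```

Running the file prints one status map per scenario. With the full chain, a replaced module is caught by the kernel and a replaced kernel is caught by lilo before the module is ever loaded; with only the LSM interface hardened, every stage from the BIOS down is "unverified", which is the "squishes the problem elsewhere" outcome.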
This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 13:36:01 PDT