Re: Release DigSig 0.1: LSM module checking digital signatures before loading the binaries

From: Makan Pourzandi (Makan.Pourzandiat_private)
Date: Thu Sep 18 2003 - 10:01:34 PDT


    Leendert van Doorn wrote:
    
    ># > Release of digsig.0.1
    >#
    ># > We implemented a kernel module using LSM hooks for 2.5.66
    ># > which checks signatures before running a binary. The main goal is to 
    ># > insert digital signatures inside the ELF binary
    ># > and verify this signature before loading the binary. 
    ># 
    ># This sounds *very* similar to CryptoMark 1, which we released in 2001 
    >
    >It also sounds very similar to a system my intern Gerco Ballintijn did in 2000 which was published as:
    >
    >Van Doorn, L., Ballintijn, G., Arbaugh, W.A., Signed Executables for Linux, UMD CS-TR-4259, June 2001
    >(available from my CMU home page http://www.ece.cmu.edu/~leendert/publications/SignedExec.pdf).
    >  
    >
    Hi Leendert,
    
    I read your paper with great interest, and believe that there are many 
    interesting ideas. Particularly, I agree with you in fact that the 
    digital signature is only one of different building blocks to achieve 
    security. This is why the digsig package is part of a greater effort, 
    the DSI project. In the DSI project, we have already implemented parts of 
    what we call distributed access control mechanisms 
    (http://disec.sourceforge.net/docs/dpta_dsi.pdf). We showed their 
    feasibility and their performance impact. However, I believe even if we 
    fill in different pieces of the puzzle, still many pieces are missing.
    Regarding our release, I want to be very clear on our goal. Our goal is 
    not to claim we are the first ones to deal with digital signatures at 
    kernel level. The digital signature and its possible uses are very known 
    (at least in security aware environments) whether it's in the kernel or 
    not. Our goal is to have a free GPL based code for signature 
    verification at linux kernel level. I believe that community and 
    industry are more and more willing to use this kind of mechanism. As an 
    example, the support for verifying the signature of an executable before 
    loading it has been added to the security requirements for carrier grade 
    Linux release 3 
    (http://www.osdl.org/lab_activities/carrier_grade_linux/documents.html).
    
    regards,
    Makan
    -------------------------------------------------------
    Makan Pourzandi,
    Ericsson Research Canada      makan.pourzandiat_private
    This email does not represent or express the opinions of
    Ericsson Inc.
    -------------------------------------------------------
    
    >Here we actually cached the signature verification results and found that the overhead becomes
    >insignificant because the working set of programs is very small. Of course, signature caching
    >only works for local file systems, remote file systems are not cached.  Full comparison for a
    >kernel with and without signature checking is in the paper.
    >
    >Just as in Crispin's case we couldn't release the source code. We used rsaref for the asymmetric
    >crypto whose license is incompatible with GPL.
    >
    >	Leendert
    >
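The two mechanisms the thread discusses, a signature carried inside the executable that is verified before the binary is loaded, and Leendert's caching of verification results so that the small working set of programs is only checked once (with remote file systems left uncached), are shown together below as an added example. It is not code from either post, nor from digsig, DSI or the Signed Executables system. It assumes an HMAC-SHA256 trailer as a stand-in for the asymmetric signature (so it runs with only the Python standard library), a cache keyed on (device, inode) and validated against mtime and size, and a caller-supplied `remote` flag in place of real file-system type detection; all three are assumptions of the example.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed demo key. Real kernel-level checking uses asymmetric signatures;
# an HMAC is a stand-in so this example runs with the standard library only.
DEMO_KEY = b"constructed-demo-key"
SIG_LEN = hashlib.sha256().digest_size


def sign_binary(body: bytes) -> bytes:
    """Append a signature trailer to the binary (stand-in for an ELF signature section)."""
    return body + hmac.new(DEMO_KEY, body, hashlib.sha256).digest()


def verify_signed(blob: bytes) -> bool:
    """Recompute the signature over everything but the trailer and compare in constant time."""
    if len(blob) <= SIG_LEN:
        return False
    body, sig = blob[:-SIG_LEN], blob[-SIG_LEN:]
    expected = hmac.new(DEMO_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


class VerifyCache:
    """Caches verification results per local file.

    Key is (st_dev, st_ino); an entry is reused only while mtime and size still
    match what was verified, so a modified file is checked again. This keying
    is an assumption of the example, not the scheme described in the thread.
    """

    def __init__(self):
        self._entries = {}
        self.verifications = 0  # number of full signature checks actually performed

    def check_exec(self, path: str, remote: bool = False) -> bool:
        """Return True if `path` may be executed.

        `remote` marks a file on a non-local file system; such files bypass the
        cache entirely and pay for a full check on every exec.
        """
        st = os.stat(path)
        key = (st.st_dev, st.st_ino)
        marker = (st.st_mtime_ns, st.st_size)
        if not remote:
            hit = self._entries.get(key)
            if hit is not None and hit[0] == marker:
                return hit[1]
        with open(path, "rb") as f:
            ok = verify_signed(f.read())
        self.verifications += 1
        if not remote:
            self._entries[key] = (marker, ok)
        return ok


def demo() -> dict:
    """Exercise the cache: repeated execs of one signed file, tampering, a remote file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hello")
        with open(path, "wb") as f:
            f.write(sign_binary(b"\x7fELF constructed binary body"))
        cache = VerifyCache()
        first = cache.check_exec(path)
        for _ in range(99):
            cache.check_exec(path)
        checks_after_100_execs = cache.verifications
        # Tamper: append one byte. Size (and mtime) change, so the cache entry is stale.
        with open(path, "ab") as f:
            f.write(b"x")
        tampered = cache.check_exec(path)
        checks_after_tamper = cache.verifications
        # Remote file system: no caching, so each exec costs a full verification.
        cache.check_exec(path, remote=True)
        cache.check_exec(path, remote=True)
        return {
            "first_ok": first,
            "checks_after_100_execs": checks_after_100_execs,
            "tampered_ok": tampered,
            "checks_after_tamper": checks_after_tamper,
            "checks_after_remote": cache.verifications,
        }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the effect Leendert describes: one hundred executions of the same local binary cost a single verification, the tampered copy is re-verified (and rejected) because its change markers no longer match, and the remote-flagged file is verified on every exec. A real implementation would also have to invalidate on writes it cannot observe through mtime, which is one reason a kernel hook rather than a user-space cache is the natural place for this.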
    



    This archive was generated by hypermail 2b30 : Thu Sep 18 2003 - 09:55:55 PDT