Whitelisting only digitally signed binaries

[Bruno Wolff III]

On Wed, Sep 17, 2008 at 23:30:25 +0530,
  Bingo <right.ho at gmail.com> wrote:
> 2008/9/17 McGuffey, David C. <DAVID.C.MCGUFFEY at saic.com>
> 
> > There is quite a raging debate in the Information Assurance arena about
> > the failure of blacklisting and that we need to migrate to whitelisting,
> > or at least a balance between blacklisting and whitelisting.  We spend a
> > lot of time developing security functions (like SELinux, ClamAV, etc.),
> > which is a good thing, but why not also add the capability to keep
> > tampered/unauthorized executables from executing in the first place?

SELinux can actually help with that. You can make it hard for an attacker
to label a file such that it can be executed.

> I might have misunderstood you, but what will stop the malicious attacker
> from signing his tampered executables? Maybe the signing ability will only

Nothing will stop them from signing executables with some signature. Signing
them with one that will actually be executed will require the secret key
for one of the allowed signatures. Presumably that will be hard.

> be granted to "registered" developers. But in linux, everyone is a developer
> in the sense that running and distributing among friends of self-compiled
> executables is popular. Not all users actually write code, but a large
> majority compiles with slightly different options than fedora RPMs.

Probably executables would be signed by distros and admins.

> 
> So such users might have to disable this whitelisting stuff. Who would
> control the grant of signing ability?

The admins of the systems would control which keys would be allowed. They may
or may not allow end users to do this depending on how a system is used.