Whitelisting only digitally signed binaries
McGuffey, David C.
DAVID.C.MCGUFFEY at saic.com
Wed Sep 17 19:48:46 UTC 2008
> From: Bingo <right.ho at gmail.com>
> Subject: Re: Whitelisting only digitally signed binaries
>
> > There is quite a raging debate in the Information Assurance arena
about
> > the failure of blacklisting and that we need to migrate to
whitelisting,
> > or at least a balance between blacklisting and whitelisting...
> >
> > I would envision something that checks a digital signature or at
least
> > checks a table of hash strings associated with the true/trusted
version
> > of the executable before allowing the loader to proceed...
>
> I might have misunderstood you, but what will stop the malicious
attacker
> from signing his tampered executables? Maybe the signing ability will
only
> be granted to "registered" developers. But in linux, everyone is a
> developer
> in the sense that running and distributing among friends of
self-compiled
> executables is popular. Not all users actually write code, but a large
> majority compiles with slightly different options than fedora RPMs.
>
> So such users might have to disable this whitelisting stuff. Who would
> control the grant of signing ability?
>
Agree that implementing the signing infrastructure behind the capability
would be a challenge. Not saying that is trivial. Such an
infrastructure would have some kind of "registered" release agent for
each package that one would want to install. Maybe at first there would
be two kinds of packages...those signed by a registered release agent
(meaning there is some level of trust behind them), and those not signed
(no trust). The end-user could choose what to install and be allowed to
run.
Back to the original question...has anyone developed a "trusted loader"
for Linux?
Dave McGuffey
Principal Information System Security Engineer // NSA-IEM, NSA-IAM
SAIC, IISBU, Columbia, MD
More information about the fedora-list
mailing list