Exclusive binary files
Robert Watson
rwatson at FreeBSD.org
Sun Sep 2 10:14:26 PDT 2007
On Sun, 2 Sep 2007, Max Laier wrote:
> On Saturday 01 September 2007, Klaus Schneider wrote:
>
>> Well, does anybody know a way to make FreeBSD run just binaries that I have
>> compiled?
>>
>> For example: a hacker gets access to a shell on my server, and then he
>> puts exploit code there, but the machine doesn't have a compiler, so he tries
>> to upload the compiled exploit... suppose that I can't mount the users'
>> partition in "noexec" mode...
>>
>> Anybody know a solution for this?
>
> IIRC csjp@ had some code to do this inside the MAC framework. Storing
> hashes in extended attributes and only allowing execution of signed
> executables ...
> http://perforce.freebsd.org/fileLogView.cgi?FSPC=//depot/projects/trustedbsd/mac/sys/security/mac%5fchkexec/mac%5fchkexec.c
> ... not sure what became of it, though.
I believe he also was able to verify other things, such as shared libraries,
which for modern binaries is the obvious next step given that a fair chunk of
code run in many programs isn't in the main program binary.
Robert N M Watson
Computer Laboratory
University of Cambridge
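The check described in the thread (a recorded hash per executable, consulted at exec time, extended to the shared libraries the program loads) sketched as an added Python example. This is not csjp's mac_chkexec code and not part of the original thread; the attribute name `user.exec.sha256`, the in-memory `AttrStore` standing in for real filesystem extended attributes (so the example runs without xattr support), the `deps` list standing in for the dynamic linker's dependency resolution, and the sample "binaries" are all constructed assumptions.

```python
"""Hash-based execution control, as discussed in the thread: an administrator
records the SHA-256 of each approved file; at exec time the main binary and
every shared library it depends on must match the recorded digest, otherwise
execution is refused. Added illustration, not the mac_chkexec implementation."""
import hashlib
import os
import tempfile

# Assumed attribute name; a real implementation would pick its own namespace.
HASH_ATTR = "user.exec.sha256"


class AttrStore:
    """Assumption: an in-memory stand-in for per-file extended attributes,
    keyed by resolved path, so the example runs on any platform."""

    def __init__(self):
        self._attrs = {}

    def set(self, path, name, value):
        self._attrs.setdefault(os.path.realpath(path), {})[name] = value

    def get(self, path, name):
        return self._attrs.get(os.path.realpath(path), {}).get(name)


def sha256_file(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def approve(store, path):
    """Administrator side: record the file's current digest as approved."""
    store.set(path, HASH_ATTR, sha256_file(path))


def check_exec(store, path, deps=()):
    """Exec-time policy: return (allowed, reason).

    Every file in the chain (program plus each shared library it loads) must
    carry an approval label and still hash to the labelled value. A file with
    no label is refused, which is what keeps an uploaded binary from running;
    a modified file is refused because its digest no longer matches."""
    for p in [path, *deps]:
        expected = store.get(p, HASH_ATTR)
        if expected is None:
            return False, f"no approval label on {p}"
        if sha256_file(p) != expected:
            return False, f"digest mismatch on {p}"
    return True, "ok"


def demo():
    """Walk through the cases with constructed sample files; returns the
    allow/deny decision for each case so it can be checked."""
    store = AttrStore()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        prog = os.path.join(d, "prog")
        lib = os.path.join(d, "libfoo.so")
        # Constructed stand-ins for an executable and a shared library.
        with open(prog, "wb") as f:
            f.write(b"\x7fELF constructed program image")
        with open(lib, "wb") as f:
            f.write(b"\x7fELF constructed shared library")

        # 1. Freshly uploaded, never approved: refused.
        results["unlabelled"] = check_exec(store, prog, [lib])[0]

        # 2. Both program and library approved by the administrator: allowed.
        approve(store, prog)
        approve(store, lib)
        results["approved"] = check_exec(store, prog, [lib])[0]

        # 3. Program untouched but the library it loads was modified: refused.
        #    This is the shared-library case raised in the thread.
        with open(lib, "ab") as f:
            f.write(b" tampered")
        results["lib_tampered"] = check_exec(store, prog, [lib])[0]

        # 4. Library re-approved, program replaced wholesale: refused.
        approve(store, lib)
        with open(prog, "wb") as f:
            f.write(b"\x7fELF constructed replacement binary")
        results["prog_replaced"] = check_exec(store, prog, [lib])[0]
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

The point of checking the whole chain rather than just the main binary is the one Robert raises: with an unverified library path, an approved program can be made to run unapproved code via the libraries it loads, so the label lookup has to cover every object the dynamic linker maps in.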