Digitally Signed Binaries w/ Kernel support, etc.
Roland Smith
rsmith at xs4all.nl
Wed Apr 2 20:55:10 UTC 2008
On Wed, Apr 02, 2008 at 03:09:59PM -0400, Forrest Aldrich wrote:
> Does FreeBSD have support for digitally signed binary checking, similar to
> what Linux has with bsign and DigSig, where system binaries are signed and
> this signature is verified before being run in the kernel?

If an attacker can modify binaries, he already has root privileges. In
that case, what will stop him from creating a new pgp key and re-signing
his doctored binaries?

> This would be very useful to have to further tighten down the system.

As an alternative, on FreeBSD you can set the system immutable flag on
binaries (see chflags(1)), and set the securelevel > 0. See
init(8). Once this is set, not even root can undo this. You have to
reboot to reset the securelevel to -1.

The only weakness is that the securelevel is set quite late in the boot
process. An attacker could compromise the system if he gets access
before the securelevel is set.

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
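
An added example, not part of the original message: a small sh audit of the setup the reply describes, reporting binaries that lack the schg flag and a securelevel that still lets root clear it. The function names are hypothetical, the listing is constructed sample data, and the parser assumes the `ls -lo` layout where file flags are the fifth column and paths contain no spaces.

```shell
#!/bin/sh
# Added example: audit the immutable-flag setup from the message above.
# On a FreeBSD host the inputs would come from:
#   sysctl -n kern.securelevel
#   ls -lo /bin/* /sbin/*
# The listing below is constructed sample data, not output from a real system.

SAMPLE_LISTING='-r-xr-xr-x  1 root  wheel  schg       12345 Apr  2  2008 /bin/cat
-r-xr-xr-x  1 root  wheel  -          23456 Apr  2  2008 /bin/ls
-r-xr-xr-x  1 root  wheel  schg,uarch 34567 Apr  2  2008 /sbin/init
-r-xr-xr-x  1 root  wheel  uarch      45678 Apr  2  2008 /sbin/mount'

# Read an `ls -lo` listing on stdin; print regular files whose flags
# column (field 5) does not include schg.
missing_schg() {
    awk '$1 ~ /^-/ && $5 !~ /(^|,)schg(,|$)/ { print $NF }'
}

# True when the securelevel is above 0, i.e. schg can no longer be cleared.
# A non-numeric argument makes the test fail, which counts as "not locked".
securelevel_locked() {
    [ "$1" -ge 1 ] 2>/dev/null
}

# audit LEVEL LISTING: print findings; return 0 only if fully locked down.
audit() {
    rc=0
    if ! securelevel_locked "$1"; then
        echo "securelevel=$1: root can still run 'chflags noschg'"
        rc=1
    fi
    unprotected=$(printf '%s\n' "$2" | missing_schg)
    if [ -n "$unprotected" ]; then
        echo "no schg flag on:"
        echo "$unprotected"
        rc=1
    fi
    return $rc
}

# Demo run on the constructed data with securelevel -1.
audit -1 "$SAMPLE_LISTING" || true
```
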