
Re: Checking integrity of /sbin/init from within kernel



> > For my purposes and in my scenario it will improve security. My method
> > is to give the kernel a new variable with a signature in it that I have
> it's not a signature, it's a shared secret.
Right.

> > You could say that it could be easy to create a kernel with my signature
> > in it, but it isn't. You cannot read the signature from the kernel,
> why is it not possible to read this 'signature'?

If you'd want to read the shared secret, you'd have to debug the kernel
binary to see where it's stored. If you obfuscate the shared secret in
the kernel this is a hard job to do. I agree that everything that a
computer can do (by executing command by command) can be done manually
by a human and therefore can also be decrypted/hacked. All Chinese
people together could probably hack a 4096-Bit-PGP-Key if they had just
one calculator each within a few years. Nevertheless I regard a
4096-Bit-PGP-Key to be secure at the moment.
It's the amount of effort that's necessary to crack any kind of
protection. I doubt there are a lot of people with the capability and
time to debug the kernel binary, search for the shared secret that's
being read by /sbin/init and understand the way you obfuscated it.

> > I think it's a huge improvement in security!
> how? you just have to replace both 'signatures' or disable the
> checks.

You say this as if it were something you'd do just between getting up
and shaving in the morning.

In case of the kernel this would mean that you'd have to debug a
kernel-binary. I know this is theoretically possible, but did you ever
do this? How big is the chance that your attacker has the skills and the
time to do this? And how much time will this take him? When I say it
improves security I do not mean it's impossible. I just say it's so hard
that it filters the amount of people who could be doing this
significantly, and I think that it filters the amount so significantly,
that there remain so few people, that they have better things to do than
hack on my kernel.
In case of /sbin/init you could use the shared secret as the key to decrypt
a filesystem, so replacing the shared secret won't help in getting at the
confidential information that is there.

My initial question was, how hard this is. And from what I read from
other mails this doesn't seem to be easy, right? And from your mail I
read, that no one would be interested in such a solution, because you
guys go the "all or nothing" way, as it seems to me, and this doesn't
seem to be "all" to you. 

I'm still sure that this would improve security, but I admit that this
might not be as secure as we would want it to be. Anyway, I don't know
of a better way to achieve this.

> -m

T.
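The distinction raised in this thread (a shared secret embedded in the verifier versus a real signature) can be shown directly. The following is an added example, not code from either poster: it models the kernel's /sbin/init check first as an HMAC over a secret the kernel must hold, then as a hash-based Lamport one-time signature, where the kernel holds only a public key. Names, the sample "init" contents, and the toy signature scheme are constructed for illustration.

```python
import hashlib, hmac, secrets

# Constructed sample "binaries": the expected init and a modified one.
GOOD_INIT = b"#!/bin/sh\nexec /sbin/real-init\n"
BAD_INIT = b"#!/bin/sh\nexec /tmp/other-init\n"

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Scheme 1: shared secret in the kernel (what the thread describes).
# The kernel must store SECRET to recompute and compare the tag.
def hmac_tag(secret: bytes, data: bytes) -> bytes:
    return hmac.new(secret, data, hashlib.sha256).digest()

def hmac_check(secret: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(secret, data), tag)

# Scheme 2: Lamport one-time signature from SHA-256 only, so a genuine
# signature can be shown without a third-party library. The kernel would
# embed only `pub`; `priv` stays with whoever builds /sbin/init.
def lamport_keygen():
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(sha256(a), sha256(b)) for a, b in priv]
    return priv, pub

def message_bits(data: bytes):
    digest = int.from_bytes(sha256(data), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]

def lamport_sign(priv, data: bytes):
    return [priv[i][bit] for i, bit in enumerate(message_bits(data))]

def lamport_verify(pub, data: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        sha256(s) == pub[i][bit] for i, (s, bit) in enumerate(zip(sig, message_bits(data))))

def demo():
    # Shared-secret scheme: the material the verifier holds is exactly the
    # material needed to produce a passing tag for any other init.
    secret = secrets.token_bytes(32)
    good_tag = hmac_tag(secret, GOOD_INIT)
    tag_for_bad = hmac_tag(secret, BAD_INIT)
    # Signature scheme: the verifier holds only `pub`; the old signature does
    # not carry over to a modified init, and `pub` alone cannot sign one.
    priv, pub = lamport_keygen()
    good_sig = lamport_sign(priv, GOOD_INIT)
    return {"hmac_good": hmac_check(secret, GOOD_INIT, good_tag),
            "hmac_bad_with_secret": hmac_check(secret, BAD_INIT, tag_for_bad),
            "sig_good": lamport_verify(pub, GOOD_INIT, good_sig),
            "sig_reused_on_bad": lamport_verify(pub, BAD_INIT, good_sig)}
```

Either way the check is only as strong as the kernel image that carries the secret or the public key, which is the "replace both" objection above; a signature only removes the need to keep the verifier's copy confidential.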