Re: Checking integrity of /sbin/init from within kernel
> Yes, but you don't need to boot from a disk to access its contents.
> As per your scenario, I can take out a disk and stick the disk in
> another PC with another HDD, boot from the other HDD, and read all
> data from the first disk.
I see I should have given you more information on what I'm working on at
the moment.
The shared secret in the kernel is a PGP secret key. Decryption of the
sensitive data (which after decryption is stored in a RAM-disk) is only
possible if this is a valid key. So you cannot "just" replace the key
in both the kernel and init. The HD does not hold more than the
tools necessary to initialize a RAM-disk and decrypt a tarball into the
RAM-disk. So if I can make sure that no one can use the kernel with my
(well obfuscated) secret key by just modifying or replacing /sbin/init
(where init might be just a shell, which could allow the attacker to read
the secret key from the kernel), my goal would be achieved. Changing the
kernel for a different one (one without the integrity check of
/sbin/init) wouldn't help, because the secret key for decrypting the
tarball with the sensitive information would be missing. There could be
only two ways to get the secret key:
1. boot the kernel and get a shell and try to read the key the way
/sbin/init does
2. debug the kernel binary
To make sure (1) cannot happen, I'd like the kernel to make the
integrity check I was talking about.
To make sure (2) is not easy, obfuscation of the secret key within the
kernel binary would be necessary (but that's not too hard, from what I
have seen so far), as well as obfuscation of the integrity check of /sbin/init.
If the kernel could do an integrity check of /sbin/init, (1) would be
impossible. So the only way left is (2). I know there is no way to make
(2) impossible, but it's possible to make this so hard that only a few
people would have the skills and hardly anyone would want to do
this.
Physical access is not the point here, as that's not what I'm talking about. I
know that this is the first thing to ensure. But there are situations
where you need more than this. And as I still think that my concept
would help against more than 99% of the crackers that would want to
break into my machine, I still regard this as a good solution.
T.
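As an added illustration (not the poster's code), here is a userspace Python model of the init integrity gate described above: the "kernel" holds only the expected SHA-256 digest of /sbin/init and refuses to hand out the secret to any init image whose bytes do not match. The secret, the init scripts and the digest value are constructed placeholders; the model covers route (1) only and says nothing about route (2), extracting the key from the kernel image itself.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the secret the poster embeds in the kernel.
KERNEL_SECRET = b"constructed-pgp-secret-key-placeholder"

# Constructed "known good" /sbin/init: a tiny script that would unpack the
# decrypted tarball into the RAM-disk. Only its digest is baked into the "kernel".
GOOD_INIT = b"#!/bin/sh\nexec /bin/decrypt-tarball /data.tar.gpg /ramdisk\n"
EXPECTED_INIT_DIGEST = hashlib.sha256(GOOD_INIT).hexdigest()

# Constructed tampered init for scenario (1): init replaced by a plain shell.
TAMPERED_INIT = b"#!/bin/sh\nexec /bin/sh\n"


def init_is_trusted(init_image: bytes,
                    expected_hex: str = EXPECTED_INIT_DIGEST) -> bool:
    """Integrity check the poster wants the kernel to do before exec'ing init.

    The digest is taken over the exact bytes that will run, so a swapped-in
    shell or a single edited byte changes the hash and the check fails.
    """
    actual = hashlib.sha256(init_image).hexdigest()
    # Constant-time comparison so the check itself leaks nothing via timing.
    return hmac.compare_digest(actual, expected_hex)


def boot(init_image: bytes) -> Optional[bytes]:
    """Model of the kernel hand-off: the secret is released only to an init
    image that passes the integrity check; otherwise boot stops."""
    if not init_is_trusted(init_image):
        return None
    return KERNEL_SECRET


if __name__ == "__main__":
    for name, image in (("good init", GOOD_INIT), ("tampered init", TAMPERED_INIT)):
        outcome = "secret released" if boot(image) else "boot refused"
        print(f"{name:14} -> {outcome}")
```

In a real deployment the digest must be computed over the bytes the kernel actually executes (not a file re-read later), otherwise the image can be swapped between check and use.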