From: Jörgen_Sigvardsson <jorgen@profitab.com>
Subject: RE: general questions
Date: Wed, 15 Aug 2001 15:33:59 +0200
Next Article (by Date): Re: general questions Amon Ott
Previous Article (by Date): Re: general questions Fabrice MARIE
Top of Thread: general questions Justus Pendleton
Next in Thread: Re: general questions Amon Ott
-----BEGIN PGP SIGNED MESSAGE-----

> Hello,
>
> On Wednesday 15 August 2001 10:51, Amon Ott wrote:
> > [...]
> > > I was also looking at the malware scanner. I think it is a
> > > pretty nifty idea but I was thinking it would be even better if
> > > it could act like tripwire. Like generate a SHA-1 hash of the
> > > executable and then check it against a database. If the hash
> > > doesn't match the expected result the kill the program and notify
> > > the user. I'm not sure how easy it would be to put SHA-1 in the
> > > kernel (well, pretty easy if you have the international kernel
> > > patch, I guess) or how easy it would be to have a decent database
> > > lookup in the kernel.
> >
> > Jörgen meant to implement this scheme as an RSBAC module, but I
> > have not looked into any code yet.
>
> It would be a good feature to have, but it would most probably
> make the system crawl, unless like tripwire, it runs once
> periodically.
> However, this defeats the purpose of having it in the kernel...
> What do you guys think ?

Personally, I think this is a great idea (I guess that's why I wrote my master's thesis about it ;-)

My idea/model is however not just about detecting changes in files. It's basically a model for restricting what programs can do. Think about how users in a system are restricted, and apply that to programs.

Example: "Program /bin/mail may access file:/var/spool/mail/$USER using rw access, may connect to tcp:localhost:25, may connect to tcp:mailserver.com:110"

All access is off by default (very restrictive). Before any access control rule can be enforced, the program itself must be identified/authenticated. The identification of a program is its path and its origin. The origin may be a vendor, say "Red Hat" or some other person (physical or legal). This id would then be used to generate a signature for the program which would be appended to the program file.

The kernel could then detect if the program is authorized to run at all (by checking the local policy) and detect whether the binary has been modified after it was signed (the effect of virii, crackers, etc.).

Since I changed my mind about working at a University (teaching can really get to you ;-), I never implemented my model. I implemented the signature/detection scheme +/- some configurability of it, but nothing worth publishing. If this is something that anyone would like to pursue for fun and profit, don't hesitate :-). My thesis can be made available upon request. Or it may be viewed online from the Karlstad University / Computer Science / Security research groups website. Simone, is it up there yet?

I may pick this up sometime in the future when time allows, and when there is a Free(or Open)BSD port of RSBAC.

- --
Jörgen Sigvardsson * SW Developer * jorgen@profitab.com
Gelinsgatan 1 * 65229 Karlstad * +46-54-21 75 50

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQEVAwUBO3p6R32XcTB6rEikAQFTMggApLKpAbUuySqEbEQ0rXGwEnZT2ZyHYssG
Wt3pozm7sIw4LaUlgIaDUCHri1Gk1c7DhGWnWbByHxTalik7m7/hecq5NlxVgUVS
7LHWaOiNzmOWCU1N0UsWm2VChpuvlvyS22ig3EpG/mUijDa/bJzTq2rwxu0foBIe
x+LZGfFIcyPnSWd4ctTyabrYI5Q2mJNoDonSLS2Y7dsYTh+bxw3iSMyC4bFeeZ5p
eHV9H93PpHm+peCZVUXV0GASxHrjdURyYu3qkcxEaT5mS9Nr8wPaelcihFMmSjRo
PMhJ1YDggngYmcSM9VABcrrUE6k5vADEcL0Od1GmcQPVaA6p5+Dp5g==
=FLe+
-----END PGP SIGNATURE-----

-
To unsubscribe from the rsbac list, send a mail to
majordomo@rsbac.org
with
unsubscribe rsbac
as single line in the body.
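The two mechanisms discussed in this thread, a tripwire-style hash database and Jörgen's model of signed, origin-identified programs whose access is off by default, can be sketched in user space. The following is an added example, not code from Jörgen's thesis or from RSBAC: the trailer layout (`RSBACSIG` marker, origin tag, MAC), the `POLICY` table, the `KEY`, the `/bin/mail` rules and the sample program image are all constructed here, and a keyed HMAC-SHA256 stands in for the vendor signature that a real deployment would implement with a public-key signature so the verifier never holds a signing secret.

```python
import hashlib
import hmac

# Constructed demo secret; a real scheme would verify a vendor's public-key
# signature instead of sharing a MAC key with the verifier.
KEY = b"constructed-demo-key-not-for-real-use"
MAGIC = b"RSBACSIG"   # hypothetical trailer marker, not an RSBAC on-disk format
MAC_LEN = 32          # HMAC-SHA256 digest length

# Program identity is (path, origin); every rule is explicit, all else denied.
POLICY = {
    ("/bin/mail", "Example Vendor"): {
        ("file:/var/spool/mail/$USER", "rw"),
        ("tcp:localhost:25", "connect"),
        ("tcp:mailserver.com:110", "connect"),
    },
}


def sign_program(image: bytes, origin: str, key: bytes) -> bytes:
    """Append origin tag and MAC over (origin || image) as a trailer.

    Layout: image || origin || len(origin) [2 bytes] || mac || MAGIC.
    The trailer is parsed from the end, so a MAGIC string that happens to
    occur inside the image cannot confuse the parser."""
    origin_b = origin.encode()
    mac = hmac.new(key, origin_b + image, hashlib.sha256).digest()
    return image + origin_b + len(origin_b).to_bytes(2, "big") + mac + MAGIC


def verify_program(signed: bytes, key: bytes):
    """Return (origin, image) when the trailer authenticates, else None."""
    if not signed.endswith(MAGIC):
        return None                                  # unsigned file
    rest = signed[: -len(MAGIC)]
    if len(rest) < MAC_LEN + 2:
        return None                                  # truncated trailer
    mac, rest = rest[-MAC_LEN:], rest[:-MAC_LEN]
    olen, rest = int.from_bytes(rest[-2:], "big"), rest[:-2]
    if olen == 0 or olen > len(rest):
        return None                                  # malformed origin field
    origin_b, image = rest[-olen:], rest[:-olen]
    expected = hmac.new(key, origin_b + image, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None                                  # modified after signing
    return origin_b.decode(), image


def check_access(path: str, signed: bytes, key: bytes,
                 resource: str, mode: str) -> str:
    """Decide an access request the way the proposed kernel hook would:
    authenticate the program first, then consult the default-deny policy."""
    result = verify_program(signed, key)
    if result is None:
        return "deny: unsigned or modified binary"
    origin, _ = result
    rules = POLICY.get((path, origin))
    if rules is None:
        return "deny: program not authorized to run"
    if (resource, mode) not in rules:
        return "deny: no rule for this resource"
    return "allow"


# Tripwire-style companion: baseline hash database checked before execution.
def sha1_baseline(files: dict) -> dict:
    """Build {path: sha1 hexdigest} from {path: contents}."""
    return {p: hashlib.sha1(data).hexdigest() for p, data in files.items()}


def baseline_ok(path: str, data: bytes, db: dict) -> bool:
    """True only if the path is in the database and its hash still matches."""
    return db.get(path) == hashlib.sha1(data).hexdigest()


if __name__ == "__main__":
    # Constructed stand-in for a program image; no real binary is touched.
    image = b"\x7fELF constructed mail program image"
    signed = sign_program(image, "Example Vendor", KEY)
    print(check_access("/bin/mail", signed, KEY, "tcp:localhost:25", "connect"))
    tampered = signed[:5] + bytes([signed[5] ^ 0x01]) + signed[6:]
    print(check_access("/bin/mail", tampered, KEY, "tcp:localhost:25", "connect"))
    db = sha1_baseline({"/bin/mail": image})
    print(baseline_ok("/bin/mail", image, db), baseline_ok("/bin/mail", tampered, db))
```

The order of checks matters: the policy lookup only happens after the trailer authenticates, so a modified or unsigned image is refused before any rule is consulted, and an unknown (path, origin) pair is refused before resource rules are examined. The SHA-1 baseline functions show the simpler tripwire-style check from the quoted proposal; both checks are cheap per exec but, as the thread notes, a periodic rescan of a large tree is a different cost than a per-exec verification of one file.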