From owner-freebsd-security Sun Jun 20 0:49:56 1999 Delivered-To: freebsd-security@freebsd.org Received: from beach.silcom.com (beach.silcom.com [199.201.128.19]) by hub.freebsd.org (Postfix) with ESMTP id 8676114A12 for ; Sun, 20 Jun 1999 00:49:55 -0700 (PDT) (envelope-from brian@CSUA.Berkeley.EDU) Received: from smarter.than.nu (pm0-31.vpop1.avtel.net [207.71.237.31]) by beach.silcom.com (Postfix) with ESMTP id 96A6F660; Sun, 20 Jun 1999 00:49:48 -0700 (PDT) Date: Sun, 20 Jun 1999 00:49:48 -0700 (PDT) From: "Brian W. Buchanan" X-Sender: brian@smarter.than.nu To: Nicholas Brawn Cc: freebsd-security@FreeBSD.ORG Subject: Re: proposed secure-level 4 patch In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, 20 Jun 1999, Nicholas Brawn wrote: > On Sat, 19 Jun 1999, Brian W. Buchanan wrote: > > > Anyway, this all boils down to a matter of choice. If you value being > > able to restart daemons without rebooting, then don't use this level of > > protection. > > Here's an idea i'll toss into the ring. What about runtime integrity > checks. If there were some way of guaranteeing that a program being > executed has the correct checksum prior to processing execve()? > > I'm not advocating this line of approach, but it may be one option to > consider. Using MD5 checksums in-kernel would certainly be an effective countermeasure against the mount_union ruse I described last night, as well as against starting new daemons on privileged ports. I don't think it would be very useful for most installations, but this could be a very good thing for systems with a fixed set of binaries and that the sysadmin doesn't mind downing to do even very minor software upgrades. The more I think about securelevels and related topics, the more I think we should be putting our efforts into making sure that attackers don't break rootin the first place, rather than into clever attempts to limit damage once a compromise has occured. The whole "root is god" design principle is at odds with these efforts, and I'm resonably confident that there are still undiscovered holes of varying size in the implementation. In dealing with and planning for the event of incidents, the attitude that must be taken is that no matter what the configuration, once root has been compromised, all bets are off. -- Brian Buchanan brian@CSUA.Berkeley.EDU -------------------------------------------------------------------------- FreeBSD - The Power to Serve! http://www.freebsd.org daemon(n): 1. an attendant power or spirit : GENIUS 2. the cute little mascot of the FreeBSD operating system To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message