Date: Mon, 1 Jun 1998 11:44:27 +0100 From: njs3@doc.ic.ac.uk (Niall Smart) To: Joe McGuckin <joe@via.net>, freebsd-hackers@FreeBSD.ORG Subject: Re: Signed executables, safe delete etc. Message-ID: <E0ygS4q-0006k1-00@oak66.doc.ic.ac.uk>
> I've thought about this in the past - specifically as it would apply to
> a firewall machine. If binaries could be signed with a key, and
> the kernel exec routine required that a proper key be decrypted before
> loading the program, this would eliminate someone hacking onto a
> firewall and using it as a platform for further mischief. Generally, they
> like to bring over a toolkit of snooping programs written in 'C'.

This is a pretty nifty idea, but perhaps is not as useful as you might think. Firstly, you would have to remove all scripting utilities capable of doing whatever the intruder is trying to achieve. Secondly, think of all the (non-setuid/setgid) executables which have potential buffer overflows: the attacker can simply overflow the buffer with code that will load from disk any code which he likes and execute it in that process's address space; it would not be necessary to create a new process.

I have a couple of other ideas which I'm hoping to work on this summer. These include a per-binary flag to indicate if the stack should be marked non-executable, and a flag to indicate if the process' environment and arguments should be checked for non-printable ASCII characters before allowing execution. I haven't yet checked if it is possible to write shellcode using just printable ASCII characters though, so that last idea might be worthless (and yes, I know these are no 'silver bullet' to the perennial problem of buffer overflows).

Niall
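The exec-time gate the thread sketches, as an added example that is not code from either poster: an HMAC over the executable's bytes stands in for the public-key signature (an assumption, chosen so the example runs with only the standard library), combined with the argv/environment printable-ASCII check from the reply. The function names, manifest layout and sample images are constructed for the example.

```python
import hmac
import hashlib

# Policy key held by the exec gate. Constructed for this example; a real
# design would use an asymmetric key pair so the verifying host holds only
# the public half and cannot itself produce valid signatures.
POLICY_KEY = b"example-policy-key"

def sign_image(image: bytes, key: bytes = POLICY_KEY) -> str:
    """Detached signature (HMAC-SHA256 here) over the executable's bytes."""
    return hmac.new(key, image, hashlib.sha256).hexdigest()

def verify_image(image: bytes, sig: str, key: bytes = POLICY_KEY) -> bool:
    """Exec-time check: the on-disk bytes must match the recorded signature."""
    return hmac.compare_digest(sign_image(image, key), sig)

def printable_only(argv, environ) -> bool:
    """True if every argv string and NAME=VALUE pair is printable ASCII."""
    items = list(argv) + [k + b"=" + v for k, v in environ.items()]
    return all(0x20 <= b <= 0x7E for item in items for b in item)

def gated_exec(name, image, argv, environ, manifest) -> str:
    """Decide whether the kernel would load this image; returns a verdict."""
    sig = manifest.get(name)
    if sig is None or not verify_image(image, sig):
        return "denied: unsigned or modified executable"
    if not printable_only(argv, environ):
        return "denied: non-printable bytes in argv/environ"
    return "allowed"

def demo():
    # Constructed sample images standing in for files on the firewall host.
    ls_image = b"\x7fELF...ls..."
    manifest = {"/bin/ls": sign_image(ls_image)}
    return {
        "signed": gated_exec("/bin/ls", ls_image, [b"ls", b"-l"], {b"PATH": b"/bin"}, manifest),
        "tampered": gated_exec("/bin/ls", ls_image + b"X", [b"ls"], {}, manifest),
        "unsigned": gated_exec("/tmp/tool", b"\x7fELF...", [b"tool"], {}, manifest),
        "bad_env": gated_exec("/bin/ls", ls_image, [b"ls"], {b"TERM": b"vt100\x00\x90"}, manifest),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

As the reply points out, a gate of this kind only decides what exec loads; it says nothing about code pulled into an already running process through an overflow, so it complements rather than replaces a non-executable stack.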