Date: Sun, 2 Sep 2007 18:14:25 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Max Laier <max@love2party.net>
Cc: freebsd-hackers@freebsd.org, Klaus Schneider <klausps@gmail.com>
Subject: Re: Exclusive binary files
Message-ID: <20070902181330.W21906@fledge.watson.org>
In-Reply-To: <200709021813.28332.max@love2party.net>
References: <45910cf20709011027o546363e2h4f5646b15e0f84a2@mail.gmail.com> <200709021813.28332.max@love2party.net>
On Sun, 2 Sep 2007, Max Laier wrote:

> On Saturday 01 September 2007, Klaus Schneider wrote:
>
>> Well, does anybody know a way to make FreeBSD run only binaries that I have
>> compiled?
>>
>> For example: a hacker gets access to a shell on my server and then puts
>> exploit code there, but the machine doesn't have a compiler, so he tries
>> to put the compiled exploit... suppose that I can't mount the users'
>> partition in "noexec" mode...
>>
>> Does anybody know a solution for this?
>
> IIRC csjp@ had some code to do this inside the MAC framework. Storing
> hashes in extended attributes and only allowing execution of signed
> executables ...
> http://perforce.freebsd.org/fileLogView.cgi?FSPC=//depot/projects/trustedbsd/mac/sys/security/mac%5fchkexec/mac%5fchkexec.c
> ... not sure what became of it, though.

I believe he also was able to verify other things, such as shared libraries,
which for modern binaries is the obvious next step given that a fair chunk of
code run in many programs isn't in the main program binary.

Robert N M Watson
Computer Laboratory
University of Cambridge
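The mechanism sketched in the thread (a hash recorded in an extended attribute, checked before execution, and extended to the shared libraries a program maps) as an added illustration; this is not mac_chkexec or any FreeBSD code. It assumes a Linux host with os.setxattr/os.getxattr, and the attribute name user.chkexec.sha256 is invented here. A user-namespace attribute is writable by the file's owner, so it only models the check; a real policy needs a signature or an attribute ordinary users cannot set.

```python
import hashlib
import os
import shutil
import tempfile

ATTR = "user.chkexec.sha256"   # hypothetical attribute name, chosen for this example


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def label(path):
    """Trusted side (the admin who compiled the file): record its hash as an xattr."""
    os.setxattr(path, ATTR, sha256_of(path).encode())


def verify(path):
    """Exec-time check: allow only if a label exists and still matches the contents."""
    try:
        recorded = os.getxattr(path, ATTR).decode()
    except OSError:
        return False            # unlabelled file (e.g. an uploaded exploit): deny
    return recorded == sha256_of(path)


def verify_image(binary, shared_libs):
    """Check the main program and every library it would map, not just the binary."""
    return verify(binary) and all(verify(lib) for lib in shared_libs)


def demo():
    """Constructed files standing in for a program and its shared library."""
    d = tempfile.mkdtemp(dir=".")
    prog, lib, rogue = (os.path.join(d, n) for n in ("prog", "libfoo.so", "rogue"))
    try:
        with open(prog, "wb") as f:
            f.write(b"#!/bin/sh\necho trusted program\n")
        with open(lib, "wb") as f:
            f.write(b"stand-in for a compiled shared object\n")
        with open(rogue, "wb") as f:
            f.write(b"stand-in for an uploaded, unlabelled binary\n")
        label(prog)
        label(lib)
        clean = verify_image(prog, [lib])
        with open(lib, "ab") as f:          # tamper with the library only
            f.write(b"\x90")
        return {"clean": clean, "tampered_lib": verify_image(prog, [lib]),
                "prog_alone_still_ok": verify(prog), "unlabelled": verify(rogue)}
    finally:
        shutil.rmtree(d)
```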