Does FreeBSD have support for digitally signed binary checking, similar to what Linux has with bsign and DigSig, where system binaries are signed and this signature is verified before being run in the kernel? This would be very useful to have to further tighten down the system. Thanks.
On Wed, Apr 02, 2008 at 03:09:59PM -0400, Forrest Aldrich wrote:
> Does FreeBSD have support for digitally signed binary checking, similar to
> what Linux has with bsign and DigSig, where system binaries are signed and
> this signature is verified before being run in the kernel?

If an attacker can modify binaries, he already has root privileges. In that case, what will stop him from creating a new pgp key and re-signing his doctored binaries?

> This would be very useful to have to further tighten down the system.

As an alternative, on FreeBSD you can set the system immutable flag on binaries (see chflags(1)), and set the securelevel > 0. See init(8). Once this is set, not even root can undo this. You have to reboot to reset the securelevel to -1.

The only weakness is that the securelevel is set quite late in the boot process. An attacker could compromise the system if he gets access before the securelevel is set.

Roland
-- 
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
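As an added audit script (not posted in the thread), the following checks the two controls Roland describes: it parses `ls -lo` output (FreeBSD prints the file flags in the fifth column, `-` when none are set) to find binaries still lacking `schg`, and reports whether the running `kern.securelevel` actually makes that flag irreversible. The `ls -lo` sample is constructed; the `lockdown` function only does real work where `chflags` and `sysctl` exist.

```shell
#!/bin/sh
# Added example, not from the thread. Audits system-immutable (schg) flags and
# the securelevel that protects them, as described in the reply above.

# Constructed sample of `ls -lo /bin/ls /bin/sh /sbin/init` output on FreeBSD.
# Column 5 holds the file flags; "-" means no flags are set.
SAMPLE_LS='-r-xr-xr-x  1 root  wheel  schg        14680 Apr  2  2008 /bin/ls
-r-xr-xr-x  1 root  wheel  -           28420 Apr  2  2008 /bin/sh
-r-x------  1 root  wheel  schg,sunlnk 12345 Apr  2  2008 /sbin/init'

# Print the path of every entry whose flags column does not contain schg.
missing_schg() {
    printf '%s\n' "$1" | awk '
        NF < 9 { next }                      # skip "total" or malformed lines
        {
            n = split($5, f, ","); found = 0
            for (i = 1; i <= n; i++) if (f[i] == "schg") found = 1
            if (!found) print $NF
        }'
}

# Exit 0 when the given securelevel (>= 1) stops root from clearing schg
# without a reboot; -1 and 0 leave the flag reversible.
securelevel_locks_flags() {
    [ "$1" -ge 1 ]
}

# On a FreeBSD host: flag every binary still missing schg and say whether the
# running securelevel enforces it. Guarded so it is a no-op elsewhere.
lockdown() {
    command -v chflags >/dev/null 2>&1 || { echo "chflags not available"; return 1; }
    for p in $(missing_schg "$(ls -lo /bin/* /sbin/*)"); do
        chflags schg "$p"
    done
    level=$(sysctl -n kern.securelevel)
    if securelevel_locks_flags "$level"; then
        echo "securelevel=$level: schg cannot be cleared until reboot"
    else
        echo "securelevel=$level: root can still run 'chflags noschg';" \
             "set kern_securelevel_enable=\"YES\" and kern_securelevel=\"1\" in rc.conf"
    fi
}
```

Because securelevel is raised late in boot (as noted above), the script's verdict only describes the state after rc has finished, not the window before it.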
Roland Smith wrote:
> On Wed, Apr 02, 2008 at 03:09:59PM -0400, Forrest Aldrich wrote:
>> Does FreeBSD have support for digitally signed binary checking, similar to
>> what Linux has with bsign and DigSig, where system binaries are signed and
>> this signature is verified before being run in the kernel?
>
> If an attacker can modify binaries, he already has root privileges. In
> that case, what will stop him from creating a new pgp key and re-signing
> his doctored binaries?
>
>> This would be very useful to have to further tighten down the system.
>
> As an alternative, on FreeBSD you can set the system immutable flag on
> binaries (see chflags(1)), and set the securelevel > 0. See
> init(8). Once this is set, not even root can undo this. You have to
> reboot to reset the securelevel to -1.

Signing binaries could be naturally tied in with securelevel, where some securelevel (1?) would mean the kernel no longer accepts new keys.

> The only weakness is that the securelevel is set quite late in the boot
> process. An attacker could compromise the system if he gets access
> before the securelevel is set.
On Wednesday 02 April 2008 21:09:59 Forrest Aldrich wrote:
> Does FreeBSD have support for digitally signed binary checking, similar
> to what Linux has with bsign and DigSig, where system binaries are
> signed and this signature is verified before being run in the kernel?

There is mac_chkexec[1], but I'm not sure about its status.

> This would be very useful to have to further tighten down the system.

[1] http://perforce.freebsd.org/depotTreeBrowser.cgi?FSPC=//depot/projects/trustedbsd/mac/sys/security/mac%5fchkexec&HIDEDEL=NO

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
On Thu, Apr 03, 2008 at 01:46:39PM +0200, Ivan Voras wrote:
> Roland Smith wrote:
>> On Wed, Apr 02, 2008 at 03:09:59PM -0400, Forrest Aldrich wrote:
>>> Does FreeBSD have support for digitally signed binary checking, similar to
>>> what Linux has with bsign and DigSig, where system binaries are signed and
>>> this signature is verified before being run in the kernel?
>>
>> If an attacker can modify binaries, he already has root privileges. In
>> that case, what will stop him from creating a new pgp key and re-signing
>> his doctored binaries?
>>
>>> This would be very useful to have to further tighten down the system.
>>
>> As an alternative, on FreeBSD you can set the system immutable flag on
>> binaries (see chflags(1)), and set the securelevel > 0. See
>> init(8). Once this is set, not even root can undo this. You have to
>> reboot to reset the securelevel to -1.
>
> Signing binaries could be naturally tied in with securelevel, where some
> securelevel (1?) would mean the kernel no longer accepts new keys.

If you set the system immutable flag on the binaries, you cannot modify them at all at securelevel > 0. Signing the binaries would be pointless in that case.

Roland