From: Vasili on 11 Jul 2010 03:41

"what am I trying to accomplish?"

I am sure others have thought about this problem already. But I am trying to guarantee that the OS/system loader is not preparing to execute malware.

Vasili

On Jul 5, 7:01 pm, "FromTheRafters" <erra...(a)nomail.afraid.org> wrote:
> "Vasili" <vigalc...(a)gmail.com> wrote in message
> news:710730bf-2f65-4c25-8dc0-b8ded60e340b(a)c33g2000yqm.googlegroups.com...
> On Jul 5, 4:01 pm, "FromTheRafters" <erratic @nomail.afraid.org> wrote:
>
> > "Vasili" <vigalc...(a)gmail.com> wrote in message
> > news:93daa5d9-b4fb-404e-801c-11a9d039280f(a)d8g2000yqf.googlegroups.com...
> >
> > > Hello,
> > >
> > > Has anyone implemented a loader that will only execute digitally
> > > signed executables?
> >
> > Not that I have heard of, but why would the control have to be there
> > as opposed to earlier? Why not integrity check before sending to the
> > loader chain, that way interpreted programs can be checked at the same
> > time as binaries or files otherwise destined to become binary images?
>
> By "earlier" where are you suggesting to do integrity check?
>
> ***
> When the file is opened (if you want it that way).
>
> What are you trying to accomplish?
> ***
From: FromTheRafters on 11 Jul 2010 09:07

"Vasili" <vigalchin(a)gmail.com> wrote in message
news:150b80cc-a24f-4b3a-9c33-467622bff106(a)t10g2000yqg.googlegroups.com...

Hi FromTheRafters,

I am only concerned about "data in motion" ....e.g. if the executable has to be moved over the wire to the loader then its integrity can be compromised after its integrity check on the "source" side of the wire where the loader is on the destination side of the wire. See my point?

***
I found a paper on a proposal for such a thing for an ELF loader:

http://webcache.googleusercontent.com/search?q=cache:QMOJ1mQDIu8J:www.cs.umd.edu/~waa/pubs/cs4259.ps+linux+signed+execuatble&cd=2&hl=en&ct=clnk&gl=us

However, as with most such schemes there is a trade-off in processing cost. To avoid computing cost the signed executable check is only done if the cryptographic hash (integrity check) indicates a 'change detection'.

It just seems to me that implementing such a scheme for other executable filetypes would mean each loader would have redundant code to implement the check(s). Why not have one point that checks executables destined for the loader chain?

As for the data being compromised 'in motion' I would think that a normal 'integrity check' would suffice.
***

[...]

PS But then we have to be concerned about a hierarchy of signing authority lest a malware writer signs his/her executable to masquerade as "clean" executable. Yes?

***
I suppose that a signed executable's signature would be checked upon arrival on the local machine, and integrity checks thereafter. The signing check assures that the executable is authentic (original) but makes no claim as to whether it is malware or not, and the integrity check checks that it has very likely not changed again since it arrived.

Some antivirus applications already implement an integrity checking scheme to avoid the computing cost of checking for 'infections' in *all* executable filetypes.
***
From: FromTheRafters on 11 Jul 2010 09:18
"Vasili" <vigalchin(a)gmail.com> wrote in message
news:4902dcc6-953f-4d47-a5b5-d182c4082b99(a)c10g2000yqi.googlegroups.com...

"what am I trying to accomplish?"

I am sure others have thought about this problem already. But I am trying to guarantee that the OS/system loader is not preparing to execute malware.

***
I asked this because it wouldn't help against authentic malware. The signing checks only for authenticity and makes no claims as to whether or not you should execute the program.

An integrity check would lessen the likelihood that an executable that had been modified after receipt to include malware (infection) would be executed. That is to say that an executable having been infected prior to signing would not be thwarted, but an executable having been modified 'after the fact' would likely be.

Not a bad idea, but it seems that regular integrity checking (change detection) would still be the strength of the system.
***
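The scheme FromTheRafters sketches across the two replies above (one check point in front of the loader chain, a cheap hash comparison on every open, the signature verified only when the hash reports a change, and a signature that vouches for origin but not for harmlessness) can be made concrete in a few dozen lines. The block below is an added illustration, not code from the thread or from the ELF-loader paper it links; it uses Go's standard-library Ed25519 and SHA-256, assumes a single trusted signing key and a detached signature delivered alongside the file, and the paths and "executable" contents are constructed byte strings.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Verdict is the gate's decision for one file presented to the loader chain.
type Verdict int

const (
	Denied           Verdict = iota // changed file, no valid signature from the trusted signer
	AllowedUnchanged                // digest matches the recorded baseline; signature not re-checked
	AllowedVerified                 // digest changed (or first sight), signature verified, baseline updated
)

func (v Verdict) String() string {
	return [...]string{"Denied", "AllowedUnchanged", "AllowedVerified"}[v]
}

// Gate is the single check point in front of the loader chain. It keeps a
// baseline of SHA-256 digests and only pays for a signature verification when
// a file's digest differs from its baseline ("change detection").
type Gate struct {
	trusted  ed25519.PublicKey // key of the signing authority we accept (assumed: exactly one)
	baseline map[string]string // path -> hex digest recorded at last successful verification
}

func NewGate(trusted ed25519.PublicKey) *Gate {
	return &Gate{trusted: trusted, baseline: make(map[string]string)}
}

func digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Check runs when a file is opened for execution. content is the file as it
// exists on this machine; sig is the detached signature that travelled with it.
func (g *Gate) Check(path string, content, sig []byte) (Verdict, error) {
	d := digest(content)
	if prev, ok := g.baseline[path]; ok && prev == d {
		// Cheap path: unchanged since it was last verified.
		return AllowedUnchanged, nil
	}
	// Expensive path: something changed (or first sight), so demand a signature.
	if !ed25519.Verify(g.trusted, content, sig) {
		return Denied, errors.New(path + ": content changed and no valid signature from the trusted signer")
	}
	g.baseline[path] = d
	return AllowedVerified, nil
}

// Scenario walks through the cases raised in the thread using constructed
// sample "executables" and returns the verdict for each step in order.
func Scenario() ([]Verdict, error) {
	authorityPub, authorityPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader) // a key the gate does not trust
	if err != nil {
		return nil, err
	}
	gate := NewGate(authorityPub)

	tool := []byte("constructed sample: a benign tool image")
	toolSig := ed25519.Sign(authorityPriv, tool)

	var out []Verdict
	record := func(v Verdict, _ error) { out = append(out, v) }

	// 1. First arrival: digest unknown, signature checked and accepted.
	record(gate.Check("/opt/tool", tool, toolSig))
	// 2. Re-opened unchanged: baseline hit, no signature work.
	record(gate.Check("/opt/tool", tool, toolSig))
	// 3. Modified after receipt (the "infection" case): digest differs and the
	//    old signature no longer covers these bytes, so the file is refused.
	infected := append(append([]byte{}, tool...), []byte("+appended payload")...)
	record(gate.Check("/opt/tool", infected, toolSig))
	// 4. Modified and re-signed with an untrusted key: still refused.
	record(gate.Check("/opt/tool", infected, ed25519.Sign(impostorPriv, infected)))
	// 5. "Authentic malware": a harmful image signed by the trusted authority
	//    passes, because the signature speaks to origin, not to behaviour.
	bad := []byte("constructed sample: a harmful image the authority signed anyway")
	record(gate.Check("/opt/bad", bad, ed25519.Sign(authorityPriv, bad)))
	return out, nil
}

func main() {
	verdicts, err := Scenario()
	if err != nil {
		panic(err)
	}
	for i, v := range verdicts {
		fmt.Printf("step %d: %s\n", i+1, v)
	}
}
```

Step 5 is the point of FromTheRafters' caveat: the gate stops post-receipt modification (steps 3 and 4) but cannot stop a signer from vouching for something harmful, which is why the baseline change detection, not the signature, ends up doing most of the ongoing work. A real deployment would also have to protect the baseline itself, since anyone who can rewrite the stored digests can launder a modified file past the cheap path.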