Signed executables under Linux

by

I realize this is an ancient question but I just now found it.

I wrote signed executable support for the Linux kernel (around version 2.4.3) a while back, and had the entire toolchain in place for signing executables, checking the signatures at execve(2) time, caching the signature validation information (clearing the validation when the file was opened for writing or otherwise modified), embedding the signatures into arbitrary ELF programs, etc. It did introduce some performance penalties upon the first execution of every program (because the kernel had to load in the entire file, rather than just demand-page the needed pages) but once the system was in a steady-state, it worked well.

But we decided to stop pursuing it because it faced several problems that were too large to justify the complexity:

  • We had not yet built support for signed libraries. Signed libraries would require also modifying the ld.so loader and the dlopen(3) mechanism. This wasn’t impossible but did complicate the interface: should we have the loader ask the kernel to validate a signature or should the computation be done entirely in userspace? How would one protect against a strace(2)d process if this portion of the validation is done in userspace? Would we be forced to forbid strace(2) entirely on such a system?

    What would we do about programs that supply their own loader?

  • A great many programs are written in languages that do not compile to ELF objects. We would need to provide language-specific modifications to bash, perl, python, java, awk, sed, and so on, for each of the interpreters to be able to also validate signatures. Since most of these programs are free-format plain text they lack the structure that made embedding digital signatures into ELF object files so easy. Where would the signatures be stored? In the scripts? In extended attributes? In an external database of signatures?

  • Many interpreters are wide open about what they allow; bash(1) can communicate with remote systems entirely on its own using echo and /dev/tcp, and can easily be tricked into executing anything an attacker needs doing. Signed or not, you couldn’t trust them once they were under control of a hacker.

  • The prime motivator for signed executables support comes from rootkits replacing the system-provided /bin/ps, /bin/ps, /bin/kill, and so on. Yes, there are other useful reasons to have signed executables. However, rootkits got significantly more impressive over time, with many relying on kernel hacks to hide their activities from administrators. Once the kernel has been hacked, the whole game is over. As a result of the sophistication of rootkits the tools we were hoping to prevent from being used were falling out of favor in the hacking community.

  • The kernel’s module loading interface was wide-open. Once a process has root privilege, it was easy to inject a kernel module without any checking. We could have also written another verifier for kernel modules but the kernel’s infrastructure around modules was very primitive.

More Related Contents:

  1. create a file with prefix =file1 followed by the random number
  2. How do the likely/unlikely macros in the Linux kernel work and what is their benefit?
  3. Increasing the maximum number of TCP/IP connections in Linux
  4. Using openssl to get the certificate from a server
  5. What happens to an open file handle on Linux if the pointed file gets moved or deleted
  6. Finding which process was killed by Linux OOM killer [closed]
  7. Is there any API for determining the physical address from virtual address in Linux?
  8. Use of floating point in the Linux kernel
  9. kernel stack and user space stack
  10. Using gdb to single-step assembly code outside specified executable causes error “cannot find bounds of current function”
  11. How to continuously monitor the directory using dnotify /inotify command
  12. Why can’t I mmap(MAP_FIXED) the highest virtual page in a 32-bit Linux process on a 64-bit kernel?
  13. How to reset Jenkins security settings from the command line?
  14. How to “hibernate” a process in Linux by storing its memory to disk and restoring it later?
  15. What is the interface for ARM system calls and where is it defined in the Linux kernel?
  16. How does Linux determine the next PID?
  17. How to add poll function to the kernel module code?
  18. How to access(if possible) kernel space from user space?
  19. Do Kernel pages get swapped out?
  20. Just black screen after running Qemu
  21. How is the Linux kernel tested?
  22. How to avoid transparent_hugepage/defrag warning from mongodb?
  23. Converting jiffies to milli seconds
  24. Direct Memory Access in Linux
  25. Linux Stack Sizes
  26. How to decode /proc/pid/pagemap entries in Linux?
  27. init function invocation of drivers compiled into kernel
  28. How can I monitor the NIC status(up/down) in a C program without polling the kernel?
  29. How can I create a device node from the init_module code of a Linux kernel module?
  30. Sending UDP packets from the Linux Kernel

Leave a Comment