Dailydave mailing list archives

RE: Default Deny on Executables


From: El Nahual <nahual () g-con org>
Date: Wed, 14 Sep 2005 11:55:36 -0500

I have a client with 10,000 machines, already installed, and he is not going
to reinstall all of them. If you sign the binary inside, it can be a problem; a nicer,
more elegant solution is to issue certificates with a list of files.

The problem arises when you have a polymorphic binary. For instance, you have to
check that the thing that is running is the thing you get in memory, but then why
are you signing a damn polymorphic binary?

Let's remember when, a couple of years ago, the programmer's key for Microsoft
got stolen in the UK and some stuff got signed. Big deal if you were a nice
company; personally I just trust my own CA. (BTW, it would be nice to check
whether Windows still installs binaries without asking if they are signed by
Microsoft.)

You can always just reassemble the new binary, yet again the new binary must
be signed, which comes down to trust: who do you trust to sign binaries?

//Nahual

-----Original Message-----
From: Andrew R. Reiter [mailto:arr () watson org]
Sent: Wednesday, 14 September 2005 11:41 a.m.
To: miah
CC: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Default Deny on Executables

On Wed, 14 Sep 2005, miah wrote:

:On Wed, Sep 14, 2005 at 10:51:05AM -0500, El Nahual wrote:
:> There are a couple of tools that do this; the problem is most of them sign inside
:> the binary, which makes it harder to actually put this kind of solution into mass
:> production (especially if you clone machines and that kind of stuff)
:
:Why would that make it harder?  It's not like the binary will have a
:different signature on each system; it's going to be the same file.  Look
:at it from a distro perspective.  If Redhat were to sign all their
:binaries, the signature would be the same on each file on each installed
:system, and you'd be able to verify it actually came from Redhat by
:checking that signature and comparing it to Redhat's online database (if
:they had such a thing).
:
:RPM has that basic functionality built in: the RPMs are signed, and
:rpm knows the md5sum of each file it contains, so using RPM you can easily
:determine if a file owned by an RPM has been modified (so long as somebody
:hasn't modified the rpm database).
:

While this is on a different OS, I've seen numerous installer packages 
modify the binary being put onto the machine to include various 
information (OS version, arch, install time).  So, if for any reason 
there are installation packages that do modify ELF files (I've never 
looked into this), you might have issues.  But I don't see this as a 
common thing on *nix -- though I've not looked into it.

Cheers,
Andrew

-------------------------------------------------------------
  "Natural bridges on a clean west swell,
     Break over the reef like a bat out of hell." -- Sublime.

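The approach argued over above (a signed list of file digests for the whole fleet, instead of a signature embedded in each binary, with execution denied by default for anything not on the list) as an added example; this is not code from the thread or from any of the posters. The files are constructed stand-ins written to a temporary directory, not real ELF binaries, and the actual signing of the serialized manifest by a CA-issued key (for example a detached openssl signature) is assumed to happen outside this script; what is shown is the canonical bytes that would be signed and the verify-side policy decision. It also reproduces Andrew's caveat: an installer that stamps install-time data into a binary breaks the match.

```python
"""Default-deny executable allowlist backed by a fleet-wide digest manifest.

Added example, not from the Dailydave thread. All files are constructed in a
temp dir; the manifest signature step is assumed to be done elsewhere.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def file_digest(path):
    """SHA-256 of a file, streamed so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> digest for every regular file under root.

    This is the 'list of files' a CA signs once; the binaries themselves are
    never touched, so byte-identical clones share the same manifest.
    """
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def canonical_manifest_bytes(manifest):
    """Deterministic serialization: these bytes are what would be signed
    (detached signature, out of scope here), so verify-side re-serialization
    of the same manifest must be byte-for-byte identical."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def check_tree(root, manifest):
    """Default deny. Returns (allowed, denied) where denied maps relative path
    to a reason: 'modified' (digest mismatch), 'unlisted' (not in manifest),
    or 'missing' (listed but absent on disk)."""
    root = Path(root)
    allowed, denied, seen = [], {}, set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            denied[rel] = "unlisted"
        elif file_digest(p) != expected:
            denied[rel] = "modified"
        else:
            allowed.append(rel)
    for rel in manifest:
        if rel not in seen:
            denied[rel] = "missing"
    return allowed, denied


def demo():
    """Build a golden image, clone it, then tamper with the clone."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        gold = tmp / "gold"
        gold.mkdir()
        # Constructed stand-ins for installed executables (not real ELF files).
        (gold / "ls").write_bytes(b"\x7fELF" + bytes(60))
        (gold / "cat").write_bytes(b"\x7fELF" + b"\x01" * 60)
        manifest = build_manifest(gold)
        results["gold"] = check_tree(gold, manifest)

        # A cloned machine with byte-identical files yields the same signed
        # bytes, so one manifest covers every clone in the fleet.
        clone = tmp / "clone"
        shutil.copytree(gold, clone)
        results["clone_manifest_matches"] = (
            canonical_manifest_bytes(build_manifest(clone))
            == canonical_manifest_bytes(manifest))

        # Post-install changes on the clone: an installer stamps install-time
        # data into 'cat' (Andrew's caveat), 'evil' is dropped in unlisted,
        # and 'ls' is removed. All three must be denied, for different reasons.
        (clone / "cat").write_bytes(
            (clone / "cat").read_bytes() + b"installed:2005-09-14")
        (clone / "evil").write_bytes(b"\x7fELF" + b"\xff" * 60)
        (clone / "ls").unlink()
        results["tampered"] = check_tree(clone, manifest)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The check is the same idea `rpm -V` implements against the digests stored in the rpm database, with the difference that the manifest here is meant to be signed once and shipped to every machine, so the rpm database on the host is not the thing being trusted. As Nahual notes, the hard question is not the hashing but who holds the key that signs the manifest.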
