Vulnerability Development mailing list archives
Re: Secure OS stuff
From: "Dick St.Peters" <stpeters () NETHEAVEN COM>
Date: Wed, 28 Mar 2001 15:50:08 -0500
I've been using Immunix in a small-ISP environment for months, and it holds up well here. We're too small to beat on it real hard, but one of our mail servers does occasionally exceed 50,000 emails in one day, with each one going through extensive anti-spam/anti-virus filtering. Another system does all our user login authentication for 3 POPs while also doing DNS for a few hundred domains, being a web server fielding 75,000 hits per day, and putting up with my building kernels on it. -- Dick St.Peters, stpeters () NetHeaven com Gatekeeper, NetHeaven, Saratoga Springs, NY Ron DuFresne writes:
sounds very simliar to the things claimed about CA-associates<?> entrust kernel tool. That tools comes with a cost, is my understanding, a preformance hit, depending upon how much 'is asked' of it. How do these immunix kernel enhancements fair up to resource utilization when tasked up some? Thanks, Ron DuFresne On Sun, 25 Mar 2001, Kurt Seifried wrote:ImmunixOS and SecureWave are working on stuff (SecureEXE is shipping actually, nice product) to prevent trojan code/etc. http://www.securityportal.com/closet/closet20010314.html RaceGuard/CryptoMark Last but not least, we have RaceGuard and CryptoMark. As far as I know, neither has been released yet. However, RaceGuard is planned for the next release of ImmunixOS. Crispin Cowan (CTO at WireX) had this to say: It's a kernel enhancement that makes mktemp (and hand-rolled variations) safe to use. In the StackGuard tradition, it detects attempts to race the victim suid root program in progress, and (optionally) either refuses the killer open() call, or kills the victim process. I've been running it on my laptop for a month, and there's a few teething problems, but it basically works. It will be in Immunix 7.1. CryptoMark is a sort of tripwire-style program, except that it operates in real time (remarkably similar to SecureExe in description). If it is released and works as advertised, it will not only prevent Trojans from running, but will help prevent users from running unauthorized programs. http://www.securityportal.com/closet/closet20010307.html Preventing Trojans and Restricting What Users Can Run One of the easiest ways to hack into a system is to have a batch file that creates a new administrator account, and get someone with administrative access to run it (just one reason why auditing and logging system events is so important). This can be as simple as creating a desktop icon and telling the help desk, "every time I click on this I get a weird error." They come by, log in, run it, and presto, the batch file (or whatever Trojan) is run. In addition, most companies want to control what users run. This is typically done by using system policies; however, these are very weak. Unless you give the full path to the executable, all an attacker needs to do is name their program "notepad.exe" (or something else the user is allowed to run). Even with the full path name to the executable, an attacker can overwrite a program the user is allowed to run with a Trojan - and this doesn't even touch on the problems with other kinds of executable content such as DLLs. The SecureExe system uses not only the name and path of the program or file in question, but a SHA-1 digital signature, stored on a server. The system uses a kernel module that intercepts calls to things like DLLs, makes sure that the user in question is allowed to run the item, and that the signature matches. If the signature doesn't match, it won't be run and the violation will be logged. This is useful not only for preventing people from running Trojans (accidentally or otherwise), but also for enforcing software versions. (If someone upgrades, it will "break" since the signatures do not match the old profile.) Kurt Seifried, seifried () securityportal com Securityportal - your focal point for security on the 'net~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
Current thread:
- Secure OS stuff Kurt Seifried (Mar 26)
- Re: Secure OS stuff Ron DuFresne (Mar 28)
- Re: Secure OS stuff Dick St.Peters (Mar 28)
- Re: Secure OS stuff Crispin Cowan (Mar 28)
- Re: Secure OS stuff Ron DuFresne (Mar 28)