Dailydave mailing list archives

Re: Default Deny on Executables


From: "Andrew R. Reiter" <arr () watson org>
Date: Wed, 14 Sep 2005 12:52:32 -0400 (EDT)

On Wed, 14 Sep 2005, Dave Aitel wrote:

:Andrew R. Reiter wrote:
:> <snip>
:> 
:> While this is on a different OS, I've seen numerous installer packages modify
:> the binary being put onto the machine to include various information (OS
:> version, arch, install time).  So, if for any reason, there are installation
:> packages that do modify ELF files (I've never looked into this), you might
:> have issues.  But I don't see this as a common thing to *nix -- though I've
:> not looked into it.
:> 
:>   
:You don't necessarily have to sign the whole file if you can sign sections (aka
:the text/data/global/etc segments) of it, or include a "these segments are
:signed and all others should be ignored" segment, that is itself signed by
:RH/Dell/etc.
:
:-dave
:

Agreed.  However, it could increase the chances of slipping in changes in 
the case that the program loader is poorly implemented 
(*cough*windows*cough*).  But I agree with you.

Cheers,
Andrew

-------------------------------------------------------------
  "Natural bridges on a clean west swell,
     Break over the reef like a bat out of hell." -- Sublime.
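The scheme Dave sketches (a signed manifest naming which sections are covered, everything else ignored) and Andrew's caveat about what an uncovered section can carry, as an added worked example; this is not code from the thread, from Red Hat or from Dell. It builds a tiny constructed ELF64 image with stdlib `struct`, signs only `.text` and `.rodata`, stores the manifest in a hypothetical `.note.sig` section, and uses an HMAC with a shared key as a stand-in for the vendor's RSA/ECDSA signature. Section names, the manifest format and the sample bytes are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Minimal little-endian ELF64 layouts (no program headers; enough to demo section signing).
EHDR_FMT = "<16sHHIQQQIHHHHHH"
SHDR_FMT = "<IIQQQQIIQQ"
EHDR_SIZE = struct.calcsize(EHDR_FMT)   # 64
SHDR_SIZE = struct.calcsize(SHDR_FMT)   # 64
SHT_PROGBITS, SHT_STRTAB, SHT_NOTE = 1, 3, 7
SIG_SECTION = ".note.sig"               # hypothetical name for the signed-manifest section


def build_elf(sections):
    """Assemble an ELF64 image from [(name, sh_type, data), ...] (constructed test fixture)."""
    shstrtab, name_off = b"", {}
    for n in [""] + [s[0] for s in sections] + [".shstrtab"]:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    body, layout, off = b"", [], EHDR_SIZE
    for n, t, data in sections + [(".shstrtab", SHT_STRTAB, shstrtab)]:
        layout.append((n, t, off, len(data)))
        body += data
        off += len(data)
    shdrs = bytes(SHDR_SIZE)            # SHN_UNDEF entry
    for n, t, o, sz in layout:
        shdrs += struct.pack(SHDR_FMT, name_off[n], t, 0, 0, o, sz, 0, 0, 1, 0)
    shnum = len(layout) + 1
    ehdr = struct.pack(EHDR_FMT, b"\x7fELF\x02\x01\x01" + bytes(9), 2, 62, 1,
                       0, 0, off, 0, EHDR_SIZE, 56, 0, SHDR_SIZE, shnum, shnum - 1)
    return ehdr + body + shdrs


def parse_sections(blob):
    """Return {name: (file_offset, data)} for every named section of an ELF64 LE image."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e = struct.unpack_from(EHDR_FMT, blob, 0)
    shoff, shentsize, shnum, shstrndx = e[6], e[11], e[12], e[13]
    hdrs = [struct.unpack_from(SHDR_FMT, blob, shoff + i * shentsize) for i in range(shnum)]
    st_off, st_size = hdrs[shstrndx][4], hdrs[shstrndx][5]
    strtab = blob[st_off:st_off + st_size]
    out = {}
    for h in hdrs[1:]:
        name = strtab[h[0]:strtab.index(b"\0", h[0])].decode()
        out[name] = (h[4], blob[h[4]:h[4] + h[5]])
    return out


def section_digest(sections, covered):
    """Hash the covered sections' names, sizes and contents in manifest order."""
    h = hashlib.sha256()
    for name in covered:
        data = sections[name][1]        # KeyError if a covered section is absent -> reject
        h.update(struct.pack("<I", len(name)) + name.encode())
        h.update(struct.pack("<Q", len(data)) + data)
    return h.digest()


def vendor_sign(sections, covered, key):
    """Build the image plus a signature section: manifest + MAC over (manifest, digest).
    Binding the manifest into the MAC stops anyone from editing the covered list."""
    digest = section_digest({n: (0, d) for n, _, d in sections}, covered)
    manifest = ",".join(covered).encode()
    tag = hmac.new(key, manifest + b"\0" + digest, "sha256").digest()
    return build_elf(sections + [(SIG_SECTION, SHT_NOTE, manifest + b"\0" + tag)])


def verify(blob, key):
    """Loader-side check: accept only if the sections named in the manifest match the tag."""
    try:
        secs = parse_sections(blob)
        manifest, tag = secs[SIG_SECTION][1].split(b"\0", 1)
        digest = section_digest(secs, manifest.decode().split(","))
    except (KeyError, ValueError):
        return False
    expect = hmac.new(key, manifest + b"\0" + digest, "sha256").digest()
    return hmac.compare_digest(expect, tag)


def patch_section(blob, name, new_data):
    """Overwrite a section in place (same length), as an installer stamping a field would."""
    off, old = parse_sections(blob)[name]
    if len(new_data) != len(old):
        raise ValueError("in-place patch must keep the section size")
    return blob[:off] + new_data + blob[off + len(old):]


KEY = b"vendor-signing-key (stand-in for the vendor's private key)"
VENDOR_IMAGE = vendor_sign([
    (".text",         SHT_PROGBITS, bytes.fromhex("554889e5b80000000090c9c3")),  # constructed
    (".rodata",       SHT_PROGBITS, b"hello from a signed binary\0"),
    (".note.install", SHT_NOTE,     b"installed=0000000000 arch=????????\0"),
], [".text", ".rodata"], KEY)


def demo():
    """Four cases: pristine, installer stamp, patched .text, and a patched uncovered section."""
    results = {"pristine": verify(VENDOR_IMAGE, KEY)}
    stamped = patch_section(VENDOR_IMAGE, ".note.install", b"installed=1126716752 arch=x86_64  \0")
    results["installer_stamp"] = verify(stamped, KEY)          # uncovered edit: still verifies
    text = parse_sections(stamped)[".text"][1]
    results["text_patched"] = verify(patch_section(stamped, ".text", text[:7] + b"\x01" + text[8:]), KEY)
    results["uncovered_patched"] = verify(patch_section(stamped, ".note.install", b"A" * 35), KEY)
    return results


if __name__ == "__main__":
    print(demo())
```

The last case is the point Andrew raises: anything outside the manifest passes verification unchanged, so the whole scheme rests on the loader really ignoring uncovered sections. A loader that still acts on an unlisted section (relocations, constructors, notes it interprets) turns that section into an unsigned input, so the manifest has to cover every section the loader consumes, and a covered section that is missing must be a hard failure, as the `KeyError` path above makes it.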

