Vulnerability Development mailing list archives

Secure OS stuff


From: Kurt Seifried <bugtraq () SEIFRIED ORG>
Date: Sun, 25 Mar 2001 21:34:01 -0700

ImmunixOS and SecureWave are working on stuff (SecureEXE is shipping actually,
nice product) to prevent trojan code/etc.

http://www.securityportal.com/closet/closet20010314.html

RaceGuard/CryptoMark
Last but not least, we have RaceGuard and CryptoMark. As far as I know, neither
has been released yet. However, RaceGuard is planned for the next release of
ImmunixOS. Crispin Cowan (CTO at WireX) had this to say:

It's a kernel enhancement that makes mktemp (and hand-rolled variations) safe to
use.  In the StackGuard tradition, it detects attempts to race the victim suid
root program in progress, and (optionally) either refuses the killer open()
call, or kills the victim process.  I've been running it on my laptop for a
month, and there's a few teething problems, but it basically works.  It will be
in Immunix 7.1.

CryptoMark is a sort of tripwire-style program, except that it operates in real
time (remarkably similar to SecureExe in description). If it is released and
works as advertised, it will not only prevent Trojans from running, but will
help prevent users from running unauthorized programs.

http://www.securityportal.com/closet/closet20010307.html

Preventing Trojans and Restricting What Users Can Run
One of the easiest ways to hack into a system is to have a batch file that
creates a new administrator account, and get someone with administrative access
to run it (just one reason why auditing and logging system events is so
important).

This can be as simple as creating a desktop icon and telling the help desk,
"every time I click on this I get a weird error." They come by, log in, run it,
and presto, the batch file (or whatever Trojan) is run.

In addition, most companies want to control what users run. This is typically
done by using system policies; however, these are very weak. Unless you give the
full path to the executable, all an attacker needs to do is name their program
"notepad.exe" (or something else the user is allowed to run). Even with the full
path name to the executable, an attacker can overwrite a program the user is
allowed to run with a Trojan - and this doesn't even touch on the problems with
other kinds of executable content such as DLLs.

The SecureExe system uses not only the name and path of the program or file in
question, but a SHA-1 digital signature, stored on a server. The system uses a
kernel module that intercepts calls to things like DLLs, makes sure that the
user in question is allowed to run the item, and that the signature matches. If
the signature doesn't match, it won't be run and the violation will be logged.

This is useful not only for preventing people from running Trojans (accidentally
or otherwise), but also for enforcing software versions. (If someone upgrades,
it will "break" since the signatures do not match the old profile.)

Kurt Seifried, seifried () securityportal com
Securityportal - your focal point for security on the 'net
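The path-plus-SHA-1 allowlist described in the SecureExe paragraph above, and the reason the name-only system policies it contrasts with are weak, as an added example that is not part of the original post nor any SecureExe, CryptoMark or ImmunixOS code. It assumes a simple in-memory profile mapping program path to (SHA-1, allowed users) in place of the server the post mentions, a user-space check in place of a kernel module, and stand-in files constructed in a temporary directory; the program names and user names are made up for the demonstration.

```python
"""Hash-based execution allowlist versus a name-only policy (added example)."""
import hashlib
import os
import tempfile


def sha1_of_file(path):
    """SHA-1 of a file's contents, read in chunks so large binaries are fine."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_profile(entries):
    """entries: iterable of (path, allowed_users) -> {path: (sha1, frozenset(users))}.
    Stand-in for the profile SecureExe keeps on a server (assumption)."""
    return {path: (sha1_of_file(path), frozenset(users)) for path, users in entries}


def name_policy_allows(profile, path):
    """The weak policy the post describes: only the program's name is compared,
    so any file renamed to an approved name passes."""
    allowed_names = {os.path.basename(p).lower() for p in profile}
    return os.path.basename(path).lower() in allowed_names


def check_exec(profile, path, user, log):
    """SecureExe-style check: exact path known, user authorised, hash matches.
    Every denial is logged, matching the post's 'violation will be logged'."""
    entry = profile.get(path)
    if entry is None:
        log.append(f"DENY user={user} path={path} reason=path-not-in-profile")
        return False
    expected, users = entry
    if user not in users:
        log.append(f"DENY user={user} path={path} reason=user-not-authorised")
        return False
    actual = sha1_of_file(path)
    if actual != expected:
        log.append(f"DENY user={user} path={path} reason=hash-mismatch "
                   f"expected={expected[:12]} actual={actual[:12]}")
        return False
    log.append(f"ALLOW user={user} path={path} sha1={actual[:12]}")
    return True


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: an approved program, an unapproved one renamed to the
    same name, and the approved file replaced after profiling (a trojan overwrite
    or a version upgrade look identical to the hash check). Returns the outcomes."""
    with tempfile.TemporaryDirectory() as root:
        notepad = os.path.join(root, "windows", "notepad.exe")
        renamed = os.path.join(root, "tools", "notepad.exe")
        _write(notepad, b"MZ constructed stand-in for the approved notepad.exe")
        _write(renamed, b"MZ constructed stand-in for an unapproved program, renamed")
        profile = build_profile([(notepad, {"alice"})])
        log = []
        results = {
            "name_policy_renamed": name_policy_allows(profile, renamed),    # True: name matches
            "hash_policy_renamed": check_exec(profile, renamed, "alice", log),  # False: path unknown
            "hash_policy_genuine": check_exec(profile, notepad, "alice", log),  # True
            "hash_policy_wrong_user": check_exec(profile, notepad, "bob", log),  # False
        }
        # The approved file is replaced in place: same name, same path, new contents.
        _write(notepad, b"MZ constructed stand-in: file replaced after profiling")
        results["name_policy_replaced"] = name_policy_allows(profile, notepad)  # True
        results["hash_policy_replaced"] = check_exec(profile, notepad, "alice", log)  # False
        results["log"] = log
        return results


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

Running the block prints the decision log; the two replaced-file outcomes show the double edge the post points out: the hash check blocks a trojan dropped over an approved program, and it equally "breaks" a legitimate upgrade until the profile is regenerated, which is exactly how it enforces software versions.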
