Vulnerability Development mailing list archives
Secure OS stuff
From: Kurt Seifried <bugtraq () SEIFRIED ORG>
Date: Sun, 25 Mar 2001 21:34:01 -0700
ImmunixOS and SecureWave are working on stuff (SecureEXE is shipping actually, nice product) to prevent trojan code/etc. http://www.securityportal.com/closet/closet20010314.html RaceGuard/CryptoMark Last but not least, we have RaceGuard and CryptoMark. As far as I know, neither has been released yet. However, RaceGuard is planned for the next release of ImmunixOS. Crispin Cowan (CTO at WireX) had this to say: It's a kernel enhancement that makes mktemp (and hand-rolled variations) safe to use. In the StackGuard tradition, it detects attempts to race the victim suid root program in progress, and (optionally) either refuses the killer open() call, or kills the victim process. I've been running it on my laptop for a month, and there's a few teething problems, but it basically works. It will be in Immunix 7.1. CryptoMark is a sort of tripwire-style program, except that it operates in real time (remarkably similar to SecureExe in description). If it is released and works as advertised, it will not only prevent Trojans from running, but will help prevent users from running unauthorized programs. http://www.securityportal.com/closet/closet20010307.html Preventing Trojans and Restricting What Users Can Run One of the easiest ways to hack into a system is to have a batch file that creates a new administrator account, and get someone with administrative access to run it (just one reason why auditing and logging system events is so important). This can be as simple as creating a desktop icon and telling the help desk, "every time I click on this I get a weird error." They come by, log in, run it, and presto, the batch file (or whatever Trojan) is run. In addition, most companies want to control what users run. This is typically done by using system policies; however, these are very weak. Unless you give the full path to the executable, all an attacker needs to do is name their program "notepad.exe" (or something else the user is allowed to run). Even with the full path name to the executable, an attacker can overwrite a program the user is allowed to run with a Trojan - and this doesn't even touch on the problems with other kinds of executable content such as DLLs. The SecureExe system uses not only the name and path of the program or file in question, but a SHA-1 digital signature, stored on a server. The system uses a kernel module that intercepts calls to things like DLLs, makes sure that the user in question is allowed to run the item, and that the signature matches. If the signature doesn't match, it won't be run and the violation will be logged. This is useful not only for preventing people from running Trojans (accidentally or otherwise), but also for enforcing software versions. (If someone upgrades, it will "break" since the signatures do not match the old profile.) Kurt Seifried, seifried () securityportal com Securityportal - your focal point for security on the 'net
Current thread:
- Secure OS stuff Kurt Seifried (Mar 26)
- Re: Secure OS stuff Ron DuFresne (Mar 28)
- Re: Secure OS stuff Dick St.Peters (Mar 28)
- Re: Secure OS stuff Crispin Cowan (Mar 28)
- Re: Secure OS stuff Ron DuFresne (Mar 28)