[GLLUG] monolithic kernel (debian 3.0) and ethernet devices

Ben Pfaff blp@cs.stanford.edu
21 Mar 2002 13:10:56 -0800


"Melson, Paul" <PMelson@sequoianet.com> writes:

> I'd be interested to find out if anyone (like Ben Pfaff) has read any
> research on untrusted code verification for kernels.  There are some
> neat papers out there (http://citeseer.nj.nec.com/50371.html) on PCC,
> but that relies on the kernel to verify untrusted application code.

I've been hanging out with the security and research crypto group
here at Stanford quite a bit lately, so a little bit of it has
rubbed off.  One thing I've heard is that some virus scanners
actually execute untrusted code in a sandbox and watch for known
signatures.  That's the way to catch polymorphic viruses that
decrypt themselves.

But the most exciting idea I've heard lately is actually
something that a guy in my research group came up with.  He
suggests running your OS in a virtual machine and then using
probe code *outside* the virtual machine to check the running
virtual machine.  That way the probe code is completely
independent of the state it's checking, so it can't be corrupted
if the VM is broken into.  The OS that the VM runs on can be made
very secure because it can be very simple, a small trusted
computing base.  He's actually making a try at implementing this
using VMware on Linux.

There are a lot of other ideas but somehow they slip my mind at
the moment.

> There is also a lot of research (and new products) that deal with MAC
> and managing system calls *to* the kernel, but nothing that deals with
> the behavior of the kernel itself.   I can't conceive of how or why you
> would implement something like that for a kernel.  It's my understanding
> that read-only media is the best, or at least the easiest, way to secure
> the kernel and the code it depends on.

Well, yes, it's best for secure storage, but how do you make sure
that the code that computes checksums and compares them to what's
on the read-only medium has not itself been compromised?  You
can't.  And in fact rootkits do lie about file contents in order
to avoid this kind of issue.
-- 
"My small success with women has always come from loving them too much."
--Jean-Jacques Rousseau
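An added illustration of the closing argument, not code from this list post: an integrity check that reads files through the guest kernel can be fooled by a kernel that lies about file contents, while a probe reading the raw image from outside the VM is not. The "disk image", the trusted checksums and the lying guest view are all constructed sample data.

```python
import hashlib

# Constructed sample: the guest's raw disk image as path -> bytes, standing in
# for what an out-of-VM probe reads directly from the guest's block device.
RAW_IMAGE = {
    "/sbin/init": b"original init binary",
    "/bin/ls": b"trojaned ls binary",   # replaced on disk
}

# Constructed: checksums recorded on read-only media at install time.
TRUSTED_SUMS = {
    "/sbin/init": hashlib.sha256(b"original init binary").hexdigest(),
    "/bin/ls": hashlib.sha256(b"original ls binary").hexdigest(),
}

def guest_read(path):
    """Models a read made *through* the guest kernel. A compromised kernel can
    hand back the pristine bytes for a file it has replaced, so an in-guest
    checksum comparison sees nothing wrong."""
    pristine_view = {"/bin/ls": b"original ls binary"}  # what the rootkit shows
    return pristine_view.get(path, RAW_IMAGE[path])

def probe_read(path):
    """Models the out-of-VM probe: reads the raw image, bypassing the guest kernel."""
    return RAW_IMAGE[path]

def check(read_fn, trusted=TRUSTED_SUMS):
    """Return the paths whose current hash differs from the trusted checksum,
    using whichever view of the file system read_fn provides."""
    return {p for p, h in trusted.items()
            if hashlib.sha256(read_fn(p)).hexdigest() != h}

def cross_view_diff(trusted=TRUSTED_SUMS):
    """Compare the two views directly: a path where the guest's answer and the
    raw image disagree is evidence that the guest kernel is lying."""
    return {p for p in trusted
            if hashlib.sha256(guest_read(p)).digest()
            != hashlib.sha256(probe_read(p)).digest()}

if __name__ == "__main__":
    print("in-guest check flags:", check(guest_read))    # set(): hidden
    print("out-of-VM check flags:", check(probe_read))   # {'/bin/ls'}
    print("views disagree on:", cross_view_diff())       # {'/bin/ls'}
```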