Run-time authenticity verification for binaries

Makan Pourzandi writes “DigSig Linux kernel load module checks the signature of a binary before running it. It inserts digital signatures inside the ELF binary and verifies this signature before loading the binary. It is based on the Linux Security Module hooks (standard in mainstream Linux kernel 2.5.X and higher). Therefore, it improves the security of the system by preventing a wide range of malicious binaries like viruses, worms, Trojan programs and backdoors from running on the system.

It is available under GPL license and you can download it from http://sourceforge.net/projects/disec/ (digsig package).

Typically, in our approach, binaries are not signed by vendors, but we rather hand over control of the system to the local administrator. S/he is responsible for signing all binaries s/he trusts with her/his private key. Therefore, DigSig guarantees two things: (1) if you signed a binary, nobody other than you can modify that binary without being detected, and (2) nobody can run a binary which is not signed or badly signed.

From release 1.2, the caching of signatures at kernel level is supported. Once the signature of a binary is verified, its signature is cached in the kernel memory. Therefore, there is no need for signature verification in subsequent calls to this binary. When a binary file is modified, the corresponding cache entry in the memory is invalidated. This reduces the overhead of the use of DigSig. For exact measures, please consult the README file of the project.”
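The load-time check and the signature cache described above, modelled in Python as an added example that is not DigSig's own code. It assumes a signature appended as a trailer (HMAC-SHA256 under an administrator-only key) in place of DigSig's RSA signature in an ELF section, and detects modification through the inode's mtime and size rather than through a kernel write hook.

```python
import hashlib, hmac, os, tempfile
from pathlib import Path

# Constructed stand-in for DigSig: a 32-byte trailer replaces the ELF-section
# signature, and HMAC-SHA256 under an admin-only key replaces the RSA signature.
SIG_LEN = 32

def sign_binary(path: str, key: bytes) -> None:  # administrator signs a trusted binary
    with open(path, "rb") as f:
        body = f.read()
    with open(path, "ab") as f:
        f.write(hmac.new(key, body, hashlib.sha256).digest())

class LoadVerifier:  # exec-time check plus a model of DigSig's kernel-side cache
    def __init__(self, key: bytes):
        self.key = key
        self.cache = {}          # (device, inode) -> (mtime_ns, size) when last verified
        self.verifications = 0   # full signature checks performed

    def _signature_ok(self, path: str) -> bool:
        data = Path(path).read_bytes()
        if len(data) <= SIG_LEN:
            return False                      # unsigned or too short to hold a signature
        body, sig = data[:-SIG_LEN], data[-SIG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)

    def allow_exec(self, path: str) -> bool:  # True only for a validly signed binary
        st = os.stat(path)
        ident, state = (st.st_dev, st.st_ino), (st.st_mtime_ns, st.st_size)
        if self.cache.get(ident) == state:
            return True                       # cache hit: no re-verification needed
        self.cache.pop(ident, None)           # file is new or modified: drop stale entry
        self.verifications += 1
        ok = self._signature_ok(path)
        if ok:
            self.cache[ident] = state
        return ok

def demo() -> dict:  # constructed scenario: signed, unsigned, cached, then tampered
    key = b"constructed-admin-key"            # stands in for the admin's private key
    v, d = LoadVerifier(key), tempfile.mkdtemp()
    signed, unsigned = os.path.join(d, "trusted"), os.path.join(d, "rogue")
    Path(signed).write_bytes(b"\x7fELF trusted program body")
    Path(unsigned).write_bytes(b"\x7fELF program the administrator never signed")
    sign_binary(signed, key)
    r = {"signed": v.allow_exec(signed), "unsigned": v.allow_exec(unsigned)}
    r["cached"] = v.allow_exec(signed) and v.verifications == 2
    Path(signed).write_bytes(Path(signed).read_bytes() + b"!")  # modified after signing
    r["tampered"] = v.allow_exec(signed)       # cache miss, re-verified, rejected
    return r
```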

Link: sourceforge.net

Category:

  • Linux