Ineffective as a DRM / other checking component
Posted Mar 29, 2007 11:48 UTC (Thu) by hummassa (subscriber, #307)
Parent article: Integrity management in the kernel

Take the following path:

Ineffective as a DRM / other checking component
Posted Apr 3, 2007 14:39 UTC (Tue) by droundy (subscriber, #4559)

It isn't intended to protect against vulnerabilities in the kernel (as I read the description), but rather to protect against offline compromise, as described in the article. This is a real protection, albeit not against the most common threat.

Of course, you might be able to achieve the same safety using BIOS settings that require a password to modify those settings themselves and disable booting from external media, and you lock the box itself with an alarm system (to keep bad guys from removing the hard disk and sticking it in another computer to modify its contents). But that seems a bit more complicated, to me, than just having a chip on the motherboard that stores checksums.

Ineffective as a DRM / other checking component
Posted Apr 6, 2007 3:12 UTC (Fri) by pimlott (subscriber, #1535)

> It isn't intended to protect against vulnerabilities in the kernel (as I read the description), but rather to protect against offline compromise

Then there's no point in verifying checksums except at start-up. The code to do so can either go in the firmware/BIOS, or run in the kernel on boot. The on-line checks may be valuable for detecting errors, but not attacks.

Ineffective as a DRM / other checking component
Posted Apr 11, 2007 18:01 UTC (Wed) by droundy (subscriber, #4559)

Except that it'd be horrifically expensive to checksum the entire system at startup. It looks like this approach would allow a trusted startup without having to check everything.

Ineffective as a DRM / other checking component
Posted Apr 11, 2007 18:19 UTC (Wed) by pimlott (subscriber, #1535)

Hmm, good point. Lazy evaluation strikes again.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.