On Tue, 31 Mar 2015, Gareth Nelson wrote:

> Before anyone says it, I'd be more than willing to work on the code for
> this myself but would like feedback on the idea.
> 
> Essentially as follows:
> 
> 1 - A sysctl variable stores a public key that can only be written to once
> at startup
> 2 - All executables on the system must be signed with that public key
> 3 - Any executable not signed is essentially chmod -x
> 
> Of course that's the simple basic idea, there are obvious performance
> issues to consider and this system would have to be optional, but for truly
> paranoid installs it could be a wonderful feature.
> 
> More complex policies are easily imagined, but for a first version, simply
> refusing to run executables without signing seems worthwhile.
> 
> The performance issues could be partly addressed by only signing hashes of
> the executables, the unsigned hashes would be stored all in one file that
> is supplied with the install sets and signed the first time this feature is
> enabled. Signing can take place on another machine and only the signature
> file copied over, or signing can take place locally with the private key
> later removed - or simply left in place for slightly lower levels of
> security.
> 

It sounds to me like you are describing a type of host-based intrusion 
detection/protection.

Integrating host-based intrusion detection into an OS kernel could be 
interesting.  The issue is that to turn it into a protection instead of 
just detection system would probably slow things down too much since it 
would need to run some sort of check on each binary before it is executed.

Some people might really want something like this.  I think the issue is 
that not enough people would be willing to accept the large slow down that 
would result.  So, you probably won't end up with enough interested 
people needed to gain any momentum.

And, as others have mentioned, it will only protect against certain 
attacks, and determined attackers will be able to get around it.

-- 

John Merriam

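The signed-hash-manifest scheme quoted above, as an added userland sketch (not code from either poster and not a real kernel exec hook): it assumes Ed25519 for the pinned public key, a manifest of "<sha256 hex>  <path>" lines with a detached signature, and constructed in-memory byte strings standing in for executables so it runs without touching a filesystem. The one public-key operation happens when the manifest is loaded; what runs per exec is a SHA-256 of the image plus a map lookup, which is exactly the cost the reply worries about.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest is the parsed, signature-checked hash list: the proposal's single
// file of hashes that is signed once instead of signing every binary.
type Manifest struct {
	hashes map[string][sha256.Size]byte // path -> SHA-256 of the image
}

// BuildManifest hashes every executable (path -> contents) into the text that
// gets signed, sorted so the same install set always yields the same bytes.
func BuildManifest(execs map[string][]byte) []byte {
	paths := make([]string, 0, len(execs))
	for p := range execs {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var sb strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&sb, "%x  %s\n", sha256.Sum256(execs[p]), p)
	}
	return []byte(sb.String())
}

// SignManifest runs on the signing machine; only the signature is copied to
// the host, so the private key never has to be present there.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// LoadManifest is the enable-time step: verify the detached signature with the
// pinned key (the write-once sysctl in the proposal), then parse the lines.
// Nothing asymmetric runs per exec; this is the only public-key operation.
func LoadManifest(pub ed25519.PublicKey, manifest, sig []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return nil, fmt.Errorf("manifest signature does not verify against pinned key")
	}
	m := &Manifest{hashes: make(map[string][sha256.Size]byte)}
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		fields := strings.SplitN(line, "  ", 2)
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		raw, err := hex.DecodeString(fields[0])
		if err != nil || len(raw) != sha256.Size {
			return nil, fmt.Errorf("bad hash in manifest line: %q", line)
		}
		var h [sha256.Size]byte
		copy(h[:], raw)
		m.hashes[fields[1]] = h
	}
	return m, nil
}

// CheckExec is the per-exec hook: hash the image about to run and compare it
// to the manifest. An unlisted path or changed bytes is refused, which is the
// "essentially chmod -x" behaviour. Hashing the whole image on every exec is
// where the slowdown discussed in the thread comes from.
func (m *Manifest) CheckExec(path string, image []byte) bool {
	want, ok := m.hashes[path]
	return ok && sha256.Sum256(image) == want
}

// RunScenario exercises the pieces on constructed in-memory images (sample
// data, not real binaries) and reports which execs the policy would allow.
func RunScenario() (map[string]bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	execs := map[string][]byte{
		"/bin/ls": []byte("constructed ls image"),
		"/bin/sh": []byte("constructed sh image"),
	}
	manifest := BuildManifest(execs)
	sig := SignManifest(priv, manifest)
	m, err := LoadManifest(pub, manifest, sig)
	if err != nil {
		return nil, err
	}
	// An attacker who can edit the manifest file but does not hold the key.
	edited := append(append([]byte{}, manifest...),
		[]byte(strings.Repeat("00", sha256.Size)+"  /tmp/backdoor\n")...)
	_, editErr := LoadManifest(pub, edited, sig)

	return map[string]bool{
		"signed image runs":        m.CheckExec("/bin/ls", execs["/bin/ls"]),
		"unlisted image runs":      m.CheckExec("/tmp/backdoor", []byte("constructed backdoor")),
		"modified image runs":      m.CheckExec("/bin/sh", []byte("constructed sh image, patched")),
		"edited manifest accepted": editErr == nil,
	}, nil
}
```

Note what this does and does not cover: the hash check happens on the bytes handed to the hook, so a real implementation has to hash the file the kernel actually maps (not a path an attacker can race), and it says nothing about scripts fed to an already-signed interpreter, which is one of the "certain attacks" the reply alludes to.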