Bugtraq mailing list archives
Re: Trusted process on an untrusted machine?
From: newsham () LAVA NET (Tim Newsham)
Date: Wed, 19 Jan 2000 10:49:56 -1000
A PhD friend of mine (Rick Kennell) and I spent _alot_ of time discussing how to establish a trusted client on an untrusted machine. His idea was a customized kernel that would fetch a kernel module off the net at boot time. The kernel module's purpose would be to verify that the running kernel was intact and had not been subverted (only the known good kernel was running without any unknown modules). The kernel module would traverse memory and calculate a checksum (maybe of all the memory mapped in the page tables). The module would then send the checksum back to the central authority who would grant credentials to the untrusted machine if the checksum matched. This worked off the assumption that the kernel could be trusted to uphold the security of the system. Keep in mind that it would make liberal use of digital signatures and encrypted communication between the client and the central auth.
An attacker can likewise load a kernel module into the kernel that subverts its securities, but do so in a way that is no detectable by a simple checksum (you never mentioned what you proposed to checksum, anyway, but I'm sure once you come up with your list of checksums, I can come up with something else to patch, ad infinitum). Your module will continue to pull over its certificates, and my module will continue to use them as it sees fit.
I've left out (and forgotten) many implementation details. And this makes the assumption that a kernel could be trusted to maintain security once running.
That last assumption is a big one.
The purpose for the idea was to take the several hundred machines on campus that run linux and turn them into a compute cluster at night. Unfortunately they would need write permissions to do any useful simulation work and I'm sure we all know how (in)secure linux boxes get when the student body can park their collective asses in front of one.
What is the your threat model? Do you envision students trying to subvert your cluster computations? Most likely students will be more interested in running ftp daemons or irc bots than in fiddling with the data in your particle simulations.. I guess what I'm trying to ask is "are you expending too much effort to protect something that doesn't need to be protected?" How about something along these lines: - have the computers power cycle at a given time each night - have them boot over the network from a (more) trusted machine or from read-only media, without trusting any of the data on the hard drive. Without running extrenuous services. - run the cluster - power cycle the machines in the morning before students get on them In otherwords.. let the users have 1 system on the machines and start with a clean slate for your cluster at nights. Net booting has the advantage of letting you upgrade them all easily, too. And you can customize and optimize your kernel for your particular task.
later, .mike
Current thread:
- Re: Hotmail security hole - injecting JavaScript using <IMG, (continued)
- Re: Hotmail security hole - injecting JavaScript using <IMG Eivind Eklund (Jan 08)
- IIS still revealing paths for web directories Vanja Hrustic (Jan 10)
- Re: IIS still revealing paths for web directories Vladimir Dubrovin (Jan 12)
- Re: IIS still revealing paths for web directories Chris Tobkin (Jan 12)
- Altavista Free Internet Security Plex Inphiniti (Jan 14)
- Re: Altavista Free Internet Security Bill (Jan 17)
- Trusted process on an untrusted machine? Mike Frantzen (Jan 18)
- Re: Trusted process on an untrusted machine? Pavel Machek (Jan 19)
- Re: Trusted process on an untrusted machine? Mike Frantzen (Jan 19)
- Re: Trusted process on an untrusted machine? Pavel Machek (Jan 20)
- Re: Trusted process on an untrusted machine? Tim Newsham (Jan 19)
- Re: Trusted process on an untrusted machine? Anonymous Anonymous (Jan 19)
- Re: Trusted process on an untrusted machine? Crispin Cowan (Jan 19)
- Crafted Packets Handling by Firewalls - FW-1 case Ofir Arkin (Jan 19)
- Rh 6.1 initial root password encryption Ken Barber (Jan 20)
- Re: Rh 6.1 initial root password encryption Fabian Kroenner (Jan 22)
- Re: Crafted Packets Handling by Firewalls - FW-1 case Darren Reed (Jan 20)
- Microsoft Security Bulletin (MS00-005) Microsoft Product Security (Jan 17)
- Re: Microsoft Security Bulletin (MS00-005) bugtraq () NS DOOMSDAY COM (Jan 19)
- Re: Microsoft Security Bulletin (MS00-005) Matt Davis (Jan 19)
- Re: Microsoft Security Bulletin (MS00-005) Tabor J. Wells (Jan 19)