Re: security idea - bootable CD to check your system

On Mon, Jun 25, 2007 at 08:23:21AM -0700, Russ Allbery wrote:
> Jim Popovitch <yahoo@jimpop.com> writes:
> > On Sun, 2007-06-24 at 16:50 +0100, andy baxter wrote:
>
> >> The difference is that:
>
> >> a) These all run on the live system they are trying to protect,
>
> > Unless you configure them to only write to an offline mount point that
> > is normally ro and only rw through external effort.... which is in
> > Tripwire's best practices.
>
> That doesn't necessarily help. It makes the attacker's task much more
> difficult, but it's still possible to binary-patch a running kernel in
> various ways to hide files from everything on the system, including
> tripwire.
>
> You have to boot into a known-clean kernel in order to get a fully
> trustable integrity check.

I agree 100%, but ...

another way of looking at it is to ask "how hard would this be to break?"

There aren't any real world "known clean" kernels, just ones we can reasonably expect not to be infected by a specific problem.

just like the compiler thing (reflections on trusting trust), in the real world this has ultimately underwritten by some obstacle course of tough/impossible to follow steps, such as cross-arch compiles and compiles from different compilers, and the expertise and judgment to use this, along with eyes watching for trojans in the source.

A similar story no doubt applies with kernels.

and then it is all to easy to assume that the underlying hardware is not a problem.

but in practice being able to boot from known-clean (eg: read-only media) is a gold-standard weapon in the armoury, and anything that can help join the dots from there to "this installation is clean" is invaluable. Having a strong chain of assurance is important.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

Regards,
Paddy

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org