Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: [Dailydave] Default Deny on Executables
From: Dave Aitel (daveimmunitysec.com)
Date: Wed Sep 14 2005 - 07:35:04 CDT
That URL would be:
Because last I checked making each binary signed is what Palladium does.
You can do things like say "Only GPG and DLL's signed by GPG.com can
access my sealed GPG key."
By default your box can come from Dell only running EXE's that are
signed by vendors you trust. This wouldn't be a bad idea for a GRSec'd
distribution either, imo. If you assume that you can trust the kernel
(which is a pretty big assumption, but not everyone is Paul Starzetz)
you can do similar stuff without special hardware, I think. :>
> On 14 Sep 2005 at 12:20, Nick Drage wrote:
>> On Sat, Sep 10, 2005 at 08:30:32PM +0100, pageexecfreemail.hu wrote:
> you didn't pay attention, did you ;-). i said 'executable FILES',
> not merely 'executables' for a reason. when you run firefox, you
> not only get one 'executable' mapped into memory but 50 other
> libraries as well (give or take a few, you get the idea). in the
> 'default deny' world that means that you would have to explicitly
> exclude everything else 'executable' present in the system from
> being able to load into firefox (in addition to all the 'executables'
> that the given user is not supposed to run at all). ditto for all
> the other 'executables' of course (including interpreters and the
> scripts that can be fed into them). now, on my little development
> system at last count i had something like 3000 'executables files',
> presumably all of which i needed at one point in time (i.e., it's
> not just some default install of some distro). if you look at what
> a corporation of said magnitude (and that's not a big company as
> i said) installs for different users, you will easily get the 1000
> 'executables files', all of which must be dealt with in the access
> control matrix, should you want the 'default deny', that is.
>> As for those 1000 users, there will
>> be entire swathes of them that have the same requirements because they
>> essentially carry out the same task or do the same job, so they are
>> effectively just the one users... suddenly that million element control
>> matrix looks a lot, lot simpler.
> well then, i'm waiting for the URL where i can buy the product that
> does the work, everything else is empty speculation or wishful thinking,
> which was kinda the point i was making. in security many people had
> ideas that would give us so nice security if we could just overcome
> this or that little detail, 'default deny' is no exemption to that.