Re: [Dailydave] Default Deny on Executables
From: Blue Boar (BlueBoarthievco.com)
Date: Wed Sep 14 2005 - 12:47:08 CDT
> While this is on a different OS, I've seen numerous installer packages
> modify the binary being put onto the machine to include various
> information (OS version, arch, install time). So, if for any reason,
> there are installation packages that do modify ELF files (I've never
> looked into this), you might have issues. But I don't see this as a
> common thing to *nix -- though I've not looked into it.
My Mac Developers at work tell me that OS X will rebase binaries at
install time, so that there are no address conflicts with any other
binary on disk. This totally screws up attempts to use hashes to verify
things. It seems that the OS X loader couldn't dynamically rebase until
10.3. And 10.3 still does the static rebasing.

In general, a signing scheme has to take into account (or specifically,
leave out) pieces of the binary that are allowed to be modified.
Hopefully, program flow doesn't depend on any of the unsigned pieces. :)

I assume the Mac mangling is too severe to support binary signing as-is.
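
An added example, not part of the original post: a digest that leaves out declared mutable byte ranges, as the message describes, while hashing the range table itself so the list of exclusions cannot be widened unnoticed. The toy image layout, the single rewritable base-address field, and every name below are assumptions made for illustration; real install-time rebasing touches far more than one field.

```python
import hashlib
import struct

# Constructed toy image: 8-byte magic, 4-byte preferred base address, then code.
MAGIC = b"TOYIMG\x00\x01"
BASE_FIELD = (len(MAGIC), 4)  # (offset, length) an installer is allowed to rewrite

def make_image(base, code):
    return MAGIC + struct.pack(">I", base) + code

def digest_excluding(data, mutable):
    """SHA-256 of data with the (offset, length) ranges in `mutable` skipped.
    File length and the range table are hashed first, so they are covered too."""
    ranges = sorted(mutable)
    h = hashlib.sha256()
    h.update(struct.pack(">QI", len(data), len(ranges)))
    end_prev = 0
    for off, length in ranges:
        if length <= 0 or off < end_prev or off + length > len(data):
            raise ValueError("overlapping or out-of-bounds mutable range")
        h.update(struct.pack(">QQ", off, length))
        end_prev = off + length
    pos = 0
    for off, length in ranges:
        h.update(data[pos:off])   # authenticated bytes before the gap
        pos = off + length        # bytes inside the gap are NOT authenticated
    h.update(data[pos:])
    return h.hexdigest()

def demo():
    code = b"\x55\x48\x89\xe5\x90\x90\xc3"
    shipped = make_image(0x10000000, code)
    rebased = make_image(0x24000000, code)                # installer changed base
    patched = make_image(0x24000000, code[:-1] + b"\xcc")  # code byte altered
    ref = digest_excluding(shipped, [BASE_FIELD])
    wide = [(len(MAGIC), 4 + len(code))]                  # mask stretched over code
    return {
        "plain_hash_survives_rebase":
            hashlib.sha256(shipped).digest() == hashlib.sha256(rebased).digest(),
        "masked_hash_survives_rebase": digest_excluding(rebased, [BASE_FIELD]) == ref,
        "masked_hash_detects_patch": digest_excluding(patched, [BASE_FIELD]) != ref,
        "widened_mask_detected": digest_excluding(patched, wide) != ref,
    }

if __name__ == "__main__":
    print(demo())
```

Anything inside an excluded range is unauthenticated, so a verifier built this way is only sound if nothing that steers execution is read from those bytes.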