wojtek_at_ifirma.pl
Date: Tue Oct 01 2002 - 12:23:36 CDT


    Torsten,

    >It might be that I'm not skilled enough in hacking a binary, but I
    >believe that this could be made impossible (at least theoretically) by
    >randomizing the spreading of the binary part of the decoding through the
    >kernel. You may know by reading the source how this is done, but you
    >don't know the result, because of the randomization. Therefore
    >disassembling the kernel still might be possible but very hard.

    You don't need to do anything - you run the kernel under an x86 emulator
    and just wait until the decryption code in it does the work. Do you
    understand? You don't have to hack anything.

    From: "Torsten Valentin" <winsock2@musiker.de>
    To: <wojtek@ifirma.pl>
    cc: <misc@openbsd.org>
    Subject: RE: Thanks / was: RE: Checking integrity of /sbin/init from within kernel
    Date: 2002-10-01 16:54

    > I am afraid you may not have the last word and tell other people to
    > shut up.

    I never told anybody to shut up. I think I understood your points and -
    bear with me - I still have a different opinion. You may have seen
    someone on the list asking us to keep this off the list (which was later
    than my posting); I thought I had understood most of the opinions that
    have been said here.

    I cannot see what I have done to make you start a flame at me. I tried
    my best to be polite, I'd be glad if you'd try that, too.

    > Well, a general method is: you just use the kernel's own method of
    > unwrapping without the need to understand how it does the job. The
    > complexity of the process doesn't matter at all.

    It might be that I'm not skilled enough in hacking a binary, but I
    believe that this could be made impossible (at least theoretically) by
    randomizing the spreading of the binary part of the decoding through the
    kernel. You may know by reading the source how this is done, but you
    don't know the result, because of the randomization. Therefore
    disassembling the kernel still might be possible but very hard.

    I stressed already that I'm no skilled kernel programmer, so it might be
    that I'm a blind man talking about color, but I know a few methods I
    could be doing this with different (non kernel) code in different
    languages.

    > First you wanted to protect only the second link in the chain (init),
    > then you extended your idea to protect the first two: kernel and init.

    I'm not used to using mailing lists. I saw that most people try to ask
    questions in a very short form without explaining a lot. That's what I
    did. I didn't tell the whole story, because I have done the rest
    already. All that I'm missing is the ability of the kernel to check
    init. And that's what my first request was about. The explanation about
    further protections was just to explain my method to those people who
    were telling me that my way was no good way to go.

    > This is of limited applicability at best. And then you are surprised
    > that nobody wants to implement this for you for free.

    I'm surprised about that "all or nothing" thing I mentioned in my last
    mail. I never expected anyone to do anything for free for me and if you
    read my mails, you'll see that. Please stop flaming at me! It seems you
    want to provoke me.

    > You just constantly refuse to accept the fact that many people don't
    > share your opinion that your enhancement is well working and measurable.

    I don't want to be sarcastic, but would you please accept, that I have
    the right to have my own opinion and that this is not "constant
    refusing" but just the way I see it?

    Nobody disagreed when I said that my method would probably stop 99% of
    all attackers; everybody insisted that it is still possible to hack
    my method, which I never denied. But stopping 99% of all attackers is
    a SIGNIFICANT increase in security. Even 40% would be a significant
    increase, because there's no alternative to my method.

    I understand that you amongst others are not interested in such a
    solution, and I accept and somehow understand it, seen from your "all or
    nothing" point of view.

    > Good luck. Once you are done, please share your results for exogenous
    > verification. You will find out who was correct.

    Would you want to give it a try to hack the machine (with physical
    access to the hd (I might send you an image)) when given the source of
    it?

    T.

    > Wojtek
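As an added illustration of the chain-of-trust point argued in this thread (example code, not anything posted by either participant): a small Python model in which each boot stage verifies the hash of the next one. It shows that a kernel-side hash of init does catch a replaced init on its own, but a chain whose only expectations live on the same disk verifies just as well after a consistent rebuild of both stages, unless the first stage's hash is anchored somewhere the disk image cannot rewrite; the stage names and byte strings are constructed.

```python
import hashlib

# Toy model of a boot chain (kernel -> init), constructed for this example;
# it is not code from the thread. Each stage embeds the hash it expects of
# the next stage, as a kernel-side check of /sbin/init would.

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class Stage:
    def __init__(self, name, code, expected_next=None):
        self.name = name
        self.code = code
        self.expected_next = expected_next  # hash of the next stage's image

    def image(self) -> bytes:
        # What sits on disk: the code plus the embedded expectation.
        return self.code + (self.expected_next or "").encode()

def build_chain(kernel_code: bytes, init_code: bytes):
    init = Stage("init", init_code)
    kernel = Stage("kernel", kernel_code, expected_next=sha256(init.image()))
    return [kernel, init]

def verify_chain(stages, root_hash=None):
    """Walk the chain; each stage checks the next stage's image hash.
    root_hash is a trust anchor held outside the disk (firmware, a measured
    boot record). None models the thread's setup, where every expectation
    lives inside the disk image itself.
    Returns (ok, name_of_first_failing_stage)."""
    if root_hash is not None and sha256(stages[0].image()) != root_hash:
        return False, stages[0].name
    for cur, nxt in zip(stages, stages[1:]):
        if cur.expected_next != sha256(nxt.image()):
            return False, nxt.name
    return True, None

def demo():
    good = build_chain(b"kernel-v1", b"init-v1")
    anchor = sha256(good[0].image())          # recorded off-disk
    # init replaced on its own: the kernel's embedded hash catches it.
    swapped = [good[0], Stage("init", b"init-v2")]
    # both stages rebuilt consistently: passes unless a root anchor exists.
    rebuilt = build_chain(b"kernel-v1", b"init-v2")
    return {
        "good": verify_chain(good),
        "init_only": verify_chain(swapped),
        "rebuilt_no_anchor": verify_chain(rebuilt),
        "rebuilt_with_anchor": verify_chain(rebuilt, root_hash=anchor),
    }
```

The last two results are the whole argument: the same check that fails for a lone init swap passes for a consistent rebuild until the kernel's own hash is held somewhere outside the image.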