LinuxQuestions.org - Linux - Security - Only executing signed code (https://www.linuxquestions.org/questions/linux-security-4/only-executing-signed-code-864472/)

derchris 02-23-2011 03:47 AM

Only executing signed code
 
Hi everyone,


I need to build a Linux environment in which only "signed" processes are allowed to run. When I say signed I don't mean a VeriSign etc. signature like you know it from Windows, but I mean signed by myself. I.e. I choose the software allowed to run, sign it, and then want to deny any other processes from running.
If it is somehow possible I'd like to extend this even to scripts and the kernel (i.e. no unsigned modules can be loaded).
Does anyone have a good idea how to solve this problem?
The bad thing is: I'm pretty fine with coding stuff myself in C, but have absolutely 0 experience or knowledge in kernel (module) programming.

Any tips, links, literature, finished programs will be appreciated, thanks

One approach I came up with (just a rough idea at the moment): Linux starts new processes with a fork-and-exec-combination. I therefore wonder if it is possible to change exec() in such a way that it will only execute signed programs.

Thank you :)
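
The "verify before exec" idea from this post, as an added example that is not code from the thread or from any of the tools named later in it. It is a user-space launcher rather than a kernel hook: it refuses to execute anything that is not listed, with a matching SHA-256, in a signed manifest. Constructed assumptions: a keyed HMAC-SHA256 over the manifest stands in for a public-key signature (a real build would verify an RSA or Ed25519 signature against a public key baked into the image, the flow being the same), the demo key and file names are made up, and `os.fexecve` is used so the descriptor that was hashed is the one that gets executed.

```python
"""Fail-closed launcher: execute a program only if a signed manifest lists it.

Added example (not from the thread). Constructed assumptions: HMAC-SHA256 is a
stand-in for a real public-key signature; DEMO_KEY and the demo files are made up.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key. In a real design the device holds only a public key.
DEMO_KEY = b"constructed-demo-signing-key"


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Signing side: canonical JSON body plus a tag over that exact body."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def verify_manifest(blob: bytes, key: bytes):
    """Return the manifest dict if the tag verifies, else None (fail closed)."""
    try:
        body, tag = blob.rsplit(b"\n", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def sha256_fd(fd: int) -> str:
    """Hash an already-open descriptor, so the bytes checked are the bytes run."""
    h = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            break
        h.update(chunk)
    return h.hexdigest()


def build_manifest(paths) -> dict:
    """Signing side: map each approved path to the SHA-256 of its contents."""
    out = {}
    for p in paths:
        fd = os.open(p, os.O_RDONLY)
        try:
            out[p] = sha256_fd(fd)
        finally:
            os.close(fd)
    return out


def is_allowed(path: str, fd: int, manifest: dict) -> bool:
    """Allowed only if the path is listed and the open file's hash matches."""
    expected = manifest.get(path)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_fd(fd), expected)


def open_if_allowed(path: str, manifest_blob: bytes, key: bytes):
    """Return an open fd for `path` if the manifest is valid and lists it, else None."""
    manifest = verify_manifest(manifest_blob, key)
    if manifest is None:          # bad or tampered manifest: run nothing at all
        return None
    fd = os.open(path, os.O_RDONLY)
    if is_allowed(path, fd, manifest):
        return fd
    os.close(fd)
    return None


def launch(path: str, argv: list, manifest_blob: bytes, key: bytes) -> None:
    """The exec() hook-point: replaces this process only with an approved file.

    fexecve runs the same descriptor that was hashed, so swapping the file at
    `path` between the check and the exec does not get an unlisted binary run.
    """
    fd = open_if_allowed(path, manifest_blob, key)
    if fd is None:
        raise PermissionError(f"refusing to execute {path}: not in signed manifest")
    os.fexecve(fd, argv, os.environ)


def demo() -> dict:
    """Constructed scenario: one approved script, one unlisted, then tampering."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "approved.sh")
        other = os.path.join(d, "unlisted.sh")
        with open(good, "w") as f:
            f.write("#!/bin/sh\necho approved\n")
        with open(other, "w") as f:
            f.write("#!/bin/sh\necho unlisted\n")
        blob = sign_manifest(build_manifest([good]), DEMO_KEY)
        results = {}
        fd = open_if_allowed(good, blob, DEMO_KEY)
        results["listed_ok"] = fd is not None
        if fd is not None:
            os.close(fd)
        results["unlisted"] = open_if_allowed(other, blob, DEMO_KEY) is not None
        with open(good, "a") as f:            # modify an approved file after signing
            f.write("echo tampered\n")
        results["tampered"] = open_if_allowed(good, blob, DEMO_KEY) is not None
        forged = blob.replace(b"approved", b"approvee", 1)   # edit the manifest body
        results["bad_manifest"] = open_if_allowed(good, forged, DEMO_KEY) is not None
        return results


if __name__ == "__main__":
    print(demo())   # expected: listed_ok True, the other three False
```

Two caveats a practitioner would want alongside this: when the approved file is a script, the kernel executes its interpreter with `/dev/fd/N` as the script path, so the interpreter itself is not checked by this wrapper and would have to be listed too; and a user-space wrapper only gates processes started through it, which is why the thread's kernel-level angle (hooking exec, or the DigSig-style in-kernel verification mentioned below in the thread) is the stronger design.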

eSelix 02-23-2011 04:32 AM

Can you be precise about the purpose of this signing? I like this idea, but for me, one PC user, it will only be an encumbrance, as I know what I want to run and in principle I will have to sign all applications. But for multiuser environments it can give some security.

If you mean anti-hacking purposes, I think it will not work, as hackers run their exploits in running processes, already signed. It can make an attack a little more difficult, but all harmful actions can be made under cover of a signed process.

derchris 02-23-2011 05:06 AM

Well, it is actually more about embedded systems, not on a PC.
Imagine you sell a mobile phone and don't want the user to use any software you didn't sign or to change the software you gave him. So you basically want to make sure that the user can only use programs that he paid for (i.e. he got from you). (I know this example isn't perfect as it disregards the possibility of getting signed software from somewhere else, but just to give you a brief example)

So it's basically to make sure that you can control which processes your customers can run and that no one just tries to execute totally different code. Against a real hacking exploit I'm thinking of additional protection in the form of a MAC (which doesn't belong to this topic)

Edit: It's basically about Code Integrity. That's the keyword I was looking for ;)

Hangdog42 02-23-2011 06:37 AM

What you're describing has generally been referred to as Trusted Computing. A number of companies, particularly Microsoft, have been pursuing this idea for years. Here in the FOSS world, you're highly likely to run into a huge amount of skepticism and outright hostility since Trusted Computing pretty much goes against every tenet of FOSS. I'd be highly surprised if there were any Linux tools out there that would help you, but I may be wrong about that.

unSpawn 02-23-2011 10:12 AM

Quote:

Originally Posted by Hangdog42 (Post 4268437)
Here in the FOSS world, you're highly likely to run into a huge amount of skepticism and outright hostility since Trusted Computing pretty much goes against every tenet of FOSS. I'd be highly surprised if there were any Linux tools out there that would help you, but I may be wrong about that.

There's non-TPM checking of embedded signatures before execution (BSign, DigSig and DSI: http://disec.sourceforge.net/ ; IBM DeveloperWorks tutorial "Attacking binary signatures") and there's a lot of code to make use of TPM hardware: the tpmdd TPM Device Driver, the TrouSerS OSS TCG Software Stack, TrustedGRUB, a TPM Manager GUI and SmartRM. This h-online article reminds all that GPLv3-licensed software is forbidden from running on platforms which require a private signing key unless the key is freely available to the computer owner (http://gplv3.fsf.org/, http://www.fsf.org/licensing/license...ide-gplv3.html), and among these IBM TCG papers is one that tries to combat wrong criticism. Also see the OpenTC Open Trusted Computing Consortium.

Hangdog42 02-23-2011 03:06 PM

Wow. I had absolutely no idea there was that much activity.

