[EROS-Arch] Re: [E-Lang] Re: Interaction Design for End-User Security

Bill Frantz frantz@pwpconsult.com
Thu, 22 Mar 2001 14:00:00 -0800


At 8:35 AM -0800 3/22/01, wojtek@ifirma.pl wrote:
>You are right.  I get it. Let me think it over again.
>
>This problem might be reduced to: verify what you boot.
>
>But wait a minute, there is an option, unfortunately quite hard to
>implement: boot from the token. It would require two things to be put on a
>token: 1. bootstrap 2. kernel signature. Then the bootstrap would only load
>the kernel from hard drive and verify its signature.  Then the kernel would
>be responsible for verifying signatures of software it loads. The trusted
>set of certificates might reside on the token. Let's also grant that the
>bootstrap and your OS vendor cert is always read-only.
>
>Do you find this possible? Anything wrong in this scenario?
>
>Wojtek

While certainly not proof against some attacks (e.g. re-flashing a new BIOS
into the machine), booting from a CD probably provides a significant level
of protection.  I have often thought of having a bootable CD which could
verify the (SHA1) checksum on critical system files.  This would certainly
increase my peace of mind that they had not been changed.

Interestingly, the list of filenames and their checksums could be stored on
the system itself (instead of on the CD), if it is protected with an HMAC
where the HMAC key is stored on the CD.  You would need to be running from
the CD to change the list.  If the HMAC and key worry you, then store the
list on the CD and burn a new CD every time you want to change the list.

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz       | Microsoft Outlook, the     | Periwinkle -- Consulting
(408)356-8506     | hacker's path to your      | 16345 Englewood Ave.
frantz@netcom.com | hard disk.                 | Los Gatos, CA 95032, USA
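The HMAC-protected checksum list described in the message above, as an added example in Python that is not part of this thread: a SHA1 manifest of files kept on the system, authenticated with an HMAC key that is assumed to be held only on the read-only boot CD. The key, file names and contents are constructed, and HMAC-SHA256 for the tag is my choice, not something the message specifies.

```python
import hashlib
import hmac
import tempfile

# Constructed example: this key is assumed to live only on the read-only boot CD.
CD_HMAC_KEY = b"hypothetical-key-kept-only-on-the-boot-cd"

def sha1_of_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths):
    """Canonical list text: one 'sha1  path' line per file, sorted by path."""
    return "".join(f"{sha1_of_file(p)}  {p}\n" for p in sorted(paths))

def sign_manifest(manifest, key):
    """HMAC-SHA256 over the list; only a holder of the CD key can produce it."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()

def verify_system(manifest, tag, key):
    """Return problems found (empty list = intact). The HMAC is checked first, in
    constant time, so an altered list is rejected before any entry is trusted."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return ["manifest HMAC mismatch: list altered or wrong key"]
    problems = []
    for line in manifest.splitlines():
        digest, path = line.split("  ", 1)
        try:
            if sha1_of_file(path) != digest:
                problems.append(f"{path}: SHA1 changed")
        except OSError as e:
            problems.append(f"{path}: unreadable ({e.strerror})")
    return problems

def demo():
    # Two constructed "critical files" stand in for the system; then tamper two ways.
    with tempfile.TemporaryDirectory() as d:
        files = [d + "/kernel", d + "/init"]
        for p in files:
            with open(p, "wb") as f: f.write(b"contents of " + p.encode())
        manifest = build_manifest(files)
        tag = sign_manifest(manifest, CD_HMAC_KEY)
        clean = verify_system(manifest, tag, CD_HMAC_KEY)
        with open(files[0], "ab") as f: f.write(b"x")  # a file is changed on disk
        tampered = verify_system(manifest, tag, CD_HMAC_KEY)
        forged = build_manifest(files)  # list rewritten to match, but without the CD key
        return clean, tampered, verify_system(forged, tag, CD_HMAC_KEY)
```

Because the tag is checked before any entry is read, an attacker who rewrites both a file and the list still fails verification unless the key leaves the CD.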