Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Default Deny on Executables

From: El Nahual <nahual () g-con org>
Date: Wed, 14 Sep 2005 10:51:05 -0500
There are couple of tools that do this, problem is most of them sign inside
the binary which makes harder to actually put this kinda solution in mass
production 8specially if you clone machines and that kinda stuff)

Default deny should be done even on anything that goes hardcore, like maybe
you let word get to your encrypted partition so if someone does a macro that
is not an executable but also should be stopped (now that is kinda annoying
as hell)

Anubis was another project that did that on kernel but nobody was interested
so project was dropped silently

Just my toughts...

//Nahual

-----Mensaje original-----
De: Dave Aitel [mailto:dave () immunitysec com] 
Enviado el: MiƩrcoles, 14 de Septiembre de 2005 07:35 a.m.
Para: dailydave () lists immunitysec com
Asunto: Re: [Dailydave] Default Deny on Executables

That URL would be:
http://www.microsoft.com/windowsvista/default.mspx

Because last I checked making each binary signed is what Palladium does. 
You can do things like say "Only GPG and DLL's signed by GPG.com can 
access my sealed GPG key."

By default your box can come from Dell only running EXE's that are 
signed by vendors you trust. This wouldn't be a bad idea for a GRSec'd 
distribution either, imo. If you assume that you can trust the kernel 
(which is a pretty big assumption, but not everyone is Paul Starzetz) 
you can do similar stuff without special hardware, I think. :>

-dave
Previous By Date Next
Previous By Thread Next

Current thread: