Intrusion Detection Systems mailing list archives
How about digital signed binaries?
From: Vinícius da Silveira Serafim <serafim () inf ufrgs br>
Date: Fri, 28 Jul 2000 11:42:27 -0300
Hi folks,

I need some help from you! I'm a Master of Computer Science student at UFRGS-BR, and I must develop an individual work by the end of the present year. So I've been thinking about a server that just executes signed binaries, and I want to hear from you about that...

How did I get the idea?
When we root any server, in most cases, we compile some toolz and execute them, deploy some trojan binaries, etc... How about if you got into a server and you could not execute any of your tools or change the binaries?

The idea...
Sign the binaries (ALL of them) with a private key, and the kernel checks this signature with the public key every time you ask for the execution of any binary. If the check fails, an alarm is raised. Ok, we have tripwire, but tripwire doesn't do exactly this (you know).

Overhead on the server
That's a possible problem, but I don't intend to use it on servers where users can make their own programs (and that have a lot of users).

I hope you can help with something.
Thanks for your attention,
Vini.
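The check proposed in the message above, modelled in user space as an added example that is not part of the original post and is not kernel code. Ed25519, the detached `.sig` file next to each binary, and the names `signFile`, `checkBeforeExec` and `ErrAlarm` are assumptions of this sketch; a real kernel check would also have to verify the same bytes it later maps for execution.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrAlarm is returned whenever a file must not be executed.
var ErrAlarm = errors.New("ALARM: signature check failed")

// signFile writes a detached Ed25519 signature to path+".sig".
// In this sketch signing happens off the server, so the private key is never stored there.
func signFile(priv ed25519.PrivateKey, path string) error {
	data, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	return os.WriteFile(path+".sig", ed25519.Sign(priv, data), 0o644)
}

// checkBeforeExec models the check run on every execution request.
// A missing or malformed signature is treated exactly like a bad one.
func checkBeforeExec(pub ed25519.PublicKey, path string) error {
	data, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	sig, err := os.ReadFile(path + ".sig")
	if err != nil || !ed25519.Verify(pub, data, sig) {
		return fmt.Errorf("%w: %s", ErrAlarm, path)
	}
	return nil
}

func main() { // demo on constructed data; errors ignored for brevity
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	dir, _ := os.MkdirTemp("", "signed-exec")
	defer os.RemoveAll(dir)
	bin := filepath.Join(dir, "tool")
	os.WriteFile(bin, []byte("constructed stand-in for a binary"), 0o755)
	signFile(priv, bin)
	fmt.Println("signed:  ", checkBeforeExec(pub, bin))
	os.WriteFile(bin, []byte("trojaned replacement"), 0o755)
	fmt.Println("modified:", checkBeforeExec(pub, bin))
}
```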
