CryptoMark Overview
CryptoMark™ is a part of WireX's Immunix host security
technology family. CryptoMark is a Linux kernel enhancement intended
to protect the integrity of the programs installed on a machine by providing
and verifying digital certificates for programs. Readers
unfamiliar with the concepts should first read up on public
key cryptography and digital
certificates. CryptoMark functions as follows:
- The system owner or vendor creates a private/public key pair, as usual keeping the private key highly private, and publishing the public key as widely as possible.
- The private key and the CryptoMark cm_insert program are used to sign all of the programs to be run on the CryptoMark-protected machine.
- The public key is installed in the protected system's /etc/cryptomark directory.
When programs execute, the kernel checks to see whether the digital signature
that cm_insert has attached to the program is valid for that program
using the public key in /etc/cryptomark. If the signature
is invalid or missing, and the program is attempting to execute as root,
then the kernel aborts the program. Otherwise, if the signature is
valid, or the program is attempting to run as a non-root privileged user-ID,
the kernel allows it to execute.
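The exec-time decision described above, as an added example that is not CryptoMark's own code: an Ed25519 key pair stands in for the owner's key, SignProgram plays the role of cm_insert, and CheckExec models the kernel's check against the public key from /etc/cryptomark, refusing an unsigned or tampered program only when it would run as root. All names and the sample program bytes are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedProgram is a constructed stand-in for an executable plus the
// signature cm_insert attaches to it. Sig == nil models a never-signed file.
type SignedProgram struct {
	Name string
	Code []byte
	Sig  []byte
}

var ErrRootUnsigned = errors.New("cryptomark: unsigned or tampered program refused for root")

// GenerateOwnerKey models the owner creating the private/public key pair.
func GenerateOwnerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignProgram models cm_insert: sign the program bytes with the private key.
func SignProgram(priv ed25519.PrivateKey, name string, code []byte) SignedProgram {
	return SignedProgram{Name: name, Code: code, Sig: ed25519.Sign(priv, code)}
}

// CheckExec models the kernel's policy at exec time: a missing or invalid
// signature is fatal only when the program would run as root (uid 0);
// any other user-ID is allowed to run it regardless.
func CheckExec(pub ed25519.PublicKey, p SignedProgram, uid int) error {
	valid := p.Sig != nil && ed25519.Verify(pub, p.Code, p.Sig)
	if valid || uid != 0 {
		return nil
	}
	return ErrRootUnsigned
}

func main() {
	pub, priv := GenerateOwnerKey()
	login := SignProgram(priv, "/bin/login", []byte("constructed: genuine login binary"))
	tampered := login
	tampered.Code = []byte("constructed: modified login binary") // signature no longer matches
	fmt.Println(CheckExec(pub, login, 0))       // <nil>
	fmt.Println(CheckExec(pub, tampered, 0))    // refused for root
	fmt.Println(CheckExec(pub, tampered, 1000)) // <nil>: non-root is still allowed
}
```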
Benefit: Trojan Horse Protection
Trojan Horse programs are programs disguised to look like normal
programs, but coded to perform one or more malicious actions on the machine
when they are run. Attackers who penetrate the security of a machine
commonly install Trojan Horse programs that do things such as:
- Back Doors: these programs give the attacker an easy way back in to your computer, e.g. by replacing /bin/login with a program that will always log in a user as root when they use the password "opensesame".
- Intrusion Hiding: system administrators often check systems for intrusion using common UNIX commands like ps and ls. The Rootkit suite of tools replaces these utilities with Trojan'd versions designed to show the sys admin what they want to see, while hiding the evidence of intrusion by failing to report particular processes and files.
- Password Sniffing: attackers often break into one machine, and then attempt to leverage that to break into additional machines in the same domain. One powerful way to do this is to sniff or collect passwords as users log in. The traditional way is to install a program that sniffs network traffic for login connections, and collects the password as it goes by. Encryption products like SSH defeat the straightforward sniffing attack, so another approach is to Trojan the sshd (SSH daemon) itself to collect passwords, in addition to the usual function of authenticating remote users.
Readers may recognize Trojan Horse protection as a benefit that is also
provided by the Tripwire family of
tools. Tripwire and CryptoMark provide complementary Trojan
Horse protection in the following way:
- CryptoMark provides protection as opposed to detection. Tripwire only detects Trojan Horse programs (corrupted executable files) as often as the Tripwire database check is done, usually long after the Trojan Horse program has run. CryptoMark, in contrast, actually prevents the Trojan Horse program from ever executing. Tripwire helps you clean up the mess after the fact, while CryptoMark prevents the dirty deed itself.
- Tripwire's defense is broader, in that Tripwire detects corruption not only of programs, but also of configuration and data files.