>> This is great until md5 collision attacks[1] and
>> kernel-based rootkits are used on your system (common these days).
>
> Do you have any references to the use of md5 collision attacks being
> common?
Ahh, you are correct. I was thinking of kernel-based rootkits being common. I have no evidence that states collision attacks are currently common.

To clarify, it's trivially easy, using freely available source code[1] (31 secs/file now), to attack a system so that some valid executables have the same checksum as the vendor's distributed copy but do something completely unexpected. If nothing else changes with those files (permissions, size, owner, group, time) it would easily fool many admins.

> It's possible that I'm missing the point here, but what guarantees do
> you have that you can trust your Dom0?

Well, it's running Ubuntu of course! ;)

The way we run our dom0s is that they are not listening on the network, they have no users (other than admins), run little (mainly ssh-client) non-base install software, and they are physically secure. We have not yet seen a domU -> dom0 escalation attack (anyone else?). It may come eventually but thankfully it's not here yet. We could also build Xen from source, and examine the Xen diffs in great detail, but we aren't *that* paranoid, yet.

Really the only known way to compromise a system and kernel in this environment is to control the mirror/media, control the Xen build environment or control ring -1 (think "blue pill"[2] - heh, installing Xen inside an already virtualized system would quickly degrade the quality of life).

So, reducing the circle of trust is a very good thing. Trusting your vendors and yourself (i.e. your mirror, admins, and process) is about as good as it gets.

Scott

---------
[1] http://cryptography.hyperlink.cz/MD5_collisions.html
[2] http://en.wikipedia.org/wiki/Blue_Pill_(malware)

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
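An added example, not code from Scott or from the thread: a baseline-and-verify check in Python that records SHA-256 alongside MD5 together with the stat fields he lists (permissions, size, owner, group, time), so a swapped binary whose MD5 and metadata still match the recorded copy is flagged rather than passing. The sample file and its path are constructed for the example.

```python
"""Fingerprint executables with MD5 *and* SHA-256 plus the stat fields an
admin would eyeball, then classify any difference against a baseline."""
import hashlib
import os
import stat

# The "nothing else changed" fields from the discussion (ls -l view).
METADATA_FIELDS = ("size", "mode", "uid", "gid", "mtime")


def fingerprint(path):
    """Return both digests and the stat metadata for one file."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    st = os.stat(path)
    return {
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": int(st.st_mtime),
    }


def compare(baseline, current):
    """Classify the difference between a recorded and a fresh fingerprint.

    Returns a list of findings; an empty list means the file is unchanged.
    """
    findings = []
    if baseline["sha256"] != current["sha256"]:
        if baseline["md5"] == current["md5"]:
            # Same MD5, different SHA-256: the case an MD5-only check
            # cannot see at all.
            findings.append("content changed but MD5 still matches (suspected collision)")
        else:
            findings.append("content changed")
        if all(baseline[f] == current[f] for f in METADATA_FIELDS):
            # Content replaced without touching the fields admins look at.
            findings.append("stat metadata unchanged (stealthy replacement)")
    for f in METADATA_FIELDS:
        if baseline[f] != current[f]:
            findings.append(f"{f} changed: {baseline[f]} -> {current[f]}")
    return findings
```

Store the baseline fingerprints off-host (or on read-only media) and run `compare` from a dom0 or another machine you trust, since a kernel rootkit on the checked host can lie to `open()` and `stat()` alike.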