Comments on Codepimps: Secure IPC in OS X - Part 1

Anonymous, 2009-03-10 21:55 (UTC-4):

I think the use case you're targeting needs to be clarified.

If you're worried about someone reaching the private key, and both the server and the client are running locally, what would prevent a user with administrative rights from stripping the code signature from both the server and the client? Or replacing it altogether?

At this point, if the service is verifying the client, the string holding the certificate's hash is all that is protecting it from unauthorized access.

If the user doesn't have complete control over higher-integrity processes, then what would be the advantages of this approach over a simple MAC?

Here, what comes to mind is that it's not possible to extract the private key and, as such, not possible to communicate directly with the server. Again, not much of an advantage if you have administrative rights.

Finally, it's not clear if this technique is verifying executable images versus running processes. It's still easy to modify the running image versus the protected code segments on disk.

Tim, 2009-03-11 10:36 (UTC-4):

> I think the use case you're targeting needs to be clarified.

It seems I didn't make it clear that the secure IPC setup I'm talking about does not use any encryption, only identity-based security. The "secure" part comes from the guarantee that unless the server's binary is changed on disk (which requires root access), the only clients that can connect are those code-signed by me.

Unless I've misunderstood, the issues you raised all require root access to the machine, in which case there is nothing that can protect you.

> Finally, it's not clear if this technique is verifying executable images versus running processes. It's still easy to modify the running image versus the protected code segments on disk.

OS X implements dynamic signature verification, so if the runtime image changes, the code signature becomes invalid; albeit, it isn't very well documented yet.

Anonymous, 2009-03-11 10:55 (UTC-4):

So if the use case here assumes no root access, what is the advantage of this solution versus a simple MAC?

Here, it would seem that the advantage is that even without root access, the binary can still be read by normal users and the private key could still be extracted to create a new client.

Tim, 2009-03-11 11:00 (UTC-4):

What do you mean by a simple MAC?

Anonymous, 2009-03-11 11:03 (UTC-4):

A message authentication code (http://en.wikipedia.org/wiki/Message_authentication_code).

Anonymous, 2009-03-11 11:12 (UTC-4):

Basically, with the current strategy, I believe you have authenticity but not integrity.
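The "simple MAC" alternative discussed in this thread, as an added example that is not part of the original post or any commenter's code: each IPC message is framed with an HMAC-SHA256 tag under a shared key, the receiver rejects any frame whose tag does not verify (the integrity property the last comment says the identity-only design lacks), and the final check shows the weakness raised against it, namely that anyone who can read the key out of a client binary can forge frames the server will accept. The key value, the message format (length || payload || tag) and the sample messages are constructed for the example; the HMAC and comparison calls are from Python's standard library.

```python
import hashlib
import hmac
import os
import struct

# Constructed shared secret, standing in for a key compiled into a client
# binary that any local user can read (the weakness raised in the thread).
SHARED_KEY = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"
)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def tag(key: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 over the payload: the 'simple MAC' from the comments."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def seal(key: bytes, payload: bytes) -> bytes:
    """Wire frame (constructed format): 4-byte big-endian length || payload || tag."""
    return struct.pack(">I", len(payload)) + payload + tag(key, payload)


def open_frame(key: bytes, frame: bytes):
    """Return the payload if its tag verifies under key, else None."""
    if len(frame) < 4 + TAG_LEN:
        return None
    (n,) = struct.unpack(">I", frame[:4])
    if len(frame) != 4 + n + TAG_LEN:
        return None
    payload, received = frame[4:4 + n], frame[4 + n:]
    # Constant-time comparison so the verification itself does not leak the tag.
    if not hmac.compare_digest(received, tag(key, payload)):
        return None
    return payload


def tampered_copy(frame: bytes) -> bytes:
    """Flip one bit of the first payload byte, leaving length and tag intact."""
    b = bytearray(frame)
    b[4] ^= 0x01
    return bytes(b)


def demo() -> dict:
    results = {}
    legit = seal(SHARED_KEY, b"SET volume=11")
    results["accepted"] = open_frame(SHARED_KEY, legit) == b"SET volume=11"
    # Integrity: a modified message fails verification.
    results["tamper_rejected"] = open_frame(SHARED_KEY, tampered_copy(legit)) is None
    # A process that does not hold the key cannot produce an acceptable frame.
    stranger = seal(os.urandom(32), b"SET volume=0")
    results["wrong_key_rejected"] = open_frame(SHARED_KEY, stranger) is None
    # Authenticity, however, is only as strong as the key's secrecy: a user who
    # extracts the key from the client binary forges a frame the server accepts.
    forged = seal(SHARED_KEY, b"SET volume=0")
    results["forged_with_extracted_key"] = open_frame(SHARED_KEY, forged) == b"SET volume=0"
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run as a script it reports all four checks as True. The first three are what a MAC buys you over an identity-only check; the fourth is the objection in the thread: with the key readable by every local user, the MAC authenticates "someone holding the key", not "a binary I signed", so neither approach alone resolves the disagreement about which property matters for this IPC.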