ctl-alt-del/secure attention sequence

Bengt Richter bokr at accessone.com
Sat Apr 15 00:23:03 GMT 2000


At 10:18 2000-04-13 -0400, John Baldwin wrote:
>
>On 13-Apr-00 Kris Kennaway wrote:
>> On Wed, 12 Apr 2000, Bengt Richter wrote:
>>> Someone suggested that kbdcontrol might be able to disable ctl-alt-del.
>>> From a quick skim of the man page it wasn't immediately obvious to me how,
>>> but if so, I think that would have to be changed in order to make ctl-alt-del
>>> a proper SAK (which of course is a different ball game from the default
>>> reboot issue). It would solve my immediate accident-prevention need though :)
>> 
>> I'm not sure about this - check on a FreeBSD list.
>
>You just edit the keymap to remove the binding of ctrl-alt-del to reboot.
>This takes effect immediately without having to recompile anything.
>
>> Kris
>
>-- 
>
>John Baldwin <jhb at FreeBSD.org> -- http://www.FreeBSD.org/~jhb/
>PGP Key: http://www.cslab.vt.edu/~jobaldwi/pgpkey.asc
>"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/
>
	Thanks. I won't pursue further offtopic details on that here.
	If/when SAK is something you want to pursue, I would think that
you will be concerned with minimizing security weaknesses at the console
(realising that power/reset buttons must also be physically secured).
	Either you will want a dedicated trigger for SAK, or you may
want to use some keyboard combination. Since the latter requires no new
hardware, it is probably the path of least resistance. The choice of
"overloading" the ctl-alt-del combination for use as SAK seems to accomplish
two things at once: (1) It eliminates reboot except by authorised users, and
(2) it provides a SAK if properly implemented. (1) is desirable since you
may be able to separate security concerns in the boot/startup sequence from
the security of the running system per se (besides the obvious unacceptability
of unauthorised rebooting by any means). (2), it seems to me, would require
detecting the ctl-alt-del key as early in the processing sequence as possible
(i.e., in the interrupt routine), so that the amount of software involved in
its secure function can be minimized and the relevant functionality separated
to appropriate modules (less to audit). That would mean not passing that key
on through remapping etc. -- and removing the console driver call to
shutdown_nice(), so that no other keys could be mapped to cause booting.
	I hope the above is on topic. I apologize for discussing my preference
for moving the default behavior of the current system in this direction even
before real security considerations demand it, and other elements are missing.
(Hm, I guess that was a loaded apology ;-)

Regards,
Bengt Richter
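The keymap edit John Baldwin describes above, and the follow-up check that "no other keys could be mapped to cause booting", as an added example that is not part of the original thread or of the FreeBSD sources. It assumes the syscons keymap text format that `kbdcontrol -d` emits (one scancode per line, ten whitespace-separated action columns, `#` comment lines), in which the ctrl-alt-del reboot appears as the `boot` action in the alt-cntrl columns of the two Delete scancodes. The keymap excerpt embedded in the script is constructed for the demonstration, not a dump from a real machine.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeBSD.
# Neutralise every "boot" action in a syscons keymap so that no key chord
# reaches the console driver's reboot path, then verify none survived.
# Assumed format: the text `kbdcontrol -d` prints (scancode followed by
# base, shift, cntrl, shift-cntrl, alt, alt-shift, alt-cntrl,
# alt-shift-cntrl and lock-state columns; '#' starts a comment).

# Constructed sample keymap excerpt (not a real dump): scancodes 083 and
# 211 are the keypad Delete and the grey Delete key, both carrying "boot"
# on their alt-cntrl columns, i.e. ctrl-alt-del.
sample_keymap() {
cat <<'EOF'
# scan                       cntrl          alt    alt   cntrl lock
# code  base   shift  cntrl  shift  alt    shift  cntrl  shift state
# ------------------------------------------------------------------
 000   nop    nop    nop    nop    nop    nop    nop    nop     O
 001   esc    esc    esc    esc    esc    esc    debug  esc     O
 083   del    '.'    '.'    '.'    del    '.'    boot   boot    N
 211   del    del    del    del    del    del    boot   boot    O
EOF
}

# Read a keymap on stdin, write it on stdout with every whole-token "boot"
# action replaced by "nop". Comment lines pass through untouched; data
# lines are re-emitted with single-space separators, which kbdcontrol -l
# accepts because column alignment is cosmetic. Only the action columns
# (fields 2..NF) are examined, so the scancode column is never altered.
disable_boot_keys() {
    awk '
        /^[[:space:]]*#/ { print; next }
        {
            for (i = 2; i <= NF; i++) if ($i == "boot") $i = "nop"
            print
        }'
}

# Read a keymap on stdin and print how many "boot" actions remain on any
# scancode. This is the check for the "no other keys could be mapped to
# cause booting" requirement: a hardened keymap must yield 0, whichever
# scancode the action had been moved to.
count_boot_actions() {
    awk '
        !/^[[:space:]]*#/ { for (i = 2; i <= NF; i++) if ($i == "boot") n++ }
        END { print n + 0 }'
}

# Stand-alone demonstration on the constructed sample. On a real host the
# same pipeline would be:
#   kbdcontrol -d | disable_boot_keys > /tmp/noreboot.kbd
#   [ "$(count_boot_actions < /tmp/noreboot.kbd)" = 0 ] && kbdcontrol -l /tmp/noreboot.kbd
echo "boot actions before: $(sample_keymap | count_boot_actions)"
sample_keymap | disable_boot_keys
echo "boot actions after:  $(sample_keymap | disable_boot_keys | count_boot_actions)"
```

The count is taken over every scancode rather than just 083 and 211, because the weakness the post points at is not the default binding but the existence of the `boot` action at all: a keymap that merely moves it to another chord is no safer. The `debug` action on scancode 001 in the sample is left alone here; it is the analogous console hazard (drop into the kernel debugger) and would warrant the same treatment on a machine whose console is exposed. Note that on FreeBSD releases later than this thread the keyboard reboot can also be switched off with the `hw.syscons.kbd_reboot` sysctl, which is independent of the keymap; that knob postdates the 2000 discussion.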


To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message
