Of what use is that here? The infected online computer has to have write access, and the secure to-be-infected offline computer needs read access (for the first part of the signing). With that, the malware will be able to reach the offline computer no matter what. The question is to prevent it from executing on the offline machine. After that, with both machines infected, all is lost anyway.
I may be missing something here?
Ente
You can create a big partition, filled by lots and lots of files, unknown to any program on the online computer, so the malware on the online computer, without knowledge of the underlying structure of the FS, should have a very slim chance of putting itself somewhere auto-executable (on the contrary, it may even make the filesystem unmountable by overwriting some essential metadata) after the decryption, as the space allocation is not contiguous and linear. Armory, otoh, could be instructed to write transaction data to some designated places, to be recovered later.
In theory, yes.
We are speaking of a highly targeted Armory-infecting malware here. Armory is open-source, for good reason. The malware author would know what files/sections Armory uses, and would ignore the bogus other file/area. Security by obscurity isn't a good solution, and always a bad solution when the stuff is public ;-)
Also, malware would either have to make use of an unknown bug in Armory which executes code, or an unknown bug in the (linux?) OS of the offline computer while mounting the USB stick.
I guess absolutely nothing helps against these two vectors, if exploitable bugs are known to the attacker.
We could make the transferred data a limited length, or even better, human-readable. This would make an attack more difficult, but still not impossible.
As long as we transfer data in both directions, there can't be provable/100%/total security.
If there is a way to make sure my offline Linux box won't be infected by a USB stick when I plug it in, totally independent of the whole Armory scenario, I am satisfied. As long as I am not the target of real humans, that is..
Ente
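The "limited length, human-readable" idea from the post above, sketched as an offline-side intake check that runs before any parser sees the transferred bytes. This is an added example, not part of the thread and not Armory's code; the size limits, the allowed character set and the sample payload are assumptions chosen for illustration. It narrows what a parser can be fed and does nothing about a bug triggered while the OS mounts the stick.

```python
import string

# Assumed policy values for illustration; not Armory's real format or limits.
MAX_BYTES = 4096
MAX_LINE = 80
# Whitelist of byte values: letters, digits and a few separators. No control bytes.
ALLOWED = frozenset((string.ascii_letters + string.digits + " =:-_").encode())


class RejectedTransfer(ValueError):
    """Raised when the transferred data violates the intake policy."""


def read_bounded(path, limit=MAX_BYTES):
    """Read at most limit+1 bytes so an oversized file is never loaded in full."""
    with open(path, "rb") as fh:
        data = fh.read(limit + 1)
    if len(data) > limit:
        raise RejectedTransfer("file exceeds %d bytes" % limit)
    return data


def validate_transfer(data, limit=MAX_BYTES):
    """Return the payload as a list of text lines, or raise RejectedTransfer."""
    if not data or len(data) > limit:
        raise RejectedTransfer("payload is empty or exceeds %d bytes" % limit)
    lines = data.split(b"\n")
    if lines[-1] == b"":
        lines.pop()  # tolerate exactly one trailing newline
    checked = []
    for number, line in enumerate(lines, 1):
        if not line or len(line) > MAX_LINE:
            raise RejectedTransfer("line %d: bad length" % number)
        for byte in line:
            if byte not in ALLOWED:  # rejects NUL, CR, escapes, non-ASCII
                raise RejectedTransfer(
                    "line %d: byte 0x%02x not allowed" % (number, byte))
        checked.append(line.decode("ascii"))
    return checked


if __name__ == "__main__":
    # Constructed sample payload, not a real Armory transaction file.
    print(validate_transfer(b"TXSIGN v1\nid:ab12cd34\nEND\n"))
```

Anything the check rejects is dropped without further processing; only the returned lines are handed on.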