FreeBSD trusted execution system: beta testers wanted

From: Christian S.J. Peron (csjp_at_freebsd.org)
Date: 03/11/05

    Date: Fri, 11 Mar 2005 15:29:51 +0000
    To: freebsd-security@freebsd.org

    All,

    I have written a trusted execution module and would appreciate if anyone could
    help in testing. This module provides functionality similar to NetBSD's
    verified exec mechanism. Once the design details of this security policy have
    been solidified, I will be releasing a white paper which describes the
    technical implementation in greater detail.

    The mac_chkexec policy logic can be found here:

            http://people.freebsd.org/~csjp/mac/trustedexec.png

    Q: What is mac_chkexec?
    A: It's a mandatory access control policy which ensures that if the code
       contained in a binary, shell script, shared object or kernel module has
       been modified from its "trusted" form, it can not be executed. It also
       ensures that untrusted code can not be executed, i.e. if an adversary
       uploads an agent or rogue program, it should not be executed.

       In addition, dependencies are supported. Since configuration files,
       system databases or other files can alter how a program runs, it is
       possible to make the policy verify the integrity of these dependencies
       before allowing the execution of the object.

    Q: What is required to run mac_chkexec?
    A: This policy requires that options MAC be compiled into your kernel.
       Since it depends on extended attributes for dependency and checksum
       storage, it also requires UFS2. This security policy requires
       FreeBSD 5.X.

    Q: How do I set this up and test it?
    A:
        cd /usr/src/sys
        fetch http://people.freebsd.org/~csjp/mac/mac_vnode_mmap.1106783302.diff
        patch < mac_vnode_mmap.1106783302.diff

    NOTE: Patch should work against -CURRENT or RELENG_5

       Add the following line to your kernel config:

            options MAC

       Now recompile and install your kernel.

       Download, build and install the mac_chkexec kernel module:

        fetch http://people.freebsd.org/~csjp/mac/mac_chkexec.1110510616.tar.gz
        tar zxvf mac_chkexec.1110510616.tar.gz
        cd mac_chkexec
        make
        make install

       The policy can be loaded using:

        kldload mac_chkexec

       Download, build and install the set{get}fhash user-space utility:

        cd /usr/src/usr.sbin
        fetch http://people.freebsd.org/~csjp/mac/getfhash.1110501625.shar
        sh getfhash.1110501625.shar
        cd getfhash
        make
        make install
        ln -s /usr/sbin/getfhash /usr/sbin/setfhash

    Q: I have everything installed, how do I generate my baseline?
    A: Easy, load the module and run your system like you would any other day. By
       default when you load the module without "enforcing" the policy, the trusted
       exec system is in "learning" mode, which means anytime an object gets
       executed, a checksum is computed and stored with the object.

       If you do not want to wait for nature to take its course, you can always
       force the calculation and storage of checksums using setfhash.

        setfhash /bin/ls

    Q: How can I see what checksum is currently registered for an object?
    A:
        getfhash /bin/ls

    Q: How can I set dependencies for an object?
    A:
        setfhash -m /etc/rc.firewall /bin/ipfw

       Executables can have more than one dependency. You can use a colon to
       separate them:

        setfhash -m /path/foo:/path/foo/test /bin/ls

    NOTE: DEPENDENCY PATHNAMES ARE RELATIVE TO THE CALLING PROCESS, WHICH
          COMPLICATES THINGS IN CHROOT OR JAIL ENVIRONMENTS.

    Q: OK, I've generated my baseline, now how do I start enforcing the policy?
    A:
            sysctl security.mac.chkexec.enforce=1

    NOTE: If you plan on doing a buildworld, you might want to increase the
          cache size to something like 1024

            sysctl security.mac.chkexec.cache.objmax=1024

    Good luck & Thanks!

    -- 
    Christian S.J. Peron
    csjp@FreeBSD.ORG
    FreeBSD Committer
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
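As an added illustration that is not part of the mail above or of the mac_chkexec module itself: a Python model of the learning/enforcing checksum policy with dependency verification that the mail describes. The in-memory Filesystem standing in for UFS2 extended attributes, the xattr names, the choice of SHA-256, and the assumption that learning mode overwrites an existing checksum on execution are all mine; the real module's on-disk format and hash algorithm are not stated on the page.

```python
import hashlib

# Hypothetical xattr names standing in for the module's real extended attributes.
HASH_ATTR = "chkexec.hash"
DEPS_ATTR = "chkexec.deps"


class Filesystem:
    """Constructed in-memory stand-in for a UFS2 volume: each path maps to
    its content and a dict of extended attributes."""

    def __init__(self):
        self.files = {}

    def write(self, path, data):
        # Rewriting a file keeps its xattrs, as an in-place modification would.
        _, xattrs = self.files.get(path, (b"", {}))
        self.files[path] = (data, xattrs)

    def read(self, path):
        return self.files[path][0]

    def getxattr(self, path, name):
        return self.files[path][1].get(name)

    def setxattr(self, path, name, value):
        self.files[path][1][name] = value


class TrustedExec:
    """Learning/enforcing checksum policy modelled on the mail's description."""

    def __init__(self, fs):
        self.fs = fs
        self.enforce = False  # like sysctl security.mac.chkexec.enforce=0

    def hash_of(self, path):
        return hashlib.sha256(self.fs.read(path)).hexdigest()

    def setfhash(self, path, deps=None):
        """Force checksum storage, like 'setfhash [-m dep:dep] path'."""
        self.fs.setxattr(path, HASH_ATTR, self.hash_of(path))
        if deps is not None:
            self.fs.setxattr(path, DEPS_ATTR, ":".join(deps))

    def getfhash(self, path):
        """Like 'getfhash path': the registered checksum, or None."""
        return self.fs.getxattr(path, HASH_ATTR)

    def _verify(self, path):
        """Return None if path matches its registered checksum, else a reason."""
        stored = self.getfhash(path)
        if stored is None:
            return f"{path}: no checksum registered (untrusted)"
        if stored != self.hash_of(path):
            return f"{path}: checksum mismatch (modified)"
        return None

    def check_exec(self, path):
        """Decide whether executing path is allowed; returns (allowed, reason)."""
        if not self.enforce:
            # Learning mode: record the checksum of whatever runs and allow it.
            # (Assumption: an existing, differing checksum is overwritten.)
            self.fs.setxattr(path, HASH_ATTR, self.hash_of(path))
            return True, f"{path}: learned"
        problem = self._verify(path)
        if problem is None:
            # Enforcing: every colon-separated dependency must verify too.
            deps = self.fs.getxattr(path, DEPS_ATTR)
            for dep in (deps.split(":") if deps else []):
                problem = self._verify(dep)
                if problem:
                    break
        if problem:
            return False, problem
        return True, f"{path}: trusted"


def demo():
    """Walk through baseline, enforcement, a rogue upload and tampering."""
    fs = Filesystem()
    fs.write("/bin/ipfw", b"ELF ipfw binary (constructed)")
    fs.write("/etc/rc.firewall", b"firewall rules v1 (constructed)")
    fs.write("/tmp/rogue", b"uploaded agent (constructed)")
    te = TrustedExec(fs)
    results = [te.check_exec("/bin/ipfw")[0]]        # learning mode: allowed
    te.setfhash("/etc/rc.firewall")
    te.setfhash("/bin/ipfw", deps=["/etc/rc.firewall"])
    te.enforce = True                                 # enforce=1
    results.append(te.check_exec("/bin/ipfw")[0])     # baseline intact: allowed
    results.append(te.check_exec("/tmp/rogue")[0])    # never registered: denied
    fs.write("/etc/rc.firewall", b"firewall rules v2 (tampered)")
    results.append(te.check_exec("/bin/ipfw")[0])     # dependency changed: denied
    fs.write("/bin/ipfw", b"trojaned ipfw (constructed)")
    results.append(te.check_exec("/bin/ipfw")[0])     # binary changed: denied
    return results


if __name__ == "__main__":
    print(demo())
```

The dependency check in this model only covers the paths named in the object's own dependency list, and they are matched literally, which mirrors the mail's caveat that dependency pathnames are resolved relative to the calling process and so behave differently inside a chroot or jail.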
    
