Christian S.J. Peron
2005-Mar-12 05:37 UTC
FreeBSD trusted execution system: beta testers wanted
All,

I have written a trusted execution module and would appreciate it if anyone could help in testing. This module provides functionality similar to NetBSD's verified exec mechanism. Once the design details of this security policy have been solidified, I will be releasing a white paper which describes the technical implementation in greater detail.

The mac_chkexec policy logic can be found here:

http://people.freebsd.org/~csjp/mac/trustedexec.png

Q: What is mac_chkexec?

A: It's a mandatory access control policy which ensures that if the code contained in a binary, shell script, shared object or kernel module has been modified from its "trusted" form, it cannot be executed. It also ensures that untrusted code cannot be executed, i.e. if an adversary uploads an agent or rogue program, it should not be executed. In addition, dependencies are supported. Since configuration files, system databases or other files can alter how a program runs, it is possible to make the policy verify the integrity of these dependencies before allowing the execution of the object.

Q: What is required to run mac_chkexec?

A: This policy requires that "options MAC" be compiled into your kernel. Since it depends on extended attributes for dependency and checksum storage, it also requires UFS2. This security policy requires FreeBSD 5.X.

Q: How do I set this up and test it?

A:

    cd /usr/src/sys
    fetch http://people.freebsd.org/~csjp/mac/mac_vnode_mmap.1106783302.diff
    patch < mac_vnode_mmap.1106783302.diff

NOTE: Patch should work against -CURRENT or RELENG_5.

Add the following line to your kernel config:

    options MAC

Now recompile and install your kernel.

Download, build and install the mac_chkexec kernel module:

    fetch http://people.freebsd.org/~csjp/mac/mac_chkexec.1110510616.tar.gz
    tar zxvf mac_chkexec.1110510616.tar.gz
    cd mac_chkexec
    make
    make install

The policy can be loaded using:

    kldload mac_chkexec

Download, build and install the set{get}fhash user-space utility:

    cd /usr/src/usr.sbin
    fetch http://people.freebsd.org/~csjp/mac/getfhash.1110501625.shar
    sh getfhash.1110501625.shar
    cd getfhash
    make
    make install
    ln -s /usr/sbin/getfhash /usr/sbin/setfhash

Q: I have everything installed, how do I generate my baseline?

A: Easy, load the module and run your system like you would any other day. By default, when you load the module without "enforcing" the policy, the trusted exec system is in "learning" mode, which means any time an object gets executed, a checksum is computed and stored with the object. If you do not want to wait for nature to take its course, you can always force the calculation and storage of checksums using setfhash:

    setfhash /bin/ls

Q: How can I see what checksum is currently registered for an object?

A:

    getfhash /bin/ls

Q: How can I set dependencies for an object?

A:

    setfhash -m /etc/rc.firewall /bin/ipfw

Executables can have more than one dependency. You can use a colon to separate them:

    setfhash -m /path/foo:/path/foo/test /bin/ls

NOTE: DEPENDENCY PATHNAMES ARE RELATIVE TO THE CALLING PROCESS, WHICH COMPLICATES THINGS IN CHROOT OR JAIL ENVIRONMENTS.

Q: OK, I've generated my baseline, now how do I start enforcing the policy?

A:

    sysctl security.mac.chkexec.enforce=1

NOTE: If you plan on doing a buildworld, you might want to increase the cache size to something like 1024:

    sysctl security.mac.chkexec.cache.objmax=1024

Good luck & thanks!

-- 
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer
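The learning/enforcing model described in the announcement above, as an added example that is not part of mac_chkexec or the post. The real policy keeps the SHA-1 and the dependency list in UFS2 extended attributes and is consulted by the kernel on exec; this model keeps them in an in-memory Registry and takes a constructed dict as its "file system". The names Registry, setfhash, getfhash, check_exec and resolve are assumptions for this example, as is the rule that a dependency must itself have a registered checksum before it counts as intact; the error strings are illustrative and do not mirror the module's own.

```python
import hashlib
from dataclasses import dataclass, field


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


@dataclass
class Registry:
    """Stand-in for the per-object extended attributes plus the enforce sysctl.
    (Assumed structure for this example, not the module's on-disk format.)"""
    enforce: bool = False                          # security.mac.chkexec.enforce
    hashes: dict = field(default_factory=dict)     # path -> registered sha1 hex digest
    deps: dict = field(default_factory=dict)       # path -> list of dependency paths


def resolve(root: str, path: str) -> str:
    """Dependency pathnames are looked up relative to the calling process,
    so a process with root /jail resolves /etc/rc.firewall to /jail/etc/rc.firewall."""
    if root == "/":
        return path
    return root.rstrip("/") + path


def setfhash(reg: Registry, fs: dict, path: str, deps=None) -> str:
    """Force checksum calculation and storage (setfhash; `deps` mirrors -m)."""
    reg.hashes[path] = sha1_hex(fs[path])
    if deps is not None:
        reg.deps[path] = list(deps)
    return reg.hashes[path]


def getfhash(reg: Registry, path: str):
    """Return the registered checksum, or None if the object is unregistered."""
    return reg.hashes.get(path)


def check_exec(reg: Registry, fs: dict, path: str, root: str = "/"):
    """Decide whether executing `path` is allowed; returns (allowed, reason).
    The executable itself is identified by the object being exec'd (the kernel
    has its vnode), so only the dependency lookups are path-based."""
    if path not in fs:
        return False, "ENOENT"
    current = sha1_hex(fs[path])
    stored = reg.hashes.get(path)
    if not reg.enforce:
        if stored is None:
            reg.hashes[path] = current   # learning mode: first exec registers the object
        return True, "learning"
    if stored is None:
        return False, "EPERM: untrusted (no checksum registered)"
    if stored != current:
        return False, "EPERM: object modified"
    for dep in reg.deps.get(path, []):
        dep_path = resolve(root, dep)
        if dep_path not in fs:
            return False, "EPERM: dependency %s missing" % dep_path
        dep_hash = reg.hashes.get(dep_path)
        if dep_hash is None or dep_hash != sha1_hex(fs[dep_path]):
            return False, "EPERM: dependency %s modified or unregistered" % dep_path
    return True, "ok"


def demo():
    """Walk the baseline-then-enforce workflow over a constructed file system."""
    fs = {                                   # constructed contents, not real binaries
        "/bin/ipfw": b"ipfw binary, trusted build",
        "/etc/rc.firewall": b"open firewall rule set",
        "/tmp/agent": b"rogue agent dropped by an intruder",
    }
    reg = Registry()
    out = []
    out.append(check_exec(reg, fs, "/bin/ipfw"))                  # learning mode registers it
    setfhash(reg, fs, "/etc/rc.firewall")                         # baseline the config file
    setfhash(reg, fs, "/bin/ipfw", deps=["/etc/rc.firewall"])     # setfhash -m /etc/rc.firewall /bin/ipfw
    reg.enforce = True                                            # sysctl security.mac.chkexec.enforce=1
    out.append(check_exec(reg, fs, "/bin/ipfw"))                  # trusted object, intact dependency
    out.append(check_exec(reg, fs, "/tmp/agent"))                 # never registered: denied
    out.append(check_exec(reg, fs, "/bin/ipfw", root="/jail"))    # jailed caller: dependency path misses
    fs["/etc/rc.firewall"] = b"open firewall rule set\nallow ip from any to any"
    out.append(check_exec(reg, fs, "/bin/ipfw"))                  # config tampered: denied
    fs["/bin/ipfw"] = b"ipfw binary, backdoored"
    out.append(check_exec(reg, fs, "/bin/ipfw"))                  # binary replaced: denied
    return out


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The jail case is the one to watch: with the caller's root at /jail, the dependency registered as /etc/rc.firewall is looked up as /jail/etc/rc.firewall, which here does not exist, so an otherwise intact ipfw is refused. In the model the learning-mode exec registers the object once and never re-registers a changed one, which is what makes "run your system like any other day" a usable baseline only while the host is known-clean.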
On Fri, 2005-Mar-11 15:29:51 +0000, Christian S.J. Peron wrote:
> I have written a trusted execution module and would appreciate if anyone could
> help in testing. This module provides a functionality similar to NetBSD's
> verified exec mechanism. Once the design details of this security policy has
> been solidified, I will be releasing a white paper which describes the
> technical implementation in greater detail.

Sounds good.

> Download, build and install the mac_chkexec kernel module:
> 
> fetch http://people.freebsd.org/~csjp/mac/mac_chkexec.1110510616.tar.gz
> tar zxvf mac_chkexec.1110510616.tar.gz
> cd mac_chkexec
> make
> make install

Unfortunately, the existing file is incompatible with the "standard" kernel building process. The instructions above seem to work but since it's a separate step from buildkernel/installkernel, I'm sure to forget it at some time.

If I unpack it into /sys/modules and add "SUBDIR += mac_chkexec" to /sys/modules/Makefile it blows up with:

    ===> mac_chkexec
    @ -> /usr/src/sys
    machine -> /usr/src/sys/i386/include
    awk -f @/tools/vnode_if.awk @/kern/vnode_if.src -h
    rm -f .depend
    mkdep -f .depend -a -nostdinc -I/usr/src/sys/crypto -D_KERNEL -DKLD_MODULE -I- -I/usr/src/sys/crypto -I. -I@ -I@/contrib/altq -I@/../include -I/usr/obj/usr/src/i386/usr/include -I/usr/obj/usr/src/sys/fwall /usr/src/sys/crypto//sha1.c /usr/src/sys/modules/mac_chkexec/mac_chkexec.c
    /usr/src/sys/modules/mac_chkexec/mac_chkexec.c:61:25: mac_chkexec.h: No such file or directory
    mkdep: compile failed
    *** Error code 1

I also notice that the Makefile has /usr/src/sys hard-coded into it. Can I suggest the following patch:

server# diff -u Makefile~ Makefile
--- Makefile~ Fri Mar 11 14:09:20 2005
+++ Makefile Sun Mar 13 09:56:42 2005
@@ -1,5 +1,5 @@
-.PATH: /usr/src/sys/crypto/
-CFLAGS+= -I/usr/src/sys/crypto
+.PATH: ${.CURDIR}/../../crypto
+CFLAGS+= -I${.CURDIR} -I${.CURDIR}/../../crypto
 KMOD= mac_chkexec
 SRCS= vnode_if.h \
server#

-- 
Peter Jeremy
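Review bot: the `${.CURDIR}/../../crypto` in both `+` lines of the `@@ -1,5 +1,5 @@` hunk ties the Makefile to a checkout at sys/modules/mac_chkexec; built from a tarball unpacked anywhere else, as the announcement's own instructions direct, `.PATH` and the `-I` point at a directory that does not exist and sha1.c is no longer found, so that placement requirement should be stated in a comment above `.PATH` or the root should come from an overridable variable, e.g. `SYSDIR?= ${.CURDIR}/../..` followed by `.PATH: ${SYSDIR}/crypto`. The added `-I${.CURDIR}` is the part that actually cures the `mac_chkexec.h: No such file or directory` failure in the quoted build log and deserves a line of explanation, since it is otherwise easy to drop when the two `-I` paths are next merged.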
Christian S.J. Peron wrote:
> 
> I have written a trusted execution module and would appreciate if anyone could
> help in testing. This module provides a functionality similar to NetBSD's
> verified exec mechanism.

Excellent! Sounds like something that could provide a lot of additional protection against trojans and worms. Wish I had time to play with it right now....

Tim
On Sat, 12 Mar 2005 15:38:17 +0200 owner-freebsd-security@freebsd.org wrote:
> I have written a trusted execution module and would appreciate if anyone
> could help in testing. This module provides a functionality similar to NetBSD's
> verified exec mechanism. Once the design details of this security policy
> has been solidified, I will be releasing a white paper which describes the
> technical implementation in greater detail.

It would be great to implement some logging to files with fixed tag.

Thanks!

-- 
Best regards,
Palij Oleg, ISC (Pridn railway)
jid: malik@jabber.te.ua
Hi!

Thanks for developing such an interesting feature :) ! But I have some problems which I can't understand.

    # sysctl security.mac.chkexec.enforce=0
    security.mac.chkexec.enforce: 1 -> 0
    # setfhash /usr/local/sbin/logrotate
    # getfhash /usr/local/sbin/logrotate
    /usr/local/sbin/logrotate: sha1 78513a038cd9416f2be710b6732369b96874b364
    # sysctl security.mac.chkexec.enforce=1
    security.mac.chkexec.enforce: 0 -> 1
    # /usr/local/sbin/logrotate
    bash: /usr/local/sbin/logrotate: Operation not permitted
    # getfhash /usr/local/sbin/logrotate
    /usr/local/sbin/logrotate: sha1 78513a038cd9416f2be710b6732369b96874b364

How can I see what exactly goes wrong?

Oleg.
Christian S.J. Peron
2005-Mar-20 05:35 UTC
FreeBSD trusted execution system: beta testers wanted
All,

Thanks for all the input. I have updated the code as per some of the comments which came in around testing. The following changes were made:

- modify setfhash/getfhash to use the filename of the pathname portion. This will unbreak set/getfhash if it was invoked using ./ or the complete pathname.
- the kernel implementation of setfhash was a bad idea. It used to use the utimes syscall. This especially caused problems with various port or source builds on NFS file systems exiting with EIO or various other errors. I replaced the kernel implementation with a sysctl, and modified the setfhash utility to use this instead.
- add additional printf's to tell people where/why things went wrong. It should be noted that these printfs are only executed if the module is compiled with DEBUG set (see the Makefile).
- change Makefiles and file locations to be more consistent with the system build practices.

NOTE: IF YOU HAVE ALREADY PATCHED YOUR KERNEL, SKIP THE KERNEL PATCH/REBUILD

    cd /usr/src/sys
    fetch http://www.freebsd.org/~csjp/mac/mac_vnode_mmap.1106783302.diff
    patch < mac_vnode_mmap.1106783302.diff
    # REBUILD YOUR KERNEL

    cd /usr/src/sys/modules
    mkdir /usr/src/sys/modules/mac_chkexec
    cd /usr/src/sys/modules/mac_chkexec
    fetch http://www.freebsd.org/~csjp/mac/Makefile

    cd /usr/src/usr.sbin
    fetch http://www.freebsd.org/~csjp/mac/getfhash.1111165779.shar
    sh getfhash.1111165779.shar
    cd getfhash
    make
    make install
    make clean

    cd /usr/src/sys/security
    fetch http://www.freebsd.org/~csjp/mac/mac_chkexec.1111165827.shar
    sh mac_chkexec.1111165827.shar
    cd /usr/src/sys/modules/mac_chkexec
    make
    make install
    make clean

-- 
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer