FreeBSD trusted execution system: beta testers wanted
Christian S.J. Peron
csjp at freebsd.org
Fri Mar 11 07:29:52 PST 2005
All,
I have written a trusted execution module and would appreciate it if anyone could
help in testing. This module provides functionality similar to NetBSD's
verified exec mechanism. Once the design details of this security policy have
been solidified, I will be releasing a white paper which describes the
technical implementation in greater detail.
The mac_chkexec policy logic can be found here:
http://people.freebsd.org/~csjp/mac/trustedexec.png
Q: What is mac_chkexec?
A: It's a mandatory access control policy which ensures that if the code
contained in a binary, shell script, shared object or kernel module has
been modified from its "trusted" form, it cannot be executed. It also
ensures that untrusted code cannot be executed, i.e. if an adversary
uploads an agent or rogue program, it should not be executed.
In addition, dependencies are supported. Since configuration files,
system databases or other files can alter how a program runs, it is
possible to make the policy verify the integrity of these dependencies
before allowing the execution of the object.
Q: What is required to run mac_chkexec?
A: This policy requires that options MAC be compiled into your kernel.
Since it depends on extended attributes for dependency and checksum
storage, it also requires UFS2. This security policy requires
FreeBSD 5.X.
Q: How do I set this up and test it?
A:
cd /usr/src/sys
fetch http://people.freebsd.org/~csjp/mac/mac_vnode_mmap.1106783302.diff
patch < mac_vnode_mmap.1106783302.diff
NOTE: Patch should work against -CURRENT or RELENG_5
Add the following line to your kernel config:
options MAC
Now Recompile and install your kernel.
Download, build and install the mac_chkexec kernel module:
fetch http://people.freebsd.org/~csjp/mac/mac_chkexec.1110510616.tar.gz
tar zxvf mac_chkexec.1110510616.tar.gz
cd mac_chkexec
make
make install
The policy can be loaded using:
kldload mac_chkexec
Download, build and install the set{get}fhash user-space utility:
cd /usr/src/usr.sbin
fetch http://people.freebsd.org/~csjp/mac/getfhash.1110501625.shar
sh getfhash.1110501625.shar
cd getfhash
make
make install
ln -s /usr/sbin/getfhash /usr/sbin/setfhash
Q: I have everything installed, how do I generate my baseline?
A: Easy, load the module and run your system like you would any other day. By
default, when you load the module without "enforcing" the policy, the trusted
exec system is in "learning" mode, which means that any time an object gets
executed, a checksum is computed and stored with the object.
If you do not want to wait for nature to take its course, you can always
force the calculation and storage of checksums using setfhash.
setfhash /bin/ls
Q: How can I see what checksum is currently registered for an object?
A:
getfhash /bin/ls
Q: How can I set dependencies for an object?
A:
setfhash -m /etc/rc.firewall /bin/ipfw
Executables can have more than one dependency. You can use a colon to
separate them:
setfhash -m /path/foo:/path/foo/test /bin/ls
NOTE: DEPENDENCY PATHNAMES ARE RELATIVE TO THE CALLING PROCESS, WHICH
COMPLICATES THINGS IN CHROOT OR JAIL ENVIRONMENTS.
Q: OK, I've generated my baseline, now how do I start enforcing the policy?
A:
sysctl security.mac.chkexec.enforce=1
NOTE: If you plan on doing a buildworld, you might want to increase the
cache size to something like 1024
sysctl security.mac.chkexec.cache.objmax=1024
Good luck & Thanks!
--
Christian S.J. Peron
csjp at FreeBSD.ORG
FreeBSD Committer
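The following is an added example, not part of Christian's post and not code from the mac_chkexec distribution. It wraps the setfhash/getfhash commands described above into a small baseline script: it takes a list of objects with optional dependencies, rejects any dependency that is not an absolute path (because the post warns that dependency pathnames are resolved relative to the calling process, which matters in chroot and jail environments), registers the checksums, confirms each object has one, and only then flips the policy into enforcing mode. It assumes setfhash and getfhash behave as the post describes; the list file format and the function names are this example's own.

```shell
#!/bin/sh
# Added example for driving mac_chkexec baselining (not from the original post).
# Assumes the setfhash/getfhash utilities from the post are installed and that
# "setfhash -m dep1:dep2 object" registers dependencies as described there.

# join_deps: build a colon-separated dependency list from absolute paths.
# Prints the list on stdout; returns 1 if any path is not absolute, since
# relative dependency paths are resolved against the calling process and
# would break inside a chroot or jail.
join_deps() {
    list=""
    for dep in "$@"; do
        case "$dep" in
            /*) ;;
            *) echo "join_deps: dependency '$dep' is not an absolute path" >&2
               return 1 ;;
        esac
        if [ -z "$list" ]; then list="$dep"; else list="$list:$dep"; fi
    done
    printf '%s\n' "$list"
}

# baseline_object: register a checksum for one object, with optional deps.
# Usage: baseline_object /bin/ipfw /etc/rc.firewall /etc/rc.conf
baseline_object() {
    obj="$1"; shift
    if [ "$#" -gt 0 ]; then
        deps=$(join_deps "$@") || return 1
        setfhash -m "$deps" "$obj" || return 1
    else
        setfhash "$obj" || return 1
    fi
    # Verify that a checksum is now registered before we trust this entry.
    getfhash "$obj" >/dev/null
}

# baseline_from_list: read "object [dep ...]" lines from stdin (blank lines
# and '#' comments ignored) and baseline each one. Returns 1 if any failed,
# so enforcement is not enabled on a partial baseline.
baseline_from_list() {
    status=0
    while read -r obj deps; do
        [ -z "$obj" ] && continue
        case "$obj" in '#'*) continue ;; esac
        # $deps is intentionally unquoted so that it word-splits into args.
        baseline_object "$obj" $deps || status=1
    done
    return "$status"
}

# Example list file (constructed for this example):
#   /bin/ls
#   /bin/ipfw /etc/rc.firewall /etc/rc.conf
# Usage: sh chkexec_baseline.sh objects.txt
if [ "$#" -eq 1 ]; then
    if baseline_from_list < "$1"; then
        sysctl security.mac.chkexec.enforce=1
    else
        echo "baseline incomplete; not enabling enforcement" >&2
        exit 1
    fi
fi
```

Run it before enabling enforcement; a failed entry leaves the policy in learning mode so you can fix the path and rerun rather than locking yourself out of a binary whose checksum was never stored.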