FreeBSD trusted execution system: beta testers wanted


Christian S.J. Peron

Mar 11, 2005, 10:30:04 AM
All,

I have written a trusted execution module and would appreciate it if anyone could
help in testing. This module provides functionality similar to NetBSD's
verified exec mechanism. Once the design details of this security policy have
been solidified, I will be releasing a white paper which describes the
technical implementation in greater detail.

The mac_chkexec policy logic can be found here:

http://people.freebsd.org/~csjp/mac/trustedexec.png

Q: What is mac_chkexec?
A: It's a mandatory access control policy which ensures that if the code
contained in a binary, shell script, shared object or kernel module has
been modified from its "trusted" form, it cannot be executed. It also
ensures that untrusted code cannot be executed, i.e. if an adversary
uploads an agent or rogue program, it should not be executed.

In addition, dependencies are supported. Since configuration files,
system databases or other files can alter how a program runs, it is
possible to make the policy verify the integrity of these dependencies
before allowing the execution of the object.

Q: What is required to run mac_chkexec?
A: This policy requires that options MAC be compiled into your kernel.
Since it depends on extended attributes for dependency and checksum
storage, it also requires UFS2. This security policy requires
FreeBSD 5.X.

Q: How do I set this up and test it?
A:
cd /usr/src/sys
fetch http://people.freebsd.org/~csjp/mac/mac_vnode_mmap.1106783302.diff
patch < mac_vnode_mmap.1106783302.diff

NOTE: Patch should work against -CURRENT or RELENG_5

Add the following line to your kernel config:

options MAC

Now recompile and install your kernel.

Download, build and install the mac_chkexec kernel module:

fetch http://people.freebsd.org/~csjp/mac/mac_chkexec.1110510616.tar.gz
tar zxvf mac_chkexec.1110510616.tar.gz
cd mac_chkexec
make
make install

The policy can be loaded using:

kldload mac_chkexec

Download, build and install the set{get}fhash user-space utility:

cd /usr/src/usr.sbin
fetch http://people.freebsd.org/~csjp/mac/getfhash.1110501625.shar
sh getfhash.1110501625.shar
cd getfhash
make
make install
ln -s /usr/sbin/getfhash /usr/sbin/setfhash

Q: I have everything installed, how do I generate my baseline?
A: Easy, load the module and run your system like you would any other day. By
default, when you load the module without "enforcing" the policy, the trusted
exec system is in "learning" mode, which means any time an object gets
executed, a checksum is computed and stored with the object.

If you do not want to wait for nature to take its course, you can always
force the calculation and storage of checksums using setfhash.

setfhash /bin/ls

Q: How can I see what checksum is currently registered for an object?
A:
getfhash /bin/ls

Q: How can I set dependencies for an object?
A:
setfhash -m /etc/rc.firewall /bin/ipfw

Executables can have more than one dependency. You can use a colon to
separate them:

setfhash -m /path/foo:/path/foo/test /bin/ls

NOTE: DEPENDENCY PATHNAMES ARE RELATIVE TO THE CALLING PROCESS, WHICH
COMPLICATES THINGS IN CHROOT OR JAIL ENVIRONMENTS.

Q: OK, I've generated my baseline, now how do I start enforcing the policy?
A:
sysctl security.mac.chkexec.enforce=1

NOTE: If you plan on doing a buildworld, you might want to increase the
cache size to something like 1024:

sysctl security.mac.chkexec.cache.objmax=1024

Good luck & Thanks!

--
Christian S.J. Peron
cs...@FreeBSD.ORG
FreeBSD Committer
_______________________________________________
freebsd...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hacke...@freebsd.org"
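A userland model of the policy described in this post, added here as an example and not the module's or the author's code: it simulates per-object SHA-1 checksums stored as extended attributes, learning versus enforcing mode, colon-separated dependency lists, and the caller-relative resolution of dependency pathnames that the note above says complicates chroot and jail environments. The in-memory filesystem, the `TrustedExec` class and every path and file content are constructed; the real policy keeps these values in UFS2 extended attributes and runs in the kernel.

```python
import hashlib
import os

class TrustedExec:
    """Constructed model of mac_chkexec: hash-on-exec with dependencies."""

    def __init__(self, files):
        self.files = files      # constructed "filesystem": path -> bytes
        self.fhash = {}         # simulated EA: path -> hex SHA-1 of contents
        self.deps = {}          # simulated EA: path -> "dep1:dep2:..."
        self.enforce = 0        # models sysctl security.mac.chkexec.enforce

    def _digest(self, path):
        return hashlib.sha1(self.files[path]).hexdigest()

    def setfhash(self, path, deps=None):
        """setfhash [-m deps] path: register the current checksum (and deps)."""
        self.fhash[path] = self._digest(path)
        if deps is not None:
            self.deps[path] = deps

    def getfhash(self, path):
        """getfhash path: the checksum currently registered, or None."""
        return self.fhash.get(path)

    def check(self, path, root="/", _seen=()):
        """Decide whether exec/mmap of `path` is allowed; returns (ok, reason).
        `root` models the calling process's chroot/jail: dependency pathnames
        are resolved under it, not relative to the object itself."""
        if path not in self.files:
            return False, f"{path}: no such file"
        stored = self.fhash.get(path)
        if not self.enforce:
            if stored is None:  # learning mode: register on first execution
                self.fhash[path] = self._digest(path)
            return True, "learning"
        if stored is None:
            return False, f"{path}: untrusted (no checksum registered)"
        if stored != self._digest(path):
            return False, f"{path}: checksum mismatch (object modified)"
        for dep in filter(None, self.deps.get(path, "").split(":")):
            real = os.path.normpath(os.path.join(root, dep.lstrip("/")))
            if real in _seen:   # dependency cycle: already being verified
                continue
            ok, why = self.check(real, root, _seen + (path,))
            if not ok:
                return False, f"{path}: dependency {why}"
        return True, "trusted"
```

The same check is what denies a shared object that was never hashed: running the program once with enforcement off registers the library, after which enforcement can be turned back on.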

Tim Kientzle

Mar 12, 2005, 2:17:19 PM
Christian S.J. Peron wrote:
>
> I have written a trusted execution module and would appreciate if anyone could
> help in testing. This module provides a functionality similar to NetBSD's
> verified exec mechanism.

Excellent!

Sounds like something that could provide a
lot of additional protection against
trojans and worms.

Wish I had time to play with it right now....

Tim

Peter Jeremy

Mar 12, 2005, 6:07:35 PM
On Fri, 2005-Mar-11 15:29:51 +0000, Christian S.J. Peron wrote:
>I have written a trusted execution module and would appreciate if anyone could
>help in testing. This module provides a functionality similar to NetBSD's
>verified exec mechanism. Once the design details of this security policy has
>been solidified, I will be releasing a white paper which describes the
>technical implementation in greater detail.

Sounds good.

> Download, build and install the mac_chkexec kernel module:
>
> fetch http://people.freebsd.org/~csjp/mac/mac_chkexec.1110510616.tar.gz
> tar zxvf mac_chkexec.1110510616.tar.gz
> cd mac_chkexec
> make
> make install

Unfortunately, the existing file is incompatible with the "standard" kernel
building process. The instructions above seem to work but since it's a
separate step from buildkernel/installkernel, I'm sure to forget it at some
time. If I unpack it into /sys/modules and add "SUBDIR += mac_chkexec" to
/sys/modules/Makefile - it blows up with:

===> mac_chkexec
@ -> /usr/src/sys
machine -> /usr/src/sys/i386/include
awk -f @/tools/vnode_if.awk @/kern/vnode_if.src -h
rm -f .depend
mkdep -f .depend -a -nostdinc -I/usr/src/sys/crypto -D_KERNEL -DKLD_MODULE -I- -I/usr/src/sys/crypto -I. -I@ -I@/contrib/altq -I@/../include -I/usr/obj/usr/src/i386/usr/include -I/usr/obj/usr/src/sys/fwall /usr/src/sys/crypto//sha1.c /usr/src/sys/modules/mac_chkexec/mac_chkexec.c
/usr/src/sys/modules/mac_chkexec/mac_chkexec.c:61:25: mac_chkexec.h: No such file or directory
mkdep: compile failed
*** Error code 1

I also notice that the Makefile has /usr/src/sys hard-coded into it.

Can I suggest the following patch:

server# diff -u Makefile~ Makefile
--- Makefile~ Fri Mar 11 14:09:20 2005
+++ Makefile Sun Mar 13 09:56:42 2005
@@ -1,5 +1,5 @@
-.PATH: /usr/src/sys/crypto/
-CFLAGS+= -I/usr/src/sys/crypto
+.PATH: ${.CURDIR}/../../crypto
+CFLAGS+= -I${.CURDIR} -I${.CURDIR}/../../crypto

KMOD= mac_chkexec
SRCS= vnode_if.h \
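Review bot: the `.PATH: ${.CURDIR}/../../crypto` line pins the module to exactly two directory levels below the kernel source tree (sys/modules/mac_chkexec), so the tarball can no longer be unpacked and built in an arbitrary directory as the original instructions describe; either the instructions should state the required location, or the Makefile should derive the tree root from a settable variable (for example `SYSDIR?= ${.CURDIR}/../..` and `.PATH: ${SYSDIR}/crypto`, the convention used by other module Makefiles) so both layouts build. The added `-I${.CURDIR}` in `CFLAGS+=` is what resolves the `mac_chkexec.h: No such file or directory` failure from the mkdep output above, since the old flags only named the crypto directory; the unchanged `SRCS= vnode_if.h \` context line still covers the awk-generated header, so nothing else in the hunk needs to change.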
server#

--
Peter Jeremy

vaida bogdan

Mar 16, 2005, 8:18:42 AM
Hi, could you explain to me how this error is related to mac_chkexec?

(after enforcing, I execute xchat and get:)
/libexec/ld-elf.so.1: /usr/X11R6/lib/libgdk-x11-2.0.so.400: mmap of
entire address space failed: Operation not permitted
(I set chkexec.enforce to 0, run xchat and enforce the policy again
and the error disappears)

It didn't tell me which executable it could not run.

On Sat, 12 Mar 2005 11:16:42 -0800, Tim Kientzle <kien...@freebsd.org> wrote:
> Christian S.J. Peron wrote:
> >
> > I have written a trusted execution module and would appreciate if anyone could
> > help in testing. This module provides a functionality similar to NetBSD's
> > verified exec mechanism.
>
> Excellent!
>
> Sounds like something that could provide a
> lot of additional protection against
> trojans and worms.
>
> Wish I had time to play with it right now....
>
> Tim
>
> _______________________________________________
> freebsd-...@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-securi...@freebsd.org"

Christian S.J. Peron

Mar 19, 2005, 6:27:44 PM
All,

Thanks for all the input. I have updated the code as per some of the comments
which came in around testing. The following changes were made:

- modify setfhash/getfhash to use the filename of the pathname portion.
This will unbreak set/getfhash if it was invoked using ./ or the complete
pathname.

- the kernel implementation of setfhash was a bad idea. It used to use
the utimes syscall. This especially caused problems with various port
or source builds on NFS file systems exiting with EIO or various other
errors. I replaced the kernel implementation with a sysctl, and modified
the setfhash utility to use this instead.

- add additional printfs to tell people where/why things went wrong. It
should be noted that these printfs are only executed if the module is
compiled with DEBUG set. (See the Makefile.)

- change Makefiles and file locations to be more consistent with the
system build practices.

NOTE: IF YOU HAVE ALREADY PATCHED YOUR KERNEL SKIP THE KERNEL PATCH/REBUILD

cd /usr/src/sys
fetch http://www.freebsd.org/~csjp/mac/mac_vnode_mmap.1106783302.diff
patch < mac_vnode_mmap.1106783302.diff

# REBUILD YOUR KERNEL

cd /usr/src/sys/modules
mkdir /usr/src/sys/modules/mac_chkexec
cd /usr/src/sys/modules/mac_chkexec
fetch http://www.freebsd.org/~csjp/mac/Makefile

cd /usr/src/usr.sbin
fetch http://www.freebsd.org/~csjp/mac/getfhash.1111165779.shar
sh getfhash.1111165779.shar
cd getfhash
make
make install

make clean

cd /usr/src/sys/security
fetch http://www.freebsd.org/~csjp/mac/mac_chkexec.1111165827.shar
sh mac_chkexec.1111165827.shar
cd /usr/src/sys/modules/mac_chkexec
make
make install
make clean

--
Christian S.J. Peron
cs...@FreeBSD.ORG
FreeBSD Committer
