FreeBSD trusted execution system: beta testers wanted

Christian S.J. Peron csjp at freebsd.org
Fri Mar 11 07:29:52 PST 2005


All,

I have written a trusted execution module and would appreciate it if anyone
could help in testing. This module provides functionality similar to NetBSD's
verified exec mechanism. Once the design details of this security policy have
been solidified, I will be releasing a white paper which describes the
technical implementation in greater detail.

The mac_chkexec policy logic can be found here:

	http://people.freebsd.org/~csjp/mac/trustedexec.png

Q: What is mac_chkexec?
A: It's a mandatory access control policy which ensures that if the code
   contained in a binary, shell script, shared object or kernel module has
   been modified from its "trusted" form, it cannot be executed. It also
   ensures that untrusted code cannot be executed, i.e. if an adversary
   uploads an agent or rogue program, it should not be executed.

   In addition, dependencies are supported. Since configuration files,
   system databases or other files can alter how a program runs, it is
   possible to make the policy verify the integrity of these dependencies
   before allowing the execution of the object.

Q: What is required to run mac_chkexec?
A: This policy requires that options MAC be compiled into your kernel.
   Since it depends on extended attributes for dependency and checksum
   storage, it also requires UFS2. This security policy requires
   FreeBSD 5.X.

Q: How do I set this up and test it?
A:
    cd /usr/src/sys
    fetch http://people.freebsd.org/~csjp/mac/mac_vnode_mmap.1106783302.diff
    patch < mac_vnode_mmap.1106783302.diff

NOTE: The patch should work against -CURRENT or RELENG_5.

   Add the following line to your kernel config:

	options MAC

   Now recompile and install your kernel.

   Download, build and install the mac_chkexec kernel module:

    fetch http://people.freebsd.org/~csjp/mac/mac_chkexec.1110510616.tar.gz
    tar zxvf mac_chkexec.1110510616.tar.gz
    cd mac_chkexec
    make
    make install

   The policy can be loaded using:

    kldload mac_chkexec

   Download, build and install the getfhash/setfhash user-space utility (one
   binary, installed under both names):

    cd /usr/src/usr.sbin
    fetch http://people.freebsd.org/~csjp/mac/getfhash.1110501625.shar
    sh getfhash.1110501625.shar
    cd getfhash
    make
    make install
    ln -s /usr/sbin/getfhash /usr/sbin/setfhash

Q: I have everything installed, how do I generate my baseline?
A: Easy, load the module and run your system like you would any other day. By
   default, when you load the module without "enforcing" the policy, the trusted
   exec system is in "learning" mode. This means that any time an object gets
   executed, a checksum is computed and stored with the object.

   If you do not want to wait for nature to take its course, you can always
   force the calculation and storage of checksums using setfhash:

    setfhash /bin/ls

Q: How can I see what checksum is currently registered for an object?
A:
    getfhash /bin/ls

Q: How can I set dependencies for an object?
A:
    setfhash -m /etc/rc.firewall /bin/ipfw

   Executables can have more than one dependency. You can use a colon to
   separate them:

    setfhash -m /path/foo:/path/foo/test /bin/ls

NOTE: DEPENDENCY PATHNAMES ARE RELATIVE TO THE CALLING PROCESS, WHICH
      COMPLICATES THINGS IN CHROOT OR JAIL ENVIRONMENTS.

Q: OK, I've generated my baseline, now how do I start enforcing the policy?
A:
	sysctl security.mac.chkexec.enforce=1

NOTE: If you plan on doing a buildworld, you might want to increase the
      cache size to something like 1024:

	sysctl security.mac.chkexec.cache.objmax=1024
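To make the policy logic above concrete, here is an added Python model of the
learning / dependency / enforcing decisions (my own illustration, not the
mac_chkexec module or the getfhash tool). Dicts stand in for the UFS2 extended
attributes, SHA-256 is an assumed checksum, and the `root` argument models the
chroot/jail caveat; the sample files are constructed in a temp directory.

```python
import hashlib, tempfile
from pathlib import Path

def fhash(path):  # checksum stored with the object (stand-in for the UFS2 EA)
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

class ChkexecModel:
    """Model of the mac_chkexec decision logic (added example, not the module's code)."""
    def __init__(self):
        self.enforce = False  # security.mac.chkexec.enforce
        self.trusted = {}     # path -> checksum (setfhash / getfhash)
        self.deps = {}        # path -> "dep1:dep2" (setfhash -m)
    def setfhash(self, path, deps=None):
        self.trusted[path] = fhash(path)
        if deps is not None:
            self.deps[path] = deps

    def check_exec(self, path, root="/"):
        """Allow/deny running `path`; dependency paths resolve under `root`, mirroring
        the caveat that the kernel sees them relative to the calling process."""
        deps = self.deps.get(path, "").split(":")
        for obj in [path] + [str(Path(root) / d.lstrip("/")) for d in deps if d]:
            if not Path(obj).exists():
                return False, "missing: " + obj
            if obj not in self.trusted:
                if self.enforce:
                    return False, "untrusted, no checksum: " + obj
                self.setfhash(obj)  # learning mode records the checksum instead
            elif fhash(obj) != self.trusted[obj]:
                return False, "modified: " + obj
        return True, "ok"

def demo():
    """Constructed sample: binary plus one dependency; returns the verdict per case."""
    d = tempfile.mkdtemp()
    ipfw, rc = str(Path(d) / "ipfw"), str(Path(d) / "rc.firewall")
    for p in (ipfw, rc):
        Path(p).write_text("original contents of " + p)
    m = ChkexecModel()
    out = {"learn": m.check_exec(ipfw)[0]}  # learning mode: recorded and allowed
    m.setfhash(rc)
    m.setfhash(ipfw, deps=rc)               # setfhash -m <d>/rc.firewall <d>/ipfw
    m.enforce = True                        # sysctl security.mac.chkexec.enforce=1
    out["enforce_ok"] = m.check_exec(ipfw)[0]
    Path(rc).write_text(Path(rc).read_text() + "\n# tampered")
    out["dep_modified"] = m.check_exec(ipfw)[0]
    m.setfhash(rc)                          # re-baseline after a legitimate edit
    out["rebaselined"] = m.check_exec(ipfw)[0]
    out["jail_root"] = m.check_exec(ipfw, root=d)[0]  # dep path no longer resolves
    return out
```

The last case shows why the dependency note matters: with a different root, the
stored absolute dependency path does not resolve, so the execution is denied.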

Good luck & Thanks!

-- 
Christian S.J. Peron
csjp at FreeBSD.ORG
FreeBSD Committer

