Exciting project

Richard Masoner richardm at masoner.net
Mon Dec 10 15:13:57 GMT 2001


At 12:46 AM 12/9/2001 +0000, Dr. Evil wrote:
>This project is very exciting.  It seems to me that the end goal of
>any security hack on a Unix system is "get root".  With TrustedBSD,
>there is no more root to get, so all these hacks become impossible,
>right?


Goals of malicious hackers and crackers might include defacing web pages,
getting customer credit card information and other private customer
information, or stealing business secrets.  On a UNIX system, "root" can be
a way to have the access to get all of this information, but it also may
not be absolutely necessary to become superuser to deface web pages or
access an internal database.  Root access is not usually the goal, but is
often the means to the goal.

Multilevel operating systems can help to mitigate damage and make the goal 
harder by taking away root.

Operating systems give privileged access to something called the Trusted
Computing Base (TCB).  These are programs like passwd and sendmail which
need to read and modify files with restricted access (e.g. the shadow file
and every user's mail spool).  In UNIX, this is done by making them suid
root.  Unfortunately, running as root gives them access to *every*
privileged operation on the operating system.

A trusted operating system gives you the tools to limit the access given to 
programs like sendmail or apache.  The privileges are compartmented.  Thus, 
if a vulnerability in sendmail is exploited, the damage is limited to files 
that sendmail can write to.  Because sendmail has permission only to write 
to user mail spools, then the cracker is unable to write a web page or read 
customer database information.

Multilevel, trusted OSes are not a panacea.  It is possible to crack TOSes
if the TCB (Trusted Computing Base) contains vulnerable code or if the
system is improperly configured.  The TCBs of trusted OSes should receive
extra scrutiny in their code audits to ensure the code isn't broken.  Argus
(which develops a trusted OS called Pitbull by modifying source code of
existing commercial operating systems) was hacked during a hacking contest
in Europe when a server running an *unaudited* version of their OS (Pitbull
for Solaris/x86) was exploited through a kernel vulnerability.  The code
was not completely audited because the x86 version of Pitbull is meant for
hobbyist use only, and it never should have been used in the hacking contest.

Richard Masoner


To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message
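The compartmented-privilege model Richard describes above (sendmail may only touch mail spools, so a compromised sendmail cannot reach the web root or the customer database), as an added example that is not from the original post, from TrustedBSD or from Pitbull: a toy reference monitor in Python. The subject names, paths and policy rules are constructed for illustration. It compares a default-deny, per-program policy against the "suid root" model in which one program is granted everything, normalizes paths so a ".." in a request cannot escape a compartment, and flags over-broad rules, which is the kind of misconfiguration the last paragraph warns about.

```python
"""Toy reference monitor: per-program compartments versus all-powerful root.

Added example, not code from the TrustedBSD project. Subjects, operations
and paths are constructed for illustration only.
"""
import posixpath

# Constructed policy: each subject gets only the files it needs. Anything not
# listed is denied (default deny). Prefixes name a file or a directory tree.
COMPARTMENTED_POLICY = {
    "sendmail": {"read": ["/etc/mail/", "/var/mail/"], "write": ["/var/mail/"]},
    "httpd":    {"read": ["/var/www/", "/etc/httpd/"], "write": ["/var/log/httpd/"]},
    "passwd":   {"read": ["/etc/master.passwd"],       "write": ["/etc/master.passwd"]},
}

# The traditional suid-root model expressed in the same notation: sendmail
# runs as root, so it is effectively granted the whole filesystem.
SUID_ROOT_POLICY = {
    "sendmail": {"read": ["/"], "write": ["/"]},
}


def normalize(path):
    """Collapse '.' and '..' so '/var/mail/../www/x' is judged as '/var/www/x'."""
    if not path.startswith("/"):
        raise ValueError("absolute paths only: %r" % path)
    return posixpath.normpath(path)


def _within(path, prefix):
    """True if path is the prefix itself or lies inside the prefix directory.

    '/var/mail' must cover '/var/mail/alice' but not '/var/mailbox'.
    """
    path, prefix = normalize(path), normalize(prefix)
    if path == prefix:
        return True
    return path.startswith(prefix.rstrip("/") + "/")


def allowed(policy, subject, op, path):
    """Default-deny mediation: may `subject` perform `op` on `path`?"""
    rules = policy.get(subject, {}).get(op, [])
    return any(_within(path, prefix) for prefix in rules)


def blast_radius(policy, subject, op, targets):
    """Which of the given targets a compromised `subject` could reach."""
    return [t for t in targets if allowed(policy, subject, op, t)]


def overbroad_rules(policy, min_depth=2):
    """Flag rules that grant a subject a tree shallower than `min_depth`.

    '/' has depth 0 and '/var' depth 1; granting either to a single daemon
    recreates the "root can do everything" problem the compartments avoid.
    """
    findings = []
    for subject, ops in policy.items():
        for op, prefixes in ops.items():
            for prefix in prefixes:
                depth = len([c for c in normalize(prefix).split("/") if c])
                if depth < min_depth:
                    findings.append((subject, op, prefix))
    return findings


if __name__ == "__main__":
    # Constructed targets an attacker holding sendmail would want to write.
    targets = ["/var/mail/alice", "/var/www/index.html", "/var/db/customers.db"]
    print("compartmented:", blast_radius(COMPARTMENTED_POLICY, "sendmail", "write", targets))
    print("suid root:    ", blast_radius(SUID_ROOT_POLICY, "sendmail", "write", targets))
    print("overbroad:    ", overbroad_rules(SUID_ROOT_POLICY))
```

Run as a script it shows the compromised sendmail reaching only the mail spool under the compartmented policy and all three targets under the suid-root policy, and `overbroad_rules` reports the two "/" grants. The normalization step matters: without it, a rule for `/var/mail/` would also pass `/var/mail/../www/index.html`, which is the check a real reference monitor performs on the kernel's canonical object, not on the string the caller supplied.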
