Exciting project
Richard Masoner
richardm at masoner.net
Mon Dec 10 15:13:57 GMT 2001
At 12:46 AM 12/9/2001 +0000, Dr. Evil wrote:
>This project is very exciting. It seems to me that the end goal of
>any security hack on a Unix system is "get root". With TrustedBSD,
>there is no more root to get, so all these hacks become impossible,
>right?
Goals of malicious hackers and crackers might include defacing web pages,
getting customer credit card information and other private customer
information, or stealing business secrets. On a UNIX system, "root" can be
a way to have the access to get all of this information, but it also may
not be absolutely needed to become superuser to deface web pages or access
an internal database. root access is not usually the goal, but is often
the means to the goal.
Multilevel operating systems can help to mitigate damage and make the goal
harder by taking away root.
Operating systems give privileged access to something called the Trusted
Computing Base (TCB). These are programs like passwd and sendmail which
need to read and modify files with restricted access (i.e. the shadow file
and every user's mail spool). In UNIX, this is done by making them suid
root. Unfortunately, running as root gives them access to *every*
privileged operation on the operating system.
A trusted operating system gives you the tools to limit the access given to
programs like sendmail or apache. The privileges are compartmented. Thus,
if a vulnerability in sendmail is exploited, the damage is limited to files
that sendmail can write to. Because sendmail has permission only to write
to user mail spools, then the cracker is unable to write a web page or read
customer database information.
Multilevel, trusted OSes are not a panacea. It is possible to crack TOSes
if the TCB (Trusted Computing Base) contains vulnerable code or if the
system is improperly configured. The TCBs of trusted OSes should receive
extra scrutiny in their code audits to ensure the code isn't broken. Argus
(which develops a trusted OS called Pitbull by modifying source code of
existing commercial operating systems) was hacked during a hacking contest
in Europe when a server running an *unaudited* version of their OS (Pitbull
for Solaris/x86) was exploited through a kernel vulnerability. The code
was not completely audited because the x86 version of Pitbull is meant for
hobbyist use only, and it never should have been used in the hacking contest.
Richard Masoner
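As an added illustration of the compartmenting argument in the post above (example code written for this edit, not from the post and not TrustedBSD's own policy code), here is a small C model that contrasts the suid-root model, where a program running as root can reach any path on the system, with a compartment table that grants each trusted program only the privilege it needs. The compartment table, privilege names and sample paths are hypothetical and constructed for this example. The model canonicalizes the requested path before checking it, because a prefix check on an un-normalized path such as "/var/mail/../www/index.html" would not hold.

```c
/*
 * Toy model of the two privilege models contrasted in the post:
 * ambient suid-root versus a per-program compartment of privileges.
 * The compartment table, privilege names and paths are hypothetical,
 * constructed for this example.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Privileges a TCB program might hold in a compartmented system. */
enum priv {
    PRIV_WRITE_MAIL  = 1,   /* write user mail spools        */
    PRIV_WRITE_WWW   = 2,   /* write the web document root   */
    PRIV_READ_DB     = 4,   /* read the customer database    */
    PRIV_READ_SHADOW = 8    /* read the shadow password file */
};

struct compartment {
    const char *program;
    unsigned    privs;      /* bitmask of enum priv */
};

/* Hypothetical table: each trusted program gets only what it needs. */
static const struct compartment compartments[] = {
    { "sendmail", PRIV_WRITE_MAIL },
    { "httpd",    PRIV_WRITE_WWW  },
    { "passwd",   PRIV_READ_SHADOW },
};

static bool has_prefix(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/*
 * Collapse ".", ".." and repeated "/" so that the prefix check below
 * cannot be sidestepped by an un-normalized path. Relative paths are
 * rejected. Returns false if the result would not fit in out.
 */
static bool canonicalize(const char *in, char *out, size_t outlen) {
    if (in == NULL || in[0] != '/' || outlen < 2)
        return false;
    size_t n = 0;
    const char *p = in;
    while (*p) {
        while (*p == '/') p++;                  /* skip "/" and "//" */
        if (*p == '\0') break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 1 && seg[0] == '.')
            continue;                           /* "." adds nothing */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            while (n > 0 && out[n - 1] != '/') n--;   /* drop last name */
            if (n > 0) n--;                           /* and its slash  */
            continue;
        }
        if (n + 1 + len >= outlen)
            return false;                       /* no room for NUL */
        out[n++] = '/';
        memcpy(out + n, seg, len);
        n += len;
    }
    if (n == 0)
        out[n++] = '/';                         /* resolved to the root */
    out[n] = '\0';
    return true;
}

/* Helper for checking canonicalization results by value. */
bool canon_equals(const char *in, const char *expected) {
    char buf[256];
    return canonicalize(in, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

/* Privilege required to touch a canonical path; 0 means no compartment
 * grants it, so only an all-powerful root could reach it. */
static unsigned priv_needed(const char *canon) {
    if (has_prefix(canon, "/var/mail/"))          return PRIV_WRITE_MAIL;
    if (has_prefix(canon, "/var/www/"))           return PRIV_WRITE_WWW;
    if (has_prefix(canon, "/var/db/customers/"))  return PRIV_READ_DB;
    if (strcmp(canon, "/etc/master.passwd") == 0) return PRIV_READ_SHADOW;
    return 0;
}

/* Classic suid-root model: once running as root, every path is reachable. */
bool suid_root_allowed(const char *path) {
    char canon[256];
    return canonicalize(path, canon, sizeof canon);
}

/* Compartmented model: only paths whose required privilege is in the
 * program's compartment are reachable; unknown programs get nothing. */
bool compartment_allowed(const char *program, const char *path) {
    char canon[256];
    if (!canonicalize(path, canon, sizeof canon))
        return false;
    unsigned need = priv_needed(canon);
    if (need == 0)
        return false;
    for (size_t i = 0; i < sizeof compartments / sizeof compartments[0]; i++)
        if (strcmp(compartments[i].program, program) == 0)
            return (compartments[i].privs & need) != 0;
    return false;
}

int main(void) {
    const char *paths[] = { "/var/mail/alice", "/var/www/index.html",
                            "/var/mail/../www/index.html",
                            "/var/db/customers/cards.db" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-30s suid-root:%d  sendmail compartment:%d\n", paths[i],
               (int)suid_root_allowed(paths[i]),
               (int)compartment_allowed("sendmail", paths[i]));
    return 0;
}
```

Run as-is, the program shows that a hypothetical sendmail hole reaches every sample path under the suid-root model but only its own mail spool under the compartment model, which is the damage-limiting point the post makes. The canonicalization step is the part worth copying: any prefix-based policy check is only as good as the normalization that precedes it.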