Exciting project

Robert Watson rwatson at FreeBSD.org
Mon Dec 10 16:56:47 GMT 2001


On 9 Dec 2001, Dr. Evil wrote:

> This project is very exciting.  It seems to me that the end goal of any
> security hack on a Unix system is "get root".  With TrustedBSD, there is
> no more root to get, so all these hacks become impossible, right? 

Well, within limits.  A lot of the work so far has been more about
reducing the need for root privileges through providing access to services
via better defined mechanisms.  For example, Thomas Moestl has invested
substantial energy to make a large pool of the setgid kmem utilities run
without privilege: previously, they had to read live kernel memory to
generate system statistics, but now those are exported through the system
MIB.  While there is on-going work to support POSIX.1e capabilities in
FreeBSD, I suspect the most important accomplishments will be the ability
to enforce mandatory access control policies, and provide system auditing
services.

> I have a few general questions about TrustedBSD:
> 
> Will TrustedBSD become merged with FreeBSD (as many of the patches so
> far have been), or will it be a fork off from FreeBSD (so there will
> then be FreeBSD, NetBSD, OpenBSD, BSDi, and TrustedBSD)?  I hope it will
> be merged.  I know many people would worry that it will make Unix more
> complicated but I think it will actually simplify many things, because
> right now they try to achieve partitioning using things like file perms,
> and it's a mess. 

Originally, the TrustedBSD extensions were targeted specifically at the
FreeBSD platform, and FreeBSD is still the primary target for this work.
TrustedBSD features are being integrated back into the base FreeBSD
source, and a number of them will be available in FreeBSD 5.0-RELEASE next
year.

However, there's also been substantial interest in porting to other
platforms.  There's on-going work to bring some of the basic features
(such as file system extended attributes, discretionary access control
lists on files) to both OpenBSD and Apple's Darwin/OS X.  I've also had
interest in several other BSD platforms, but those are the two where work
is actually taking place. 

> What is the difference between TrustedBSD and EROS?  Obviously, one is
> BSD and the other is not, so TrustedBSD will be able to run a lot of
> software right away, but beyond that, what are the design theory
> differences? 

TrustedBSD takes FreeBSD as a starting point, giving it access to a rich
suite of functionality.  It derives a number of its key sets of
functionality from the relatively well-trodden ground of trusted UNIX
systems, including its approaches to features such as ACLs.  In other
areas, it diverges, with work on pluggable mandatory access control,
re-architecting of aspects of the BSD credential model, and integration
with the FreeBSD scheduler-activation derived threading model.

> And finally, when can we try this out in beta? 

Some of the TrustedBSD features are already accessible in development
snapshots of FreeBSD 5.0.  The FreeBSD Project currently plans to release
a full development snapshot in late January, although the release itself
isn't due out until late 2002.  Support for file system extended
attributes, file system ACLs, and reasonable support for POSIX.1e
capabilities (privileges) will be in that snapshot.  We're currently
working on getting the MAC code into shape for inclusion also.  The level
of integration will be relatively low for some of these features:
Capabilities and MAC will likely include large parts of the kernel
support, but be poor in terms of userland integration into applications.
Management may also not be pretty.  We hope to see this mature over the
following couple of quarters such that the features will be relatively
usable in 5.0-RELEASE, modulo a requirement that the user know what to do
with the features :-).

NAI Labs is about to bring online a sub-contractor, Chris Costello, to
work to improve documentation of the features, programmer's documentation,
as well as provide tutorials on configuring and using the new features.
That work starts sometime this week.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org      NAI Labs, Safeport Network Services
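The paragraph in the message above about the setgid kmem utilities makes a privilege-reduction point: a program that must read live kernel memory has to run with a privileged group, whereas one that reads the same statistics through the sysctl MIB needs no privilege at all. The script below is an added example, not part of Robert Watson's message or of the TrustedBSD/FreeBSD code base; it shows the defender's side of that work by auditing a directory tree for executables that still carry the setuid or setgid bit. The sample tree it builds, and the file names `old-netstat` and `new-netstat` in it, are constructed for the demonstration and stand in for a setgid-kmem utility and its unprivileged replacement.

```python
import grp
import os
import pwd
import stat
import tempfile


def find_setid_executables(root):
    """Walk `root` and report regular files that carry the setuid or setgid bit.

    Returns a sorted list of (relative_path, bits, owner, group) tuples, where
    `bits` is 'setuid', 'setgid' or 'setuid+setgid'.  Every entry is a program
    that runs with more privilege than its caller, which is exactly the set
    that work like the setgid-kmem cleanup aims to shrink.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not executables
            bits = []
            if st.st_mode & stat.S_ISUID:
                bits.append("setuid")
            if st.st_mode & stat.S_ISGID:
                bits.append("setgid")
            if not bits:
                continue
            findings.append((
                os.path.relpath(path, root),
                "+".join(bits),
                _name_of_uid(st.st_uid),
                _name_of_gid(st.st_gid),
            ))
    return sorted(findings)


def _name_of_uid(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)  # no passwd entry; fall back to the numeric id


def _name_of_gid(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)  # no group entry; fall back to the numeric id


def build_sample_tree():
    """Create a constructed directory tree for the demonstration (not a real system).

    It holds one setgid 'statistics tool' standing in for a setgid-kmem utility,
    one plain executable standing in for its unprivileged sysctl-based
    replacement, and one symlink the audit must ignore.  Returns the root path.
    """
    root = tempfile.mkdtemp(prefix="setid-audit-")
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)

    privileged = os.path.join(bindir, "old-netstat")  # hypothetical name
    with open(privileged, "w") as f:
        f.write("#!/bin/sh\necho 'reads /dev/kmem'\n")
    os.chmod(privileged, 0o755 | stat.S_ISGID)

    unprivileged = os.path.join(bindir, "new-netstat")  # hypothetical name
    with open(unprivileged, "w") as f:
        f.write("#!/bin/sh\necho 'reads sysctl MIB'\n")
    os.chmod(unprivileged, 0o755)

    os.symlink(privileged, os.path.join(bindir, "netstat-link"))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, bits, owner, group in find_setid_executables(sample_root):
        print(f"{bits:14s} {owner}:{group}  {rel}")
```

Run against a real tree such as `/usr/bin` or `/usr/sbin`, the same function lists every privileged program a local user can invoke; each one that only needs read access to kernel statistics is a candidate for the sysctl-style rewrite the message describes.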