Securing the execution environment for NetBSD
| Speaker | Brett Lymn |
|---|---|
| Time | 2004-01-15 12:00 |
| Conference | LCA2004 |
Use Linux only for playing games
NetBSD == Darkside
Signed Exec (AUUG2K)
Signed Exec only worked with statically linked binaries
Exec path modified:
- MD5 hash of the on-disk binary
- compare the calculated hash against a list loaded into kernel memory
- allow the exec only if the hashes match
- execution speed halved
- comparison result cached for greater speed (the file is only rehashed on the first exec)
Developments
- shared libraries
- other hash methods
- now in the NetBSD -current kernel source
- name changed to Verified Exec
- nothing is signed, just verified (a list of hashes, not signatures)
Discussion occurred
- verifying executables on untrusted media, such as NFS and SAN
- "the most vocal people are the ones who think your code is a pile of poo"
- NFS/SAN not in the design spec
- the in-tree code assumes the underlying media can be trusted, because of caching (the verdict is cached at exec time and not rechecked afterwards)
Untrusted media
- the kernel assumes that it has total control over everything
- trojan-proof, interesting, much like the initial thoughts on Verified Exec (???)
- handles untrusted media by checking it every time
- e.g. sendmail served from NFS: the check only happens at exec time
- if the binary is overwritten on the server and its pages are forced out of memory, the page is re-read from the changed binary; the cached exec-time verdict is never revisited
- demonstration code exists to exploit this
- fix: verify pages as they are loaded
  - need to track a fingerprint of every single page
  - [ prevent changes to the executable file, require replacement instead??? No, that would still need to trust the file server ]
  - need to modify the pager code
  - when the pager loads a page from storage, that page's fingerprint is evaluated
  - if no match, horrible death
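The two designs described above, as an added example that is not NetBSD's code or the speaker's: a Python simulation of the exec-time whole-file check with its cached verdict, and of the per-page check done in the pager. The three-page "binary", the path, the page size, the hash choice (SHA-256 in place of the original MD5) and the "file server overwrites the binary after exec" scenario are all constructed for this illustration.

```python
import hashlib

PAGE_SIZE = 4096                       # page granularity assumed for the per-page scheme
PATH = "/usr/sbin/sendmail"            # hypothetical path, served from an NFS server below

# Constructed three-page "binary" and a copy whose middle page an attacker replaced.
ORIGINAL = b"\x7fELF" + b"A" * (PAGE_SIZE - 4) + b"B" * PAGE_SIZE + b"C" * PAGE_SIZE
TROJANED = ORIGINAL[:PAGE_SIZE] + b"X" * PAGE_SIZE + ORIGINAL[2 * PAGE_SIZE:]


def fingerprint(data, algo="sha256"):
    # Signed Exec used MD5; "other hash methods" came later. SHA-256 is assumed here.
    return hashlib.new(algo, data).hexdigest()


def whole_file_list(images, algo="sha256"):
    """The fingerprint list loaded into kernel memory: one hash per binary."""
    return {path: fingerprint(data, algo) for path, data in images.items()}


def per_page_list(images, algo="sha256"):
    """One fingerprint per PAGE_SIZE chunk of each binary, for page-in checks."""
    return {path: [fingerprint(data[i:i + PAGE_SIZE], algo)
                   for i in range(0, len(data), PAGE_SIZE)]
            for path, data in images.items()}


class VerifiedExecError(Exception):
    """Where the kernel would refuse the exec, or kill the process at page-in."""


def exec_check(path, storage, fplist, cache, algo="sha256"):
    """Exec-time check: hash the on-disk image and allow only on a match.
    The verdict is cached so the whole file is not rehashed on every exec.
    Returns True when the cached verdict was used, False when it had to hash."""
    if cache.get(path):
        return True
    if path not in fplist:
        raise VerifiedExecError(path + ": no fingerprint loaded")
    if fingerprint(storage[path], algo) != fplist[path]:
        raise VerifiedExecError(path + ": fingerprint mismatch")
    cache[path] = True
    return False


class Pager:
    """Simulated pager: re-reads a page from backing store when it was forced
    out of memory and, if given per-page fingerprints, verifies it first."""

    def __init__(self, storage, page_fps=None, algo="sha256"):
        self.storage, self.page_fps, self.algo = storage, page_fps, algo

    def page_in(self, path, pageno):
        data = self.storage[path][pageno * PAGE_SIZE:(pageno + 1) * PAGE_SIZE]
        if self.page_fps is not None:
            if fingerprint(data, self.algo) != self.page_fps[path][pageno]:
                raise VerifiedExecError("%s page %d: fingerprint mismatch" % (path, pageno))
        return data


def nfs_swap_scenario(verify_pages):
    """sendmail passes the exec-time check, then the file server swaps the
    binary and page 1 is forced out and re-read. Returns what happened."""
    storage = {PATH: ORIGINAL}                   # what the untrusted server serves now
    fplist = whole_file_list(storage)
    page_fps = per_page_list(storage) if verify_pages else None
    exec_check(PATH, storage, fplist, cache={})  # passes: the image is pristine
    storage[PATH] = TROJANED                     # server-side overwrite after exec
    try:
        data = Pager(storage, page_fps).page_in(PATH, 1)
    except VerifiedExecError:
        return "page-in refused"
    return "trojaned page loaded" if data == b"X" * PAGE_SIZE else "clean page loaded"


if __name__ == "__main__":
    print("exec-time check only:", nfs_swap_scenario(False))
    print("per-page check:      ", nfs_swap_scenario(True))
```

The cache in `exec_check` is the weak point the discussion was about: once a path has a cached verdict, a later exec of a binary the server has since replaced still passes, and only the pager-side check catches the replaced page when it is re-read.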
Implications
- no need to trust the binaries on the system
- don't need to have control over the file server
- files can be served from anywhere
- [ can the kernel be replaced? ]
- [ can data files be tampered with to cause a security compromise? ]
- [ where is the verification data stored? ]
- kernel-level Tripwire
- ptrace????
- /dev/mem and /dev/kmem??? turned off with the securelevel setting
  - securelevel 2: cannot open /dev/mem, can't open raw disk devices, etc.
  - raised securelevel => cannot change the fingerprints
- libraries are PIC, so their text pages are not rewritten at load time and the page fingerprints stay valid
- upgrades to software?
  - go into single-user mode
- suited to firewalls, routers and other stable systems
- not for development systems
- not useful for 24/7 systems??? Use multiple systems