Subject: Re: TPE for NetBSD
To: Jason R. Fink <firstname.lastname@example.org>
From: Brett Lymn <email@example.com>
Date: 06/03/2001 18:43:14
According to Jason R. Fink:
>I stumbled across this:
>is there any interest in this sort of thing for NetBSD?
Uhhhhh I did something that was almost akin to this about a year ago
(I had not heard of Stephanie until just now). What I did was have an
in kernel list of md5 hashes associated with executables. When an
exec was done the md5 hash of the on disk executable was evaluated and
compared with the in kernel one. If the hashes matched then the exec
proceeded. If it did not match it would either just log the event or
refuse execution depending on the secure level. My patches would not
only prevent an unknown executable from running (depending on the
secure level) but also would refuse to run a trojan'ed copy of a
binary on the trusted path. Not only this, my patch would allow you
to have shell scripts using a particular shell interpreter but
_prevent_you_running_the_interpreter_directly_ so if you had
/usr/local/bin/perl you could run perl scripts (as long as they had a
valid md5 hash) but attempting to invoke /usr/local/bin/perl from the
command line would fail. The major flaws of what I have done (and, at
a cursory look, Stephanie shares these faults):
1) evil code can still be run by buffer overflowing an allowed program
and then mmap'ing in evil cracker code and jumping in to it.
2) the scheme only works properly for static binaries, if you can
overwrite a system library then you are hosed.
I believe I can fix both of these holes with some changes to mmap and
maybe open (hacking the open call has some other interesting side
effects such as being able to validate arbitrary files for
Note carefully that my scheme has a nearly indetectable impact on
system performance despite evaluating a md5 hash for a binary (I do
this only once and cache the result). I have an ascii text document
on what I have done (I did a talk on my scheme at a conference last
year) if anyone is interested.
Some aspects of Stephanie do sound interesting - the multiple role
facility could be something worth looking in to.
FootNote: the only reason there is no patch for this today is that it
got kicked around by an "I don't like it" crowd - not unlike what is
happening with the console scrollback idea at the moment. I have not
dropped the idea totally I think (as do some others) that it is a cool
idea to have. If I thought that I could get this into the kernel
source as an _option_ without getting the living sh*t kicked out of me
for no valid _technical_ reason on the mailing lists then I would dust
off the mod and send-pr it.
Brett Lymn, Computer Systems Administrator, BAE SYSTEMS