Subject: Re: TPE for NetBSD
To: Brett Lymn <blymn@baesystems.com.au>
From: Jason R. Fink <jrf@cyberspace.org>
List: tech-kern
Date: 06/03/2001 13:05:00
 
> Uhhhhh I did something that was almost akin to this about a year ago
> (I had not heard of Stephanie until just now).  What I did was have an
> in kernel list of md5 hashes associated with executables.  When an
> exec was done the md5 hash of the on disk executable was evaluated and
> compared with the in kernel one.  If the hashes matched then the exec
> proceeded.  If it did not match it would either just log the event or
> refuse execution depending on the secure level.  My patches would not
> only prevent an unknown executable from running (depending on the
> secure level) but also would refuse to run a trojan'ed copy of a
> binary on the trusted path.  Not only this, my patch would allow you
> to have shell scripts using a particular shell interpreter but
> _prevent_you_running_the_interpreter_directly_ so if you had
> /usr/local/bin/perl you could run perl scripts (as long as they had a
> valid md5 hash) but attempting to invoke /usr/local/bin/perl from the
> command line would fail.  The major flaws of what I have done (and, at
> a cursory look, Stephanie shares these faults):
> 
> 1) evil code can still be run by buffer overflowing an allowed program
> and then mmap'ing in evil cracker code and jumping in to it.
> 
> 2) the scheme only works properly for static binaries, if you can
> overwrite a system library then you are hosed.
> 
> I believe I can fix both of these holes with some changes to mmap and
> maybe open (hacking the open call has some other interesting side
> effects such as being able to validate arbitrary files for
> correctness).

I think I remember that.

> Note carefully that my scheme has a nearly undetectable impact on
> system performance despite evaluating a md5 hash for a binary (I do
> this only once and cache the result).  I have an ascii text document
> on what I have done (I did a talk on my scheme at a conference last
> year) if anyone is interested.
> 
> Some aspects of Stephanie do sound interesting - the multiple role
> facility could be something worth looking into.
> 
> FootNote: the only reason there is no patch for this today is that it
> got kicked around by an "I don't like it" crowd - not unlike what is
> happening with the console scrollback idea at the moment.  I have not
> dropped the idea totally; I think (as do some others) that it is a cool
> idea to have.  If I thought that I could get this into the kernel
> source as an _option_ without getting the living sh*t kicked out of me
> for no valid _technical_ reason on the mailing lists then I would dust
> off the mod and send-pr it.

Do you have the code and the docs up anywhere I can get to them?
It could not possibly hurt to look at them.

	jrf

--
Jason R. Fink
Email: jrf@cyberspace.org Web Page: http://www.cyberspace.org/~jrf/
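A userspace model of the exec-time hash check Brett describes above (an in-kernel table of MD5 digests per executable, the digest computed once and cached, log-or-refuse depending on the secure level, and an interpreter that may only run hashed scripts, never be invoked directly). This is an added illustration, not Brett's patch or anything from the NetBSD tree; the table layout, the cache key (inode, mtime, size), the `Verdict` names, the `ExecPolicy` class and the constructed sample files are all assumptions made here.

```python
"""
Userspace model of an exec-time MD5 allowlist with a digest cache and
securelevel-dependent enforcement.  Added example; not the patch from the
mail.  Everything below (class names, cache key, sample files) is assumed.
"""
import hashlib
import os
import tempfile
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"        # digest matched, exec proceeds
    LOG_ONLY = "log-only"  # violation at securelevel <= 0: log it, let exec proceed
    DENY = "deny"          # violation at securelevel >= 1: refuse the exec


def md5file(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()


class ExecPolicy:
    def __init__(self, table, securelevel):
        # table: path -> (expected hex md5, may_be_invoked_directly)
        self.table = dict(table)
        self.securelevel = securelevel
        self.cache = {}            # path -> ((ino, mtime_ns, size), hex md5)
        self.digests_computed = 0  # counts real hash evaluations (cache misses)
        self.log = []

    def digest(self, path):
        """MD5 of the on-disk image, recomputed only when the inode changes."""
        st = os.stat(path)
        key = (st.st_ino, st.st_mtime_ns, st.st_size)
        hit = self.cache.get(path)
        if hit is not None and hit[0] == key:
            return hit[1]
        d = md5file(path)
        self.cache[path] = (key, d)
        self.digests_computed += 1
        return d

    def _violation(self, msg):
        self.log.append(msg)
        return Verdict.DENY if self.securelevel >= 1 else Verdict.LOG_ONLY

    def check_exec(self, path, as_interpreter_for=None):
        entry = self.table.get(path)
        if entry is None:
            return self._violation(f"{path}: not in trusted table")
        expected, direct_ok = entry
        if self.digest(path) != expected:
            return self._violation(f"{path}: md5 mismatch (modified on disk)")
        if as_interpreter_for is None and not direct_ok:
            return self._violation(f"{path}: direct invocation of interpreter refused")
        if as_interpreter_for is None:
            # A #! script pulls in its interpreter; that image must pass too,
            # but it is allowed here because it runs on behalf of a hashed script.
            with open(path, "rb") as f:
                first = f.readline()
            if first.startswith(b"#!"):
                interp = first[2:].split()[0].decode()
                return self.check_exec(interp, as_interpreter_for=path)
        return Verdict.ALLOW


def demo(securelevel):
    """Builds constructed sample files and returns the verdict for each case."""
    with tempfile.TemporaryDirectory() as d:
        perl = os.path.join(d, "perl")
        script = os.path.join(d, "hello.pl")
        unknown = os.path.join(d, "unknown")
        with open(perl, "wb") as f:
            f.write(b"\x7fELF stand-in for an interpreter image (constructed)\n")
        with open(script, "wb") as f:
            f.write(b"#!" + perl.encode() + b"\nprint 1;\n")
        with open(unknown, "wb") as f:
            f.write(b"#!/bin/sh\necho not in the table\n")
        # perl may only serve as interpreter; the script may be exec'd directly
        table = {perl: (md5file(perl), False), script: (md5file(script), True)}
        pol = ExecPolicy(table, securelevel)
        r = {}
        r["script"] = pol.check_exec(script)
        r["script_again"] = pol.check_exec(script)
        r["digests_after_two_runs"] = pol.digests_computed  # cache: still 2
        r["perl_direct"] = pol.check_exec(perl)
        r["unknown"] = pol.check_exec(unknown)
        # Same path, changed (longer) contents: the cache key no longer matches
        with open(script, "wb") as f:
            f.write(b"#!" + perl.encode() + b"\n# modified after the table was built\n")
        r["modified_script"] = pol.check_exec(script)
        r["log"] = list(pol.log)
        return r


if __name__ == "__main__":
    for level in (0, 1):
        print(f"securelevel={level}")
        for k, v in demo(level).items():
            print(f"  {k}: {v}")
```

The model checks only the image handed to exec, which is exactly the boundary the two flaws in the mail describe: code mapped in afterwards via mmap, and shared libraries loaded by a dynamically linked binary, never pass through `check_exec`, so the hooks on mmap and open that Brett mentions are where the remaining coverage would have to come from.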