Subject: Re: Systrace policy fingerprints? (Re: finer grained IPNOPRIVPORTing)
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Brett Lymn <blymn@baesystems.com.au>
List: tech-security
Date: 05/26/2005 23:31:39
On Thu, May 26, 2005 at 09:08:50AM -0400, Thor Lancelot Simon wrote:
> 
> I can think of an _elegant_ way to solve this, involving combining
> veriexec and systrace, with some minor tweak to allow setuid operation
> (perhaps, since root would have to load the fingerprints of all the
> systrace policies into the kernel, in this case systrace should _always_
> behave as if invoked by root with -c uid of the actual invoking
>user).

Hmmm do you mean use veriexec to ensure the policy files are not
modified and only load files that have veriexec fingerprints loaded?
If you do then Elad may have already done what you need - part of what
he has done recently was add some sysctl knobs that give finer grain
control over veriexec - one of those knobs (the "strict" knob) can be
set such that files without fingerprints cannot be read.

> 
> However, if you think about the possibilities, I think you'll see what
> a powerful combination it would be.  For example, in the future, if
> veriexec knew about signatures instead of just fingerprints, one could
> associate default policies with executable signers...
>

I actually did have a look at doing this* but, unless I am mistaken,
this means dragging into the kernel a whole bunch more crypto stuff.
One alternative is to do the signature verification stuff at the
userland and pass in a struct to the kernel that indicates the
fingerprint was signed.  The big assumption with this is that the
fingerprint/signature loader has not been subverted (or replaced or
someone running some rogue code) in such a way as arbitrary data can
be passed into the kernel.

* sort of - at the time I was thinking about doing public key
encryption and allowing encrypted fingerprints to be loaded when
securelevel had been raised.  The idea being you could encrypt the
fingerprints offline with a private key, embed the public key into the
target kernel so the fingerprints could be decrypted and loaded.  We
would need asymmetric crypto in the kernel to do that though which I
didn't think was good.  Oh yeah, before anyone tells me, yes I do know
encryption is not the same as authentication (but successfully loading
valid fingerprints would prove the person knew the private secret) and
yes there is more to signing than just encryption :)

-- 
Brett Lymn