ce0ef6cfc4
fileassoc.diff adds a fileassoc_table_run() routine that allows you to pass a callback to be called with every entry on a given mount. veriexec.diff adds some raw device access policies: if raw disk is opened at strict level 1, all fingerprints on this disk will be invalidated as a safety measure. level 2 will not allow opening disk for raw writing if we monitor it, and prevent raw writes to memory. level 3 will not allow opening any disk for raw writing. both update all relevant documentation. veriexec concept is okay blymn@.
368 lines
11 KiB
Groff
368 lines
11 KiB
Groff
.\" $NetBSD: veriexec.9,v 1.4 2006/08/11 19:17:47 christos Exp $
|
|
.\"
|
|
.\" Copyright 2006 Elad Efrat <elad@NetBSD.org>
|
|
.\" Copyright 2006 Brett Lymn <blymn@NetBSD.org>
|
|
.\"
|
|
.\" This code is derived from software contributed to The NetBSD Foundation
|
|
.\" by Brett Lymn and Elad Efrat
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Neither the name of The NetBSD Foundation nor the names of its
|
|
.\" contributors may be used to endorse or promote products derived
|
|
.\" from this software without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
.\" POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.Dd August 10, 2006
|
|
.Dt VERIEXEC 9
|
|
.Os
|
|
.Sh NAME
|
|
.Nm veriexec
|
|
.Nd in-kernel file integrity subsystem KPI
|
|
.Sh SYNOPSIS
|
|
.In sys/verified_exec.h
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
is the KPI for Veriexec,
|
|
the
|
|
.Nx
|
|
in-kernel file integrity subsystem.
|
|
It is responsible for managing the supported hashing algorithms, fingerprint
|
|
calculation and comparison, file monitoring tables, and relevant hooks to
|
|
enforce the Veriexec policy.
|
|
.Pp
|
|
This manual divides the
|
|
.Nm
|
|
KPI to four main areas: core, fingerprint related, table management, and hook
|
|
handlers.
|
|
.Ss Data-structures
|
|
.Nm
|
|
uses several data-structures to manage its data:
|
|
.Bl -tag -width "123456"
|
|
.It Ft "struct veriexec_fp_ops"
|
|
Describes a hashing algorithm, for example MD5, SHA1, RMD160.
|
|
Contains the following members:
|
|
.Bl -tag -width "123456"
|
|
.It Ft "char type[VERIEXEC_TYPE_MAXLEN]"
|
|
Name of the hashing algorithm.
|
|
.It Ft size_t hash_len
|
|
Length, in bytes,
|
|
.It Ft size_t context_size
|
|
Size, in bytes, of the calculation context.
|
|
.It Ft VERIEXEC_INIT_FN Ar init
|
|
.It Ft VERIEXEC_UPDATE_FN Ar update
|
|
.It Ft VERIEXEC_FINAL_FN Ar final
|
|
Routines used to calculate the fingerprint.
|
|
.El
|
|
.Pp
|
|
.Nm
|
|
provides a macro,
|
|
.Fn VERIEXEC_OPINIT ,
|
|
to ease initialization of a
|
|
.Ft "struct veriexec_fp_ops"
|
|
(see below).
|
|
.It Ft "struct veriexec_file_entry"
|
|
Describes Veriexec data associated with a single file.
|
|
Contains the following members:
|
|
.Bl -tag -width "123456"
|
|
.It Ft u_char Ar type
|
|
The entry type, indicating what valid access types are allowed for this file.
|
|
Can be a binary-OR'd combination of the following:
|
|
.Bl -tag -width "123456"
|
|
.It Dv VERIEXEC_DIRECT
|
|
The file can be executed directly.
|
|
.It Dv VERIEXEC_INDIRECT
|
|
The file can be executed indirectly, for example, as a script interpreter.
|
|
.It Dv VERIEXEC_FILE
|
|
The file can be opened, for example for reading and/or writing.
|
|
.El
|
|
.It Ft u_char Ar status
|
|
The evaluation status.
|
|
Can be one of the following:
|
|
.Bl -tag -width "123456"
|
|
.It Dv FINGERPRINT_NOTEVAL
|
|
Fingerprint hasn't been evaluated yet.
|
|
.It Dv FINGERPRINT_VALID
|
|
The fingerprint was found to be valid.
|
|
.It Dv FINGERPRINT_NOMATCH
|
|
There was a fingerprint mismatch.
|
|
.El
|
|
.It Ft u_char Ar page_fp_status
|
|
Unused.
|
|
.It Ft "u_char *" Ar fp
|
|
The fingerprint for the file.
|
|
.It Ft "void *" Ar page_fp
|
|
.It Ft size_t Ar npages
|
|
.It Ft size_t Ar last_page_size
|
|
Unused.
|
|
.It Ft "struct veriexec_fp_ops *" Ar ops
|
|
Algorithm used to calculate the fingerprint for this file.
|
|
.El
|
|
.It Ft "struct veriexec_table_entry"
|
|
Describes Veriexec data associated with a mount.
|
|
Contains the following members:
|
|
.Bl -tag -width "123456"
|
|
.It Ft uint64_t Ar vte_count
|
|
Number of Veriexec entries (monitored files) on the mount.
|
|
.It Ft "const struct sysctlnode *" Ar vte_node
|
|
The
|
|
.Xr sysctl 9
|
|
node for the mount, with information about the number of monitored files,
|
|
file-system type, and mount point.
|
|
.El
|
|
.El
|
|
.Ss Core Routines
|
|
.Bl -tag -width "123456"
|
|
.It Ft "struct veriexec_file_entry *vfe" Fn veriexec_lookup "struct vnode *vp"
|
|
Lookup private Veriexec data associated with
|
|
.Ar vp .
|
|
Returns
|
|
.Dv NULL
|
|
if file is not monitored by Veriexec.
|
|
.It Ft int Fn veriexec_verify "struct lwp *l" "struct vnode *vp" \
|
|
"u_char *name" "int flag" "struct veriexec_file_entry **vfep"
|
|
Verifies the digital fingerprint of
|
|
.Ar vp .
|
|
.Ar name
|
|
is the filename, and
|
|
.Ar flag
|
|
is the access flag.
|
|
The access flag can be one of:
|
|
.Bl -tag -width "123456"
|
|
.It Dv VERIEXEC_DIRECT
|
|
The file was executed directly via
|
|
.Xr execve 2 .
|
|
.It Dv VERIEXEC_INDIRECT
|
|
The file was executed indirectly, most likely as an interpreter for a script.
|
|
.It Dv VERIEXEC_FILE
|
|
The file was opened, most chances are by
|
|
.Xr open 2 .
|
|
.El
|
|
.Pp
|
|
.Ar l
|
|
is the LWP for the request context.
|
|
.Pp
|
|
An optional argument,
|
|
.Ar vfep ,
|
|
is a pointer to return the Veriexec file entry, if one was found.
|
|
.It Ft void Fn veriexec_report "const u_char *msg" "u_char *name" \
|
|
"struct lwp *l" "int flags"
|
|
Log a Veriexec message in
|
|
.Ar msg
|
|
for file
|
|
.Ar name .
|
|
.Ar l
|
|
is optionally the LWP context in question.
|
|
.Pp
|
|
.Ar flags
|
|
control how the message will be formatted, where will it be logged to, and
|
|
whether the system should panic after posting it.
|
|
Flags can be binary-OR'd together.
|
|
Available flags include:
|
|
.Bl -tag -width "123456"
|
|
.It Dv REPORT_ALWAYS
|
|
The message should always be printed.
|
|
This is a synonym for 0.
|
|
.It Dv REPORT_VERBOSE
|
|
The message should be printed only if Veriexec is in verbose mode.
|
|
.It Dv REPORT_DEBUG
|
|
The message should be printed only if Veriexec is in debug verbosity.
|
|
.It Dv REPORT_ALARM
|
|
The message is an alarm.
|
|
If
|
|
.Ar l
|
|
is not
|
|
.Dv NULL ,
|
|
user and process ids will be printed.
|
|
The log will be sent to the
|
|
.Em LOG_ALERT
|
|
syslog facility.
|
|
.It Dv REPORT_PANIC
|
|
The system should
|
|
.Xr panic 9
|
|
after posting the message.
|
|
.El
|
|
.El
|
|
.Ss Fingerprint Related Routines
|
|
These routines manage the supported fingerprinting algorithms, as well as
|
|
fingerprint calculation and comparison.
|
|
.Bl -tag -width "123456"
|
|
.It Ft void Fn veriexec_init_fp_ops "void"
|
|
Initialize the supported fingerprinting algorithms database.
|
|
Should be called only once during system startup.
|
|
.It Ft Fn veriexec_add_fp_ops "struct veriexec_fp_ops *ops"
|
|
Add fingerprinting ops
|
|
.Ar ops .
|
|
.Pp
|
|
.Nm
|
|
provides a macro to initialize
|
|
.Ar ops ,
|
|
called
|
|
.Fn VERIEXEC_OPINIT .
|
|
It takes seven parameters: a pointer to a
|
|
.Ft "struct veriexec_fp_ops" ,
|
|
a
|
|
.Ft "const char *"
|
|
describing the algorithm name (will be copied), the byte length of a binary
|
|
representation of a fingerprint as a
|
|
.Ft size_t ,
|
|
the size of the fingerprint calculation context (usually the
|
|
.Em _CTX
|
|
types),
|
|
and pointers to the initialization, update, and final routines, used to
|
|
calculate the fingerprint.
|
|
.It Ft "struct veriexec_fp_ops *" Fn veriexec_find_ops "u_char *name"
|
|
Lookup fingerprinting ops for algorithm
|
|
.Ar name .
|
|
.It Ft int Fn veriexec_fp_calc "struct lwp *l" "struct vnode *vp" \
|
|
"u_char *name" "struct veriexec_file_entry *vfe"
|
|
Calculate fingerprint and store evaluation for
|
|
.Ar vp .
|
|
.Ar name
|
|
is the filename,
|
|
.Ar vfe
|
|
is the Veriexec-private data for the file.
|
|
.It Ft int Fn veriexec_fp_cmp "struct veriexec_fp_ops *ops" "u_char *fp1" \
|
|
"u_char *fp2"
|
|
Compare two fingerprints in
|
|
.Ar fp1
|
|
and
|
|
.Ar fp2
|
|
using the common fingerprint ops in
|
|
.Ar ops .
|
|
.Pp
|
|
Two fingerprints must have been generated by the same algorithm.
|
|
.It Ft void Fn veriexec_purge "struct veriexec_file_entry *vfe"
|
|
Purge the file entry
|
|
.Ar vfe .
|
|
This invalidates the fingerprint so it will be evaluated next time the file
|
|
is accessed.
|
|
.El
|
|
.Ss Table Management Routines
|
|
.Bl -tag -width "123456"
|
|
.It Ft int Fn veriexec_hashadd "struct vnode *vp" \
|
|
"struct veriexec_file_entry *vfe"
|
|
Add a Veriexec entry for
|
|
.Ar vp
|
|
with data in
|
|
.Ar vfe .
|
|
.It Ft "struct veriexec_table_entry *vte" Fn veriexec_tblfind "struct vnode *vp"
|
|
Lookup table data for the mount
|
|
.Ar vp
|
|
is on.
|
|
.\" .It Ft Fn veriexec_newtable
|
|
.\" .It Ft Fn veriexec_load
|
|
.\" .It Ft Fn veriexec_delete
|
|
.\" .It Ft Fn veriexec_query
|
|
.El
|
|
.Ss Hook Handlers
|
|
Below are the routines called from code where Veriexec policy enforcement is
|
|
required.
|
|
.Bl -tag -width "123456"
|
|
.It Ft int Fn veriexec_renamechk "struct vnode *fromvp" \
|
|
"const char *fromname" "struct vnode *tovp" "const char *toname" \
|
|
"struct lwp *l"
|
|
Called when a file is renamed.
|
|
.Pp
|
|
.Ar fromvp
|
|
and
|
|
.Ar fromname
|
|
are the vnode and filename of the file being renamed.
|
|
.Ar tovp
|
|
and
|
|
.Ar toname
|
|
are the vnode and filename of the target file.
|
|
.Ar l
|
|
is the LWP renaming the file.
|
|
.Pp
|
|
Depending on the strict level,
|
|
.Nm
|
|
will either track changes appropriately or prevent the rename.
|
|
.It Ft int Fn veriexec_removechk "struct vnode *vp" "const char *name" \
|
|
"struct lwp *l"
|
|
Called when a file is removed.
|
|
.Pp
|
|
.Ar vp
|
|
is the vnode of the file being removed, and
|
|
.Ar name
|
|
is the filename.
|
|
.Ar l
|
|
is the LWP removing the file,
|
|
.Pp
|
|
Depending on the strict level,
|
|
.Nm
|
|
will either clean-up after the file or prevent its removal.
|
|
.It Ft int Fn veriexec_clear "void *data" "int what"
|
|
Passed as the
|
|
.Xr fileassoc 9
|
|
clean-up callback routine,
|
|
.Fn veriexec_clear
|
|
is responsible for garbage collection of unnecessary
|
|
.Nm
|
|
objects.
|
|
It is not meant to be called directly.
|
|
.It Ft int Fn veriexec_rawchk "struct vnode *vp"
|
|
Enforce raw disk access policy.
|
|
.Ar vp
|
|
is the vnode of the mount-point for the disk, if any.
|
|
.El
|
|
.Sh FILES
|
|
.Pa src/sys/dev/verified_exec.c
|
|
.Pa src/sys/kern/kern_verifiedexec.c
|
|
.Pa src/sys/sys/verified_exec.h
|
|
.Sh SEE ALSO
|
|
.Xr sysctl 3 ,
|
|
.Xr veriexec 4 ,
|
|
.Xr sysctl 8 ,
|
|
.Xr veriexecctl 8 ,
|
|
.Xr fileassoc 9
|
|
.Sh AUTHORS
|
|
.An Brett Lymn Aq blymn@NetBSD.org
|
|
.An Elad Efrat Aq elad@NetBSD.org
|
|
.Sh CAVEATS
|
|
There are two known issues with Veriexec that should be considered when
|
|
using it.
|
|
.Ss Remote File-systems
|
|
There is an issue providing protection for files residing on mounts from
|
|
remote hosts.
|
|
Because access to the file-system does not necessarily go through
|
|
.Nm ,
|
|
there is no way to track on-disk changes.
|
|
While it is possible to minimize the effect by evaluating the file's
|
|
fingerprint on each access without caching the result, a problem arises when
|
|
a file is overwritten after its fingerprint has been evaluated and it is
|
|
running on the local host.
|
|
.Pp
|
|
An attacker could potentially overwrite the file contents in the remote host
|
|
at that point, and force a flush on the local host, resulting in paging in
|
|
of the files from the disk, introducing malicious code into a supposedly
|
|
safe address space.
|
|
.Pp
|
|
There is a fix for this issue, however due to dependencies on other work
|
|
that is still in progress it has not been commited yet.
|
|
.Ss Layered File-systems
|
|
Due to VFS limitations,
|
|
.Nm
|
|
cannot track the same on-disk file across multiple layers of overlay
|
|
file-systems.
|
|
Therefore, you cannot expect changes to files on overlay mounts will be
|
|
detected simply because the underlying mount is monitored by
|
|
.Nm .
|
|
.Pp
|
|
A workaround for this issue is listing all files, under all mounts, you want
|
|
monitored in the signature file.
|