From owner-freebsd-security@FreeBSD.ORG Mon May 28 12:15:36 2007
From: "Zhouyi Zhou" <zhouzhouyi@ercist.iscas.ac.cn>
To: freebsd-security@freebsd.org
Cc: mlaier@FreeBSD.org
Date: Mon, 28 May 2007 20:17:52 +0800
Subject: Has anyone configured "synproxy state" before? (Sorry for the previous base64-encoded mail caused by M$ Outlook)

Hi everyone (in particular Max :-)),

The configuration line in my pf.conf is:

    pass in quick on lo0 proto tcp from any to any port 21 flags S/SA synproxy state

But: the connection is established, but control does not seem to pass to the ftpd.

Sincerely yours,
Zhouyi Zhou
From owner-freebsd-security@FreeBSD.ORG Tue May 29 10:49:00 2007
From: zhouyi zhou <zhouzhouyi@ercist.iscas.ac.cn>
To: freebsd-pf@freebsd.org
Cc: freebsd-security@freebsd.org
Date: Tue, 29 May 2007 18:50:33 +0800
Organization: Institute of Software
Subject: (Security Regression Testsuites) Request for comments

Dear All,

I am a student enrolled in Google Summer of Code 2007. My job is to write security regression test suites for FreeBSD under the guidance of my mentor, Dr. Robert Watson. With his encouragement, I am writing the following request for comments (RFC :-)).

//////////////////////////////////////////////////////////////
What I plan to do:

1) To test the stability of the Mandatory Access Control and Audit subsystems of FreeBSD and TrustedBSD.
   Background:
   a) Many other modules in FreeBSD, such as PF, IPFW, IPSec and VIMAGE, had ignored the existence of Mandatory Access Control: they generated mbufs without a Mandatory Access Control tag. Many of these have been corrected.
   b) The audit subsystem's handling of a full audit disk is wrong in its locking of vnodes.

2) To test the correct enforcement of the various access controls (Mandatory Access Control, ACLs, and privileges in jail).
   Goal: to prevent access-right violations of the designer's intention.

3) The consistency between the Mandatory Access Control label generated by a userland application and the label the kernel actually handles.

4) To test the various firewalls and IPSec.

///////////////////////////////////////////////////////////////
What I have done:

1) Investigated the Linux Test Project, especially for SELinux.
2) Investigated the stress2 package for FreeBSD.
3) Summarised the reasons for, and the resolution of, the conflicts between Mandatory Access Control and PF, IPFW, IPSec and VIMAGE.
4) Wrote a pair of pseudo-Ethernet interfaces, following the idea of another SoCer, Dr. Nanjun Li, and O'Reilly's , so that the network tests can be done on a single machine.

///////////////////////////////////////////////////////////////
Where I am still confused:

1) Which area and direction should I focus on? The security subsystem in FreeBSD is large; which area deserves a test suite with higher priority?
2) The general structure of the test suite: will it be a userland application package like stress2, or include a cooperating kernel module (like security/mac_test)?
3) How to write a test suite that will prevent further violations of security instead of testing the cases which are already corrected.
   PF, IPFW and IPSec have already corrected their conflicts with Mandatory Access Control. I think the test cases for the already corrected problems will not discover newly generated problems. For example: a test case for PF's synproxy state rule only verifies that PF correctly adds a correct Mandatory Access Control tag in function pf_send_tcp; how do we discover a problem which may be created in the future by creating an mbuf without a correct Mandatory Access Control tag in a new function?

///////////////////////////////////////////////////////////////////
Finally, I owe great thanks for suggestions of various kinds, not limited to the above.

Sincerely yours,
Zhouyi Zhou
Institute of Software, Chinese Academy of Sciences

From owner-freebsd-security@FreeBSD.ORG Tue May 29 22:57:04 2007
From: "Kirill Bolshakov" <kirill.bolshakov@gmail.com>
To: freebsd-security@freebsd.org
Date: Wed, 30 May 2007 02:32:44 +0400
Subject: LoMAC module: cannot get clearance level revoked

Hello Almighty All,

I am trying to get the LoMAC module to revoke a user's privileges. In my test setup, a user with a higher clearance tries to open a lower-clearance file for reading. After that, the process label of the user's process is checked. As a final test, the user's process tries to write to a file with the higher integrity label. And he succeeds.

Please find my test setup, including the test program, below. I will be grateful for any advice you may have.

I am using FreeBSD 6.1. All MAC stuff is enabled, the corresponding module is loaded, and other models evaluated (Biba, MLS, combo).
Thanks,
Kirill

=== TEST PROGRAM ===
#include <sys/types.h>
#include <sys/mac.h>
#include <stdio.h>
#include <stdlib.h>

/* Print the MAC label of the file named fname. */
void printfilelabel(const char *fname)
{
	mac_t filelabel;
	char *buf;

	if (0 != mac_prepare_file_label(&filelabel)) {
		fprintf(stderr, "printfilelabel(%s): failed to prepare label\n", fname);
		exit(-1);
	}
	if (0 != mac_get_file(fname, filelabel)) {
		fprintf(stderr, "printfilelabel(%s): failed to get label\n", fname);
		exit(-1);
	}
	if (0 != mac_to_text(filelabel, &buf)) {
		fprintf(stderr, "printfilelabel(%s): failed to convert label\n", fname);
		exit(-1);
	}
	printf("\tfilelabel(%s) is %s\n", fname, buf);
	free(buf);
	mac_free(filelabel);
}

/* Print the MAC label of the calling process. */
void printmylabel(void)
{
	mac_t mylabel;
	char *buf;

	if (0 != mac_prepare_process_label(&mylabel)) {
		fprintf(stderr, "printmylabel: failed to prepare label\n");
		exit(-1);
	}
	if (0 != mac_get_proc(mylabel)) {
		fprintf(stderr, "printmylabel: failed to get label\n");
		exit(-1);
	}
	if (0 != mac_to_text(mylabel, &buf)) {
		fprintf(stderr, "printmylabel: failed to convert label\n");
		exit(-1);
	}
	printf("\tMy label is %s\n", buf);
	free(buf);
	mac_free(mylabel);
}

int main(int argc, char **argv)
{
	FILE *f;

	if (argc != 3)
		return -1;
	printmylabel();
	printfilelabel(argv[1]);
	printf("Try to open %s for reading...\n", argv[1]);
	f = fopen(argv[1], "r");
	if (f) {
		/*printf( "Boo! read by lomac/high!\n" );*/
		printf("Open for reading succeeded for %s\n", argv[1]);
		printmylabel();
		printfilelabel(argv[1]);
		fclose(f);
		f = NULL;
		printmylabel();
		printfilelabel(argv[2]);
		printf("Try to open %s for writing\n", argv[2]);
		f = fopen(argv[2], "w");
		if (f) {
			printmylabel();
			printf("Succeeded in opening %s for writing\n", argv[2]);
			printfilelabel(argv[2]);
			fclose(f);
			printfilelabel(argv[2]);
			printmylabel();
		} else {
			printf("Unable to open %s for writing!\n", argv[2]);
		}
	} else {
		printf("Unable to open %s for reading!\n", argv[1]);
	}
	return 0;
}
=== END OF TEST PROGRAM ===

=== TWO TEST FILES ===
The program was run like this:
    ./lomactest testlow test
and the files had these labels:
    testlow: lomac/low
    test:    lomac/high
=== END OF TWO TEST FILES ===

=== LOGIN CLASS ===
lmsecure:\
	:copyright=/etc/COPYRIGHT:\
	:welcome=/etc/motd:\
	:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
	:path=~/bin:/sbin:/bin:/usr/sbin:/user/bin:/usr/local/sbin:usr/local/bin:\
	:manpath=/usr/share/man /usr/local/man:\
	:nologin=/usr/sbin/nologin:\
	:cputime=1h30m:\
	:datasize=8M:\
	:vmemoryuse=100M:\
	:stacksize=2M:\
	:memorylocked=4M:\
	:memoryuse=8M:\
	:filesize=8M:\
	:coredumpsize=8M:\
	:openfiles=24:\
	:maxproc=32:\
	:priority=0:\
	:requirehome:\
	:passwordtime=91d:\
	:umask=022:\
	:ignoretime@:\
	:label=lomac/high(high-high):
=== END OF LOGIN CLASS ===

=== PROGRAM RUN RESULT ===
	My label is lomac/high(high-high)
	filelabel(testlow) is lomac/low
Try to open testlow for reading...
Open for reading succeeded for testlow
	My label is lomac/high(high-high)
	filelabel(testlow) is lomac/low
	My label is lomac/high(high-high)
	filelabel(test) is lomac/high
Try to open test for writing
	My label is lomac/high(high-high)
Succeeded in open test for writing
	filelabel(test) is lomac/high
	filelabel(test) is lomac/high
	My label is lomac/high(high-high)
=== END OF PROGRAM RUN RESULT ===

From owner-freebsd-security@FreeBSD.ORG Wed May 30 11:34:44 2007
From: Robert Watson <rwatson@FreeBSD.org>
To: zhouyi zhou <zhouzhouyi@ercist.iscas.ac.cn>
Cc: freebsd-security@freebsd.org, trustedbsd-discuss@FreeBSD.org
Date: Wed, 30 May 2007 12:08:52 +0100 (BST)
Subject: Re: (Security Regression Testsuites) Request for comments
On Tue, 29 May 2007, zhouyi zhou wrote:

> Where I am still confused:
>
> 1) Which area and direction should I focus on? The security subsystem in
> FreeBSD is large; which area deserves a test suite with higher priority?

Off-hand, my feeling is I'd like us to consider three areas of testing:

- Correctness testing, in which we test general and edge cases in access
  control to make sure both the infrastructure and policies operate correctly.
  For example, using test policies to validate that the MAC Framework is
  correctly implemented, and using tests on real policies to determine that
  the real policies implement the desired access control. Likewise, for
  audit, making sure that the right records are generated with the right
  tokens for the right events, that the selection model works, etc.

- Stability testing, in which we test general and edge cases to make sure the
  system is stable, especially under load, etc.

- ABI/API life cycle testing, in which we confirm that key data structures in
  the ABI remain stable over time, and that the interpretation remains
  consistent. For example, the persisting data structures in on-disk labels,
  audit record formats, etc.

Obviously, doing all this in one summer is well out of scope, but I think some useful in-roads can be made in testing key areas, such as making sure that file system protections with MLS and Biba are correct, tests for audit, and so on. You may want to look at Pawel's and my existing file system test tools (src/tools/regression in 7-CURRENT) to see some areas and approaches to testing.
> 2) The general structure of the test suite: will it be a userland application
> package like stress2, or include a cooperating kernel module (like
> security/mac_test)? 3) How to write a test suite that will prevent further
> violations of security instead of testing the cases which are already corrected.
> PF, IPFW and IPSec have already corrected their conflicts with Mandatory
> Access Control. I think the test cases for the already corrected problems
> will not discover newly generated problems. For example: a test case for
> PF's synproxy state rule only verifies that PF correctly adds a correct tag
> for Mandatory Access Control in function pf_send_tcp; how do we discover a
> problem which may be created in the future by creating an mbuf without a
> correct Mandatory Access Control tag in a new function?

I would suggest starting with a small set of test projects to evaluate approaches. For example:

(1) Consider adding a new test policy coupled with userland tools to make sure
    that access control checks occur as required for each system call.

(2) Add a set of user space tests that confirm that MLS is properly
    implemented for each system call.

(3) Add a set of user space tests that confirm that, for each system call, the
    right audit records are generated with the right tokens.

(4) Add a set of user space tests to confirm that audit record preselection is
    properly implemented.

These are a bit more bounded in scope, and should start to bring out common aspects to testing across security functions (i.e., "foreach system call").

Robert N M Watson
Computer Laboratory
University of Cambridge
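Kirill's LoMAC run and Robert's per-system-call user-space tests both need the same thing: an oracle that states what a correct policy should have done at each step, so the kernel's observed behaviour can be diffed against it. The Python below is an added example, not code from this thread and not FreeBSD's mac_lomac(4) implementation. It models a two-level low-watermark integrity policy (with strict Biba beside it for comparison) and drives Kirill's scenario through both models as a list of (operation, object) steps. Two assumptions are built in and marked in the code: the model treats a successful read of lower-integrity data as the demoting event (whether mac_lomac(4) demotes at open(2) or only once data is actually read is not settled by this thread, and the test program above only opens the file), and the "(high-high)" range suffix in the printed labels is dropped so that labels compare as plain strings.

```python
"""Reference model of a low-watermark (LoMAC-style) integrity policy used as
a test oracle.  Added example: not FreeBSD's mac_lomac(4) code and not code
from the mailing-list thread."""

LOW, HIGH = 0, 1                       # two integrity levels, as in the thread
NAME = {LOW: "lomac/low", HIGH: "lomac/high"}


class Subject:
    def __init__(self, level):
        self.level = level
        self.trace = []                # record of label changes


class Obj:
    def __init__(self, name, level):
        self.name = name
        self.level = level


class LowWatermark:
    """Low-watermark integrity: any read is allowed, but reading data of lower
    integrity demotes the subject to that level.  ASSUMPTION of this model:
    the read itself is the demoting event.  Writes need subject >= object."""

    def read(self, s, o):
        if o.level < s.level:
            s.trace.append(f"{NAME[s.level]} -> {NAME[o.level]} after reading {o.name}")
            s.level = o.level
        return True

    def write(self, s, o):
        return s.level >= o.level


class BibaStrict:
    """Strict Biba for comparison: no read down, no write up, labels never move."""

    def read(self, s, o):
        return o.level >= s.level

    def write(self, s, o):
        return s.level >= o.level


def run_steps(policy, subject_level, objects, steps):
    """Drive the model through (operation, object) steps, the way a
    per-system-call test would.  Each result is
    (operation, object, allowed, subject label after the step)."""
    s = Subject(subject_level)
    results = []
    for op, name in steps:
        allowed = getattr(policy, op)(s, objects[name])
        results.append((op, name, allowed, NAME[s.level]))
    return results


def mismatches(expected, observed):
    """Oracle check: the steps where the kernel's observed outcome differs
    from what the model predicts."""
    return [(e, o) for e, o in zip(expected, observed) if e != o]


# Kirill's scenario: files labelled lomac/low and lomac/high, subject starts high.
OBJECTS = {"testlow": Obj("testlow", LOW), "test": Obj("test", HIGH)}
STEPS = [("read", "testlow"), ("write", "test")]

# Transcribed from the run output in the thread: both operations succeeded and
# the process label stayed lomac/high throughout (the "(high-high)" range
# suffix is dropped here by assumption, so labels compare as plain strings).
OBSERVED = [("read", "testlow", True, "lomac/high"),
            ("write", "test", True, "lomac/high")]


def lomac_expected():
    return run_steps(LowWatermark(), HIGH, OBJECTS, STEPS)


def biba_expected():
    return run_steps(BibaStrict(), HIGH, OBJECTS, STEPS)


def lomac_diff():
    """Steps where the observed run disagrees with the low-watermark model."""
    return mismatches(lomac_expected(), OBSERVED)


if __name__ == "__main__":
    for label, exp in (("low-watermark", lomac_expected()),
                       ("Biba strict", biba_expected())):
        print(label, "model:", exp)
    for e, o in lomac_diff():
        print("MISMATCH expected", e, "observed", o)
```

Run as a script, the low-watermark model predicts the subject drops to lomac/low after the read and is then refused the write to the high file, so both of Kirill's observed steps come out as mismatches; under strict Biba the read itself would have been refused. The same `run_steps`/`mismatches` shape extends to Robert's "foreach system call" idea: the step list becomes the set of system calls exercised, and the model is swapped for MLS or whichever policy is under test.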