Hi,
Currently I am working on a project which intends to stop unauthorized
processes sending emails or messages to the internet. The goal of the
project is to tackle the Distributed Service Denial problem.
>From the experience on telecommunication at socket level, it is natural
for me to look at sys_connect().
My idea is that: every time when a process tries to make a connection,
the kernel checks whether the process has the permission to make such
connection. It requires:
1. The identification of the process. I chose the absolute path since
it is unique, can't be tempted.
2. A config file which contains connection rules for processes.
Currently, there are only two fields in a connection rule: <cmd path>
and <ip mask> e.g.
# <cmdpath> <mask>
/home/stao/test1 192.168.2.2
/usr/bin/ftp 255.255.255.255
where test1 can connect any port on local host 192.168.2.2 and ftp can
connect to ports of any ip address.
The <cmd path> does not have to be an absolute path in the config file,
but it has to be converted to it before the kernel can against it with
the current process identification.
I did not put any port restriction here in order to simplify the config
file. The drawback is that any process that wants to make connection
through socket has to have a rule in the config file. Another approach
is to borrow apache's authentication mechanism. In that case, we can
configure that all processes under one directory can make or to be
denied a socket connection.
It is true that sys_connect() only handle tcp and udp (and only in unix
and linux world :-)), but it should be able to block some flooded
emails sent by unauthorized processes.
I am not sure that it is a good idea to mess around sys_connect() or any
one want to put such restriction on their computer. I don't see amy
problem for the people who just use applications on their computers
though. Any suggestion?
Sen
--
Senhua Tao
Intensional Software Inc.
> I am not sure that it is a good idea to mess around sys_connect() or any
> one want to put such restriction on their computer. I don't see amy
> problem for the people who just use applications on their computers
> though. Any suggestion?
Most systems do this by role based security. You might want to have a look
at the LSM patch and the NSA security module, as well perhaps at the RSBAC
security project. The LSM and NSA modules can I suspect not only deal with
connect based cases but a lot more
In article <[email protected]> you write:
>Hi,
>
>Currently I am working on a project which intends to stop unauthorized
>processes sending emails or messages to the internet. The goal of the
>project is to tackle the Distributed Service Denial problem.
>
>From the experience on telecommunication at socket level, it is natural
>for me to look at sys_connect().
>My idea is that: every time when a process tries to make a connection,
>the kernel checks whether the process has the permission to make such
>connection. It requires:
>1. The identification of the process. I chose the absolute path since
>it is unique, can't be tempted.
Identification of processes is hard. Even if you identify which
program was execed (eg. via /proc/<pid>/exe), that doesn't help
you. For example, if I set LD_PRELOAD or LD_LIBRARY_PATH to cause the
program to link with a library that I control, then I have complete
control over what code gets run. Alternatively, I can control the
process by attaching to it with ptrace.
If you're going to stick with something approximating unix, then you
can prevent tampering by making the program privileged (eg. by making
the program setuid). Having done that, you're in a much better
position to enforce policy. You can use netfilter to firewall out
connections to port 25 from your users, and to enable the privileged
user (ie. the uid used by your MTA during remote deliveries) to make
connections.
>2. A config file which contains connection rules for processes.
>Currently, there are only two fields in a connection rule: <cmd path>
>and <ip mask> e.g.
> # <cmdpath> <mask>
> /home/stao/test1 192.168.2.2
> /usr/bin/ftp 255.255.255.255
>
>where test1 can connect any port on local host 192.168.2.2 and ftp can
>connect to ports of any ip address.
Access control based on program filenames in unix is in the class of
problems where you "don't start from here." The mechanisms used by
unix for access control are almost entirely based on uids and gids,
and you are much better off working within this constraint. If you
don't, you may end up with code that's very hard to check for
correctness.
Peter