March 5th 2009, This project is no longer maintained. Please contact one of the project's admins if you wish to work on DSI or DigSig. Thanks !
This project page hosts two different (but related) projects:
- DigSig. This is a Linux kernel module, which checks RSA digital signatures of ELF binaries and libraries before they are run. Binaries are to be signed with BSign.
- DSI (Distributed Security Infrastructure). It is a security framework which
targets distributed environments, and is meant to address any specific
security issue such platforms may be concerned with. More particularly,
it is meant to address security needs of carrier-grade Linux clusters,
for the telecommunication domain.
DSI is an ongoing research project, supported
by Ericsson Research Canada
(Open Systems Lab).
DigSig currently offers:
Its latest stable release is digsig-1.5.
- run time signature verification of ELF binaries and shared libraries.
- support for file's signature revocation.
- a signature caching mechanism to enhance performances.
DSI currently offers user space tools, a kernel module and the following security services:
- a Distributed Access Control service (DisAC)
- a Distributed communications' Confidentiality and Integrity
Other services are being investigated (such
as secure distributed logging service - DisLog) but not yet
Currently, the latest
stable release of DSI is disec-0.3.
unstable release of DSI is disec-0.4
The DSI and the DigSig source code are being
released under the GNU Public License (GPL),
DSI documentation -
September 2003 [pdf] (newest
version available in CVS).
[R2] OSDL Carrier-Grade Linux Working Group, Security Requirements Definition,
Public Draft 0.1.
[R3] A. Apvrille - Evaluation of a
few security audit tools for Linux [pdf],
v0.4, April 2003.
[R4] The DigSig development team - The DigSig project [pdf], July 2005.
A. Apvrille, D. Gordon, DigSig novelties, Libre Software Meeting (LSM 2005), Security Topic, July 4-9 2005, Dijon, France [slides].
C. Leangsuksun, A. Tikotekar, M. Pourzandi, I. Haddad, Feasibility Study and Early Experimental Results Toward Cluster Survivability, to appear at Cluster Security Workshop (CCGrid 2005 Workshop 2), 2005 [pdf].
M. Pourzandi, D. Gordon, W. Yurcik, G. Koenig, Clusters and Security: Toward Distributed Security for Distributed Systems, to appear at Cluster Security Workshop (CCGrid 2005 Workshop 2), 2005 [pdf].
A. Apvrille, M. Pourzandi, XML Distributed Security Policy for Clusters, Computers & Security Journal (COSE91), Elsevier, vol.23, no.8, pp. 649-658, December 2004.
A. Apvrille, D. Gordon, S. Hallyn, M. Pourzandi, V. Roy, DigSig: Run-time authentication of binaries at kernel level, in the Proceedings of the 18th Large Installation System Administration Conference (LISA'04), pp. 59-66, Atlanta, November 14-19, 2004 [Abstract].
M. Pourzandi, A. Apvrille, Setting up
Virtual Security Zones in a Linux Cluster, Linux Journal, issue 126, October 2004.
M. Pourzandi, A New Distributed Security Model for Linux Clusters, in the Proceedings of the USENIX 2004 Annual Technical Conference, Extreme Linux Special Interest Group, pp. 231-236, June 27-July 2, 2004, [pdf].
A. Apvrille, M. Pourzandi, D. Gordon, V. Roy, Stop Malicious Code Execution at Kernel Level, Linux World, Vol.2, No.1, January 2004 [pdf][txt].
M. Pourzandi, A. Apvrille, E. Gingras, A. Medenou, D. Gordon, Distributed Access Control for Carrier
Class Clusters [pdf][slides], in the Proceedings of the
Distributed Processing Techniques and Applications (PDPTA'03),
Vegas, June 2003.
A. Apvrille, M. Pourzandi, Proteger
un reseau de machines distribuees contre un debordement de buffer...
d'un seul coup, in Multi System & Internet Security Cookbook
magazine, No. 7, May-June 2003, in French.
M. Zakrezewski, I. Haddad, Kernel
Korner: Linux Distributed Security Module [pdf], in Linux
Journal, October 2002.
I. Haddad, C. Levert, M. Pourzandi, M. Zakrezewski, DSI: a New Architecture for Secure
Carrier-Class Linux Clusters, in Linux Journal [html],
M. Pourzandi, I.
Haddad, C. Levert, M. Zakrezewski, M. Dagenais, DSI: a New Architecture for Secure
Carrier-Class Clusters [pdf],
in the Proceedings of IEEE Cluster
Haddad, C. Levert, M. Zakrezewski, M. Dagenais, A Distributed Security Infrastructure for
Carrier Class Linux Clusters [pdf][slides], in the Proceedings of Ottawa
Linux Symposium 2002.
Zakrezewski, Mandatory Access Control
for Linux Clustered Servers [pdf][slides], in the Proceedings of Ottawa Linux
C. Levert, M. Dagenais, Security
Policy Generation through Package Management [pdf][slides], in the
Proceedings of Ottawa
Linux Symposium 2002.
following table is used to follow up the evolution of DSI and related
| Project milestones
| Date started
|DigSig is created
|DigSig uses sysfs (v0.3)
|DigSig checks signature of shared libraries too (v1.0)
|Caching mechanism (v1.2)
|Signature revocation mechanism (v1.3)
|DSI - Created.
|DSI hosted on Sourceforge.
and implementation of the DisCI and DisAC service
|Design and implementation
of the Distributed Security Policy (DSP) + major update to the DisAC
|DSI ported to 2.5.66 kernels
|Design and implementation
of the File Integrity service
|Other developments related to DSI
|The Linux Secure Boot Kit
Buffer overflow attack stopped by DSI
[avi] - This small video
demonstrates a possible use of DSI. It may be
viewed with any AVI player.
We use a demonstration cluster, containing two nodes: glacier and
colby. First, we show, that initially,
the vulnerable program is exploitable, and potentially gives root
access to any user on both
machines (from a lmcaxpr shell, we gain root access). To solve this
problem, we suggest use of DSI on our
cluster. Glacier acts as both a Security Server and a Security Manager,
and Colby is another Security Manager.
We initialize the CORBA layer, assign an ScID 5 to the vulnerable
program, and load DSM in the kernel.
At this point, if we try to run the 'vulnerable' program, it fails
because DSI is too restrictive and does not
allow a shell to spawn a process of ScID 5. So, we update the
Distributed Security Policy (DSP), adding a rule
to allow ScID 5 to be launched. It is then possible to run
'vulnerable', and we notice that the buffer
overflow exploit does not work any longer ! So, with this DSP, we have
been able to make buffer overflow
exploits fail on all nodes of our cluster.
Finally, just for curiosity, we show the rule to be added for the
buffer overflow exploit to work again.
NB. We do not really stop buffer overflows exploits, but rather shell launching via a buffer overflow.
Sharing a Linux
DSI: resource theft exploit - The following screen captures
illustrate a possible exploit where two companies share the same
cluster, and one of them is illicitly capable of using resources owned
by the other one.
image 1 - PhoneMania and
RingBell share a Linux cluster made of two nodes: glacier and colby.
image 2 - Both companies
offer a quoting service, which is made of an Entry Point (EP) server
(to which customers connect), and a Back End (BE) server (which
performs the actual job). We launch the Back End server of PhoneMania
on glacier (126.96.36.199), and UDP port 8801.
image 3 - We also launch
RingBell's back end server on glacier, but on UDP port 9001.
image 4 - Now, we work on
colby: another node of the cluster. Its IP address is 188.8.131.52.
image 5 - We launch
PhoneMania's entry point on colby (184.108.40.206). It shall receive
incoming customer request on port 8800. BUT, the trick is that it
doesn't like to its own back end server, but to RingBell's back end
server (glacier on 220.127.116.11, port 9001). Connection succeeds without
image 6 - In this image, we
are just searching through our directory to find our sample customer
image 7 - On the bottom
right xterm window, we launch the client application for PhoneMania. It
basically communicates with PhoneMania's entry point server (colby on
18.104.22.168, port 8800). The customer sends several quotation requests.
Those requests are received by PhoneMania's entry point server (see
bottom left xterm)... and they are forwared to RingBell's back end
server ! (see upper right xterm). This is it: PhoneMania has been able
to use illicitly resources owned by RingBell (back end server). There
is no way to prevent this on an unsecure cluster.
In our article "Setting up Virtual Security Zones in a Linux Cluster" in Linux
Journal (October 2004), we show
how DSI handles such a
situation, and shares securely a Linux cluster among several operators.
In brief, this is done by setting different ScIDs to RingBell's and
PhoneMania's executables, and enforcing a no-sharing policy on all
nodes of the cluster.
Zakrzewski (Ericsson Research Canada)
- Charles Levert (Ericsson Research Canada)
- Marc Chatel (Ericsson Research Canada)
- Prof. Michel Dagenais (Polytechnique de Montreal)
- Dominic Pelerin (Sherbrooke University)
- Sann Yan (Sherbrooke University)
- Eric Gingras (UQAM)
- Alain Patrick Medenou (University of Montreal)
- Gabriel-Ioan Ivascu (Polytechnique de Montreal)
- Jean-Guillaume Paradis (Sherbrooke University)
- Radu Filip (Computer Science Faculty of Iasi)
- Phil Conan
(Polytechnique de Montreal)
- Makan Pourzandi
(Ericsson Research Canada)
- Axelle Apvrille (MISC Mag)
- Serge Hallyn (IBM)
- Anand Anil Tikotekar (Louisiana Tech University)
- Box Leangsuksun (Louisiana Tech University)
- Arpan Darivemula (Louisiana Tech University)
- Ryan Bourgeois (Louisiana Tech University)
- Marco Slaviero
- Vincent Roy