DigSig (Digital Signature... in the Kernel) and DSI (Distributed Security Infrastructure)



Overview

March 5th, 2009: This project is no longer maintained. Please contact one of the project's admins if you wish to work on DSI or DigSig. Thanks!

This project page hosts two different (but related) projects:

  • DigSig. This is a Linux kernel module which checks the RSA digital signatures of ELF binaries and libraries before they are run. Binaries are to be signed with BSign.
  • DSI (Distributed Security Infrastructure). This is a security framework targeting distributed environments, meant to address the specific security issues such platforms face. More particularly, it addresses the security needs of carrier-grade Linux clusters in the telecommunication domain.

DSI is an ongoing research project, supported by Ericsson Research Canada (Open Systems Lab).

Status and Packages

DigSig currently offers:
  • run-time signature verification of ELF binaries and shared libraries.
  • support for revoking a file's signature.
  • a signature caching mechanism to improve performance.
Its latest stable release is digsig-1.5.
DSI currently offers user space tools, a kernel module and the following security services:
  • a Distributed Access Control service (DisAC)
  • a Distributed communications' Confidentiality and Integrity service (DisCI)

Other services are being investigated (such as a secure distributed logging service, DisLog) but are not yet implemented.

Currently, the latest stable release of DSI is disec-0.3.
The latest unstable release of DSI is disec-0.4 (development).

License
The DSI and DigSig source code are released under the GNU Public License (GPL), version 2.

Reports
[R1] DSI documentation - September 2003 [pdf] (newest version available in CVS).
[R2] OSDL Carrier-Grade Linux Working Group, Security Requirements Definition, Public Draft 0.1.
[R3] A. Apvrille - Evaluation of a few security audit tools for Linux [pdf], v0.4, April 2003.
[R4] The DigSig development team - The DigSig project [pdf], July 2005.

Articles/Conferences
2005

A. Apvrille, D. Gordon, DigSig novelties, Libre Software Meeting (LSM 2005), Security Topic, July 4-9 2005, Dijon, France [slides].
C. Leangsuksun, A. Tikotekar, M. Pourzandi, I. Haddad, Feasibility Study and Early Experimental Results Toward Cluster Survivability, to appear at Cluster Security Workshop (CCGrid 2005 Workshop 2), 2005 [pdf].
M. Pourzandi, D. Gordon, W. Yurcik, G. Koenig, Clusters and Security: Toward Distributed Security for Distributed Systems, to appear at Cluster Security Workshop (CCGrid 2005 Workshop 2), 2005 [pdf].

2004

A. Apvrille, M. Pourzandi, XML Distributed Security Policy for Clusters, Computers & Security Journal (COSE91), Elsevier, vol.23, no.8, pp. 649-658, December 2004.
A. Apvrille, D. Gordon, S. Hallyn, M. Pourzandi, V. Roy, DigSig: Run-time authentication of binaries at kernel level, in the Proceedings of the 18th Large Installation System Administration Conference (LISA'04), pp. 59-66, Atlanta, November 14-19, 2004 [Abstract].
M. Pourzandi, A. Apvrille, Setting up Virtual Security Zones in a Linux Cluster, Linux Journal, issue 126, October 2004.
M. Pourzandi, A New Distributed Security Model for Linux Clusters, in the Proceedings of the USENIX 2004 Annual Technical Conference, Extreme Linux Special Interest Group, pp. 231-236, June 27-July 2, 2004, [pdf].
A. Apvrille, M. Pourzandi, D. Gordon, V. Roy, Stop Malicious Code Execution at Kernel Level, Linux World, Vol.2, No.1, January 2004 [pdf][txt].

2003
M. Pourzandi, A. Apvrille, E. Gingras, A. Medenou, D. Gordon, Distributed Access Control for Carrier Class Clusters [pdf][slides], in the Proceedings of the Parallel and Distributed Processing Techniques and Applications (PDPTA'03), Las Vegas, June 2003.
A. Apvrille, M. Pourzandi, Proteger un reseau de machines distribuees contre un debordement de buffer... d'un seul coup, in Multi System & Internet Security Cookbook (MISC) magazine, No. 7, May-June 2003, in French.

2002

M. Zakrzewski, I. Haddad, Kernel Korner: Linux Distributed Security Module [pdf], in Linux Journal, October 2002.
I. Haddad, C. Levert, M. Pourzandi, M. Zakrzewski, DSI: a New Architecture for Secure Carrier-Class Linux Clusters, in Linux Journal [html], June 2002.
M. Pourzandi, I. Haddad, C. Levert, M. Zakrzewski, M. Dagenais, DSI: a New Architecture for Secure Carrier-Class Clusters [pdf], in the Proceedings of IEEE Cluster 2002 Conference.
M. Pourzandi, I. Haddad, C. Levert, M. Zakrzewski, M. Dagenais, A Distributed Security Infrastructure for Carrier Class Linux Clusters [pdf][slides], in the Proceedings of Ottawa Linux Symposium 2002.
M. Zakrzewski, Mandatory Access Control for Linux Clustered Servers [pdf][slides], in the Proceedings of Ottawa Linux Symposium 2002.
C. Levert, M. Dagenais, Security Policy Generation through Package Management [pdf][slides], in the Proceedings of Ottawa Linux Symposium 2002.

Project History
The following table tracks the evolution of DSI and related developments. Each project milestone is listed with the date it was started.

DigSig
  • September 2003: DigSig is created
  • October 2003: DigSig uses sysfs (v0.3)
  • November 2003: DigSig checks the signatures of shared libraries too (v1.0)
  • February 2004: Caching mechanism (v1.2)
  • September 2004: Signature revocation mechanism (v1.3)

DSI
  • January 2002: DSI created
  • November 2002: DSI hosted on SourceForge
  • December 2002: Design and implementation of the DisCI and DisAC services
  • March 2003: Design and implementation of the Distributed Security Policy (DSP), plus a major update to the DisAC service
  • July 2003: DSI ported to 2.5.66 kernels
  • August 2003: Design and implementation of the File Integrity service

Other developments related to DSI
  • 2002: The Linux Secure Boot Kit
Demos

Buffer overflow attack stopped by DSI [avi] - This short video demonstrates a possible use of DSI. It may be viewed with any AVI player. We use a demonstration cluster containing two nodes: glacier and colby. First, we show that initially the vulnerable program is exploitable and potentially gives root access to any user on both machines (from a lmcaxpr shell, we gain root access). To solve this problem, we suggest using DSI on our cluster. Glacier acts as both a Security Server and a Security Manager, and colby is another Security Manager. We initialize the CORBA layer, assign ScID 5 to the vulnerable program, and load DSM in the kernel. At this point, if we try to run the 'vulnerable' program, it fails because DSI is too restrictive and does not allow a shell to spawn a process of ScID 5. So we update the Distributed Security Policy (DSP), adding a rule that allows ScID 5 to be launched. It is then possible to run 'vulnerable', and we notice that the buffer overflow exploit no longer works! So, with this DSP, we have been able to make buffer overflow exploits fail on all nodes of our cluster. Finally, just out of curiosity, we show the rule that would have to be added for the buffer overflow exploit to work again.
NB. We do not really stop buffer overflow exploits, but rather the launching of a shell via a buffer overflow.

Sharing a Linux cluster without DSI: resource theft exploit - The following screen captures illustrate a possible exploit where two companies share the same cluster, and one of them is illicitly able to use resources owned by the other.
image 1 - PhoneMania and RingBell share a Linux cluster made of two nodes: glacier and colby.
image 2 - Both companies offer a quoting service, made of an Entry Point (EP) server (to which customers connect) and a Back End (BE) server (which performs the actual job). We launch PhoneMania's Back End server on glacier (172.0.0.1), UDP port 8801.
image 3 - We also launch RingBell's back end server on glacier, but on UDP port 9001.
image 4 - Now we work on colby, the other node of the cluster. Its IP address is 172.0.0.2.
image 5 - We launch PhoneMania's entry point on colby (172.0.0.2). It receives incoming customer requests on port 8800. BUT the trick is that it does not connect to its own back end server, but to RingBell's back end server (glacier, 172.0.0.1, port 9001). The connection succeeds without any problem.
image 6 - In this image, we are just searching through our directory to find our sample customer application: TelecomClient.
image 7 - In the bottom right xterm window, we launch the client application for PhoneMania. It communicates with PhoneMania's entry point server (colby, 172.0.0.2, port 8800). The customer sends several quotation requests.
Those requests are received by PhoneMania's entry point server (see the bottom left xterm)... and are forwarded to RingBell's back end server! (see the upper right xterm). That is it: PhoneMania has been able to illicitly use resources owned by RingBell (its back end server). There is no way to prevent this on an unsecured cluster.

In our article "Setting up Virtual Security Zones in a Linux Cluster" in Linux Journal (October 2004), we show how DSI handles such a situation and securely shares a Linux cluster among several operators. In brief, this is done by assigning different ScIDs to RingBell's and PhoneMania's executables and enforcing a no-sharing policy on all nodes of the cluster.
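As an added example (not DSI's own code, and not its real DSP format), the following Python models the access-control idea behind both demos above: one cluster-wide, default-deny policy keyed on ScIDs, in which a shell cannot launch ScID 5 until a rule is added, the shell an overflow would spawn from ScID 5 stays denied, and a no-sharing policy keeps PhoneMania's entry point from reaching RingBell's back end. ScID 5 is from the demo; the shell and operator ScIDs and the "same ScID is always allowed" rule are constructed assumptions.

```python
"""Toy model of DSI-style distributed access control keyed on ScIDs.
Example code added to this page, not DSI's implementation or DSP format;
only ScID 5 comes from the demo, the other ScIDs are constructed."""

from dataclasses import dataclass, field

SHELL_SCID = 2        # constructed: ScID given to users' interactive shells
VULNERABLE_SCID = 5   # from the demo: ScID assigned to the 'vulnerable' program
PHONEMANIA_SCID = 6   # constructed: ScID of all PhoneMania executables
RINGBELL_SCID = 7     # constructed: ScID of all RingBell executables

@dataclass(frozen=True)
class Rule:
    subject: int   # ScID of the process performing the action
    target: int    # ScID of the process being spawned or connected to
    action: str    # "spawn" (process creation) or "connect" (network access)

@dataclass
class DistributedSecurityPolicy:
    """One policy, consulted identically on every node of the cluster."""
    rules: set = field(default_factory=set)

    def add_rule(self, subject: int, target: int, action: str) -> None:
        self.rules.add(Rule(subject, target, action))

    def allowed(self, subject: int, target: int, action: str) -> bool:
        # Assumption: a zone may always use its own resources (same ScID).
        # Everything else is default deny unless an explicit rule matches.
        return subject == target or Rule(subject, target, action) in self.rules

def demo_spawn_rule() -> tuple:
    """Demo 1: the shell cannot launch ScID 5 until a rule is added, and the
    shell an overflow would spawn from ScID 5 is still denied afterwards."""
    dsp = DistributedSecurityPolicy()
    before = dsp.allowed(SHELL_SCID, VULNERABLE_SCID, "spawn")
    dsp.add_rule(SHELL_SCID, VULNERABLE_SCID, "spawn")
    after = dsp.allowed(SHELL_SCID, VULNERABLE_SCID, "spawn")
    overflow_shell = dsp.allowed(VULNERABLE_SCID, SHELL_SCID, "spawn")
    return before, after, overflow_shell

def demo_no_sharing() -> tuple:
    """Demo 2: with distinct ScIDs and no cross-operator rule, PhoneMania's
    entry point reaches its own back end but not RingBell's."""
    dsp = DistributedSecurityPolicy()
    own = dsp.allowed(PHONEMANIA_SCID, PHONEMANIA_SCID, "connect")
    cross = dsp.allowed(PHONEMANIA_SCID, RINGBELL_SCID, "connect")
    return own, cross
```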

Links
Past Contributors

  • Miroslaw Zakrzewski (Ericsson Research Canada)
  • Charles Levert (Ericsson Research Canada)
  • Marc Chatel (Ericsson Research Canada)
  • Prof. Michel Dagenais (Polytechnique de Montreal)
  • Dominic Pelerin (Sherbrooke University)
  • Sann Yan (Sherbrooke University)
  • Eric Gingras (UQAM)
  • Alain Patrick Medenou (University of Montreal)
  • Gabriel-Ioan Ivascu (Polytechnique de Montreal)
  • Jean-Guillaume Paradis (Sherbrooke University)
  • Radu Filip (Computer Science Faculty of Iasi)
  • Phil Conan (Polytechnique de Montreal)

Contacts
  • Makan Pourzandi (Ericsson Research Canada)
  • Axelle Apvrille (MISC Mag)
  • Serge Hallyn (IBM)
  • David Gordon (Ericsson Canada)
  • Anand Anil Tikotekar (Louisiana Tech University)
  • Box Leangsuksun (Louisiana Tech University)
  • Arpan Darivemula (Louisiana Tech University)
  • Ryan Bourgeois (Louisiana Tech University)
  • Marco Slaviero
  • Vincent Roy (Sherbrooke University)

Last update on April 1st, 2006.