2006-10-03
3. Overview of Recent NetBSD Security Enhancements
3.1 Kernel Authorization
The introduction of kernel authorization, often referred to as kauth(9), in the NetBSD kernel has been one of the larger-scale changes ever done in NetBSD. The interface is modeled after an interface of the same name developed by Apple for Mac OS X [ref 17], though unfortunately due to licensing issues it was impossible to make use of existing code, and so the NetBSD implementation was written completely from scratch.
Kernel authorization redefines the way credentials are handled by the kernel, and offers a simple and easy to use - yet powerful and extensible - kernel programming interface to enforce security policies. It is important to emphasize that kernel authorization does not provide any additional security by itself, but rather provides an interface on top of which security policies can be easily implemented. The strength of the security directly depends on the strength of the policy used.
The kernel authorization infrastructure is required for supporting fine-grained capabilities, ACLs, and pluggable security models, among other things. It will allow NetBSD administrators and users to maintain the existing traditional Unix security model, offer capabilities to replace set-user-id and set-group-id programs, and allow third-party developers and appliance manufacturers to implement a custom security model to either replace or sit on top of the existing one.
3.1.1 Related Work
Similar infrastructures are Linux's LSM (discussed earlier) and TrustedBSD's (now in FreeBSD) MAC framework [ref 18]. Both have been in use for a couple of years, but, like kernel authorization, are still too young to be backed up with real-world experience.
3.1.2 Design
Apple did most of the design work for the kernel authorization infrastructure. A large part of the design is available online, and it is merely the implementation that was unavailable. Therefore, most of the design-related work in doing the native NetBSD port focused on completing the parts missing from the online documentation and taking care of compatibility issues.
Kernel authorization maps the privilege landscape of the kernel to actions grouped into scopes. For example, the process scope groups actions such as can trace, can see, and can signal - which are all operations on processes.
When a request for an operation is made, the action is passed to the authorization wrapper of the relevant scope, together with related context. The context is variable: it is different for each request. The authorization wrapper dispatches the request and the context to the listeners associated with the scope. Each listener can return a decision - either allow, deny, or defer (indicating the decision should be left to the other listeners) - and the authorization wrapper evaluates the responses from all listeners to decide whether to allow or deny the request.
In order for a request to be allowed, no listener may return a deny decision. If all listeners return a defer decision, the request is denied.
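The allow/deny/defer evaluation described above, as an added user-space model in C that is not NetBSD's kauth(9) code: the scope, action and context names are constructed for the example, and the two listeners (a traditional Unix rule and a securelevel rule stacked on it) are hypothetical policies chosen to show one listener's deny overriding another's allow.

```c
#include <stddef.h>
#include <stdio.h>
/* Decisions a listener may return, mirroring the article's allow/deny/defer. */
enum decision { ALLOW, DENY, DEFER };
/* Actions of the process scope used in this toy model. */
enum action { PROC_CANSEE, PROC_CANSIGNAL, PROC_CANTRACE };
/* Request context handed to every listener; the fields are constructed for the example. */
struct context { int requester_uid; int target_uid; int securelevel; };

typedef enum decision (*listener_t)(enum action, const struct context *);
#define MAX_LISTENERS 4
struct scope { listener_t listeners[MAX_LISTENERS]; size_t nlisteners; };

/* Listener 1: a traditional Unix style rule, root or the same uid may act. */
static enum decision unix_policy(enum action a, const struct context *c) {
    (void)a;
    if (c->requester_uid == 0 || c->requester_uid == c->target_uid) return ALLOW;
    return DEFER;                 /* leave the decision to the other listeners */
}

/* Listener 2: a stacked policy that forbids tracing once securelevel is raised. */
static enum decision securelevel_policy(enum action a, const struct context *c) {
    if (a == PROC_CANTRACE && c->securelevel > 0) return DENY;
    return DEFER;
}

/* The authorization wrapper: collect every listener's answer, then decide.
 * Any deny means deny; all defer means deny; otherwise the request is allowed. */
enum decision authorize(const struct scope *s, enum action a, const struct context *c) {
    int saw_deny = 0, saw_allow = 0;
    for (size_t i = 0; i < s->nlisteners; i++) {
        enum decision d = s->listeners[i](a, c);
        if (d == DENY) saw_deny = 1;
        else if (d == ALLOW) saw_allow = 1;
    }
    return (saw_deny || !saw_allow) ? DENY : ALLOW;
}

/* Build the process scope with both listeners attached. */
struct scope make_process_scope(void) {
    struct scope s = { { unix_policy, securelevel_policy }, 2 };
    return s;
}

int main(void) {
    struct scope s = make_process_scope();
    struct context c = { 0, 1000, 1 };   /* root tracing a user process at securelevel 1 */
    printf("trace: %s\n", authorize(&s, PROC_CANTRACE, &c) == ALLOW ? "allow" : "deny");
    return 0;
}
```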
3.1.3 Implementation
The implementation of kernel authorization in NetBSD was done in several stages. First, the backend was written. This included the majority of the code that worked behind the scenes to implement the credential memory management and reference counting, locking, and scope and listener management. It was then tested to ensure all parts work as black boxes, allowing initial integration in the NetBSD code. Part of that work included merging the contents of the ucred and pcred structs into a single, opaque (as far as possible) type called kauth_cred_t.
The next step was a series of mechanical kernel programming interface changes. Credentials could no longer be allocated on the stack, and so a lot of code had to be modified to use the kauth(9) memory management routines. Additionally, code that directly referenced members of the ucred and pcred structures had to be modified to use the accessor and mutator routines provided by the kauth(9) interface. Existing interfaces such as suser(9) and groupmember(9) were deprecated in favor of calls to kernel authorization wrappers, and others such as sys_setgroups(2) and sys_getgroups(2) were modified to use the new interfaces.
The following step consisted of thorough testing - to ensure transparent integration and equivalent semantics - which uncovered some bugs with the kernel authorization code, most of them in the NFS portion of the kernel.
[ref 17] http://developer.apple.com/technotes/tn2005/tn2127.html
[ref 18] http://www.trustedbsd.org/trustedbsd-discex3.pdf
