Date:      Thu, 2 Sep 1999 16:59:21 -0400 (EDT)
From:      Steve Kiernan <stevek@tislabs.com>
To:        freebsd-security@freebsd.org
Subject:   Generic Software Wrappers 1.2.1 now available...
Message-ID:  <Pine.BSF.4.10.9909021650310.53289-100000@mufasa.va.tislabs.com>


Some time ago there was some discussion of adding security policies to the
FreeBSD kernel.  ("Using capabilities against shell code" August 1998)  In
that thread, Robert Watson had referred to the Generic Software Wrappers
Toolkit which we at NAI Labs (formerly TIS Labs) were working on.  We now
have a release available for use.  The current source release contains
support for FreeBSD 2.2.x on Intel x86 and Solaris 2.6 on UltraSPARC, and
preliminary support for FreeBSD 3.x on Intel x86 (not all syscalls are
characterized and the code is not SMP-safe) and Windows NT on Intel x86 
(the implementation is in user-space and not complete). 

The following is an excerpt from the readme file (you can grab a copy of
the Toolkit from ftp://ftp.tislabs.com/pub/wrappers):


                    Generic Software Wrappers

Large-scale critical information systems increasingly are built by
combining Commercial Off The Shelf (COTS) software components.
Unfortunately, security and reliability requirements of critical
information systems may not be apparent until such systems are near
deployment: COTS software cannot be designed to anticipate all such
requirements.  Additionally, cost factors dictate that COTS software
is developed with ``commercial-grade'' assurance.  For these reasons,
technologies are needed both to add security and reliability
functionality to COTS software, and to increase general assurance of
systems composed of COTS components.

This DARPA-sponsored research (under contract F30602-96-C-0333) is
developing techniques and tools for specifying and implementing
generic software wrappers.  Generic software wrappers intercept COTS
component interactions and bind them with additional functions that
implement practical security (e.g., restricting, filtering) and
reliability (e.g., redundancy, crash data recovery) policies.  This
research is organized into three tasks:

1)      Formulate both a preliminary Wrapper Definition Language
        (WDL) for specifying security and reliability software
        wrappers and a preliminary Wrapper Support Interface (WSI)
        that provides operating system services needed by wrappers.
        Prototype a WDL compiler and develop a WSI simulator to
        provide experimental feedback during the formulation of the
        
2)      Develop a wrapper-supporting FreeBSD UNIX prototype system.
        Develop a Wrapper Support Subsystem (WSS) suitable for
        inclusion in mainstream kernelized UNIX systems, and develop
        WDL wrapper tools for conveniently wrapping/unwrapping
        selected UNIX system components.

3)      Develop Sun Solaris and Windows NT wrapper-supporting
        prototype systems.  Adjust the WDL and the WSI as needed to
        support these environments.  By developing multiple
        prototypes, demonstrate that wrapper concepts are portable to
        dissimilar systems.

Tasks one and two are complete.  Task three is partially complete, with
the Windows NT port still under development.  

This software is a proof of concept.  It has bugs.  Since it adds
functionality to the kernel, those bugs may trash your system.  Do Not
Use This Software on systems you can not afford to trash.  We know
there are unfixed bugs that can and will crash the operating system.
You have been warned.


--
Stephen Kiernan
stevek@tislabs.com
NAI Labs, A Division of Network Associates, Inc.


