Cryptomentation

Ever had to read documentation that wasn’t well written, was full of gaps, or just didn’t make a whole lot of sense? I’ve created a word for documentation like this: cryptomentation. Because it’s documentation that’s cryptic.

A somewhat related random quote:

“Why would there be documentation? It’s called “code” for a reason.” -Unknown

AKARI – TOMOYO via LKM

I recently sent an abstract to LinuxCon / Kernel Security Summit, and the other day I heard back from one of the panel members. As I mentioned my thoughts on implementing AppArmor on CentOS/RHEL via LKM, he replied about a project that he threw together called AKARI. It’s a fork of TOMOYO, and inserts into the Linux kernel in a very similar way to how I was planning on doing AppArmor, and have recently been toying with in tpe-lkm.

All I can say is, that’s a whole lot of code I won’t have to figure out :) He’s already solved some of the problems I’ve been facing. I haven’t used TOMOYO before, so I haven’t given this module a test yet beyond inserting it on one of my test systems, but so far it appears to work as advertised. As my time permits I’ll put up a git repo called kmod-apparmor, which contains some of this code, and continue my work on it.

Updates to tpe-lkm dev branch for EL5

I previously talked about hijacking Linux kernel pointers as an alternative method of implementing security features. At that point I had only tested it on my Ubuntu machine (linux-3.2.0), but I’ve since tested it on EL6 (2.6.32) and EL5 (2.6.18). While there weren’t any problems on EL6, EL5 had some, and today I committed a bunch of fixes to address them. It looks stable now.

I’d like to have some other people test it, though, and I’d like to expand the regression testing some more. Once I’m confident that this other way of implementing TPE won’t cause any issues, I’ll merge it into the main branch and cut a 2.0 release.

Judging a fish by its ability to climb a tree

You’re probably familiar with this quote:

“Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid.” ― Albert Einstein (src)

This past week I’ve had to deal with Windows servers, something I neither excel at nor have any desire to excel at. So, to put a bit of a geeky spin on an Einstein quote, I rephrased it as this:

Don’t judge a penguin by its ability to clean a window.

tpe-lkm version 1.0.3 released

I’ve started to version my tpe-lkm project now that it’s stable, and today I released version 1.0.3. You can download the files from sourceforge.net or from GitHub. This release contains some code cleanup and a few bug fixes.

As for what the version number means: the third number is for bug fixes, the second is bumped when new features are added, and if I ever increment the first, it’ll be a major rewrite of the code. I may do that some day.

Anyway, happy TPE’ing!

Password length limits

I understand being strict and having the usual rules: an upper- and lower-case character, a number, a special character, and a minimum password length. It makes good sense to require a complicated password.

However, I’ve run into a few places that limit the length of the password. What? Limit the length of the password to 12 characters? Are you kidding me? If I want a 30-character password, then I damn sure should be able to have one. Tools such as Password Safe exist for that very purpose.

You know what a password length limit screams to me? Storing it in plain text. The only logical reason I can think of to limit a password to such a short length is that the database field for it isn’t very big. A properly stored password is a salted hash, and a hash has a fixed length whatever the input: a hex SHA-256 digest is 64 characters and a bcrypt string is 60, longer than 30 either way, so the size of the column never depends on how long the password is. A generous cap of a few hundred characters is defensible, since bcrypt only uses the first 72 bytes and running a slow KDF over megabytes of input is a CPU-exhaustion vector, but a cap of 12 is not. So if you ever run into an authentication system that doesn’t accept long passwords, don’t use it.

tpe-lkm ported to linux 3.2.0

Today I installed Ubuntu 12.04 LTS on my laptop to give the Linux Desktop another go. So far I’m very impressed with it, they’ve done a very good job.

Anyway, I spent some time this evening and got tpe-lkm ported to the 3.x Linux kernel. The code is now messier, with more if/else kernel-version statements, but that’s the way it is. It’ll be interesting to see which applications don’t work on a desktop with TPE enabled; so far I haven’t noticed anything broken.

Idea for a kernel integrity check module

This evening I pushed a commit for tpe-lkm that checks whether the symbol is already hijacked. If it is, it doesn’t bother to hijack it, and spits out an error. This check was a side effect of my thinking about implementation details for a kernel integrity check module. The basic idea: continually check certain “vital” areas of kernel memory for suspicious activity, and take predefined action upon discovery. Kind of an anti-rootkit kernel module. As I get some more time in the coming weeks, and after some Google searches on the subject, I’ll give more details, and hopefully some code to go with it.
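As an added example (my own userspace model, not code from tpe-lkm), here are the two checks this post describes, in C: recognising that a function entry has already been overwritten with a jump, and sealing a “vital” region so that a later scan notices when it changes. It assumes the hijack is done the x86 way, by writing a jump over the first bytes of the target; the byte patterns, the symbol address and the four-entry “syscall table” are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not tpe-lkm code. All bytes, addresses and the "syscall
 * table" below are constructed for the demo.
 *
 * detect_hijack(): has a function entry already been patched with a jump?
 *   e9 <rel32>              jmp rel32                  (5 bytes)
 *   48 b8 <imm64> ff e0     movabs rax,imm64 ; jmp rax (12 bytes)
 * region_seal()/region_check(): snapshot a vital region, re-check later. */

enum hijack_kind { HIJACK_NONE = 0, HIJACK_JMP_REL32 = 1, HIJACK_MOVABS_JMP = 2 };

static int32_t read_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

static uint64_t read_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* addr is the virtual address of code[0]; on a hit, *target receives the
 * address control is diverted to, so the scanner can log it. */
enum hijack_kind detect_hijack(const uint8_t *code, size_t len,
                               uint64_t addr, uint64_t *target)
{
    if (len >= 5 && code[0] == 0xe9) {
        /* rel32 is relative to the end of the 5-byte instruction */
        uint64_t t = addr + 5 + (uint64_t)(int64_t)read_le32(code + 1);
        if (target) *target = t;
        return HIJACK_JMP_REL32;
    }
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xb8 &&
        code[10] == 0xff && code[11] == 0xe0) {
        if (target) *target = read_le64(code + 2);
        return HIJACK_MOVABS_JMP;
    }
    return HIJACK_NONE;
}

/* Diverted target, or 0 when the entry looks untouched. */
uint64_t hijack_target(const uint8_t *code, size_t len, uint64_t addr)
{
    uint64_t t = 0;
    return detect_hijack(code, len, addr, &t) == HIJACK_NONE ? 0 : t;
}

/* FNV-1a: a fast checksum for change detection, not a cryptographic hash. */
uint64_t fnv1a64(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

struct region { const char *name; const void *base; size_t len; uint64_t baseline; };

void region_seal(struct region *r) { r->baseline = fnv1a64(r->base, r->len); }

/* 0 if the region still matches its sealed baseline, 1 if it has changed. */
int region_check(const struct region *r)
{
    return fnv1a64(r->base, r->len) != r->baseline;
}

/* Constructed x86-64 function entries:
 * clean:  push rbp; mov rbp,rsp; sub rsp,0x10
 * jmp:    jmp +0xffb  (lands 4096 bytes past the entry)
 * movabs: movabs rax,0xffffffffa0001234 ; jmp rax */
static const uint8_t sample_clean[8]   = {0x55,0x48,0x89,0xe5,0x48,0x83,0xec,0x10};
static const uint8_t sample_jmp[8]     = {0xe9,0xfb,0x0f,0x00,0x00,0x90,0x90,0x90};
static const uint8_t sample_movabs[12] = {0x48,0xb8,0x34,0x12,0x00,0xa0,
                                          0xff,0xff,0xff,0xff,0xff,0xe0};

/* Seal a four-entry "syscall table", let a rootkit repoint one entry, and
 * re-check. Returns 1 if the tamper was caught with no false alarm before. */
int tamper_demo(void)
{
    uint64_t table[4] = {0xffffffff81010000ULL, 0xffffffff81010100ULL,
                         0xffffffff81010200ULL, 0xffffffff81010300ULL};
    struct region r = { "sys_call_table", table, sizeof table, 0 };
    region_seal(&r);
    int before = region_check(&r);       /* expect 0 */
    table[2] = 0xffffffffa0000000ULL;    /* rootkit swaps in its own handler */
    int after = region_check(&r);        /* expect 1 */
    return before == 0 && after == 1;
}

int main(void)
{
    const uint64_t addr = 0xffffffff81000000ULL;   /* pretend symbol address */
    printf("clean:  kind=%d target=%#llx\n", detect_hijack(sample_clean, 8, addr, NULL),
           (unsigned long long)hijack_target(sample_clean, 8, addr));
    printf("jmp:    kind=%d target=%#llx\n", detect_hijack(sample_jmp, 8, addr, NULL),
           (unsigned long long)hijack_target(sample_jmp, 8, addr));
    printf("movabs: kind=%d target=%#llx\n", detect_hijack(sample_movabs, 12, addr, NULL),
           (unsigned long long)hijack_target(sample_movabs, 12, addr));
    printf("table tamper caught: %s\n", tamper_demo() ? "yes" : "no");
    return 0;
}
```

Two caveats a real module has to live with. First, the kernel itself legitimately rewrites code at run time (ftrace, kprobes, jump labels), so a byte check like detect_hijack needs an allow-list or it will flag the kernel’s own patching. Second, the checksum and the checker live in the same memory the attacker is modifying: anyone who can patch a function entry can also rewrite the baseline or neuter the scan, so a self-checking module raises the bar rather than removing it.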