Stephanie for OpenBSD 3.6

News related to Stephanie for OpenBSD 3.6

Over time this page will be populated with news about Stephanie for OpenBSD 3.6: changes, bug reports and fixes, and other related information.

Please note that some bug fixes will require a complete rebuild of Stephanie on a clean source tree. Also, patches are not cumulative: each one contains only its own fix. It is suggested that you always keep your system updated with the latest version.

April 26, 2005: END OF THE STEPHANIE PROJECT
For several reasons, I have decided to stop my involvement in Stephanie, the OpenBSD hardening project. The official end-of-life announcement is available here.

I'd like to thank the numerous individuals who, throughout the years, helped and supported in various ways. This has been a great experience.


February 7, 2005: [BUG]
The include directive is known not to work. There is no fix, as this feature is not planned to remain in future versions.


January 29, 2005: [FEATURE]
New features in Stephanie for OpenBSD 3.7
What you can expect to see in the future:

Thanks a lot to the PaX developer for helping with this! Check out his homepage for the official version.


December 25, 2004: [FIX] Bug fix
One of the previous commits omitted a second flag check in kern_vexec.c:vexec_verify(). There are no security implications to this bug.

Download this patch and apply it:

	# cp december_25.patch /usr/src/sys/kern/
	# cd /usr/src/sys/kern/
	# patch -p0 < december_25.patch

Then recompile, reinstall, and boot the new kernel.


December 10, 2004: [CRITICAL] Bug fixes
During the regular audit process several bugs were uncovered.

The update process for users running Stephanie for OpenBSD 3.6 requires too much work, so it is suggested that you download the latest tarball and run the installation script again.

Please contact me if you're having problems installing Stephanie.


November 29, 2004: [FEATURE] New keyword
Throughout all versions of Stephanie it was very hard (either very inconvenient or impossible) to maintain trust of scripts executed by interpreters when the interpreter was also a shell and the script path was passed to it as an argument, i.e. sh script.sh.

Veriexec, in NetBSD, supported a clean solution for 'non-shell' interpreters by distinguishing between direct and indirect execution. This, however, did not work well for shells, because during login the shell, which was also the interpreter, was executed directly.

This latest feature addition to Stephanie for OpenBSD 3.6 adds another, 'hybrid' type of execution, named 'shell'. It verifies arguments passed on the command line if they resolve to pathnames, but does not prevent direct execution. This means that if TPE is enabled and you have loaded a list of shells and interpreters, correctly distinguishing them with 'shell' and 'indirect' (respectively) in the type field, you will be able to maintain complete trust of the operations taking place on your system, execution-wide.

The latest Stephanie archive contains this feature. Users who already have Stephanie installed need to follow the detailed installation procedure below:

1) Download this patch to /usr and apply it:

	# cp november_29.patch /usr/
	# cd /usr/
	# patch -p0 < november_29.patch

2) Download the latest Stephanie version to /root and extract it there (into /root/Stephanie-3.6/).

3) Synchronize new files:

	# cd /root/Stephanie-3.6/
	# cp kern/kern_vexec.c /usr/src/sys/kern/
	# cp sys/vexec.h /usr/src/sys/sys/
	# cp sys/vexec.h /usr/include/sys/

4) Recompile your kernel and reboot it.

5) Recompile vexecctl:

	# cd /root/Stephanie-3.6/vexecctl/
	# make clean && make && make install && make clean

6) Make the required modifications to /etc/vexec.conf (or whatever you use) so that it uses the new type keyword, 'shell', for shells or programs where you don't want to enforce indirect execution but still want to verify the trusted path for path elements in the argument list.

As always, if there are any problems, questions, or feedback in general, I'd be glad if you mailed me.

Note: The correct way to implement trusted arguments would be to create a hook inside kern/vfs_vnops.c:vn_open() that checks the trusted path of opened files whenever a process that requires trusted arguments calls it.

Which processes require trusted arguments can be tracked by keeping a flag indicating the execution type (direct, indirect, shell, or ignore) in the process struct (sys/proc.h:struct proc).

Unfortunately, at the moment I don't have the time to write it, though.
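The following is an added example, not Stephanie's kern_vexec.c: a user-space model of the three execution types described in this entry (direct, indirect and the new 'shell' type) together with the per-process flag and vn_open() hook sketched in the note above. The trust table, the list of existing files (standing in for namei()), the struct vproc field and the fp_ok flag (standing in for the fingerprint comparison) are all constructed for the example.

```c
/*
 * Model of Stephanie's execution types and of the "trusted arguments" hook
 * proposed in the note. Added example; nothing here is Stephanie's code.
 */
#include <stdio.h>
#include <string.h>

enum vexec_type { VEXEC_DIRECT, VEXEC_INDIRECT, VEXEC_SHELL };

/* A trusted-path entry. The real entry carries a fingerprint that is compared
 * with the file on disk; fp_ok stands in for the result of that comparison. */
struct vexec_entry { const char *path; enum vexec_type type; int fp_ok; };

static const struct vexec_entry trust_table[] = {   /* constructed */
	{ "/bin/sh",       VEXEC_SHELL,    1 },
	{ "/usr/bin/perl", VEXEC_INDIRECT, 1 },
	{ "/bin/ls",       VEXEC_DIRECT,   1 },
	{ "/etc/daily",    VEXEC_DIRECT,   1 },  /* a trusted script */
	{ "/tmp/evil.sh",  VEXEC_DIRECT,   0 },  /* listed, fingerprint mismatch */
};

/* Files that exist in the constructed filesystem: an argument "resolves to a
 * pathname" when it names one of these (the kernel would call namei()). */
static const char *const fs_files[] = { "/bin/sh", "/usr/bin/perl", "/bin/ls",
	"/etc/daily", "/tmp/evil.sh", "/tmp/untrusted.sh", "/home/u/script.sh" };

/* Hypothetical per-process state: the flag the note proposes for struct proc. */
struct vproc { int vp_set; enum vexec_type vp_type; };
static struct vproc curproc;   /* the "current process" for the demo below */

static const struct vexec_entry *tpe_lookup(const char *path)
{
	size_t i;
	for (i = 0; i < sizeof trust_table / sizeof trust_table[0]; i++)
		if (strcmp(trust_table[i].path, path) == 0)
			return &trust_table[i];
	return NULL;
}

/* Resolve arg against cwd; return 1 and the absolute path if such a file exists. */
static int resolve_arg(const char *cwd, const char *arg, char *out, size_t n)
{
	size_t i;
	if (arg[0] == '/')
		snprintf(out, n, "%s", arg);
	else
		snprintf(out, n, "%s/%s", cwd, arg);
	for (i = 0; i < sizeof fs_files / sizeof fs_files[0]; i++)
		if (strcmp(fs_files[i], out) == 0)
			return 1;
	return 0;
}

/* exec-time check. via_interp is set when 'path' is the interpreter named by a
 * script's #! line. Returns 0 to allow, 1 to deny; on allow, records the
 * execution type in the process for the open hook below. */
int vexec_check_exec(struct vproc *p, const char *cwd, const char *path,
    const char *const argv[], int via_interp)
{
	const struct vexec_entry *e = tpe_lookup(path), *a;
	char resolved[256];
	int i;

	if (e == NULL || !e->fp_ok)
		return 1;                 /* unlisted or tampered: TPE denies */
	switch (e->type) {
	case VEXEC_INDIRECT:
		if (!via_interp)
			return 1;         /* interpreter may only run behind a #! */
		break;
	case VEXEC_SHELL:
		/* Direct execution is allowed (login shell), but every argument
		 * that resolves to a file must itself be listed and intact. */
		for (i = 1; argv[i] != NULL; i++) {
			if (!resolve_arg(cwd, argv[i], resolved, sizeof resolved))
				continue; /* an option or a word, not a file */
			a = tpe_lookup(resolved);
			if (a == NULL || !a->fp_ok)
				return 1;
		}
		break;
	case VEXEC_DIRECT:
		break;
	}
	p->vp_set = 1;
	p->vp_type = e->type;
	return 0;
}

/* The vn_open() hook from the note: a process marked as 'shell' type may only
 * open files that are themselves trusted, which also catches a script that is
 * sourced or redirected later rather than named on the command line. */
int vexec_check_open(const struct vproc *p, const char *path)
{
	const struct vexec_entry *e;
	if (!p->vp_set || p->vp_type != VEXEC_SHELL)
		return 0;
	e = tpe_lookup(path);
	return (e == NULL || !e->fp_ok) ? 1 : 0;
}

int main(void)
{
	const char *const login[] = { "/bin/sh", NULL };
	const char *const script[] = { "/bin/sh", "script.sh", NULL };
	printf("login shell:  %s\n", vexec_check_exec(&curproc, "/home/u", "/bin/sh", login, 0) ? "deny" : "allow");
	printf("sh script.sh: %s\n", vexec_check_exec(&curproc, "/home/u", "/bin/sh", script, 0) ? "deny" : "allow");
	return 0;
}
```

The shell case is what makes `sh script.sh` safe: the unlisted /home/u/script.sh is refused even though /bin/sh itself is trusted, while `sh -c 'echo hi'` passes because neither argument resolves to a file. The open hook only applies once a process has been marked as a shell type, so ordinary direct programs are unaffected.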


November 18, 2004: [FIX] Documentation fix
phlex noticed I left out 'make' in the INSTALL document in the previous fix.


November 5, 2004: [FIX] Documentation fix
The INSTALL document left out a required 'make depend' for compiling libkvm.


October 20, 2004: [CRITICAL] Bug fix
In kern/kern_vexec.c:vexec_hashadd(), there is code that gets the slot in the hash table for storing the new entry. The code retrieves the slot pointer into a variable called 'vhh', but then checks 'vhe' (which is unused and uninitialized at that point) for a NULL value, and panics (a Stephanie-generated panic) in such a case:

	panic: vexec_hashadd: vhe is NULL.

This can cause spurious panics depending on the arbitrary value the uninitialized variable holds when the function is entered. To fix that, apply this patch:

	# cp october_20.patch /usr/src/sys/kern/
	# patch -p0 < october_20.patch

And then recompile and reinstall the new kernel, and reboot.

Thanks to resfilter for reporting the panic.
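As an added example (not Stephanie's kern_vexec.c), here is a chained hash table in the shape of vexec_hashadd(), written to show the check the bug above got wrong: the NULL test belongs to the variable that received the slot pointer. The variable names vhh and vhe follow the entry above; the bucket count, the 4-byte fingerprint and the error codes are constructed for the example, and a failed insert returns an error rather than panicking.

```c
/*
 * Added example: a small chained hash table with a correct slot check.
 * Not Stephanie's code; names and sizes are constructed stand-ins.
 */
#include <stdlib.h>
#include <string.h>

#define VEXEC_NBUCKETS 16
#define VEXEC_FPLEN 4

struct vexec_hash_entry {
	char path[64];
	unsigned char fp[VEXEC_FPLEN];
	struct vexec_hash_entry *next;
};
struct vexec_hash_head { struct vexec_hash_entry *first; };

/* NULL until vexec_hashinit() runs, so a slot lookup can legitimately fail. */
static struct vexec_hash_head *vexec_tbl;

static unsigned vexec_hash(const char *p)
{
	unsigned h = 5381;
	while (*p)
		h = h * 33 + (unsigned char)*p++;
	return h % VEXEC_NBUCKETS;
}

static struct vexec_hash_head *vexec_hashslot(const char *path)
{
	return vexec_tbl ? &vexec_tbl[vexec_hash(path)] : NULL;
}

int vexec_hashinit(void)
{
	vexec_tbl = calloc(VEXEC_NBUCKETS, sizeof *vexec_tbl);
	return vexec_tbl ? 0 : -1;
}

/* 0 on success, -1 no table, -2 duplicate path, -3 out of memory. Returning
 * an error instead of panicking keeps a bad insert from taking the kernel down. */
int vexec_hashadd(const char *path, const unsigned char fp[VEXEC_FPLEN])
{
	struct vexec_hash_head *vhh;
	struct vexec_hash_entry *vhe;

	vhh = vexec_hashslot(path);
	/* The October 20 bug tested 'vhe' here, which had not been assigned yet.
	 * The NULL test belongs to 'vhh', the variable that received the slot;
	 * a compiler's uninitialized-variable warning (gcc -Wall) flags the
	 * wrong version. */
	if (vhh == NULL)
		return -1;
	for (vhe = vhh->first; vhe != NULL; vhe = vhe->next)
		if (strcmp(vhe->path, path) == 0)
			return -2;
	vhe = malloc(sizeof *vhe);
	if (vhe == NULL)
		return -3;
	strncpy(vhe->path, path, sizeof vhe->path - 1);
	vhe->path[sizeof vhe->path - 1] = '\0';
	memcpy(vhe->fp, fp, VEXEC_FPLEN);
	vhe->next = vhh->first;
	vhh->first = vhe;
	return 0;
}

/* Fingerprint stored for path, or NULL if it is not in the table. */
const unsigned char *vexec_hashlookup(const char *path)
{
	struct vexec_hash_head *vhh = vexec_hashslot(path);
	struct vexec_hash_entry *vhe;

	if (vhh == NULL)
		return NULL;
	for (vhe = vhh->first; vhe != NULL; vhe = vhe->next)
		if (strcmp(vhe->path, path) == 0)
			return vhe->fp;
	return NULL;
}

int main(void)
{
	static const unsigned char fp[VEXEC_FPLEN] = { 0xde, 0xad, 0xbe, 0xef };
	if (vexec_hashinit() != 0)
		return 1;
	return (vexec_hashadd("/bin/sh", fp) == 0 &&
	    vexec_hashlookup("/bin/sh") != NULL) ? 0 : 1;
}
```

Calling vexec_hashadd() before vexec_hashinit() is the one case where the slot pointer really is NULL; with the check on the right variable it returns -1 instead of either panicking or dereferencing NULL.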


October 19, 2004: [FIX] Documentation fix
The INSTALL document contained a typo, dropping the mandatory 'c' when using mknod to create the Vexec pseudo-device. Also, the wording of the /etc/rc.securelevel snippet was changed to make things even clearer. Thanks to resfilter.