Trusted Execution - Core Concepts
Written by Michael Felt   

Trusted Execution is a collection of features in AIX that can be applied to enhance (or specify) the degree of trust for applications running on AIX. Trust is a central concept in IT security. One might say that TRUST is a way of expressing how certain a user or administrator can be that malicious users have not been able to access and modify applications, kernel extensions, or the system configuration.

In other words, Trusted Execution gives the SA (system administrator) the tools needed to specify which executables, kernel extensions and files must be verified before they are used. Unlike the older TCB (trusted computing base) checks, which have to be run explicitly, Trusted Execution verification occurs in real time, at runtime, when the (un)trusted object is accessed. Depending on the configured policy, files that fail verification are not loaded or opened by AIX.

Trusted Signature Database Management

As with the Trusted Computing Base (TCB), there is a database that stores the critical security parameters of the trusted files present on the system. This database, the Trusted Signature Database (TSD), resides in /etc/security/tsd/tsd.dat.

A trusted file is a file that is critical to the security of the system and that, if compromised, can jeopardize the security of the entire system. Typically the files that match this description are the following:

Kernel (operating system)
All setuid root programs
All setgid root programs
Any program that is exclusively run by the root user or by a member of the system group
Any program that must be run by the administrator while on the trusted communication path (for example, the ls command)
The configuration files that control system operation
Any program that is run with the privilege or access rights to alter the kernel or the system configuration files

Every trusted file should ideally have an associated stanza (file definition) in the Trusted Signature Database (TSD). A file is marked as trusted by adding its definition to the TSD with the trustchk command (trustchk -a); trustchk is also used to delete entries (trustchk -d) and to list or query them (trustchk -q).

Auditing the integrity of Trusted Signature Database

The trustchk command can be used to audit the integrity state of the file definitions in the Trusted Signature Database (TSD) against the actual files.

If trustchk identifies an anomaly, it can be made to correct it automatically (trustchk -y) or to prompt before attempting a correction (trustchk -t); trustchk -n only reports. Anomalies in attributes such as owner, group or mode can be corrected, but a mismatch in size, signature, cert_tag or hash_value cannot, because the file contents no longer match their definition. In those cases trustchk makes the file inaccessible, rendering it useless and containing any damage.

Security policies configuration

The Trusted Execution (TE) feature provides a run-time file integrity verification mechanism. With it, the system can be configured to check the integrity of a trusted file before every request to access that file, so that only trusted files that pass the integrity check can be accessed on the system.

When a file is marked as trusted (by adding its definition to the Trusted Signature Database), TE can be made to monitor its integrity on every access. TE can therefore continuously monitor the system and detect tampering with any trusted file (by a malicious user or application) at run time, for example at load time. If a file is found to have been tampered with, TE takes the corrective action configured in the policy: disallowing execution, disallowing access to the file, or logging an error. When a file that has an entry in the Trusted Signature Database (TSD) is opened or executed, TE proceeds as follows:

Before loading the binary, the component responsible for loading the file (the system loader) invokes the Trusted Execution subsystem, which calculates the hash value of the file using the SHA-256 algorithm (the algorithm is configurable).
This run-time calculated hash value is compared with the one stored in the TSD.
If the values match, the file open or execution is permitted.
If the values do not match, the binary has been tampered with or otherwise compromised. The action taken is up to the administrator: the TE mechanism lets you configure your own policy for what happens when the hash values do not match.
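The audit described under "Auditing the integrity of Trusted Signature Database" and the run-time check just listed both come down to the same comparison: read the file's stanza from the TSD, hash the file on disk, and compare size and hash_value. The following is an added example (not code from the article or from AIX) that models that comparison: it parses a small tsd.dat-style stanza text, hashes the real file with SHA-256, and applies a deny-or-log policy. The stanza text, the sample files and the stop_on_chkfail flag name are constructed for the example; the attribute names follow those the article mentions.

```python
"""Model of the Trusted Execution integrity check (added example, not
code from the article or from AIX).  Stanza text, files and the policy
flag name are constructed; attribute names follow the article."""
import hashlib
import os
import tempfile


def parse_tsd(text):
    """Parse 'path:' stanzas followed by indented 'attr = value' lines.
    Lines beginning with '*' are treated as comments (constructed convention)."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            entries[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            entries[current][key.strip()] = value.strip()
    return entries


def sha256_file(path):
    """Hash the file in chunks, as a loader would for a large binary."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, entry):
    """Compare the on-disk file with its TSD definition; returns (ok, reason).
    Size is checked first because it is cheap; neither a size nor a
    hash mismatch is correctable, the contents simply differ."""
    actual_size = os.path.getsize(path)
    if int(entry["size"]) != actual_size:
        return False, "size mismatch: tsd=%s actual=%d" % (entry["size"], actual_size)
    if entry["hash_value"].lower() != sha256_file(path):
        return False, "hash_value mismatch"
    return True, "ok"


def access_decision(path, entries, stop_on_chkfail=True):
    """Model the loader's decision for an open/exec request.  Files without
    a TSD entry are not checked (as the article describes); a failed check
    is denied when the stop-on-failure policy is set, else logged and allowed."""
    entry = entries.get(path)
    if entry is None:
        return "allow", "no TSD entry, not checked"
    ok, reason = verify(path, entry)
    if ok:
        return "allow", reason
    return ("deny" if stop_on_chkfail else "allow-logged"), reason


def build_demo(stop_on_chkfail=True):
    """Constructed scenario: an intact file, a same-size tampered file,
    a file that grew after enrolment, and a file with no TSD entry."""
    base = tempfile.mkdtemp(prefix="tsd_demo_")
    good = b"#!/bin/sh\necho trusted tool\n"
    files = {
        "intact":   (os.path.join(base, "intact"), good),
        "tampered": (os.path.join(base, "tampered"), b"#!/bin/sh\necho trojan  tool\n"),
        "appended": (os.path.join(base, "appended"), good + b"rm -rf /tmp/x\n"),
        "unlisted": (os.path.join(base, "unlisted"), good),
    }
    for path, content in files.values():
        with open(path, "wb") as f:
            f.write(content)
    # The TSD records the attributes seen at enrolment, i.e. of the good
    # content; two of the files were modified afterwards.
    stanza = ""
    for name in ("intact", "tampered", "appended"):
        stanza += (
            "%s:\n        owner = root\n        group = system\n"
            "        mode = 555\n        type = FILE\n        size = %d\n"
            "        cert_tag = 0000000000000000\n        signature = \n"
            "        hash_value = %s\n\n"
            % (files[name][0], len(good), hashlib.sha256(good).hexdigest())
        )
    entries = parse_tsd(stanza)
    return {name: access_decision(path, entries, stop_on_chkfail)
            for name, (path, _) in files.items()}


if __name__ == "__main__":
    for name, (decision, reason) in build_demo().items():
        print("%-9s %-13s %s" % (name, decision, reason))
```

The "tampered" case is the one worth noticing: the file keeps its original size, so only the hash comparison catches it, which is why a size-only audit is not a substitute for TE's hash check. The "unlisted" file passes untouched because TE, as the article states, only acts on files that have a TSD entry.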

Trusted Execution Path and Trusted Library Path

Trusted Execution Path (TEP) defines a colon separated list of directories that contain the trusted executables. Once TEP verification is enabled, the system loader allows only binaries located in those directories to execute. Trusted Library Path (TLP) has the same function for libraries: once TLP is enabled, the loader allows only libraries from the listed directories to be linked into binaries. The trustchk command enables or disables TEP and TLP and sets the colon separated path list for each, through the TEP and TLP attributes of its policy (-p) option. Before enabling either, make sure every directory that legitimately holds executables or libraries, including those needed during boot, is in the list, since anything outside it will be refused.
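The TEP/TLP check is a directory membership test, and the detail that matters is what counts as "in the path". The following is an added example (not code from the article or from AIX) that models that test and contrasts it with the naive string-prefix check that lets "/usr/bin/../../tmp/ls" or "/usr/binx/ls" through. The path list and candidate paths are constructed. Two assumptions are not stated in the article: only the file's immediate directory is compared, so a subdirectory of a TEP entry does not qualify, and matching is lexical (symlinks are not resolved). The same function applies unchanged to a TLP list.

```python
"""Model of the Trusted Execution Path (TEP) directory check (added
example, not code from the article or from AIX).  Assumptions not in the
article: only the immediate directory is compared, and symlinks are not
resolved.  Path lists and candidate paths are constructed."""
import posixpath


def parse_path_list(path_list):
    """Split a trustchk-style colon separated list, dropping empty entries
    and normalizing each directory (trailing '/' etc.)."""
    return {posixpath.normpath(d) for d in path_list.split(":") if d}


def naive_prefix_allows(exec_path, path_list):
    """The check one is tempted to write: a plain string-prefix test.
    Kept here to show what it gets wrong."""
    return any(exec_path.startswith(d) for d in path_list.split(":") if d)


def tep_allows(exec_path, path_list, cwd="/"):
    """True if the directory containing exec_path is in the trusted list.
    Relative paths are resolved against cwd; '.', '..' and '//' are
    collapsed before the directory is compared."""
    if not posixpath.isabs(exec_path):
        exec_path = posixpath.join(cwd, exec_path)
    normalized = posixpath.normpath(exec_path)
    return posixpath.dirname(normalized) in parse_path_list(path_list)


if __name__ == "__main__":
    tep = "/usr/bin:/usr/sbin:/opt/app/bin"
    for p in ("/usr/bin/ls", "/tmp/ls", "/usr/bin/../../tmp/ls",
              "/usr/binx/ls", "/usr/bin/sub/ls", "/usr/bin//ls"):
        print("%-24s naive=%-5s tep=%s"
              % (p, naive_prefix_allows(p, tep), tep_allows(p, tep)))
```

On a real system the loader sees the path after the kernel has resolved it, so the lexical normalization here stands in for that; the point to take away is that TEP is a membership test on the resolved directory, and that any prefix-based approximation of it must be treated as untrusted.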

Trusted Shell and Secure Attention Key

Trusted Shell and Secure Attention Key (SAK) work as they do with the Trusted Computing Base (TCB), except that when Trusted Execution is enabled on the system instead of TCB, the Trusted Shell executes only files that belong to the Trusted Signature Database.

Do not forget to check my other article with information on Trusted Execution.
