The Design of KuangPlus

Introduction

Here is a top-level diagram for KuangPlus.

We assume that everything in the trusted environment is trustworthy, and nothing in this environment can be tampered with. Unfortunately, as KuangPlus is written in Perl, this also includes the Perl interpreter and its environment. More on this later.

Everything else is assumed to be untrustworthy. We assume that all data, programs and sources of information are susceptible to corruption, malicious or otherwise.

Main Components

Before KuangPlus can do anything, the Rule Downloading Software must download some rules from various parts of the Internet or from other media. We don't intend to write this part of the system: instead, you can use FTP or HTTP clients, rsync, CVSup, rdist, or any mechanism you like to obtain rules. The rules must be stored in a directory structure that can be accessed by KuangPlus.

Initially, we expect rules to be single files signed using PGP 2.6.x or PGP 5.x. This generally tends to compress and encode the files, so that the source code for each rule is not easily readable.

When KuangPlus is invoked, the Rule Verification and Loading component decodes and verifies the digital signature on each rule file, according to the database of public keys in the trusted environment. Once verified, each rule can then be invoked to find a configuration deficiency.

We expect that each rule will only look for a single configuration deficiency, e.g. a known insecure version of Sendmail. However, a rule may instead look for a set of common deficiencies in a general area, e.g. problems with the password and group files.

As with Kuang, if the rules find any configuration problems, they pass on the details of the initial and final states, plus the cause, to the Induction Engine. The engine then attempts to chain rule outputs together, in order to find combinations of flaws which could lead to a security vulnerability. In many cases, the chain is of length 1, but the engine will find chains of any length.

Note that the Induction Engine has no implicit knowledge of system security. It uses the output from the rules in order to build chains of consequences.
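
The chaining described above can be sketched as a breadth-first search over (initial state, final state, cause) triples. This is an added example, not KuangPlus code (which is written in Perl); the state names, causes, and the names Finding, find_chains and describe are assumptions constructed for illustration.

```python
from collections import deque, namedtuple

# One rule output: holding `initial` leads to `final` because of `cause`.
Finding = namedtuple("Finding", "initial final cause")

# Constructed sample rule outputs (hypothetical states and causes).
FINDINGS = [
    Finding("user:guest", "group:staff", "guest is listed in staff in the group file"),
    Finding("group:staff", "write:/etc/aliases", "/etc/aliases is group-writable"),
    Finding("write:/etc/aliases", "user:root", "mail aliases can run programs as root"),
    Finding("group:staff", "user:guest", "guest's home directory is group-writable"),
    Finding("user:operator", "user:root", "root trusts operator for remote login"),
    Finding("user:www", "write:/tmp/cache", "cache directory is world-writable"),
]

def find_chains(findings, start, goal):
    """Return every loop-free chain of findings from start to goal, shortest
    first. States are opaque strings: the search has no security knowledge
    of its own and only matches one finding's final state to the next
    finding's initial state."""
    by_initial = {}
    for f in findings:
        by_initial.setdefault(f.initial, []).append(f)
    chains = []
    queue = deque([(start, [], frozenset([start]))])
    while queue:
        state, chain, seen = queue.popleft()
        if state == goal and chain:
            chains.append(chain)
            continue
        for f in by_initial.get(state, []):
            if f.final not in seen:  # skip cycles such as staff -> guest -> staff
                queue.append((f.final, chain + [f], seen | {f.final}))
    return chains

def describe(chain):
    """Render one chain as text, one finding per line."""
    return "\n".join(f"{f.initial} -> {f.final}  ({f.cause})" for f in chain)

if __name__ == "__main__":
    for start in ("user:guest", "user:operator", "user:www"):
        found = find_chains(FINDINGS, start, "user:root")
        print(f"{start}: {len(found)} chain(s) to user:root")
        for chain in found:
            print(describe(chain))
```
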

Wrapped around all of this is the KuangPlus User Interface, which is what the administrator uses to run KuangPlus.

Trusting the Trusted Environment

We must be able to trust the trusted environment. This means either preventing it from being tampered with, or being able to detect when it has been tampered with. In the latter case, we must make the tamper-detector itself tamper-proof.

The design here could be either, but we will probably go for a design where the database of public keys, the tamper-detector and the main components (Induction Engine, User Interface, Rule Loading) are on read-only media, such as a CD-ROM or a write-protected floppy disk.

The tamper detector will have to verify everything else in the trusted environment which isn't on read-only media: PGP binaries, the Perl interpreter, the configuration file. This will be painful but hopefully not too hard to get right.


Warren Toomey
1999-06-01