Introduction

In system security, internal threats are considered of higher severity than external threats. In a system there are system commands, kernel extension modules, and the files that require root privileges to execute. All these govern the overall security model of the system. These are system-critical files and loss of their integrity threatens overall system security.

The loss of integrity could be that you executed the ls command and instead of listing the contents of the directory, it deleted all the files present there. A worse situation could be that when you ran an integrity-compromised telnet command, it opened a telnet session to a remote machine, but at the same time, it stored your credentials (username and password) and sent them to a third party.

These scenarios give rise to the demand for a secure operating system, where only the trusted binaries (or libraries/scripts/shells) are allowed to run. AIX V6.1 provides such a security feature, the Trusted Execution (TE) environment.

What is Trusted Execution?

Trusted Execution can be considered a collection of a set of features that supervise the integrity of the system. The Trusted Execution environment maintains a trusted database, where the trust values of the system-critical files are stored. Along with this database, the TE implements security policies that add another level to system security. These features are explained in detail in the later sections of this article.

Trusted Execution environment over Trusted Computing Base

Trusted Computing Base (TCB) is the security feature available with IBM AIX versions later than version 4.1. Trusted Computing Base is about periodically checking the integrity of the system, which is implemented using the cron job mechanism, so that it checks the integrity of the system after a specific time interval.

Checking the integrity of the files at run time is very crucial; therefore, using the Trusted Execution is recommended. The run-time Trusted Execution verifies the various important attributes of the commands each time they are executed.

The Trusted Execution environment is the advanced security feature of IBM AIX V6.1, which provides the following advantages over TCB:

• Trusted Computing Base is an install-time option only and to enable TCB on an existing AIX machine, you need to reinstall the entire AIX operating system. On the other hand, TE allows you to enable or disable the integrity-checking feature at any time.
• Trusted Execution supports the run-time integrity check whenever any command is executed, whereas the TCB mostly does the periodic checking of system integrity.

In all, TE has more capabilities than what TCB provides.

How to enable the Trusted Execution environment

The Trusted Execution environment feature requires AIX V6.1 as the operating system. It is part the base operating system fileset bos.rte.security. Also, make sure that you have CryptoLite for C Library (CLiC) and its kernel extensions installed on it. These file sets are needed for TE to work. Use the following lslpp command to check whether CLiC and its kernel extensions are installed:

bash-2.05b# lslpp -l  "clic*"
Fileset                      Level  State      Description
---------------------------------------------------------------------
Path: /usr/lib/objrepos
clic.rte.includes          4.3.0.0  COMMITTED  CryptoLite for C Library
Include File
clic.rte.kernext           4.3.0.0  COMMITTED  CryptoLite for C Kernel
clic.rte.lib               4.3.0.0  COMMITTED  CryptoLite for C Library
clic.rte.pkcs11            4.3.0.0  COMMITTED  PKCS11 Software Token Support

Path: /etc/objrepos
clic.rte.kernext           4.3.0.0  COMMITTED  CryptoLite for C Kernel

If they are not installed, then install them using the smitty command. You can get these file sets from AIX Expansion pack CDs or download it from the AIX Web Download Pack program (See Resources for the link). After installing the file sets on the system, load them into the kernel with the following command:

bash-2.05b# /usr/lib/methods/loadkclic

Once this is done, run the following command to turn on the Trusted Execution.

bash-2.05b# trustchk -p te=on

Features of the Trusted Execution environment

1. Trusted Signature Database (TSD)

   This database stores all the necessary information about system-critical files, including kernel extension modules or the files that require root privilege to execute. This database by default is located at /etc/security/tsd/tsd.dat.

   The entity (command / binary / library / script / shell) whose entry is there in the TSD is called a trusted entity and for such a trusted entity, a unique cryptographic hash and digital signature is stored. The cryptographic hash is calculated using the SHA-256 algorithm and the digital signature is generated using the RSA algorithm.

   For such a trusted entity, the hash value and signature are calculated and shipped as part of the their AIX installables and stored in TSD on the destination system.

   Let’s see the stanza of one of the trusted file:

   bash-2.05b# /usr/sbin/trustchk -q /usr/bin/chown /usr/bin/chown: owner = root group = bin mode = 555 type = FILE hardlinks = symlinks = size = 9598 cert_tag = 00af4b62b878aa47f7 signature = 4f5c5a0438148947b716a8fb744f50913f89c1fb38246e8cdcd017533a103aec 7ecc43b31c210b69b7915f961b440bc94124d198bfc6ef1594c62b0cdeedb8917cc08969a460 f686c8abda4cab15ccaf29a2740e5c42c862320a8a88e5073143466738affecbb3129a1689a0 d91cd1da98582425f23512dffa7590113cbca753 hash_value = 2c4e3308996ea6846e67847c47009e0d5d0516b4fed37a0e673c4b835f58958 cd91cd1da98582425f23512dffa7590113cbca753 minslabel = maxslabel = intlabel = accessauths = aix.fs.object.owner innateprivs = PV_DAC_O,PV_DAC_X,PV_FS_CHOWN inheritprivs = authprivs = secflags = FSF_EPS t_innateprivs = PV_MAC_R,PV_MAC_W,PV_MIC

   
   

   Since all the above information for a trusted file is stored in TSD, securing TSD is vital. For the security of theTSD, the database can be locked using the following command:

   bash-2.05b# /usr/sbin/trustchk -p tsd_lock=on

   
   

   Apart from the default TSD file (/etc/security/tsd/tsd.dat), an alternate database can also be referred to check the trusted file integrity (using the -F option in the above command), which can be kept at a secure location.

2. Auditing the integrity of TSD (system integrity check)

   In order to perform a system integrity check, the /usr/sbin/trustchk command is used to check the integrity for all the trusted files by matching the actual file attribute values (like signature, hash, and etc.) with the values in the database.

   /usr/sbin/trustchk [-l] [-r] {-n | -t | -y}{filename...| ALL}

   
   

   These are the command arguments that specify the system auditing modes:

   • –n
     In this auditing mode, for the specified single trusted file or all files, all the discrepancies between the actual values and the values stored in TSD are reported, not fixed.
   • –t
     In this auditing mode, for the specified single trusted file or all files, all the discrepancies are reported with a prompt asking whether errors should be fixed.
   • –y
     In this auditing mode, for the specified single trusted file or all files, discrepancies are fixed and reported.Only a few common discrepancies can be fixed, not all. For instance, if there is a mismatch in the hash value, this mode is not going to repair that; instead it will make that file inaccessible. This mode should be used with caution, as it might make the file inaccessible if any serious discrepancy is found.

   Note: Along with each option, the keyword ALL can be used to check integrity of all the entries in TSD.

   This feature is basically a system audit that can be exercised periodically by the system administrator.

   In the following example, we are going check the integrity of the /usr/bin/hostname command, which is a system command and its entry is already in the TSD.

   -bash-2.05b# ls -l /usr/bin/hostname -r-xr-xr-x 1 bin bin 4288 Oct 05 2007 /usr/bin/hostname -bash-2.05b# trustchk -y /usr/bin/hostname -bash-2.05b#

   
   

   Please note that trustchk -y did not give any messages in the above execution, which means that the command integrity is preserved.

   Now, replace the /usr/bin/hostname command with /usr/bin/cd command and then try to check the integrity:

   -bash-2.05b# cp /usr/bin/hostname /usr/bin/hostname.orig -bash-2.05b# cp /usr/bin/cd /usr/bin/hostname -bash-2.05b# /usr/sbin/trustchk -y /usr/bin/hostname Verification of attributes failed: size Verification of attributes failed: hash Verification of attributes failed: signature Verification of stanza failed: /usr/bin/hostname -bash-2.05b#

   
   

   The above messages shows that the integrity of the command /usr/bin/hostname has been compromised.

   It is also important to notice that the mode of the /usr/bin/hostname command has been changed and it has become inaccessible. This happened because of the '-y' flag. The only solution is to remove the bad command binary and copy the new binary.

   -bash-2.05b# ls -l /usr/bin/hostname ---------T 1 bin bin 1457 May 29 08:09 /usr/bin/hostname -bash-2.05b#

   
   

3. Run-time integrity check by configuring security policies

   One of the crucial features of the Trusted Execution is to check the integrity of the trusted files at run time. When the run-time integrity check is enabled, the following steps are taken when you execute the command.

   1. During binary loading, the TE sub system is called by the system loader, which calculates the hash using the SHA-256 hash algorithm.
   2. Now for this same binary, the hash value stored in TSD is extracted and matched with the run-time calculated hash value.
   3. Binary will be allowed to execute if the values match.
   4. If the values don’t match, that means that either the file has been tampered with or changed. In this case, the action will be taken on the basis of the policy configured.

   The run-time integrity check is configured using the -p option of the trustchk command. Use the following syntax:

   trustchk -p { [ TE [= ON | OFF ] ] [ CHKEXEC [=ON | OFF ] ] [ CHKSHLIB [ =ON | OFF ] ] [ CHKSCRIPT [ =ON | OFF ] ] [ CHKKERNEXT [ = ON | OFF ] ] [ STOP_UNTRUSTD [ = ON | OFF ] ] [ STOP_ON_CHKFAIL [ = ON | OFF ] ] [ TEP [ = ON | OFF | PathList ] ] [ TLP [ = ON | OFF | PathList ] ] [ TSD_FILES_LOCK [ = ON | OFF ] ] [ TSD_LOCK [ = ON | OFF ] ] }

   
   

   Policies for run-time integrity checking

   There are certain policies provided by IBM AIX V6.1 that can be configured for run-time integrity checking. These policies decide the fate of the binaries/libraries/scripts and kernel extensions for which the integrity check has failed.

   The following policies can be configured:

   TE

   This is the main policy that enables or disables the trusted execution functionality. Only after enabling this policy, the other policies can be realized.
   To activate the TE policy, execute the following command:

   bash-2.05b# /usr/sbin/trustchk -p te=on

   
   

   CHKEXEC

   This policy makes sure that integrity of the trusted binaries is check during load time.

   CHKSHLIB

   The integrity of the trusted shared libraries is checked before loading them into the memory for execution.

   CHKSCRIPT

   The integrity of the trusted shell scripts is checked before loading them into the memory.

   CHKKERNEXt

   The integrity of the kernel extensions is checked before loading them into memory.

   STOP_UNTRUSTED

   This policy blocks the entities (which can be executable/libraries/scripts or kernel extensions) from loading if they are not in TSD. Hence, it works in combination with CHK* policies. For example, if CHKSCRIPT=ON and STOP_UNTRUSTED=ON, then those scripts that do not belong to TSD will not be executed.

   STOP_ON_CHKFAIL

   This policy stops the loading of the trusted files (same as the entities above) if integrity checks fail for them. It works in combination with CHK* policies. For instance, CHKEXEC=ON and STOP_ON_CHKFAIL=ON. then any executable for an integrity check has failed will not be loaded.

   TSD_LOCK

   This policy will lock the TSD and after that it will not be possible to manipulate it through the /usr/sbin/trustchk command.

   TSD_FILES_LOCK

   All the trusted files are locked and no change can be made to them once this policy is realized.

   TEP

   Using this policy, we can set the value of the trusted execution path, enable it, or disable it. The TE path is a list of directory paths separated by a colon. Once this policy is configured, then only the executables belonging to the set path are allowed to execute.

   TLP

   Like TEP, using this policy we can set the value of the trusted library path, enable, it or disable it. TLP is colon-separated directory path. Once it is enabled, then only the libraries that belong to the TLP will be loaded into the memory.

   The TEP and TLP are TE policies; they are different from the 'Trusted Execution Path' and 'Trusted Library Path' features that are covered in the next section. In order to use these policies, you need to turn ON the main TE policy.

   Let's look at one example of how to turn on the run-time integrity check by configuring the policy TE, CHKEXEC, and STOP_ON_CHKFAIL. First, we are going to check the current status of the policies and then turn ON these policies.

   -bash-2.05b# /usr/sbin/trustchk -p TE CHKEXEC STOP_ON_CHKFAIL TE=OFF CHKEXEC=OFF STOP_ON_CHKFAIL=OFF -bash-2.05b# /usr/sbin/trustchk -p TE=ON CHKEXEC=ON STOP_ON_CHKFAIL=ON -bash-2.05b# /usr/sbin/trustchk -p TE CHKEXEC STOP_ON_CHKFAIL TE=ON CHKEXEC=ON STOP_ON_CHKFAIL=ON -bash-2.05b#

   
   

   Now, we will run the /usr/bin/ls command (whose entry is already in the TSD), just to make sure that the command execution is permitted.

   -bash-2.05b# /usr/bin/ls .bash_history bin mnt tftpboot .profile dev opt tmp .rnd etc proc u .sh_history home sbin unix .vi_history lib smit.log usr admin lost+found smit.script var audit lpp smit.transaction -bash-2.05b#

   
   

   Replace the /usr/bin/ls binary with the /usr/bin/chmod binary. Try to run the /usr/bin/ls command. This time, the execution should fail. See the below sequence:

   -bash-2.05b# cp /usr/bin/ls /usr/bin/ls.orig -bash-2.05b# cp /usr/bin/chmod /usr/bin/ls -bash-2.05b# /usr/bin/ls -bash: /usr/bin/ls: Cannot run the specified program in a trusted environment. -bash-2.05b#

   
   

   Hence, the run-time integrity check is working on the system. If there are any Trojans or other viruses who changed any binary, then its execution will be denied.

4. Trusted Execution Path and Trusted Library Path

   Along with the trusted commands, the TE environment also supports the Trusted Execution Path and Trusted Library Path. Also, it supports the concept of trusted shell and Secure Attention Key (SAK) as it is in the Trusted Computing Base.

   The Trusted Execution Path (TEP) specifies a list of trusted directory paths. Only those executables that belong to these paths are allowed to execute.

   To check the current list of trusted paths and the status of TEP, run the following command:

   bash-2.05b# /usr/sbin/trustchk -p tep TEP=OFF TEP=/usr/bin:/usr/sbin:/etc:/bin:/sbin:/sbin/helpers/jfs2:/usr/lib/instl:/usr/ccs/bin

   
   

   To enable the TEP, execute the following command:

   bash-2.05b# /usr/sbin/trustchk -p tep=on

   
   

   Once TEP is enabled, it should show something like this:

   bash-2.05b# /usr/sbin/trustchk -p tep TEP=ON TEP=/usr/bin:/usr/sbin:/etc:/bin:/sbin:/sbin/helpers/jfs2:/usr/lib/instl:/usr/ccs/bin

   
   

   Trusted Library Path (TLP) specifies a list of trusted directory paths. Only those libraries that are in TLP are loaded in memory for execution. The status of TLP can be checked like this:

   bash-2.05b# /usr/sbin/trustchk -p tlp TLP=OFF TLP=/usr/lib:/usr/ccs/lib:/lib:/var/lib

   
   

   To enable TLP, execute the following command:

   bash-2.05b# /usr/sbin/trustchk -p tep=on

   
   

   When TLP is enabled, the status should show this:

   bash-2.05b# /usr/sbin/trustchk -p tlp TLP=ON TLP=/usr/lib:/usr/ccs/lib:/lib:/var/lib

   
   

How does Trusted Execution work?

The Trusted Execution can be exercised in the real-time execution of the trusted commands. Whenever a trusted command is entered at the command prompt (or for that matter, called by some script), first of all a hash is calculated by the operating system (see 2 in the figure) and the actual hash of the trusted command is extracted from the TSD (3). Only when both the hash values are matched, the execution of the command is allowed.

Conclusion

The Trusted Execution environment is a much-awaited security feature offered in IBM AIX V6.1. This article takes you through the essentials of this feature, covering the basic functionality and examples. It allows AIX system administrators to hone their security skills to exploit this feature further.

Resources

Learn

• "AIX and UNIX": The AIX and UNIX developerWorks zone provides a wealth of information relating to all aspects of AIX systems administration and expanding your UNIX skills.
  
  
• Check out the following IBM Redbooks:
  "The AIX 6 Advanced Security Features, Introduction and Configuration Guide": highlights and explains the security features enhancements of AIX 6.1.
  "Elements of Security: AIX 4.1": Get more information on the Trusted Computing Base feature of AIX.
  
  
• New to AIX and UNIX? Visit the New to AIX and UNIX page to learn more.
  
  
• developerWorks technical events and webcasts: Stay current with developerWorks technical events and webcasts.
  
  
• AIX: Visit this collaborative environment for technical information related to AIX.
  
  
• Podcasts: Tune in and catch up with IBM technical experts.
  
  

Get products and technologies

• AIX 5L Expansion Pack and Web Download Pack: Start downloading now.
  
  
• IBM trial software: Build your next development project with software for download directly from developerWorks.
  
  

Discuss

• Participate in the AIX and UNIX forums:
  • AIX Forum
  • AIX Forum for Developers
  • Cluster Systems Management
  • IBM Support Assistant Forum
  • Performance Tools Forum
  • More AIX and UNIX forums
  
  

About the authors

Vipin Rathor, in his two years with IBM India Software Lab, has been working for IBM Network Authentication Service (IBM Kerberos) Development and Support activities. His areas of interest include Kerberos and LDAP integration, network security, authentication protocols, and PKI.

Sandeep Singh works at the IBM India Software Lab. Currently he is engaged in IBM Network authentication service L3 support and development activities. Network security and UNIXinternals are his areas of interest. He holds a bachelor of technology degree from Pune University, India.

Comments (Undergoing maintenance)

Back to top

Trademarks  |  My developerWorks terms and conditions

Table of contents

• Introduction
• Trusted Execution environment over Trusted Computing Base
• How to enable the Trusted Execution environment
• Features of the Trusted Execution environment
• How does Trusted Execution work?
• Conclusion
• Resources
• About the authors
• Comments

Local resources

• IBM Innovation Center - Austin, TX
• IBM Innovation Center - Chicago, IL
• IBM Innovation Center - Dallas, TX
• IBM Innovation Center - San Mateo, CA
• IBM Innovation Center - Waltham, MA
• Technical Briefings in North America

My developerWorks community

Dig deeper into AIX and UNIX on developerWorks

Calling all developers

Download no charge Lotus Domino Designer

Special offers