[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Security Tools : Medusa DS9

Program name: Medusa DS9
Author: Zelem, Pikula, and Ockajak
Date: 18th August 2000
Homepage: http://medusa.fornax.sk/
Download: http://medusa.fornax.sk/Download/

			Medusa DS9 Security System

Medusa is a package that improves the overall security of the Linux OS by

extending the standard Linux (Unix) security architecture while preserving

backward compatibility. Briefly, it supports, at the kernel level, a user-space

authorization server (and is thus fully transparent to any user space

applications). Before the execution of certain operations, the kernel asks the

authorization server for confirmation.  The authorization server then permits

or forbids the operation. The authorization server can also affect the way an

operation is executed in some cases, which are described later. This method

allows the use of almost any security architecture. When the authorization

server is properly configured, it can determine access rights within the system

to a very fine level and do very good auditing.


Currently, Medusa consists of two basic parts: a small patch to the Linux

kernel and a user space security daemon called "Constable". Constable is the

current implementation of an authorization server. User space implementation

allows kernel changes to be simpler and smaller and thus easier to port to

new versions of the Linux kernel and to be more flexible, so improvements to the

authorization server should not require changes in the kernel.

Communication between Constable and kernel goes through the special device

"/dev/medusa" (char major 111 minor 0), because it should be both fast and

flexible. When the kernel needs confirmation, it writes data to this device,

makes the current process sleep and wakes up Constable. Constable reads the

data from /dev/medusa, chooses a response (depending on his configuration, which

is discussed in doc/Constable), sends it back to the kernel and sleeps. The

kernel gets the data, wakes up the process and determine the result of the

operation. Constable can also send certain commands to the kernel (even if the

kernel doesn't require them), which are then executed by the kernel. The

security daemon has to use a specific communication protocol defined in kernel,

so it is possible to implement a full-featured authorization server by only

knowing this protocol and knowing that the kernel supports it, without worrying

what's really happening in the kernel. Constable is only one example of such an

authorization server. The protocol allows communication in the form of packets

which carry all necessary data.


The current implementation of Medusa in the kernel, in cooperation with the

security daemon in user space, has these features:

	o  full access control to any file in the system (via VFS)

	o  ability to redirect access to the selected file or to another one

	o  complete control of signal sending/receiving

	o  direct control of important process actions

	o  control of execution of any syscalls for specified processes

	o  every process or file is a member of a specified virtual subsystems

	   and every process has assigned access rights to VS. (It is possible

	   to completely hide processes or files from other processes this way.)

        o  every process has a login uid (luid), which is set only on the first

	   call of set{re,s}uid

	o  ability to force execution of specified code for any process

	   (similar to signal handling, see doc/Code_forcing for details)

	o  low level control of any system call

Use of these features depends on the implementation of the security daemon and

details of its configuration. At least Constable can use all of them. These

features are described in detail in doc/Features. To learn more about the

implementation of Medusa in the Linux kernel see doc/Kernel or the patched

kernel sources. Constable is currently implemented as an interpreter of its own

configuration language (very similar to C), so it is possible to implement

theoretically any system security model. With Medusa (and Constable), you can

almost completely override the current Linux security model, and you can create

a small subset of extensions to it, as well. Currently, Medusa works only on

the i386 architecture, but we plan to support other architectures that are

supported by Linux, as soon as these CPUs are made available to us.


The entire Medusa package is distributed under under GNU GPL v2 license.

See doc/COPYING for details.


	Programming and everything else:

		Marek Zelem 

		Milan Pikula 

		Martin Ockajak 

	Helpful testing, bugreports and comments:

		Jan Varga 

		Robert Varga 

		Robert Dobozy 



** 	You are strongly encouraged to join Medusa mailing list by

** sending an e-mail with "subscribe medusa" in the body of message

** to listserv@medusa.fornax.sk.


Homepage of Medusa is at http://medusa.fornax.sk.

Medusa was not thoroughly tested on multiprocessor systems,

but it seems to work well.

Feel free to post any questions, comments, ideas, critics or very nice

Constable configuration files to the Medusa mailing list at


(C) 1999-2000 All rights reserved.