search

CTSRD-CHERI / FETT

Issue only repo to support the FETT project
0 stars 0 forks source link

Port forked galois application stack to CHERI: #2

Closed brooksdavis closed 4 years ago

brooksdavis commented 4 years ago

Known issues listed in (parentheses)

jrtc27 commented 4 years ago

Also talks of using FastCGI for nginx to communicate with their web server, either with fcgi2 (which has C++ in it, but purely as a thin wrapper around the C API that can just be patched out of the Makefile) or with kcgi (which only needs C++ for building its samples, which aren't built by default). I think the latter is preferable for us as it looks like a slightly cleaner code base that also has a sandboxing focus, making use of capsicum already. I have already voiced this opinion in https://github.com/DARPA-SSITH-Demonstrators/SSITH-FETT-Voting/issues/4.

rwatson commented 4 years ago

Just so that it’s recorded with this issue, here are the contents of the 29 April 2020 email from Galois identifying applications and versions:

All,

Below are details on the application stacks Galois is developing for use in FETT. Please share with members of your teams not copied on this email.

Application options are detailed in this README. LANDO specs, including features and requirements, can be found in this directory. Here is a short summary of applications under development:

  1. FreeRTOS: a. HTTPS Server: We will use the basic HTTP server from the FreeRTOS demos, and wrap it with TLSv.1.2 from WolfSSL v.3.6.0. b. OTA: We are NOT going to use the standard amazon-freertos method using AWS IoT flow. We are going to use a simple TFTP client, and payloads signed by Ed25519 (using WolfSSL v.3.6.0), then stored on a FAT filesystem.

  2. FreeBSD/Debian: a. OpenSSH: OpenSSH v.7.3.0. [Build and dependencies] b. Database: Sqlite v.3.22.0 [Build and dependencies] c. Webserver: Nginx v.1.13.2 [Build and dependencies]

We are working on getting a first version of the "features smoke-test" of all the apps working on qemu (for Unix) and FPGA (the usual VCU118 setup). Progress is documented on GitHub. The current estimate is to have our applications feature-complete by the end of Sprint #3 (May 22nd).

Feel free to reach out with any questions via email, Mattermost, or GitHub issues.

Thanks! -the Galois team

rwatson commented 4 years ago

(Although not relevant to us, later issues in Galois’s issue tracker suggests that they may have backed off using HTTPS for FreeRTOS due to trouble finding a suitable existing web server.)

rwatson commented 4 years ago

Other links from the Galois email:

Individual application build and dependencies:

rwatson commented 4 years ago

Tagging @trasz, @bsdjhb, @brettferdosi, @bukinr, @arichardson so that they are aware of this information (@jrtc27 is obviously already keeping an eye!).

rwatson commented 4 years ago

Also relevant issues from the Galois GitHub issue tracker, in which @jrtc27 points out to Galois that GCC build instructions aren’t very useful to us:

https://github.com/DARPA-SSITH-Demonstrators/SSITH-FETT-Target/issues/176

brooksdavis commented 4 years ago

Note that in #1 I forked all the relevant repos (or in one case forked a repo rather than using the tarball and added a fett branch at the correct point.

brooksdavis commented 4 years ago

The OpenSSL in question predates constant-time-conditional XORs of pointers that we had to disable in CTSRD-CHERI/cheribsd@a0eac17db0649fe134bed192bff305da84c4125d. Otherwise it just needed a a small tweak in CTSRD-CHERI/openssl@7a024156ca695b976f486d765bde098b6eb11573 to avoid round-tripping pointers through size_t.

brooksdavis commented 4 years ago

No diffs to zlib in FreeBSD base (sys/contrib/zlib) so assume no changes are needed.

brooksdavis commented 4 years ago

CSTRD-CHERI/openssh-portable#1 shows an issue that needs to be resolved to allow ordinary users to log in.