Closed brooksdavis closed 4 years ago
Also talks of using FastCGI for nginx to communicate with their web server, either with fcgi2 (which has C++ in it, but purely as a thin wrapper around the C API that can just be patched out of the Makefile) or with kcgi (which only needs C++ for building its samples, which aren't built by default). I think the latter is preferable for us as it looks like a slightly cleaner code base that also has a sandboxing focus, making use of capsicum already. I have already voiced this opinion in https://github.com/DARPA-SSITH-Demonstrators/SSITH-FETT-Voting/issues/4.
Just so that it’s recorded with this issue, here are the contents of the 29 April 2020 email from Galois identifying applications and versions:
All,
Below are details on the application stacks Galois is developing for use in FETT. Please share with members of your teams not copied on this email.
Application options are detailed in this README. LANDO specs, including features and requirements, can be found in this directory. Here is a short summary of applications under development:
FreeRTOS:
a. HTTPS Server: We will use the basic HTTP server from the FreeRTOS demos, and wrap it with TLSv.1.2 from WolfSSL v.3.6.0.
b. OTA: We are NOT going to use the standard amazon-freertos method using AWS IoT flow. We are going to use a simple TFTP client, and payloads signed by Ed25519 (using WolfSSL v.3.6.0), then stored on a FAT filesystem.
FreeBSD/Debian:
a. OpenSSH: OpenSSH v.7.3.0. [Build and dependencies]
b. Database: Sqlite v.3.22.0 [Build and dependencies]
c. Webserver: Nginx v.1.13.2 [Build and dependencies]
We are working on getting a first version of the "features smoke-test" of all the apps working on qemu (for Unix) and FPGA (the usual VCU118 setup). Progress is documented on GitHub. The current estimate is to have our applications feature-complete by the end of Sprint #3 (May 22nd).
Feel free to reach out with any questions via email, Mattermost, or GitHub issues.
Thanks! -the Galois team
(Although not relevant to us, later issues in Galois’s issue tracker suggest that they may have backed off using HTTPS for FreeRTOS due to trouble finding a suitable existing web server.)
Other links from the Galois email:
Individual application build and dependencies:
Tagging @trasz, @bsdjhb, @brettferdosi, @bukinr, @arichardson so that they are aware of this information (@jrtc27 is obviously already keeping an eye!).
Also relevant issues from the Galois GitHub issue tracker, in which @jrtc27 points out to Galois that GCC build instructions aren’t very useful to us:
https://github.com/DARPA-SSITH-Demonstrators/SSITH-FETT-Target/issues/176
Note that in #1 I forked all the relevant repos (or in one case forked a repo rather than using the tarball) and added a fett branch at the correct point.
The OpenSSL in question predates constant-time-conditional XORs of pointers that we had to disable in CTSRD-CHERI/cheribsd@a0eac17db0649fe134bed192bff305da84c4125d. Otherwise it just needed a small tweak in CTSRD-CHERI/openssl@7a024156ca695b976f486d765bde098b6eb11573 to avoid round-tripping pointers through size_t.
No diffs to zlib in FreeBSD base (sys/contrib/zlib) so assume no changes are needed.
CTSRD-CHERI/openssh-portable#1 shows an issue that needs to be resolved to allow ordinary users to log in.
Known issues listed in (parentheses)