Technologies & Concepts

This document details all technologies, tools, libraries, and concepts used in the Secure Boot and Kernel Integrity Verification System.


Programming Languages

| Language | Purpose | Files |
|---|---|---|
| C | Core implementation (crypto, signing, verification) | src/**/*.c |
| Shell Script (Bash) | Automation, testing, demos | scripts/*.sh, tests/*.sh |
| HTML/CSS | Test report generation | generate_html_report.sh |
| Makefile | Build system | Makefile |

Libraries & Dependencies

OpenSSL

  • Version: 1.1.x / 3.x compatible
  • Purpose: Cryptographic operations
  • Components Used:
    • libssl - SSL/TLS implementation
    • libcrypto - Cryptographic primitives

Specific APIs Used:

// Hash functions
#include <openssl/sha.h>      // SHA256_Init, SHA256_Update, SHA256_Final
                              // (deprecated since OpenSSL 3.0; EVP_DigestInit_ex/Update/Final is the supported path)

// RSA operations
#include <openssl/rsa.h>      // RSA key operations (low-level RSA_* calls are also deprecated in 3.0; prefer EVP_PKEY)
#include <openssl/pem.h>      // PEM file I/O
#include <openssl/evp.h>      // High-level crypto interface
#include <openssl/err.h>      // Error handling

Standard C Libraries

  • stdio.h - File I/O operations
  • stdlib.h - Memory management
  • string.h - String manipulation
  • time.h - Timestamps
  • sys/stat.h - File attributes

Cryptographic Algorithms

SHA-256 (Secure Hash Algorithm 256-bit)

| Property | Value |
|---|---|
| Output Size | 256 bits (32 bytes) |
| Block Size | 512 bits |
| Security | 128-bit collision resistance |
| Standard | FIPS 180-4 |

Purpose: Create unique fingerprint of kernel binary

RSA-2048 (Rivest-Shamir-Adleman)

| Property | Value |
|---|---|
| Key Size | 2048 bits |
| Security Level | ~112 bits |
| Signature Size | 256 bytes |
| Standard | PKCS#1 v2.1 |

Purpose: Digital signature generation and verification

Signature Scheme

RSASSA-PKCS1-v1_5 with SHA-256
Signature = RSA_Sign(SHA256(Kernel), PrivateKey)

Security Concepts

1. Chain of Trust

Sequential verification where each component verifies the next before execution.

Firmware → Bootloader → Kernel → OS
   ↓           ↓          ↓
 Verify     Verify     Verify

2. Digital Signatures

Cryptographic proof of authenticity and integrity using asymmetric key pairs.

3. Key Revocation

Mechanism to invalidate compromised keys by maintaining a blocklist.

4. Anti-Replay Protection

Timestamps embedded in signatures to prevent reuse of old valid signatures.

5. Integrity Verification

Hash-based verification to detect any modification to protected files.
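
The page does not say how the timestamp or the signing key's identity is stored, so the following added example (not the project's own code) assumes a .sig layout of an 8-byte big-endian UNIX timestamp followed by the 256-byte RSA signature, and a 32-byte key fingerprint for the revocation blocklist. It shows the pre-RSA checks for concepts 3 to 5 above in fail-secure form: any failure is a deny, and the caller runs the RSA verification only on VERDICT_OK.

```c
#include <stdint.h>
#include <string.h>

#define TS_LEN          8     /* big-endian UNIX seconds (assumed layout) */
#define RSA2048_SIG_LEN 256   /* raw RSASSA-PKCS1-v1_5 signature, RSA-2048 */
#define SIG_FILE_LEN    (TS_LEN + RSA2048_SIG_LEN)
#define KEYID_LEN       32    /* assumed: SHA-256 fingerprint of the signing public key */
#define MAX_CLOCK_SKEW  300   /* seconds a timestamp may lie in the future */

enum verdict { VERDICT_OK = 0, VERDICT_BAD_LENGTH, VERDICT_REVOKED, VERDICT_FUTURE, VERDICT_REPLAY };

/* Constant-time equality so a revocation lookup does not leak which entry matched. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

static uint64_t read_be64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}

/* Pre-RSA checks on a .sig blob: length, key revocation, timestamp freshness and
 * rollback. last_accepted is the newest timestamp the verifier has already booted
 * with; an older or equal value is a replay. The timestamp must itself be covered
 * by the signature (sign SHA256(ts || kernel)), or the 8 header bytes can be rewritten. */
enum verdict check_sig_metadata(const uint8_t *blob, size_t blob_len,
                                const uint8_t *key_id,
                                const uint8_t revoked[][KEYID_LEN], size_t n_revoked,
                                uint64_t now, uint64_t last_accepted) {
    if (blob_len != SIG_FILE_LEN) return VERDICT_BAD_LENGTH;
    for (size_t i = 0; i < n_revoked; i++)
        if (ct_equal(key_id, revoked[i], KEYID_LEN)) return VERDICT_REVOKED;
    uint64_t ts = read_be64(blob);
    if (ts > now + MAX_CLOCK_SKEW) return VERDICT_FUTURE;
    if (ts <= last_accepted) return VERDICT_REPLAY;
    return VERDICT_OK;
}

/* Builds a constructed .sig blob for demonstration: the header timestamp plus a
 * dummy signature body (a real file carries the 256-byte RSA signature there). */
void make_sig_blob(uint8_t out[SIG_FILE_LEN], uint64_t ts) {
    for (int i = 7; i >= 0; i--) { out[i] = (uint8_t)(ts & 0xff); ts >>= 8; }
    memset(out + TS_LEN, 0xAB, RSA2048_SIG_LEN);
}
```

Only after EVP_DigestVerify succeeds should the verifier persist the blob's timestamp as the new last_accepted value; committing it earlier would let an unverified file advance the counter.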


Design Patterns

1. Modular Architecture

Separation of concerns across distinct modules:

  • Crypto module
  • Logger module
  • Signer module
  • Verifier module

2. Defense in Depth

Multiple validation layers:

  1. File existence check
  2. File size validation
  3. Format verification
  4. Suspicious pattern detection
  5. Signature verification

3. Fail-Secure Design

System denies boot on any verification failure.


Tools & Utilities

Build Tools

| Tool | Purpose |
|---|---|
| GCC | C compiler |
| Make | Build automation |
| ld | Linker |

Testing Tools

| Tool | Purpose |
|---|---|
| Bash | Test automation |
| dd | Binary file creation |
| diff | File comparison |
| stat | File information |

Security Tools (Kali Linux)

| Tool | Purpose |
|---|---|
| chkrootkit | Rootkit detection |
| rkhunter | Rootkit hunter |
| openssl | Key/signature operations |

File Formats

PEM (Privacy-Enhanced Mail)

Base64-encoded text format for cryptographic keys (DER data between BEGIN/END marker lines).

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----

Signature File (.sig)

Raw binary RSA signature (256 bytes for RSA-2048).

Log Format

[TIMESTAMP] [LEVEL] MESSAGE
[2024-12-09 15:30:45] [SUCCESS] Kernel verified

Concepts from Operating Systems Theory

1. Boot Process

  • BIOS/UEFI firmware initialization
  • Bootloader execution (GRUB)
  • Kernel loading and execution
  • User-space initialization

2. Kernel Security

  • Ring 0 privilege level
  • Kernel integrity importance
  • Rootkit/bootkit threats

3. Access Control

  • File permissions (chmod)
  • User/group ownership
  • Principle of least privilege

Industry Standards Referenced

| Standard | Description |
|---|---|
| UEFI Secure Boot | Industry secure boot specification |
| FIPS 180-4 | SHA-2 hash standard |
| PKCS#1 | RSA cryptography standard |
| X.509 | Public key certificate format |
| TPM 2.0 | Trusted Platform Module specification |

Development Environment

Recommended Setup

  • OS: Kali Linux (in VirtualBox)
  • IDE: VS Code, Vim, or any C editor
  • Debugger: GDB
  • Version Control: Git

VirtualBox Configuration

  • RAM: 4GB minimum
  • CPU: 2 cores
  • Storage: 40GB
  • Network: NAT

Performance Characteristics

| Operation | Complexity | Time (typical) |
|---|---|---|
| SHA-256 Hash | O(n) | ~5ms per 512KB |
| RSA Sign | O(1) | ~15ms |
| RSA Verify | O(1) | ~2ms |

References

  1. OpenSSL Documentation - https://www.openssl.org/docs/
  2. UEFI Specification - https://uefi.org/specifications
  3. Linux Kernel Documentation - https://www.kernel.org/doc/
  4. NIST Cryptographic Standards - https://csrc.nist.gov/
  5. Modern Operating Systems by Andrew S. Tanenbaum