Merge pull request #17 from WhiteBeamSec/dev

0.2.0: See release notes

CHANGELOG.md

@@ -0,0 +1,216 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+
+- N/A
+
+## [0.2.0] - 2021-04-20
+
+### Added
+
+- Project changelog
+- Linux LD_PRELOAD/LD_AUDIT library: Generic hook
+- Linux LD_PRELOAD/LD_AUDIT library: Support for 40 hooks including Execution and Filesystem hooks
+- Database-driven design
+- Settings
+- Commands to modify WhiteBeam settings, toggle hooks, and load SQL
+- Modular action framework (compile time reflection), 12 actions
+- Modular hash framework (compile time reflection), added hashing algorithms (ARGON2ID, BLAKE3, SHA-3)
+- Hybrid hashing
+- Recovery secret
+
+### Changed
+
+- Linux LD_PRELOAD/LD_AUDIT library: LD_AUDIT loader
+- Replaced SodiumOxide with pure Rust audited cryptography library (RustCrypto)
+- Improved whitelisting system
+- Updated to latest dependencies
+
+### Removed
+
+- SHA-2 hash family
+
+### Security
+- A user with local access to a server running WhiteBeam could bypass whitelisting functionality
+  Fixed in 0.2.0: https://github.com/WhiteBeamSec/WhiteBeam/security/advisories/GHSA-7wf6-3j4p-jm8x
+
+## [0.1.3] - 2020-03-25
+
+### Added
+
+- Linux installer
+- Linux LD_PRELOAD library: tests
+
+### Changed
+
+- Linux LD_PRELOAD library: refactored fexecve
+- Project is now fully Rust
+- Relicensed as CC-BY-NC
+- Updated to latest dependencies
+
+### Removed
+
+- Dependency on GNU Make
+
+### Fixed
+
+- execl* corrected
+
+## [0.1.2] - 2020-03-08
+
+### Added
+
+- Baselines
+- Copyright, organization
+- Hashing standardized to libsodium default (SHA3 removed)
+- Linux LD_PRELOAD library: new hook templates, refactored hooks
+
+### Removed
+
+- Linux LD_PRELOAD library: original hook template
+
+## [0.1.1] - 2020-02-01
+
+### Added
+
+- Exception handling
+- Many new CLI arguments
+- WhiteBeam service: updated to be asynchronous
+
+### Changed
+
+- Updated to latest dependencies
+
+### Fixed
+
+- Correct OS encoding of strings
+- WhiteBeam service: execution log API restricted to localhost
+
+## [0.1.0] - 2019-12-26
+
+### Added
+
+- libsodium cryptography
+- Project code restructured into workspaces
+- WhiteBeam service: encrypted API route, public key API route
+
+### Changed
+
+- Updated to latest dependencies
+
+### Fixed
+
+- Linux LD_PRELOAD library: warn on seccomp usage (fix scheduled)
+- Optimized memory usage
+
+## [0.0.9] - 2019-11-20
+
+### Added
+
+- CLI --status argument for monitoring service health
+- Database initialization routines
+- Dynamic whitelists
+- Initial release binaries provided
+
+### Changed
+
+- Updated to latest dependencies
+
+### Fixed
+
+- execl* corrected
+
+## [0.0.8] - 2019-10-15
+
+### Added
+
+- Cross platform support for uptime, locating data files
+- Database functions, objects are now platform-independent
+- Linux LD_PRELOAD library: hooks structured to be modular
+- Prototype whitelist functionality working
+- WhiteBeam library targets nightly Rust for variadic function support
+- WhiteBeam service: startup script for Linux
+
+## [0.0.7] - 2019-09-02
+
+### Added
+
+- Linux LD_PRELOAD library: file descriptor support
+- Linux LD_PRELOAD library: hooks for exec family
+
+### Fixed
+
+- Error handling for hashing
+
+## [0.0.6] - 2019-08-31
+
+### Added
+
+- Whitelisting and hashing of authorized executables
+
+### Fixed
+
+- Refactored library HTTP requests to reduce crashes
+
+### Security
+- If the LD_PRELOAD/LD_AUDIT environment variables were defined to a nonexecutable
+  shared object library, execution of non-whitelisted library functions was possible.
+  Fixed in 0.0.6: https://github.com/WhiteBeamSec/WhiteBeam/security/advisories/GHSA-mm3f-f5hg-p2hv
+
+## [0.0.5] - 2019-08-26
+
+### Added
+
+- Created bug bounty
+- Linux LD_PRELOAD library: Execution logging
+- Reduced file size of release binaries
+- WhiteBeam service: API endpoint to process executions (log/exec)
+
+## [0.0.4] - 2019-08-10
+
+### Added
+
+- WhiteBeam service/CLI
+
+## [0.0.3] - 2019-06-23
+
+### Added
+
+- Linux LD_PRELOAD library: execve support
+- Linux LD_PRELOAD library: test case for execve
+
+## [0.0.2] - 2019-05-20
+
+### Added
+
+- Linux LD_PRELOAD library: working function interposition
+- Project code structured to be modular
+
+## [0.0.1] - 2019-05-20
+
+### Added
+
+- Project license
+
+[unreleased]: https://github.com/WhiteBeamSec/WhiteBeam/compare/v0.2.0...HEAD
+[0.2.0]: https://github.com/WhiteBeamSec/WhiteBeam/compare/v0.1.3...v0.2.0
+[0.1.3]: https://github.com/WhiteBeamSec/WhiteBeam/compare/v0.1.2...v0.1.3
+[0.1.2]: https://github.com/WhiteBeamSec/WhiteBeam/compare/v0.1.1...v0.1.2
+[0.1.1]: https://github.com/WhiteBeamSec/WhiteBeam/compare/v0.1.0...v0.1.1
+[0.1.0]: https://github.com/WhiteBeamSec/WhiteBeam/compare/v0.0.9...v0.1.0
+[0.0.9]: https://github.com/WhiteBeamSec/WhiteBeam/compare/v0.0.8...v0.0.9
+[0.0.8]: https://github.com/WhiteBeamSec/WhiteBeam/compare/v0.0.7...v0.0.8
+[0.0.7]: https://github.com/WhiteBeamSec/WhiteBeam/compare/v0.0.6...v0.0.7
+[0.0.6]: https://github.com/WhiteBeamSec/WhiteBeam/compare/v0.0.5...v0.0.6
+[0.0.5]: https://github.com/WhiteBeamSec/WhiteBeam/compare/v0.0.4...v0.0.5
+[0.0.4]: https://github.com/WhiteBeamSec/WhiteBeam/compare/v0.0.3...v0.0.4
+[0.0.3]: https://github.com/WhiteBeamSec/WhiteBeam/compare/v0.0.2...v0.0.3
+[0.0.2]: https://github.com/WhiteBeamSec/WhiteBeam/compare/v0.0.1...v0.0.2
+[0.0.1]: https://github.com/WhiteBeamSec/WhiteBeam/releases/tag/v0.0.1

README.md

@@ -18,4 +18,62 @@ Transparent endpoint security
 
 ---
 
-<p align="center"><b>Coming soon: 0.2</b></p>
+## Features
+
+* Block and detect advanced attacks
+* Modern audited cryptography: [RustCrypto](https://github.com/RustCrypto) for hashing and encryption
+* Highly compatible: Development focused on all platforms (incl. legacy) and architectures
+* Source available: Audits welcome
+* Reviewed by security researchers with combined 100+ years of experience
+
+## In Action
+
+* [Video demonstration of detection and prevention capabilities](TODO)
+* [Recorded attacks against the WhiteBeam 0.2 honeypot](TODO) <font color="red">[ LIVE ]</font>
+
+TODO: New video coming soon!
+
+[![asciicast](https://asciinema.org/a/296135.svg)](https://asciinema.org/a/296135)
+
+## Installation
+
+### From Repositories
+
+TODO: Repositories
+
+### From Packages (Linux)
+
+TODO: Using your package manager of choice (on Ubuntu/Debian (apt/snap classic)/Gentoo (emerge)/Arch (pacman AUR)/RHEL/Amazon Linux/Rocky Linux (yum)/OpenSUSE/etc.), details on installing `whitebeam` package.
+
+**Important**: Always ensure the downloaded file hash matches official hashes ([How-to](https://github.com/WhiteBeamSec/WhiteBeam/wiki/Verifying-file-hashes)).
+
+https://github.com/WhiteBeamSec/WhiteBeam/releases
+
+### From Source (Linux)
+
+1. Run tests (_Optional_):
+    * `cargo run test`
+2. Compile:
+    * `cargo run build`
+3. Install WhiteBeam:
+    * `cargo run install`
+
+## Quick start
+1. Become root (`sudo -s`/`su root`)
+2. Set a recovery secret. You'll be able to use this with `whitebeam --auth` to make changes to the system: `whitebeam --setting RecoverySecret mask`
+
+### How to Detect Attacks with WhiteBeam
+Multiple guides are provided depending on your preference. [Contact us]([email protected]) so we can help you integrate WhiteBeam with your environment.
+1. [Serverless guide](TODO), for passive review
+2. [osquery Fleet setup guide](TODO), for passive review
+3. [WhiteBeam Server setup guide](TODO), for active response
+
+### How to Prevent Attacks with WhiteBeam
+1. Become root (`sudo -s`/`su root`)
+2. Download default whitelists for your platform:
+    * `whitebeam --load Base`
+3. Review the baseline after a minimum of 24 hours:
+    * `whitebeam --baseline`
+4. Add trusted behavior to the whitelist, following the [whitelisting guide](TODO)
+5. Enable WhiteBeam prevention:
+    * `whitebeam --setting Prevention true`

SECURITY.md

@@ -12,19 +12,24 @@ Please email us at [email protected]. We request at least the following
 
 gpg --keyserver hkp://pgp.mit.edu:80 --recv-keys 4A3F1233C01563F808B8355125ECFD172151528B
 
-**Current security vulnerability rewards** (will be provided at the discretion of the lead developers):
+**Current security vulnerability rewards**
 
-| Vulnerability                                 | Reward         |
-| --------------------------------------------- | -------------- |
-| Remote code execution (RCE)                   | $1000, Credits |
-| Local privilege escalation (LPE)              | $500, Credits  |
-| Bypass whitelisting on chal.whitebeamsec.com  | $250, Credits  |
-| Cryptographic vulnerability                   | $150, Credits  |
-| Remote denial of service (DoS), service crash | $25            |
+Rewards will be provided at the discretion of the lead developers. All vulnerabilities must be demonstrated in the challenge environment to be eligible for payment.
+
+| Vulnerability                                                                               | Reward         |
+| ------------------------------------------------------------------------------------------- | -------------- |
+| Remote code execution (RCE)                                                                 | $5000, Credits |
+| Local privilege escalation (LPE)                                                            | $2000, Credits |
+| Bypass whitelisting<sup>\*</sup> ([Try the challenge!](https://challenge.whitebeamsec.com)) | $1000, Credits |
+| Cryptographic vulnerability                                                                 | $250, Credits  |
+| WhiteBeam service crash (DoS)                                                               | $50            |
+
+<sup>\* Must be a program presently whitelisted by WhiteBeam Security, Inc. exhibiting documented behavior or a common OS kernel/dynamic linker feature that bypasses WhiteBeam. Please report vulnerabilities in third party software to their respective vendors.</sup>
 
 Past security advisories can be found here: https://github.com/WhiteBeamSec/WhiteBeam/security/advisories
 
 We would like to thank the following security researchers for their contributions to WhiteBeam's security:
 
-* gemini
-* brianx
+| Researchers          | Date        | :trophy:           |
+| -------------------- | ----------- | ------------------ |
+| *gemini*, *brianx*   | Nov 6, 2019 | [WhiteBeam 0.0.5](https://github.com/WhiteBeamSec/WhiteBeam/security/advisories/GHSA-mm3f-f5hg-p2hv)  |

src/application/Cargo.toml

@@ -1,7 +1,7 @@
 # General info
 [package]
 name = "whitebeam"
-version = "0.1.3"
+version = "0.2.0"
 authors = ["WhiteBeam Security, Inc."]
 edition = "2018"
 
@@ -13,18 +13,26 @@ path = "main.rs"
 # Cross-platform dependencies
 [dependencies]
 libc = { version = "0.2" }
-sodiumoxide = { version = "0.2" }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = { version = "1.0" }
-rusqlite = { version = "0.21", features = ["bundled"] }
+rusqlite = { version = "0.25", features = ["bundled"] }
 hex = { version = "0.4" }
 clap = { version = "2.33" }
-tokio = { version = "0.2", features = ["macros"] }
-warp = { version = "0.2" }
-rpassword = { version = "4.0" }
-cli-table = { version = "0.3" }
+tokio = { version = "1", features = ["rt-multi-thread", "macros"] }
+warp = { version = "0.3" }
+reqwest = { version = "0.11", features = ["blocking"] }
+rpassword = { version = "5.0" }
+cli-table = { version = "0.4" }
+linkme = { version = "0.2" }
+automod = { version = "1.0" }
+rand = { version = "0.7" }
+glob = { version = "0.3" }
+goblin = { version = "0.4" }
+# Cryptographic dependencies
+sha3 = { version = "0.9" }
+blake3 = { version = "0.3" }
+argon2 = { version = "0.1" }
+crypto_box = { version = "0.5" }
 
-# Windows dependencies
-[target.'cfg(target_os = "windows")'.dependencies.kernel32-sys]
-version = "0.2"
-default-features = false
+[features]
+whitelist_test = []

src/application/common/api/log.rs

@@ -1,9 +1,10 @@
+// TODO: Log failures
 // Database
 use std::net::{IpAddr, Ipv4Addr, SocketAddr};
 use crate::common::db;
 
-// POST /log/exec
-pub async fn log_exec(exec: db::LogExecObject, addr: Option<SocketAddr>) -> Result<impl warp::Reply, warp::Rejection> {
+// POST /log
+pub async fn log(log: db::LogObject, addr: Option<SocketAddr>) -> Result<impl warp::Reply, warp::Rejection> {
     let localhost = IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1));
     let remote_addr = match addr {
         Some(inetaddr)  => inetaddr.ip(),
@@ -13,7 +14,16 @@ pub async fn log_exec(exec: db::LogExecObject, addr: Option<SocketAddr>) -> Resu
         return Err(warp::reject::not_found());
     }
     // Input to this function is untrusted
-    let conn: rusqlite::Connection = db::db_open();
-    db::insert_exec(&conn, exec);
+    let conn: rusqlite::Connection = match db::db_open(false) {
+        Ok(c) => c,
+        Err(_) => return Err(warp::reject::not_found())
+    };
+    let log_level = match db::get_log_level(&conn) {
+        Ok(l) => l,
+        Err(_) => return Err(warp::reject::not_found())
+    };
+    if log_level >= log.class {
+        let _res = db::insert_log(&conn, log);
+    }
     return Ok(warp::reply());
 }