This example demonstrates how to work with the KCFM component in a KasperskyOS-based solution. The KCFM component monitors the performance of the program performing web server functions.
Example directory in the SDK
The code of the example and build scripts are available at the following path:
/opt/KasperskyOS-Community-Edition-<platform>-<version>/examples/kcfm_http_server
List of programs
Klog – system program that performs a security audit.
ExecMgrEntity – system program that manages the lifecycle of processes.
BlobContainer – system program that is designed to load binary data into memory and is used by the ExecutionManager program to start processes.
FlowChecker – KCFM component module program that detects anomalies in the behavior of the Server application based on a security audit. If an anomaly is detected, FlowChecker reports it to FlowMonitor.
FlowMonitor – KCFM component module program that provides control over the execution of the Server application by starting the application and processing the message regarding the detected anomaly.
VfsNet – system program that supports network protocols.
Dhcpcd – system program that implements a DHCP client, which gets network interface parameters from an external DHCP server in the background and passes them to a virtual file system.
VfsSdCardFs – system program that supports the file system of SD cards.
Server – monitored application that performs web server functions.
DCM – system program that lets you dynamically create IPC channels.
EntropyEntity – system program that implements random number generation.
DNetSrv – network card driver.
SDCard – SD card driver.
BSP – hardware platform support package (Board Support Package). Provides cross-platform peripheral configuration.
When you build an example for the target hardware platform, platform-specific drivers are automatically included in the solution:
NameServer: for Raspberry Pi 4 B and Radxa ROCK 3A.
Bcm2711MboxArmToVc – driver for working with the VideoCore (VC6) coprocessor via mailbox technology for Raspberry Pi 4 B.
Initialization description
The solution initialization description file named init.yaml is generated during the solution build process based on the ./einit/src/init.yaml.in template. Macros in @INIT_*@ format contained in the template are automatically expanded in the resulting init.yaml file. For more details, refer to init.yaml.in template.
Security policy description
The security.psl file contains the solution security policy description and is generated based on the following template during the solution build process:
./einit/src/security.psl.in
During the solution build, the @INIT_EXTERNAL_ENTITIES@ macro in the security.psl.in template is replaced with a list of system programs that are included in the KasperskyOS SDK.
The logrr.psl file contains a description of the security policy and is included in the security.psl.in template via the use declaration.
For more details, refer to security.psl.in template.
The solution security policy description in this example allows any interaction between different processes and between processes and the kernel. This policy can be used only as a stub during the early stages of solution development so that the security module does not interfere with interactions.
Additionally, the CMake command kcfm_generate_default_policy() has been added to the hello/CMakeLists.txt file for building the Server program. This command automatically generates part of the solution security policy in the form of a PSL file based on the program source code. This PSL file lists and allows all IPC calls of core endpoints and VFS system program interfaces used in the program code. The security policy is formed so as to allow the program to access the IPC calls in use and deny access to all of the unused ones. The PSL file is created in the ./build/server/Server directory and is included in the solution security policy description by the following macro in the security.psl.in file:
@KCFM_DEFAULT_POLICY@
The CMake command kcfm_generate_audit_policy() has also been added to the hello/CMakeLists.txt file to build the Server program. This command creates the security audit profiles necessary for the KCFM component to gain access to the security audit data of the monitored program. These audit profiles are added to the solution security policy by the following macro in the security.psl.in file:
@KCFM_AUDIT_POLICY@
Resources
The ./resources/xdl/server directory contains the Server.edl file, which is the EDL description of the Server program.
The directory ./resources/hdd/etc contains the configuration files for the VfsNet and Dhcpcd programs: hosts and dhcpcd.conf, respectively.
The ./resources/hdd/var/db/dhcpcd directory is used by the Dhcpcd program to store network connection data.
The ./resources/hdd/certs directory contains certificates that can be used to support an HTTPS connection. This is possible only when the TLSTerminator component is connected. For details on how to set up a TLS connection, see Secure Login example.
The ./resources/hdd/www directory contains the files used by the Server program while the web server is running.
Operating scenario
hello/CMakeLists.txt file to build the Server program:
  kcfm_generate_audit_policy() to automatically generate part of the solution security policy.
  kcfm_generate_signature() to build a control flow graph.
Server program, part of the information policy is generated in the file build/_headers_/hello/Hello/kcfmDefaultPolicy.psl and the files containing the control flow graph are generated in the build/hello/kcfm_generated directory.
Server program starts a web server accessible at http://localhost:1106.
http://localhost:1106, the browser opens a page with the following buttons:
  Info: opens https://www.kaspersky.com/.
  Data: opens the local data.html page.
  Stop: stops the Server program. The KCFM component detects if the program stops and restarts it, as this constitutes anomalous behavior.
  Hack: causes a buffer overflow in the Server program. The KCFM component detects an anomaly in the behavior of the program and restarts it.
  Static lib: calls a function from the fs_lib static library linked to the Server program.
Building and running the example
The CMake system, which is included with KasperskyOS Community Edition, is used to build and run the example.
See Building and running examples section.
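As an added illustration (not code from the SDK or from the KCFM component), the following C program models the idea behind the Stop and Hack cases of the operating scenario: a stream of audited events is checked against a baseline graph prepared ahead of time, and the first event the baseline does not explain is reported. The event names, the graph and the traces are constructed assumptions; the page does not describe the real KCFM audit records or matching logic.

```c
#include <stdio.h>
#include <stddef.h>
/* Constructed event kinds; the page does not show real KCFM audit records. */
enum ev { EV_START, EV_ACCEPT, EV_RECV, EV_OPEN, EV_READ, EV_SEND, EV_EXIT, EV_COUNT };
enum verdict { FLOW_OK, FLOW_BAD_EVENT, FLOW_BAD_EDGE, FLOW_UNEXPECTED_EXIT };
struct result { enum verdict v; size_t at; };   /* at = index of first anomaly */

/* Hypothetical baseline graph: allowed[a][b] != 0 means b may directly follow a. */
static const unsigned char allowed[EV_COUNT][EV_COUNT] = {
    [EV_START]  = { [EV_ACCEPT] = 1 },
    [EV_ACCEPT] = { [EV_RECV] = 1 },
    [EV_RECV]   = { [EV_OPEN] = 1, [EV_SEND] = 1 },
    [EV_OPEN]   = { [EV_READ] = 1 },
    [EV_READ]   = { [EV_READ] = 1, [EV_SEND] = 1 },
    [EV_SEND]   = { [EV_ACCEPT] = 1 },
};

/* Constructed traces: normal serving, process exit, off-graph transition. */
static const int normal_trace[] = { EV_START, EV_ACCEPT, EV_RECV, EV_OPEN, EV_READ,
                                    EV_READ, EV_SEND, EV_ACCEPT, EV_RECV, EV_SEND };
static const int stop_trace[]   = { EV_START, EV_ACCEPT, EV_RECV, EV_SEND, EV_EXIT };
static const int odd_trace[]    = { EV_START, EV_ACCEPT, EV_RECV, EV_READ, EV_SEND };

/* Walk the trace and stop at the first event the baseline does not explain. */
struct result check_trace(const int *trace, size_t n)
{
    int prev = -1;                               /* -1: nothing seen yet */
    for (size_t i = 0; i < n; i++) {
        int cur = trace[i];
        if (cur < 0 || cur >= EV_COUNT) return (struct result){ FLOW_BAD_EVENT, i };
        if (cur == EV_EXIT) return (struct result){ FLOW_UNEXPECTED_EXIT, i };
        if (prev < 0 ? cur != EV_START : !allowed[prev][cur])
            return (struct result){ FLOW_BAD_EDGE, i };
        prev = cur;
    }
    return (struct result){ FLOW_OK, n };
}

int main(void)
{
    static const char *name[] = { "ok", "bad event", "bad edge", "unexpected exit" };
    struct result r = check_trace(normal_trace, sizeof normal_trace / sizeof *normal_trace);
    printf("normal: %s\n", name[r.v]);
    r = check_trace(stop_trace, sizeof stop_trace / sizeof *stop_trace);
    printf("stop:   %s at event %zu\n", name[r.v], r.at);
    r = check_trace(odd_trace, sizeof odd_trace / sizeof *odd_trace);
    printf("odd:    %s at event %zu\n", name[r.v], r.at);
    return 0;
}
```

In this model a monitor would treat any verdict other than FLOW_OK as the signal to restart the monitored program, which is the reaction the scenario describes for both the Stop and the Hack buttons.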