
Hi, Rob,

The call to crypt() appears to be in FreeSurfer's license validation
routine, since it is immediately after reading the license file.  In the
sense that FreeSurfer cannot run without some sort of license, and that
license validation is using the native Unix crypt() function to validate,
it's not quite OpenSource.  I think someone at FreeSurfer would need to
replace the single call to the crypt() function with some other function
that isn't marked as 'insecure' to bypass this.

I thought I saw something earlier on the mailing list about this, and that
there was a workaround, but I am unable to locate it again.  Any chance
this could get passed to the developer who maintains the license validation
code?  Depending on the code and their willingness to share, we might be
able to contribute an alternative for systems with the elevated security.

This currently may not be a big issue, but we are seeing increasing
strictness on our end to comply with federal security guidelines, and it
may not just be our Medical Center and local VA that are pushing these
security measures.

This is what it looks like when it succeeds.

11527 open("/sw/arcts/centos7/freesurfer/6.0.0/license.txt", O_RDONLY) = 3
11527 fstat(3, {st_mode=S_IFREG|0644, st_size=52, ...}) = 0
11527 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b4bcc176000
11527 read(3, "ben...@umich.edu\n6925\n *CpU.rbF6"..., 8192) = 52
11527 read(3, "", 8192)                 = 0
11527 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
11527 read(4, "0\n", 31)                = 2
11527 close(4)                          = 0
11527 close(3)                          = 0
11527 munmap(0x2b4bcc176000, 8192)      = 0
11527 getcwd("/home/bennet/tmp/freesurfer", 4096) = 28
11527 open("/home/bennet/tmp/freesurfer/sample-001.mgz", O_RDONLY) = 3

I do not believe that this is something that can be 'whitelisted', as this
is set in the Linux kernel at boot time.

Thanks,    -- bennet


On Thu, Apr 12, 2018 at 11:29 AM, Dicamillo, Robert <rdicami...@mgh.harvard.edu> wrote:

> Hello Bennet,
>
> Maybe someone else can chime in on this, as I have not worked on a system
> with FIPS, but perhaps there is a way for the FIPS administrator to white list
> all the Freesurfer binaries (and the license file), as security exempt.
>
> I know some Enterprise/business applications like Adobe’s Acrobat, etc.,
> (closed source) are built with code to work on FIPS compliant systems, but
> I don’t see there is currently anything in Freesurfer (essentially open source),
> code that knows about cryptographic modules, digital signatures, etc. to work on
> a secure system.  Even turning on SELinux for Linux OS can be an
> issue for some programs.
>
> Another thing to inquire about is if the IT folks maintain any non-secure
> servers, i.e., I would not assume that any application will just work in a secure
> environment.
>
> - rob
>
> > On Apr 12, 2018, at 10:51 AM, Bennet Fauber <ben...@umich.edu> wrote:
> >
> > It appears that FreeSurfer is not compatible with systems for which
> > FIPS level security is mandated.  In our case, I am told this is part
> > of our data use agreement with the VA.
> >
> > We tried to run it, and I get the following stack trace showing what
> > appears to be license validation using the crypt() function, which is
> > blacklisted by the Linux kernel by the FIPS configuration.
> >
> > 28063 open("/opt/apps/freesurfer-6.0/freesurfer/license.txt", O_RDONLY) = 3
> > 28063 fstat(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0
> > 28063 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa319883000
> > 28063 read(3, "issc-sysad...@umich.edu\n23098\n*C"..., 4096) = 59
> > 28063 read(3, "", 4096)                 = 0
> > 28063 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> > 28063 read(4, "1\n", 31)                = 2
> > 28063 close(4)                          = 0
> > 28063 write(1, "ERROR: crypt() returned null wit"..., 46) = 46
> > 28063 exit_group(1)
> >
> > Is there a workaround so we can run FreeSurfer on FIPS-enabled systems?
> >
> > Appreciate your consideration of this question,
> >
> > -- bennet
> >
> >
> >
> > On Thu, Mar 29, 2018 at 5:05 PM, Bennet Fauber <ben...@umich.edu> wrote:
> >> I have a couple of users here who are reporting that on machines with
> >> FIPS enabled, which in turn disables certain cryptographic functions,
> >> FreeSurfer core dumps with a call to the crypt() function, which FIPS
> >> disables.
> >>
> >> Someone speculated based on output from strace that this is FreeSurfer
> >> possibly attempting to validate its license.
> >>
> >> Is this a known problem?  Is there a solution?
> >>
> >> We have a university compliance office and possibly similar people
> >> from our local VA who are insisting that FIPS be enabled.
> >>
> >> If you need more information, please let me know and I will try to
> >> obtain it for you.
> >>
> >> Thanks,    -- bennet
> > _______________________________________________
> > Freesurfer mailing list
> > Freesurfer@nmr.mgh.harvard.edu
> > https://mail.nmr.mgh.harvard.edu/mailman/listinfo/freesurfer
>
> The information in this e-mail is intended only for the person to whom it is
> addressed. If you believe this e-mail was sent to you in error and the e-mail
> contains patient information, please contact the Partners Compliance HelpLine at
> http://www.partners.org/complianceline . If the e-mail was sent to you in error
> but does not contain patient information, please contact the sender and properly
> dispose of the e-mail.
>
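The two strace excerpts quoted in this thread differ at the read of /proc/sys/crypto/fips_enabled ("0" on the host that works, "1" on the host that exits). The script below is an added example, not part of the original messages or of FreeSurfer: a heuristic triage of an `strace -f` log for that pattern. The function names and the SUSPECT/ok verdicts are assumptions of this sketch, and the sample input is abridged from the traces above.

```shell
#!/bin/sh
# Added example (not FreeSurfer code): heuristic triage of an `strace -f` log.
# Sample input abridged from the two traces quoted in this thread.
sample_trace() {
cat <<'EOF'
11527 open("/sw/arcts/centos7/freesurfer/6.0.0/license.txt", O_RDONLY) = 3
11527 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
11527 read(4, "0\n", 31)                = 2
11527 close(4)                          = 0
11527 open("/home/bennet/tmp/freesurfer/sample-001.mgz", O_RDONLY) = 3
28063 open("/opt/apps/freesurfer-6.0/freesurfer/license.txt", O_RDONLY) = 3
28063 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
28063 read(4, "1\n", 31)                = 2
28063 close(4)                          = 0
28063 write(1, "ERROR: crypt() returned null wit"..., 46) = 46
28063 exit_group(1)
EOF
}

# One line per PID that read fips_enabled:
#   PID fips=<0|1> exit=<status|?> after=<file opened just before the check> <verdict>
fips_triage() {
  awk '
    /open(at)?\(.*"\/proc\/sys\/crypto\/fips_enabled"/ {
      fd[$1] = $NF; after[$1] = last[$1]; next    # fd of the flag, preceding file
    }
    /open(at)?\(/ && $NF ~ /^[0-9]+$/ {
      split($0, q, "\""); last[$1] = q[2]; next    # last successfully opened path
    }
    ($1 in fd) && ($2 == ("read(" fd[$1] ",")) {
      if (!($1 in fips)) order[++n] = $1
      fips[$1] = substr($3, 2, 1); delete fd[$1]; next   # first byte read: 0 or 1
    }
    match($2, /^exit_group\([0-9]+\)/) {
      status[$1] = substr($2, 12, RLENGTH - 12)    # digits inside exit_group(...)
    }
    END {
      for (i = 1; i <= n; i++) {
        p = order[i]; s = (p in status) ? status[p] : "?"
        v = (fips[p] == "1" && s != "0" && s != "?") ? "SUSPECT" : "ok"
        printf "%s fips=%s exit=%s after=%s %s\n", p, fips[p], s, after[p], v
      }
    }
  '
}

sample_trace | fips_triage
```

A SUSPECT line only says the process saw FIPS mode enabled and then exited non-zero; confirming that crypt() was the caller still needs the error message or a debugger.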