Someone asked about the ZKS Freedom product "open source" release of some
Linux code.  This is based on a couple of hours' review of the material
that was released.

ZKShim is "a kernel driver that intercepts and redirects network packets
for use by the Zero-Knowledge Freedom client.  It is not the Freedom
client, and it is not functional end-user software.  This code is intended
for developers and those curious about the Freedom kernel interface,"
according to the release notes.

A "shim" in engineering terms is a thin layer that interfaces between
larger parts of your design.  In this case, ZKS provides a shim which
handles network packets and provides some simple firewall and routing
functions.

-rw-r--r--   1 root      root          1659 Jul 20 12:19 Makefile
-rw-r--r--   1 root      root          2697 Jul 20 12:19 zkshim.h
-rw-r--r--   1 root      root          6531 Jul 20 12:19 zkshim_cache.c
-rw-r--r--   1 root      root          1138 Jul 20 12:19 zkshim_cache.h
-rw-r--r--   1 root      root         29298 Jul 20 12:19 zkshim_drv.c
-rw-r--r--   1 root      root         12881 Jul 20 12:19 zkshim_frag.c
-rw-r--r--   1 root      root          1641 Jul 20 12:19 zkshim_frag.h
-rw-r--r--   1 root      root          3447 Jul 20 12:19 zkshim_os.h
-rw-r--r--   1 root      root           875 Jul 20 12:19 zkshim_priv.h
-rw-r--r--   1 root      root         14554 Jul 20 12:19 zkshim_rules.c
-rw-r--r--   1 root      root           798 Jul 20 12:19 zkshim_rules.h

The main module here is zkshim_drv.c.  It provides a device driver for
/dev/clientshim, a device which exposes the network routing functions.
The main purpose of this device seems to be to allow ioctls which will
set routing and firewall rules.  It also seems to be possible to directly
read and write the device to get low-level access to IP packets.  It's
not clear whether this latter functionality is important or secondary to
the firewalling which is done in the kernel.

zkshim_rules.c maintains a set of rules for how packets should be handled.
Packets can be filtered based on source and destination address, port,
and other information.  If a packet matches one of the rules, it can
either be allowed to pass through, deleted, or it can be re-routed to
some other IP/port address.  Again, the ioctl provided by /dev/clientshim
is used by client software to set the rules.

zkshim_cache.c provides a cache of recently used rule entries, apparently
for performance optimization.  zkshim_frag.c deals with the complexity
of keeping track of packet streams.

That's about it.  There is no crypto.

Presumably it is used like this: say the ZKS product wants to protect
HTTP sessions, which will be recognized as connections to port 80 or
other commonly used ports.  A rule can be installed by the ZKS client
which will cause any connections to port 80 to be redirected to one of the
ZKS servers.  From there it can be forwarded through the Freedom network.
This redirection is all that is done by ZKShim.
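To make the rule model described for zkshim_rules.c and the port-80 scenario above concrete, here is a small constructed C model (added for illustration; it is not ZKS code) of a first-match rule table with pass, drop and redirect actions.  The rule layout, the 192.0.2.10:8080 relay address and the 10.0.0.x hosts are all assumptions invented for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a zkshim_rules-style table: first matching rule wins. */
#define IP4(a,b,c,d) ((uint32_t)(a)<<24 | (uint32_t)(b)<<16 | (uint32_t)(c)<<8 | (uint32_t)(d))
#define PROTO_TCP 6
#define PROTO_UDP 17

enum action { SHIM_PASS, SHIM_DROP, SHIM_REDIRECT };

struct pkt  { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
struct rule {
    uint32_t daddr, dmask;   /* destination prefix; dmask 0 = any address */
    uint16_t dport;          /* 0 = any port */
    uint8_t  proto;          /* 0 = any protocol */
    enum action act;
    uint32_t to_addr; uint16_t to_port;   /* rewrite target for SHIM_REDIRECT */
};

/* Walk the table in order; on REDIRECT rewrite the destination in place. */
enum action shim_apply(const struct rule *t, int n, struct pkt *p) {
    for (int i = 0; i < n; i++) {
        const struct rule *r = &t[i];
        if (r->proto && r->proto != p->proto) continue;
        if (r->dport && r->dport != p->dport) continue;
        if ((p->daddr & r->dmask) != (r->daddr & r->dmask)) continue;
        if (r->act == SHIM_REDIRECT) { p->daddr = r->to_addr; p->dport = r->to_port; }
        return r->act;
    }
    return SHIM_PASS;   /* no rule matched: packet passes untouched */
}

/* Constructed rule set.  The loopback exemption is listed before the port-80
   redirect, so rule order is what keeps local web traffic off the relay.
   192.0.2.10:8080 is a placeholder relay address, not a real ZKS server. */
static const struct rule demo_rules[] = {
    { IP4(127,0,0,0), IP4(255,0,0,0), 0,  0,         SHIM_PASS,     0, 0 },
    { 0,              0,              80, PROTO_TCP, SHIM_REDIRECT, IP4(192,0,2,10), 8080 },
    { 0,              0,              23, PROTO_TCP, SHIM_DROP,     0, 0 },
};
#define DEMO_NRULES ((int)(sizeof demo_rules / sizeof demo_rules[0]))

/* Push one constructed outbound packet through the table; *out gets the result. */
enum action demo_run(uint32_t daddr, uint16_t dport, uint8_t proto, struct pkt *out) {
    struct pkt p = { IP4(10,0,0,1), daddr, 40000, dport, proto };
    enum action a = shim_apply(demo_rules, DEMO_NRULES, &p);
    if (out) *out = p;
    return a;
}

int main(void) {
    struct pkt p;
    enum action a = demo_run(IP4(10,0,0,5), 80, PROTO_TCP, &p);
    printf("action %d -> %u.%u.%u.%u:%u\n", a, p.daddr>>24, (p.daddr>>16)&255,
           (p.daddr>>8)&255, p.daddr&255, p.dport);
    return 0;
}
```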

This means that a considerable amount of other processing on each
connection must be done outside the kernel (or there is more kernel
code yet to be released).  It's not clear how ZKS would hook into,
say, a Netscape browser and intercept its socket connection calls so
that it can add crypto and do other functionality beyond the simple
redirection being done by ZKShim.  Perhaps it can use a shared library
which somehow lies between Netscape and the real system shared library?
But if it did that, why couldn't it do the redirection there as well?
It certainly sounds easier to do it in user space where fragmentation
issues won't arise.

One other point: a substantial part of the code in zkshim_drv appears to
be non-functional.  shim_inet_stream_connect and shim_inet_dgram_connect
appear to do a lot of the firewalling and redirection work, but they are
static functions pointed to by static structs which are never exported.
There doesn't seem to be any way to enter these functions, which amount
to some 20% of the zkshim_drv.c file.

Either it's old code which they never got around to removing, or it's
new code which hasn't been used yet.  This suggests that this is far
from a finished product and substantial work remains to be done on the
Linux port.

We really can't complain - the release notes did say that this was 'not
functional end-user software'.  We may have thought it meant that other
pieces were still to be released, but maybe it actually means that the
damned thing doesn't work yet.
