On Thu, 2017-11-16 at 11:20 +0100, Patrick Ohly wrote:
> On Thu, 2017-11-16 at 10:23 +0100, Roberto Sassu wrote:
> > Me and Matthew are considering policies based on subject criteria
> > rather than object criteria. The integrity of a process can be
> > guaranteed because everything that process reads or executes will be
> > appraised.
>
> Even then you still have the problem that the integrity of the process
> may also depend on the presence (or absence) of files. My favorite
> example for that is systemd: suppose that the integrity of the system
> depends on starting a certain service via systemd. It's trivial for an
> attacker to remove the corresponding unit file when the system is
> offline.
>
> Adding a custom service written by an attacker gets prevented, but an
> attacker can still install unit files prepared by the vendor. For
> example, suppose a device is not supposed to have an ssh daemon, but
> there is a package for OpenSSH properly signed by the vendor. Then an
> attacker can take those files and add them to the device while offline.
> It could get even worse (telnet? A debugging service?), so a vendor
> has to be very careful about what is getting signed.
>
> Another attack vector that also remains open is replacing files with
> other files from the vendor. Suppose there's a binary that does some
> check and signals the result to the calling process with its exit code.
> An attacker can control the result of the check by replacing the binary
> with /bin/true or /bin/false, depending on what result is desired.

Right, both of these examples can be detected by protecting the directory
information.

Mimi
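As an added illustration of the point Mimi makes (example code written for this page, not from the thread or from the IMA code base; the file names, contents and "vendor digests" are constructed), this contrasts appraising each file against vendor-known digests with appraising the protected directory listing for the three cases Patrick describes:

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed contents standing in for vendor-signed artefacts (hypothetical).
FIREWALL_UNIT = b"[Service]\nExecStart=/usr/sbin/fw\n"     # required on this device
SSHD_UNIT = b"[Service]\nExecStart=/usr/sbin/sshd\n"       # vendor-signed, not wanted here
CHECK_BIN = b"#!/bin/sh\nexit 1\n"                         # reports a failed check
BIN_TRUE = b"#!/bin/sh\nexit 0\n"                          # vendor-signed /bin/true
VENDOR_DIGESTS = {hashlib.sha256(b).hexdigest()
                  for b in (FIREWALL_UNIT, SSHD_UNIT, CHECK_BIN, BIN_TRUE)}


def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(directory: Path) -> dict:
    """The 'directory information': file name -> content digest for every entry."""
    return {p.name: digest(p) for p in sorted(directory.iterdir()) if p.is_file()}


def appraise_files(directory: Path, trusted: set) -> list:
    """Object-based appraisal: flag only files whose digest the vendor never signed."""
    return [n for n, d in build_manifest(directory).items() if d not in trusted]


def appraise_directory(directory: Path, manifest: dict) -> dict:
    """Directory appraisal: compare the current listing against the protected manifest."""
    current = build_manifest(directory)
    return {
        "removed": sorted(set(manifest) - set(current)),
        "added": sorted(set(current) - set(manifest)),
        "replaced": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
    }


def demo() -> tuple:
    """Constructed scenario from the thread; returns (file-level, directory-level) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "firewall.service").write_bytes(FIREWALL_UNIT)
        (d / "check-boot").write_bytes(CHECK_BIN)
        manifest = build_manifest(d)  # recorded while the directory is known-good
        # The offline changes the thread describes: required unit removed, vendor unit
        # added, checker swapped for a vendor-signed binary with a different exit code.
        (d / "firewall.service").unlink()
        (d / "sshd.service").write_bytes(SSHD_UNIT)
        (d / "check-boot").write_bytes(BIN_TRUE)
        return appraise_files(d, VENDOR_DIGESTS), appraise_directory(d, manifest)


if __name__ == "__main__":
    print(demo())
```

Per-file appraisal returns nothing, since every remaining file carries a vendor-known digest; only the manifest comparison reports the removed, added and replaced entries.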