Re: IMA appraisal master plan?

On 11/20/2017 11:20 AM, Patrick Ohly wrote:
> On Mon, 2017-11-20 at 07:47 +1100, James Morris wrote:
>> On Fri, 17 Nov 2017, Roberto Sassu wrote:

>>> LSMs are responsible for enforcing a security policy at run-time,
>>> while IMA/EVM protect data and metadata against offline attacks.

>> In my view, IMA can also protect against making an online attack
>> persistent across boots, and that would be the most compelling use of
>> it for many general purpose applications.

It would be possible, if IMA knows when the system is in the expected
state. For example, if the system is in the expected state after digest
lists have been loaded, IMA could erase the EVM key, sealed to that
state, when a file with unknown digest is measured. The system won't be
able to produce valid HMACs, and files modified after the attack can be
identified at the next boot, due to the invalid HMAC. Also accessing
files with invalid HMAC will cause the EVM key to be zeroed.

Since IMA would erase the EVM key when a new measurement entry is
created, digests of mutable files with valid HMAC should not be added to
the measurement list (the initial digest must be provided with a digest
list, or files must be signed). This requires that the integrity of
mutable files is guaranteed by LSMs or by IMA, with the patch set 'ima:
preserve integrity of dynamic data'.


> I do not quite buy that interpretation. If the online attack succeeds
> in bypassing the run-time checks, for example with a full root exploit,
> then he has pretty much the same capabilities to make persistent file
> changes as during an offline attack.

If the full root exploit modifies the current system state, persistent
changes can be detected, as I explained above. The effectiveness of the
solution depends on which checks are done by the system. For example, in
addition to checking if the digest of measured files is in a digest
list, IMA could check that a specific application is running (e.g.
antivirus) and that the firewall has been started before network
services. More checks increase the likelihood that the full root exploit
causes a system state change.

Roberto


> When allowing local hashing, it's actually worse: during an offline
> attack, the attacker might not have access to the TPM and thus cannot
> easily update the EVM HMAC. During an online attack, the kernel will
> happily update that and the IMA hash for the attacker, resulting in a
> file that passes appraisal after a reboot.


--
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Qiuen PENG, Shengli WANG
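Added illustration, not code from the thread and not the kernel's IMA/EVM implementation: a small Python model of the policy Roberto describes and of Patrick's objection. It reduces the EVM HMAC to an HMAC over path and file hash (standing in for the inode metadata EVM really covers), abstracts the sealed key to a constant that is available again at the next boot, and models measurement as a hook on file access. The paths, file contents, payload and key are constructed. It runs Patrick's scenario (root attacker writes a file while the kernel still holds the key and re-HMACs it) beside Roberto's (key erased on the first unknown digest), and the caveat from his second paragraph (a legitimately changed mutable file that gets measured also erases the key).

```python
"""Toy model of an EVM HMAC key sealed to the expected system state that
IMA erases as soon as a file with an unknown digest is measured.
Constructed example; it is not the kernel's IMA/EVM code."""
import hashlib
import hmac

ALG = "sha256"
EVM_KEY = bytes(range(32))  # constructed key; "unsealed" only in the expected state


def file_digest(content: bytes) -> str:
    return hashlib.new(ALG, content).hexdigest()


def evm_hmac(key: bytes, path: str, content: bytes) -> bytes:
    # HMAC over the file hash and its path, a stand-in for the inode
    # metadata (security.ima, uid/gid/mode, ...) that real EVM covers.
    msg = path.encode() + b"\0" + file_digest(content).encode()
    return hmac.new(key, msg, ALG).digest()


class Machine:
    """One boot. erase_key is the proposed policy (zero the key on an
    unknown digest); measure_mutable says whether mutable files are measured
    on access, which the caveat in the thread says must be avoided."""

    def __init__(self, erase_key: bool, measure_mutable: bool):
        self.erase_key = erase_key
        self.measure_mutable = measure_mutable
        self.key = EVM_KEY          # None once IMA has erased it
        self.digest_list = set()    # digests loaded from the digest list at boot
        self.measurement_log = []   # (path, digest) entries created this boot
        self.files = {}             # path -> (content, stored HMAC, mutable?)

    def provision(self, path, content, mutable=False):
        """Known-good file: digest in the digest list, valid HMAC on disk."""
        self.digest_list.add(file_digest(content))
        self.files[path] = (content, evm_hmac(EVM_KEY, path, content), mutable)

    def access(self, path, content=None):
        """Read/exec hook: IMA measures the file. An unknown digest creates a
        measurement entry and, under erase_key, zeroes the EVM key."""
        if content is None:
            content, _, mutable = self.files[path]
            if mutable and not self.measure_mutable:
                return
        d = file_digest(content)
        if d in self.digest_list:
            return
        self.measurement_log.append((path, d))
        if self.erase_key:
            self.key = None

    def write(self, path, content):
        """Any write, attacker or admin. The kernel re-HMACs the file if it
        still holds the key (Patrick's point); otherwise the HMAC goes stale."""
        _, old, mutable = self.files[path]
        new = evm_hmac(self.key, path, content) if self.key is not None else old
        self.files[path] = (content, new, mutable)

    def appraise_after_reboot(self, path) -> bool:
        """Next boot: the key is unsealed again (clean state) and the stored
        HMAC is checked against the file as it now is."""
        content, stored, _ = self.files[path]
        return hmac.compare_digest(stored, evm_hmac(EVM_KEY, path, content))


def root_exploit_persists(erase_key: bool) -> bool:
    """Online attack: run an unknown binary, then edit a protected file.
    True means the change still passes appraisal after a reboot."""
    m = Machine(erase_key, measure_mutable=False)
    m.provision("/etc/ssh/sshd_config", b"PermitRootLogin no\n")
    m.access("/tmp/exploit", b"\x7fELF<constructed unknown payload>")
    m.write("/etc/ssh/sshd_config", b"PermitRootLogin yes\n")
    return m.appraise_after_reboot("/etc/ssh/sshd_config")


def legit_change_breaks_next_boot(measure_mutable: bool) -> bool:
    """The caveat: if a legitimately changed mutable file is measured, its
    new digest is unknown, the key is erased, and every later write in this
    boot leaves a stale HMAC. True means a benign file fails appraisal."""
    m = Machine(erase_key=True, measure_mutable=measure_mutable)
    m.provision("/etc/hosts", b"127.0.0.1 localhost\n", mutable=True)
    m.provision("/var/log/auth.log", b"", mutable=True)
    m.write("/etc/hosts", b"127.0.0.1 localhost\n10.0.0.5 db\n")  # admin edit
    m.access("/etc/hosts")                                         # later read
    m.write("/var/log/auth.log", b"Accepted publickey for alice\n")
    return not m.appraise_after_reboot("/var/log/auth.log")


if __name__ == "__main__":
    print("kernel keeps key, attacker change persists:", root_exploit_persists(False))
    print("key erased on unknown digest, change detected:", not root_exploit_persists(True))
    print("measuring mutable files causes false positive:", legit_change_breaks_next_boot(True))
    print("mutable files excluded from measurement:", legit_change_breaks_next_boot(False))
```

With the key still held by the kernel the attacker's edit is re-HMACed and passes appraisal at the next boot, which is Patrick's objection; with the key zeroed on the first unknown digest the HMAC goes stale and the edit is caught. The third scenario shows why mutable files with a valid HMAC must not create measurement entries: otherwise an ordinary admin edit erases the key and every later write by a legitimate service fails appraisal too.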