On Mon, 20 Nov 2017, Mimi Zohar wrote:

> On Mon, 2017-11-20 at 11:20 +0100, Patrick Ohly wrote:
> > On Mon, 2017-11-20 at 07:47 +1100, James Morris wrote:
> > > On Fri, 17 Nov 2017, Roberto Sassu wrote:
> > >
> > > > LSMs are responsible for enforcing a security policy at run-time,
> > > > while IMA/EVM protect data and metadata against offline attacks.
> > >
> > > In my view, IMA can also protect against making an online attack
> > > persistent across boots, and that would be the most compelling use of
> > > it for many general purpose applications.
> >
> > I do not quite buy that interpretation. If the online attack succeeds
> > in bypassing the run-time checks, for example with a full root exploit,
> > then he has pretty much the same capabilities to make persistent file
> > changes as during an offline attack.
>
> In the face of a full root exploit, there is not much that one can do,
> "other" than to detect it. This is why remote attestation is so
> important.

Right, although the consensus seems to be that RA is essential rather than simply important.

-- 
James Morris <james.l.morris@xxxxxxxxxx>