On 1/2/2020 6:22 PM, Mimi Zohar wrote:
However, d-modsig is a hash. How should a parser interpret a missing
[file data] hash? Under what conditions would that be legal / illegal /
something to flag to an admin UI?
The "d-modsig" is the hash of the file without the appended signature.
That hash is needed to verify the appended signature. If there isn't
an appended signature, then there would be no reason for "d-modsig".
I'd like to make the leap from "no reason to" to what is permissible,
what a verifier would treat as legal or an error case.
E.g., should the IMA log specification say:
If the sig length is zero, the d-modsig length MUST be zero.
Or might it be a MAY, and then state
If the signature length is zero and the d-modsig length is non-zero,
then the contents MUST be the same as the d-ng value.
What if the template has no 'd-ng', but it has a d-modsig?
What happens if the template has no 'sig'. I.e. the sig
is absent, then ... perhaps absent is the same as length zero?
Would we enforce that the d-ng hash algorithm MUST be the same as
that of the d-modsig, or could they be different?
What if there are two 'sig' fields, one is zero and the other is not.
~~
While the above are clearly not the normal case:
1 - An attacker can use a custom IMA template to find a vulnerability in
the IMA implementation, or
2 - An attacker could send a malformed log to a verifier. To the
verifier, the received IMA log is unvalidated input, so the parser has
to be fastidious.
