On 1/4/2020 6:32 PM, Mimi Zohar wrote:
> The "ima-modsig" template may include the "sig" and/or the "modsig"
> fields. As the "d-modsig" and "modsig" are tied together, either both
> are defined or neither are defined. The file hash ("d-ng") must
> always exist.
That's clear for the predefined (is there a formal term for them?)
templates. How would this be specified when IMA permits custom templates?
E.g., I can create a template 'modsig', I have the signature but not the
file data hash. I can create a template 'd-modsig' that has the file
data hash but no signature.
With custom templates, the attacker can create any IMA log, and the
parser has to handle it.
Note: When you say "either both are defined or neither is defined",
this may be enforced by the official IMA code. However, the attacker is
free to modify the IMA code to send any log it likes. The parser has to
know what to do.
That is, an event log specification (which I'm trying to write) has to
state precisely what the dependencies are and what should be rejected.
For example, it might say (if this is correct):
1 - If d-modsig is present, modsig MUST be present. Else error.
2 - If modsig is present, d-modsig MUST be present.
3 - If ???, d-ng MUST be present.
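As an added illustration (not code from the thread or from IMA itself), here is a Python check a log parser could run on a template descriptor: it applies rules 1 and 2 as written above and, in place of the unspecified trigger of rule 3, the quoted statement that "d-ng" must always exist (an assumed reading). The set of known field names is an assumed subset of IMA's template fields, and the rejection of unknown and duplicate fields is a defensive choice of this example, not something the thread states.

```python
"""Field-dependency checks an IMA event-log parser could apply to a
template descriptor before trusting a log entry.  Example code, not IMA's own.
Descriptors use IMA's "field|field|..." form, e.g. "d-ng|n-ng|sig"."""

FIELD_SEP = "|"

# Assumed subset of IMA template field names; the kernel defines more.
KNOWN_FIELDS = frozenset({"d", "n", "d-ng", "n-ng", "sig", "modsig",
                          "d-modsig", "buf"})

# (trigger, required): if trigger is present, required must be too.
# A trigger of None means the field must always be present.
RULES = (
    ("d-modsig", "modsig"),   # rule 1 from the thread
    ("modsig", "d-modsig"),   # rule 2 from the thread
    (None, "d-ng"),           # "d-ng must always exist" (assumed reading)
)


def parse_descriptor(descriptor):
    """Split 'd-ng|n-ng|sig' into its field names, keeping order."""
    return [f.strip() for f in descriptor.split(FIELD_SEP) if f.strip()]


def check_template(descriptor):
    """Return the list of violations for a descriptor; an empty list means
    the parser may accept it.  Because a custom template, or a modified
    kernel, can emit any field combination, the parser must decide here
    rather than trust the producer."""
    fields = parse_descriptor(descriptor)
    present = set(fields)
    errors = []
    for f in fields:
        if f not in KNOWN_FIELDS:
            errors.append(f"unknown field {f!r}")
    if len(present) != len(fields):
        errors.append("duplicate field")
    for trigger, required in RULES:
        if (trigger is None or trigger in present) and required not in present:
            reason = f" (required by {trigger})" if trigger else ""
            errors.append(f"{required} missing{reason}")
    return errors


if __name__ == "__main__":
    for d in ("d-ng|n-ng|sig|d-modsig|modsig", "d-ng|n-ng|d-modsig", "modsig"):
        print(d, "->", check_template(d) or "OK")
```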