On 1/6/2020 10:50 AM, Mimi Zohar wrote:
> > I did have a question about the 'd-ng | sig | sig' template. Is that an
> > error or could a file be signed with e.g. both RSA-2048 and RSA-3072?
> > Etc. You can see where I'm going - precise rules for an IMA log verifier.
>
> The "sig" field is the original IMA signature, stored as an extended
> attribute. If/when IMA fs-verity support is added, that signature
> would require defining new digest and signature field types. A
> template with two "sig" fields doesn't make sense.

We cannot prevent an attacker from creating the custom template 'd-ng |
sig | sig', nor can we prevent an attacker from sending such a log to a
verifier. Thus, we have to specify to a verifier what logs are valid
and what logs should be rejected and flagged as an attack.
I.e., the verifier cannot assume that it will only receive logs that
make sense. A secure parser has to handle any cleverly malformed event log.
There are 8-9 different possible IMA log fields, and we have to assume
the attacker will corrupt any or all of them.
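The rule argued for above, that a verifier must reject rather than trust a malformed template, as an added example that is not code from this thread or from the IMA project: a small Python verifier that validates a template descriptor against a fixed set of field names and then parses one event record's field data with strict bounds checks. Assumptions: the set of known field names is taken from the kernel's IMA template documentation as I recall it (the thread itself names only "d-ng" and "sig"); the record layout (a little-endian u32 length before each field's bytes) is the assumed custom-template encoding; the sample record bytes are constructed, not a real measurement.

```python
import struct

# Assumption: field identifiers as listed in the kernel's IMA template
# documentation (as recalled); the thread only mentions "d-ng" and "sig".
KNOWN_FIELDS = {"d", "n", "d-ng", "n-ng", "sig", "buf", "d-modsig", "modsig"}
MAX_FIELDS = 9  # upper bound taken from the thread's "8-9 possible fields"


def validate_template(desc):
    """Return (ok, reason). Rejects empty, unknown, duplicated or too many fields.

    A descriptor such as "d-ng|sig|sig" is rejected here, on the grounds the
    reply gives: an attacker can always send it, so the verifier must refuse it.
    """
    if not desc:
        return False, "empty template descriptor"
    fields = desc.split("|")
    if len(fields) > MAX_FIELDS:
        return False, f"{len(fields)} fields exceeds the maximum of {MAX_FIELDS}"
    seen = set()
    for f in fields:
        if f not in KNOWN_FIELDS:
            return False, f"unknown field {f!r}"
        if f in seen:
            return False, f"duplicate field {f!r}"
        seen.add(f)
    return True, "ok"


def parse_record(desc, blob):
    """Parse one record's field data according to a validated descriptor.

    Assumed layout: for each template field, a little-endian u32 length
    followed by that many bytes. Every length is checked against the bytes
    actually present, so a hostile length (e.g. 0xFFFFFFFF) or a truncated
    record raises ValueError instead of being silently accepted.
    """
    ok, reason = validate_template(desc)
    if not ok:
        raise ValueError(reason)
    out = {}
    pos = 0
    for f in desc.split("|"):
        if pos + 4 > len(blob):
            raise ValueError(f"truncated length prefix for field {f!r}")
        (n,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        if n > len(blob) - pos:
            raise ValueError(
                f"field {f!r} claims {n} bytes but only {len(blob) - pos} remain")
        out[f] = blob[pos:pos + n]
        pos += n
    if pos != len(blob):
        raise ValueError(f"{len(blob) - pos} trailing bytes after the last field")
    return out


def encode_fields(*chunks):
    """Build a record body in the assumed layout (used only to construct samples)."""
    return b"".join(struct.pack("<I", len(c)) + c for c in chunks)


def verdict(desc, blob):
    """Verifier outcome for one record: 'accept' or 'reject: <reason>'."""
    try:
        parse_record(desc, blob)
        return "accept"
    except ValueError as e:
        return f"reject: {e}"


if __name__ == "__main__":
    # Constructed sample record: a digest-like field and a short signature blob.
    good = encode_fields(b"sha256:" + b"\x11" * 32, b"\x03\x02\x01")
    print(verdict("d-ng|sig", good))          # accept
    print(verdict("d-ng|sig|sig", good))      # reject: duplicate field 'sig'
    print(verdict("d-ng|sig", b"\xff\xff\xff\xff"))  # reject: hostile length
```

Unknown, duplicated or over-long templates are rejected before any field data is read, and the per-field length check means a crafted record can never make the verifier read past the bytes it was given.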