On 1/7/2020 3:53 AM, Roberto Sassu wrote:
Defining a specification for which combinations
are legitimate would definitely help.
That's my goal.
There are 8-9 different possible IMA log fields, and we have to assume
the attacker will corrupt any or all of them.
Template data is protected by the TPM. Any corruption can be detected
by comparing the quoted PCRs with the PCRs calculated from the template
digest.
An attacker can create a custom template or even modify the IMA source
so that the hashes and PCRs match. Then they send the malformed log to
the verifier to try to exploit a vulnerability.
E.g., the custom template 'd-ng|d-ng| ...' repeated 1,000,000,000 times.
What remains to be done is to include the template name in the
calculation of the template digest.
There's a backward compatibility issue for old templates. Is it
feasible for new templates and new names to start creating tags and
include them in the template data so they get hashed?
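The checks a verifier needs around the PCR replay, as an added example (this is not code from the IMA tree or from any poster in this thread). It recomputes each template digest from the ascii log fields, replays the extends into a simulated SHA-1 PCR bank, and shows the two points raised above: an entry logged under a custom template with the same field layout ("d-ng|n-ng") produces exactly the same template digest as an "ima-ng" entry, so the name is not bound by the digest, and an entry whose template name lists the d-ng field a thousand times is rejected on its field count before any field data is parsed. The ima-ng binary encoding (u32 host-order length before each field, d-ng as "algo:\0" plus the raw digest, n-ng NUL-terminated), the template allowlist, the field cap and the log lines are all assumptions made for the example.

```python
import hashlib
import struct

# Field layouts of the built-in templates this verifier knows.  A custom
# template is named in the log by its format string, e.g. "d-ng|n-ng".
BUILTIN_TEMPLATES = {"ima-ng": ["d-ng", "n-ng"]}
ALLOWED_TEMPLATES = {"ima-ng"}    # hypothetical verifier policy (assumption)
MAX_FIELDS = 16                   # hypothetical hard cap on fields per entry
VIOLATION_EXTEND = b"\xff" * 20   # IMA extends 0xff.. for a zeroed template digest


def template_fields(name):
    """Field ids of a template: built-in layout, else the format string itself."""
    return BUILTIN_TEMPLATES.get(name) or name.split("|")


def encode_field(fid, value):
    """Rebuild binary field data from its ascii form (ima-ng encoding assumed)."""
    if fid == "d-ng":                 # ascii "sha256:<hex>" -> "sha256:\0" + raw digest
        algo, hexdigest = value.split(":", 1)
        return algo.encode() + b":\0" + bytes.fromhex(hexdigest)
    if fid == "n-ng":                 # NUL-terminated pathname
        return value.encode() + b"\0"
    raise ValueError("unsupported field id %r" % fid)


def template_digest(fids, values):
    """sha1 over each field as u32 length (host order) followed by its data."""
    h = hashlib.sha1()
    for fid, val in zip(fids, values):
        data = encode_field(fid, val)
        h.update(struct.pack("<I", len(data)))
        h.update(data)
    return h.digest()


def extend(pcr, digest):
    """TPM PCR extend for a SHA-1 bank."""
    return hashlib.sha1(pcr + digest).digest()


def make_entry(name, values, pcr=10):
    """Constructed log line in ascii_runtime_measurements form (test data only)."""
    digest = template_digest(template_fields(name), values)
    return "%d %s %s %s" % (pcr, digest.hex(), name, " ".join(values))


def check_entry(line):
    """Return (pcr index, digest to extend, finding) for one log line."""
    pcr_str, digest_hex, name, rest = line.split(" ", 3)
    fids = template_fields(name)
    # Bound the structure before touching the field data: the template name is
    # attacker-controlled and a digest match says nothing about its sanity.
    if len(fids) > MAX_FIELDS:
        return None, None, "too many fields (%d) in template %r" % (len(fids), name[:24])
    if name not in ALLOWED_TEMPLATES:
        return None, None, "template %r not in allowlist" % name
    values = rest.split(" ", len(fids) - 1)
    if len(values) != len(fids):
        return None, None, "field count does not match template %r" % name
    logged = bytes.fromhex(digest_hex)
    if logged == bytes(20):           # violation entry: nothing to recompute
        return int(pcr_str), VIOLATION_EXTEND, None
    if template_digest(fids, values) != logged:
        return None, None, "template digest mismatch for %r" % values[-1]
    return int(pcr_str), logged, None


def replay(lines):
    """Replay accepted entries into per-PCR values; collect rejected ones."""
    pcrs, findings = {}, []
    for line in lines:
        idx, digest, finding = check_entry(line)
        if finding:
            findings.append(finding)
            continue
        pcrs[idx] = extend(pcrs.get(idx, bytes(20)), digest)
    return pcrs, findings


if __name__ == "__main__":
    good = ["sha256:" + "ab" * 32, "/usr/bin/true"]
    lines = [
        make_entry("ima-ng", good),
        make_entry("d-ng|n-ng", good),                        # same digest, other name
        make_entry("|".join(["d-ng"] * 1000), [good[0]] * 1000),
    ]
    pcrs, findings = replay(lines)
    print("PCR10:", pcrs[10].hex())
    for f in findings:
        print("rejected:", f)
```

The order of the checks is the point: the field cap and the allowlist run on the template name alone, so a log built to exhaust the parser is dropped before any field is decoded, and the digest comparison only authenticates entries whose layout the verifier already agreed to parse. The final PCR value is compared with the quoted PCR by the caller.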