2008-06-01 14:47:22

by Pavel Machek

Subject: Re: [RFC][Patch 5/5]integrity: IMA as an integrity service provider

On Wed 2008-05-28 01:22:42, Andrew Morton wrote:
> On Fri, 23 May 2008 11:05:45 -0400 Mimi Zohar <[email protected]> wrote:
>
> > This is a re-release of Integrity Measurement Architecture (IMA) as an
> > independent Linux Integrity Module (LIM) service provider, which implements
> > the new LIM must_measure(), collect_measurement(), store_measurement(), and
> > display_template() API calls. The store_measurement() call supports two
> > types of data, IMA (i.e. file data) and generic template data.
...
> Generally: the code is all moderately intrusive into the VFS and this
> sort of thing does need careful explanation and justification, please.
> Once we have some understanding of what you're trying to achieve here
> we will inevitably ask "can't that be done in userspace". So it would
> be best if your description were to preemptively answer all that.

...also, it would be nice to see an explanation of 'what is this good for'.

Closest explanation I remember was 'it will protect you by making the
system unbootable if someone stole the disk with your /usr filesystem --
but not the / filesystem -- added some rootkit, and then stealthily
returned it'. That seems a) a very unlikely scenario and b) probably
better solved by encrypting /usr.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


2008-06-24 16:31:14

by David Safford

Subject: Re: [RFC][Patch 5/5]integrity: IMA as an integrity service provider

On Sat, 2008-05-31 at 09:54 +0200, Pavel Machek wrote:
> On Wed 2008-05-28 01:22:42, Andrew Morton wrote:
> > On Fri, 23 May 2008 11:05:45 -0400 Mimi Zohar <[email protected]> wrote:
> >
> > > This is a re-release of Integrity Measurement Architecture (IMA) as an
> > > independent Linux Integrity Module (LIM) service provider, which implements
> > > the new LIM must_measure(), collect_measurement(), store_measurement(), and
> > > display_template() API calls. The store_measurement() call supports two
> > > types of data, IMA (i.e. file data) and generic template data.
> ...
> ...also, it would be nice to see an explanation of 'what is this good for'.
>
> Closest explanation I remember was 'it will protect you by making the
> system unbootable if someone stole the disk with your /usr filesystem --
> but not the / filesystem -- added some rootkit, and then stealthily
> returned it'. That seems a) a very unlikely scenario and b) probably
> better solved by encrypting /usr.
> Pavel

Sorry about this delayed response - we are about to repost for RFC, and
noticed we missed responding to this.

You are thinking about a related project, EVM, which HMACs a file's
metadata to protect against off-line attacks (which admittedly
many users are not concerned about).

This submission, IMA, provides hardware (TPM) based measurement and
attestation, which measures all files before they are accessed in
any way (on the inode_permission, bprm and mmap hooks), and
commits the measurements to the TPM. The TPM can sign these
measurement lists, and thus the system can prove to itself and
to a third party these measurements in a way that cannot be
circumvented by malicious or compromised software. IMA is just one
part of integrity detection, as it does not detect purely in-memory
attacks, such as worms.

dave safford
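Sketch of the verifier side of what Dave describes above (a measurement list that must replay to a TPM-quoted PCR before a third party trusts it), written as an added example for this thread rather than code from the IMA patch; the template layout, the zero-start PCR, the allowlist and the sample file digests are assumptions, and the TPM's signature over the quote is taken as given.

```python
import hashlib

PCR_LEN = 20             # TPM 1.2 PCRs hold a SHA-1 digest
TEMPLATE_NAME_LEN = 256  # path field width in this model (assumption, not the kernel's exact format)

def template_hash(file_digest: bytes, path: str) -> bytes:
    """Digest of one measurement entry: file digest plus zero-padded hint pathname."""
    name = path.encode()[:TEMPLATE_NAME_LEN].ljust(TEMPLATE_NAME_LEN, b"\x00")
    return hashlib.sha1(file_digest + name).digest()

def pcr_extend(pcr: bytes, value: bytes) -> bytes:
    """TPM extend: PCR_new = SHA1(PCR_old || value). One-way and order-dependent,
    so software cannot 'un-measure' a file once the kernel has extended it."""
    return hashlib.sha1(pcr + value).digest()

def replay_pcr(entries) -> bytes:
    """Recompute the PCR a verifier expects from a measurement list, starting from zero."""
    pcr = bytes(PCR_LEN)
    for digest, path in entries:
        pcr = pcr_extend(pcr, template_hash(digest, path))
    return pcr

def appraise(entries, quoted_pcr: bytes, known_good: dict):
    """Third-party check: (1) the list replays to the PCR the TPM quoted, so the
    list itself is untampered; (2) every measured digest is on the allowlist.
    Returns (log_matches_quote, [paths whose digest is not known-good])."""
    log_ok = replay_pcr(entries) == quoted_pcr
    unknown = [path for digest, path in entries if known_good.get(path) != digest]
    return log_ok, unknown

# Constructed sample data: short byte strings stand in for real binaries.
def _d(content: bytes) -> bytes:
    return hashlib.sha1(content).digest()

BOOT_LOG = [(_d(b"init v1"), "/sbin/init"),
            (_d(b"libc v1"), "/lib/libc.so.6"),
            (_d(b"ls v1"), "/bin/ls")]
KNOWN_GOOD = {path: digest for digest, path in BOOT_LOG}
QUOTED_PCR = replay_pcr(BOOT_LOG)  # the value the TPM would sign in a quote

# Same machine after /bin/ls was replaced on disk: the kernel measures the file
# it actually loaded, so both the log and the PCR change.
MODIFIED_LOG = BOOT_LOG[:2] + [(_d(b"ls trojaned"), "/bin/ls")]
QUOTED_PCR_MODIFIED = replay_pcr(MODIFIED_LOG)

if __name__ == "__main__":
    print(appraise(BOOT_LOG, QUOTED_PCR, KNOWN_GOOD))               # (True, [])
    print(appraise(MODIFIED_LOG, QUOTED_PCR_MODIFIED, KNOWN_GOOD))  # (True, ['/bin/ls'])
    # Userspace editing the log to hide the change cannot make it replay to the TPM's PCR.
    print(appraise(BOOT_LOG, QUOTED_PCR_MODIFIED, KNOWN_GOOD))      # (False, [])
```

As Dave notes, this only covers what the kernel measured at access time; a purely in-memory modification leaves both log and PCR unchanged.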

2008-08-05 18:02:19

by Pavel Machek

Subject: Re: [RFC][Patch 5/5]integrity: IMA as an integrity service provider

On Tue 2008-06-24 12:28:55, david safford wrote:
> On Sat, 2008-05-31 at 09:54 +0200, Pavel Machek wrote:
> > On Wed 2008-05-28 01:22:42, Andrew Morton wrote:
> > > On Fri, 23 May 2008 11:05:45 -0400 Mimi Zohar <[email protected]> wrote:
> > >
> > > > This is a re-release of Integrity Measurement Architecture (IMA) as an
> > > > independent Linux Integrity Module (LIM) service provider, which implements
> > > > the new LIM must_measure(), collect_measurement(), store_measurement(), and
> > > > display_template() API calls. The store_measurement() call supports two
> > > > types of data, IMA (i.e. file data) and generic template data.
> > ...
> > ...also, it would be nice to see an explanation of 'what is this good for'.
> >
> > Closest explanation I remember was 'it will protect you by making the
> > system unbootable if someone stole the disk with your /usr filesystem --
> > but not the / filesystem -- added some rootkit, and then stealthily
> > returned it'. That seems a) a very unlikely scenario and b) probably
> > better solved by encrypting /usr.
> > Pavel
>
> Sorry about this delayed response - we are about to repost for RFC, and
> noticed we missed responding to this.
>
> You are thinking about a related project, EVM, which HMACs a file's
> metadata to protect against off-line attacks (which admittedly
> many users are not concerned about).
>
> This submission, IMA, provides hardware (TPM) based measurement and
> attestation, which measures all files before they are accessed in
> any way (on the inode_permission, bprm and mmap hooks), and
> commits the measurements to the TPM. The TPM can sign these
> measurement lists, and thus the system can prove to itself and

A system can never prove anything to itself.

> to a third party these measurements in a way that cannot be
> circumvented by malicious or compromised software. IMA is just one
> part of integrity detection, as it does not detect purely in-memory
> attacks, such as worms.

And proving to a third party is useful for what...? Given that it can
be worked around by modifying files in memory, or by special
hardware...? Disney?

Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html