Re: [RFC][Patch 5/5]integrity: IMA as an integrity service provider

From: Pavel Machek
Date: Tue Aug 05 2008 - 14:02:20 EST

Next message: Arjan van de Ven: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfaceforon access scanning"
Previous message: Adrian Bunk: "[2.6 patch] remove the dead CONFIG_RADIO_MIROPCM20{,_RDS} code"
In reply to: Pavel Machek: "Re: [RFC][Patch 5/5]integrity: IMA as an integrity service provider"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue 2008-06-24 12:28:55, david safford wrote:
> On Sat, 2008-05-31 at 09:54 +0200, Pavel Machek wrote:
> > On Wed 2008-05-28 01:22:42, Andrew Morton wrote:
> > > On Fri, 23 May 2008 11:05:45 -0400 Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> > >
> > > > This is a re-release of Integrity Measurement Architecture(IMA) as an
> > > > independent Linunx Integrity Module(LIM) service provider, which implements
> > > > the new LIM must_measure(), collect_measurement(), store_measurement(), and
> > > > display_template() API calls. The store_measurement() call supports two
> > > > types of data, IMA (i.e. file data) and generic template data.
> > ...
> > ...also, it would be nice to see explanation 'what is this good for'.
> >
> > Closest explanation I remember was 'it will protect you by making
> > system unbootable if someone stole disk with your /usr filesystem --
> > but not / filesystem -- added some rootkit, and then stealthily
> > returned it'. That seems a) very unlikely scenario and b) probably
> > better solved by encrypting /usr.
> > Pavel
>
> Sorry about this delayed response - we are about to repost for RFC, and
> noticed we missed responding to this.
>
> You are thinking about a related project, EVM, which HMAC's a file's
> metadata, to protect against off-line attacks, (which admittedly
> many users are not concerned about.)
>
> This submission, IMA, provides hardware (TPM) based measurement and
> attestation, which measures all files before they are accessed in
> any way (on the inode_permission, bprm and mmap hooks), and
> commits the measurements to the TPM. The TPM can sign these
> measurement lists, and thus the system can prove to itself and

System can never proof to itself.

> to a third party these measurements in a way that cannot be
> circumvented by malicious or compromised software. IMA is just one
> part of integrity detection, as it does not detect purely in-memory
> attacks, such as worms.

And proofing to third party is useful for what....? Given that it can
be worked around by modifying files in memory, or by special
hardware...? Disney?

Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Arjan van de Ven: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfaceforon access scanning"
Previous message: Adrian Bunk: "[2.6 patch] remove the dead CONFIG_RADIO_MIROPCM20{,_RDS} code"
In reply to: Pavel Machek: "Re: [RFC][Patch 5/5]integrity: IMA as an integrity service provider"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]