trusted computing

trusted computing

[Tim Freeman]

not about Xen in particular, but as a side note, because I think some
people are interested in trusted computing and virtualization?  If
you're not, sorry for the intrusion!

http://www.research.ibm.com/secure_systems_department/projects/tcglinux/

"Currently, we experiment measuring the information flow on SELinux
systems to reason about isolation properties of a system. For this
purpose, we modified tcgLinux to run as an LSM kernel module stacked on
top of SELinux. We also envision to extend our attestation method to
integrate virtualization technology and partition the attestation space
of a system using the information flow policies enforced therein."



-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl

USB with Xen2.0

[Sanjay Kumar]

Hi Folks,
Does usb devices works with Xen2.0, even when only domaim0 is present?
does it work with multiple domains?
if Yes, how to make it work?

Thanks,
Sanjay


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl

Re: USB with Xen2.0

[Mark Williamson]

> Does usb devices works with Xen2.0, even when only domaim0 is present?

Yes, we've had success reports.

> does it work with multiple domains?

Depends what you mean.  Dom0 will by default control all the USB devices. 
If you want another domain to control a USB root hub device, you can 
assign it permissions, as for a driver domain.

If you have a USB disk or network device, you can share it with other 
domains just like you can for any other disk or network device.

My USB virtualisation stuff (give guests control of individual USB ports) 
is in progess but I keep getting distracted by other things (most recently 
the 2.0 release).

> if Yes, how to make it work?

To make it work in dom0, just stick it in the Linux kernel config and it 
should Just Work(TM).

HTH,
Mark


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl

Re: trusted computing

[David Hopwood]

Tim Freeman wrote:

> not about Xen in particular, but as a side note, because I think some
> people are interested in trusted computing and virtualization?  If
> you're not, sorry for the intrusion!
> 
> http://www.research.ibm.com/secure_systems_department/projects/tcglinux/
> 
> "Currently, we experiment measuring the information flow on SELinux
> systems to reason about isolation properties of a system. For this
> purpose, we modified tcgLinux to run as an LSM kernel module stacked on
> top of SELinux. We also envision to extend our attestation method to
> integrate virtualization technology and partition the attestation space
> of a system using the information flow policies enforced therein."

# [tcgLinux]'s main goal is to generate verifiable representative information
# about the software stack running on a Linux system. This information can
# be used by remote parties to determine the integrity of the execution
# environment.

Can it, though? The assumption seems to be that fingerprinting executables
is sufficient to characterise the security configuration of a system.
AFAICS that's patently false: the security of a system is dependent on its
complete configuration, including many non-executable files. IOW, anyone
can compromise a system without changing any executable files.

# We instrumented the Linux kernel to trigger a measurement for each
# executable, library, or kernel module loaded into the run-time before
# they affect the system.

Yep, only executables. This seems quite useless.

-- 
David Hopwood <david.nospam.hopwood@blueyonder.co.uk>



-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl

Re: trusted computing

[Tim Freeman]

On Tue, 19 Oct 2004 00:16:43 +0100
David Hopwood <david.nospam.hopwood@blueyonder.co.uk> wrote:
[...]
> Yep, only executables. This seems quite useless.

You have a good point, but maybe combining this method with virtual
machines can actually address the problem?  I had never heard of the IBM
project, so it was curious to see a real implementation (that even
supposedly runs on my laptop).

Here are two interesting papers out there that specifically address the
executable problem.  I can't attest (har har) to the "correctness" of
these approaches, but it is an interesting subject:



http://www.usenix.org/events/vm04/tech/haldar/haldar_html/
"The goal is to attest program behavior, not a particular binary."


page 4, http://suif.stanford.edu/papers/sosp03-terra.pdf
   Certification of a VM being loaded by the TVMM involves the TVMM
signing a hash of all persistent state that identifies the VM. This
includes the BIOS, executable code, and constant data of the VM. This
does not include temporary data on persistent storage or NVRAM contents
that constantly change over time. The separa- tion between data which
does and does not need to be included in the attestation is
application-specific, made by the VM's developer. Terra supports these
two type of data by providing VMs with both "attested storage" that the
TVMM incorporates in the VM's hash and "unattested storage" that it does
not (see section 4.2).


> 
> -- 
> David Hopwood <david.nospam.hopwood@blueyonder.co.uk>
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
> Use IT products in your business? Tell us what you think of them. Give us
> Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
> http://productguide.itmanagersjournal.com/guidepromo.tmpl
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/xen-devel
> 


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl

Re: trusted computing

[Reiner Sailer]

[-- Attachment #1: Type: text/plain, Size: 3226 bytes --]

> From: David Hopwood <david@bl...>
> [image removed] Re: trusted computing   
> 2004-10-18 19:24 
>  Tim Freeman wrote:
> 
>  > not about Xen in particular, but as a side note, because I think some
>  > people are interested in trusted computing and virtualization?  If
>  > you"re not, sorry for the intrusion!
>  > 
>  > 
http://www.research.ibm.com/secure_systems_department/projects/tcglinux/
>  > 
>  > "Currently, we experiment measuring the information flow on SELinux
>  > systems to reason about isolation properties of a system. For this
>  > purpose, we modified tcgLinux to run as an LSM kernel module stacked 
on
>  > top of SELinux. We also envision to extend our attestation method to
>  > integrate virtualization technology and partition the attestation 
space
>  > of a system using the information flow policies enforced therein."
> 
>  # [tcgLinux]"s main goal is to generate verifiable representative 
information
>  # about the software stack running on a Linux system. This information 
can
>  # be used by remote parties to determine the integrity of the execution
>  # environment.
> 
>  Can it, though? The assumption seems to be that fingerprinting 
executables
>  is sufficient to characterise the security configuration of a system.
>  AFAICS that"s patently false: the security of a system is dependent on 
its
>  complete configuration, including many non-executable files. IOW, 
anyone
>  can compromise a system without changing any executable files.
> 
>  # We instrumented the Linux kernel to trigger a measurement for each
>  # executable, library, or kernel module loaded into the run-time before
>  # they affect the system.
> 
>  Yep, only executables. This seems quite useless.
> 
>  -- 
>  David Hopwood <david.nospam.hopwood@bl...>

One outcome of the tcgLinux project, the Integrity Measurement 
Architecture (IMA), implements mandatory kernel measurements including 
executable code, libraries, modules, etc. Beyond this, it also offers a 
quite convenient interface that enables applications to measure any file 
(on the local file system) before loading and consuming it. (Note: the 
fact -that- and -when- an application measures input files can be 
validated using the application's measurement).

For example, we have instrumented bash (adding 4 lines of code) so that 
bash initiates measurements on any file that is loaded as a command file 
or sourced. This includes start-up scripts into the measurements (see e.g. 
bash-command file measurements as part of the measurement list on 
http://www.research.ibm.com/secure_systems_department/projects/tcglinux/measurements.html).

We envision that such simple instrumentation can be done easily for 
Apache, e.g., to measure the http configuration file or any other 
application (tripwire configuration files...).

Measuring only executables would, so I agree, not be very useful because 
the security of many applications depends strongly on their configuration 
data, which usually controls sensitive operation of the application (as 
for example httpd.conf, tripwire tw.config).

We are currently working on "open-sourcing" IMA and hope to be able to 
make the code available to the community soon.

Thanks
---
Reiner Sailer

[-- Attachment #2: Type: text/html, Size: 4086 bytes --]