From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Kyle Moffett <kyle@moffetthome.net>
Cc: linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
James Morris <jmorris@namei.org>,
David Safford <safford@watson.ibm.com>
Subject: Re: [PATCH v7 00/16] EVM
Date: Fri, 01 Jul 2011 10:34:33 -0400 [thread overview]
Message-ID: <1309530873.3245.23.camel@localhost.localdomain> (raw)
In-Reply-To: <BANLkTin-x1kkXiowUYjBS_tr4iwDrzNQkA@mail.gmail.com>
On Thu, 2011-06-30 at 18:31 -0400, Kyle Moffett wrote:
> The problem is that you are assuming that a large chunk of filesystem
> code is capable of properly and securely handling untrusted and
> malicious
> content. Historically filesystem drivers are NOT capable of handling
> such things, as evidenced by the large number of bugs that tools such
> as
> fsfuzzer tend to trigger. If you want to use IMA as-designed then you
> need to perform a relatively extensive audit of filesystem and fsck
> code.
>
> Furthermore, even when the filesystem does not have any security
> issues
> itself, you are assuming that intentionally malicious data-aliasing
> between "trusted" and "untrusted" files can have no potential security
> implications. You should look at the prevalence of simple stupid
> "/tmp"
> symlink attacks for more counter-examples there.
>
> In addition, IMA relies on the underlying attribute and data caching
> properties of the VFS, which won't hold true for intentionally
> malicious
> corrupted filesystems. It effectively assumes that writing data or
> metadata for one file will not invalidate the cached data or metadata
> for
> another which is blatantly false when filesystem extents overlap each
> other.
>
> Overall, the IMA architecture assumes that if it loads and validates
> the
> file data or metadata that it cannot be changed except through a
> kernel
> access to that particular inode. For a corrupted filesystem that is
> absolutely untrue.
>
> Cheers,
> Kyle Moffett
You've brought up a number of interesting scenarios, which I appreciate.
I will definitely take a closer look at fsfuzzer. It might be a good
starting point for an EVM/IMA-appraisal LTP testsuite. The bottom line,
as I said previously, is that EVM/IMA-appraisal doesn't need to prevent
these things from occurring. It just needs to be able to detect them.
Caching the integrity verification results is a performance issue, be it
an important one.
Currently the integrity verification results are reset when the file
data or metadata changes and removed on __fput(). Based on your
scenarios, I am looking to see if there might be additional situations
where the verification results need to be reset.
thanks,
Mimi
next prev parent reply other threads:[~2011-07-01 14:34 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-29 19:50 [PATCH v7 00/16] EVM Mimi Zohar
2011-06-29 19:50 ` [PATCH v7 01/16] security: new security_inode_init_security API adds function callback Mimi Zohar
2011-06-29 19:50 ` [PATCH v7 02/16] integrity: move ima inode integrity data management Mimi Zohar
2011-06-29 19:50 ` [PATCH v7 03/16] xattr: define vfs_getxattr_alloc and vfs_xattr_cmp Mimi Zohar
2011-06-29 19:50 ` [PATCH v7 04/16] evm: re-release Mimi Zohar
2011-06-29 19:50 ` [PATCH v7 05/16] evm: add support for different security.evm data types Mimi Zohar
2011-06-29 19:50 ` [PATCH v7 06/16] security: imbed evm calls in security hooks Mimi Zohar
2011-06-29 19:50 ` [PATCH v7 07/16] evm: evm_inode_post_removexattr Mimi Zohar
2011-06-29 19:50 ` [PATCH v7 08/16] evm: imbed evm_inode_post_setattr Mimi Zohar
2011-06-29 19:50 ` [PATCH v7 09/16] evm: add evm_inode_init_security to initialize new files Mimi Zohar
2011-06-29 19:50 ` [PATCH v7 10/16] evm: call evm_inode_init_security from security_inode_init_security Mimi Zohar
2011-06-29 19:50 ` [PATCH v7 11/16] evm: crypto hash replaced by shash Mimi Zohar
2011-06-29 19:50 ` [PATCH v7 12/16] evm: additional parameter to pass integrity cache entry 'iint' Mimi Zohar
2011-06-29 19:50 ` [PATCH v7 13/16] evm: evm_verify_hmac must not return INTEGRITY_UNKNOWN Mimi Zohar
2011-06-29 19:50 ` [PATCH v7 14/16] evm: replace hmac_status with evm_status Mimi Zohar
2011-06-29 19:50 ` [PATCH v7 15/16] evm: permit only valid security.evm xattrs to be updated Mimi Zohar
2011-06-29 19:50 ` [PATCH v7 16/16] evm: add evm_inode_setattr to prevent updating an invalid security.evm Mimi Zohar
2011-06-29 20:53 ` [PATCH v7 00/16] EVM Kyle Moffett
2011-06-29 23:42 ` Mimi Zohar
2011-06-30 1:57 ` Kyle Moffett
2011-06-30 3:51 ` Mimi Zohar
2011-06-30 22:32 ` Kyle Moffett
2011-07-14 15:07 ` David Safford
[not found] ` <BANLkTin-x1kkXiowUYjBS_tr4iwDrzNQkA@mail.gmail.com>
2011-07-01 14:34 ` Mimi Zohar [this message]
2011-07-01 21:55 ` Mimi Zohar
2011-07-14 15:07 ` David Safford
2011-07-18 13:45 ` Serge E. Hallyn
2011-07-14 15:07 ` David Safford
2011-06-30 21:06 ` Ryan Ware
2011-06-30 22:37 ` Mimi Zohar
2011-07-01 2:02 ` Ware, Ryan R
2011-07-18 23:52 ` James Morris
2011-07-19 20:56 ` Mimi Zohar
2011-08-09 1:53 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1309530873.3245.23.camel@localhost.localdomain \
--to=zohar@linux.vnet.ibm.com \
--cc=jmorris@namei.org \
--cc=kyle@moffetthome.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=safford@watson.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).