From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Patrick Ohly <patrick.ohly@intel.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Matthew Garrett <mjg59@google.com>,
James Morris <james.l.morris@oracle.com>
Cc: linux-integrity <linux-integrity@vger.kernel.org>
Subject: Re: IMA appraisal master plan?
Date: Thu, 16 Nov 2017 08:13:38 -0500 [thread overview]
Message-ID: <1510838018.3711.426.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <1510827621.5979.27.camel@intel.com>
On Thu, 2017-11-16 at 11:20 +0100, Patrick Ohly wrote:
> On Thu, 2017-11-16 at 10:23 +0100, Roberto Sassu wrote:
> > Me and Matthew are considering policies based on subject criteria
> > rather than object criteria. The integrity of a process can be
> > guaranteed because everything that process reads or executes will be
> > appraised.
>
> Even then you still have the problem that the integrity of the process
> may also depend on the presence (or absence) of files. My favorite
> example for that is systemd: suppose that the integrity of the system
> depends on starting a certain service via systemd. It's trivial for an
> attacker to remove the corresponding unit file when the system is
> offline.
>
> Adding a custom service written by an attacker gets prevented, but an
> attacker can still install unit files prepared by the vendor. For
> example, suppose a device is not supposed to have an ssh daemon, but
> there is a package for OpenSSH properly signed by the vendor. Then an
> attacker can take those files and add them to the device while offline.
> It could get even worse (telnet? A debugging service?), so a vendor
> has to be very careful about what is getting signed.
>
> Another attack vector that also remains open is replacing files with
> other files from the vendor. Suppose there's a binary that does some
> check and signals the result to the calling process with its exit code.
> An attacker can control the result of the check by replacing the binary
> with /bin/true or /bin/false, depending on what result is desired.
Right, both of these examples can be detected by protecting the
directory information.
Mimi
next prev parent reply other threads:[~2017-11-16 13:13 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-07 15:17 [PATCH V6] EVM: Add support for portable signature format Matthew Garrett
2017-11-08 19:37 ` Mimi Zohar
2017-11-15 17:26 ` IMA appraisal master plan? (was: Re: [PATCH V6] EVM: Add support for portable signature format) Patrick Ohly
2017-11-15 17:58 ` Matthew Garrett
2017-11-15 18:21 ` Patrick Ohly
2017-11-15 18:28 ` Matthew Garrett
2017-11-16 0:02 ` James Morris
2017-11-16 0:05 ` Matthew Garrett
2017-11-16 2:13 ` Mimi Zohar
2017-11-16 9:23 ` IMA appraisal master plan? Roberto Sassu
2017-11-16 10:20 ` Patrick Ohly
2017-11-16 13:13 ` Mimi Zohar [this message]
2017-11-16 14:18 ` Roberto Sassu
2017-11-16 13:06 ` Mimi Zohar
2017-11-17 12:20 ` Roberto Sassu
2017-11-17 13:42 ` Mimi Zohar
2017-11-17 14:32 ` Roberto Sassu
2017-11-17 15:58 ` Stephen Smalley
2017-11-17 20:09 ` Safford, David (GE Global Research, US)
2017-11-18 19:29 ` Casey Schaufler
2017-11-19 20:47 ` James Morris
2017-11-20 10:20 ` Patrick Ohly
2017-11-20 14:59 ` Mimi Zohar
2017-11-20 16:15 ` Patrick Ohly
2017-11-21 10:05 ` James Morris
2017-11-21 9:33 ` Roberto Sassu
2017-11-21 14:05 ` Mimi Zohar
2017-11-21 15:25 ` Roberto Sassu
2017-11-21 15:53 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1510838018.3711.426.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=james.l.morris@oracle.com \
--cc=linux-integrity@vger.kernel.org \
--cc=mjg59@google.com \
--cc=patrick.ohly@intel.com \
--cc=roberto.sassu@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).