From: Patrick Ohly <patrick.ohly@intel.com>
To: James Morris <james.l.morris@oracle.com>,
	Roberto Sassu <roberto.sassu@huawei.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Matthew Garrett <mjg59@google.com>,
	linux-integrity <linux-integrity@vger.kernel.org>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	Silviu Vlasceanu <silviu.vlasceanu@huawei.com>
Subject: Re: IMA appraisal master plan?
Date: Mon, 20 Nov 2017 11:20:52 +0100	[thread overview]
Message-ID: <1511173252.5979.45.camel@intel.com> (raw)
In-Reply-To: <alpine.LFD.2.20.1711200746120.25470@localhost>

On Mon, 2017-11-20 at 07:47 +1100, James Morris wrote:
> On Fri, 17 Nov 2017, Roberto Sassu wrote:
> 
> > LSMs are responsible to enforce a security policy at run-time,
> > while IMA/EVM protect data and metadata against offline attacks.
> 
> In my view, IMA can also protect against making an online attack 
> persistent across boots, and that would be the most compelling use of
> it for many general purpose applications.

I do not quite buy that interpretation. If the online attack succeeds
in bypassing the run-time checks, for example with a full root exploit,
then the attacker has pretty much the same capabilities to make
persistent file changes as during an offline attack.

When allowing local hashing, it's actually worse: during an offline
attack, the attacker might not have access to the TPM and thus cannot
easily update the EVM HMAC. During an online attack, the kernel will
happily update that and the IMA hash for the attacker, resulting in a
file that passes appraisal after a reboot.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
