IMA appraisal master plan?

Patrick Ohly patrick.ohly at intel.com
Mon Nov 20 10:20:52 UTC 2017


On Mon, 2017-11-20 at 07:47 +1100, James Morris wrote:
> On Fri, 17 Nov 2017, Roberto Sassu wrote:
> 
> > LSMs are responsible to enforce a security policy at run-time,
> > while IMA/EVM protect data and metadata against offline attacks.
> 
> In my view, IMA can also protect against making an online attack 
> persistent across boots, and that would be the most compelling use of
> it for many general purpose applications.

I do not quite buy that interpretation. If the online attack succeeds
in bypassing the run-time checks, for example with a full root exploit,
then the attacker has pretty much the same capabilities to make
persistent file changes as during an offline attack.

When allowing local hashing, it's actually worse: during an offline
attack, the attacker might not have access to the TPM and thus cannot
easily update the EVM HMAC. During an online attack, the kernel will
happily update that and the IMA hash for the attacker, resulting in a
file that passes appraisal after a reboot.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
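The distinction the thread turns on (a locally generated hash in security.ima versus a signature that the kernel cannot regenerate) can be made concrete with a small model of the xattr formats. The following is an added example, not code from this thread or from the kernel: it builds and parses security.ima values using the kernel's type bytes (IMA_XATTR_DIGEST = 1, EVM_IMA_XATTR_DIGSIG = 3, IMA_XATTR_DIGEST_NG = 4) and hash_algo ids, appraises a hash-type value by recomputation, simulates the post-root-exploit refresh Patrick describes, and gives an auditor a way to flag files that only carry a hash-type label. The file contents, paths, key id and signature bytes are constructed placeholders; no real xattrs are read or written.

```python
"""Model of IMA's security.ima xattr layouts (constructed example, not kernel code).

Shows why a hash-type xattr offers no protection once an attacker runs as root
online: the hash is recomputed from the file itself, so it can be refreshed
along with the modified content, while a signature cannot be regenerated
without the private key.
"""
import hashlib
import struct

# evm_ima_xattr_type values (security/integrity/integrity.h)
IMA_XATTR_DIGEST = 0x01      # legacy: raw SHA-1 digest, no algorithm byte
EVM_IMA_XATTR_DIGSIG = 0x03  # signature_v2_hdr followed by the signature
IMA_XATTR_DIGEST_NG = 0x04   # algorithm byte followed by the digest

# hash_algo enum ids (include/uapi/linux/hash_info.h) used in the algorithm byte
HASH_ALGO = {"sha1": 2, "sha256": 4, "sha512": 6}
HASH_ALGO_NAME = {v: k for k, v in HASH_ALGO.items()}


def make_digest_ng(content: bytes, algo: str = "sha256") -> bytes:
    """Build a security.ima value the way the kernel writes it when it hashes
    a file locally (type 0x04): type byte, algorithm byte, raw digest."""
    return bytes([IMA_XATTR_DIGEST_NG, HASH_ALGO[algo]]) + hashlib.new(algo, content).digest()


def classify(xattr: bytes) -> dict:
    """Parse the header of a security.ima value into a small dict."""
    if not xattr:
        return {"type": "missing"}
    t = xattr[0]
    if t == IMA_XATTR_DIGEST:
        return {"type": "hash", "algo": "sha1", "digest": xattr[1:]}
    if t == IMA_XATTR_DIGEST_NG and len(xattr) >= 2:
        return {"type": "hash", "algo": HASH_ALGO_NAME.get(xattr[1], "unknown"),
                "digest": xattr[2:]}
    if t == EVM_IMA_XATTR_DIGSIG and len(xattr) >= 9:
        # signature_v2_hdr: version(1), hash_algo(1), keyid(be32), sig_size(be16)
        version, algo, keyid, sig_size = struct.unpack(">BBIH", xattr[1:9])
        return {"type": "sig", "version": version,
                "algo": HASH_ALGO_NAME.get(algo, "unknown"),
                "keyid": keyid, "sig_len": sig_size}
    return {"type": "unknown"}


def appraise_hash(content: bytes, xattr: bytes) -> bool:
    """Hash-only appraisal: recompute the digest and compare. No key is
    involved, which is exactly why this check binds the label to the file
    but not to any trusted party."""
    info = classify(xattr)
    if info["type"] != "hash" or info["algo"] == "unknown":
        return False
    return hashlib.new(info["algo"], content).digest() == info["digest"]


def online_root_modify(content: bytes, xattr: bytes, new_content: bytes):
    """Simulate the scenario from the mail: after a full root exploit the
    file is rewritten and, with local hashing allowed, the hash-type xattr is
    refreshed for the new content. A signature-type xattr is left as is,
    because there is no key on the box to re-sign with."""
    info = classify(xattr)
    if info["type"] == "hash":
        return new_content, make_digest_ng(new_content, info["algo"])
    return new_content, xattr


def audit(files: dict) -> list:
    """Defender's check over {path: (content, security.ima)}: return the paths
    whose security.ima is not a signature and so would survive an online
    rewrite-and-rehash."""
    return sorted(path for path, (_, xattr) in files.items()
                  if classify(xattr)["type"] != "sig")


if __name__ == "__main__":
    # Constructed sample file and a placeholder signature (keyid and bytes are fake)
    original = b"#!/bin/sh\necho hello\n"
    hash_label = make_digest_ng(original)
    sig_label = bytes([EVM_IMA_XATTR_DIGSIG, 2, HASH_ALGO["sha256"]]) \
        + struct.pack(">IH", 0x11223344, 4) + b"\x00" * 4
    modified, refreshed = online_root_modify(original, hash_label, b"#!/bin/sh\necho changed\n")
    print("hash-type label still appraises after online modification:",
          appraise_hash(modified, refreshed))
    print("files relying on hash-type labels:",
          audit({"/usr/bin/a": (original, hash_label), "/usr/bin/b": (original, sig_label)}))
```

Run stand-alone it prints `True` for the refreshed hash-type label, which is the persistence problem in the mail, and lists `/usr/bin/a` as the file an auditor would want moved to signed appraisal.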

