Linux Security Summit 2014/Abstracts/Safford
Extending the Linux Integrity Subsystem for TCB Protection
David Safford & Mimi Zohar, IBM
The Linux Integrity Subsystem currently provides basic file integrity measurement, attestation, and appraisal, combining the trusted computing model based on hashes with the secure computing model based on signatures. It has limitations, however, in its ability to protect all TCB files. For example, the appraisal policy cannot distinguish TCB regular files which are read and executed by an interpreter from files which are simply read. In addition, while IMA-appraisal-digsig provides some immutability for signed files, a root-privileged attacker can (in some cases) simply delete the file and replace it with an unsigned one. To overcome these limitations, we have extended IMA with policy-based locking that integrates a concept similar to BSD immutable files with the full power of the IMA policy language.
The first part of the talk will describe the use of IMA audit data to determine which files are in the Fedora 20 desktop TCB, and show how the existing IMA is unable to distinguish and lock some of these files adequately. We will then detail the new extensions and show how they are able to protect the TCB, and finally demonstrate the overall subsystem in action, including package installation and update.
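The measurement and attestation side of the subsystem, as an added example that is not part of this abstract or of the talk's material: a small Python parser for the kernel's ascii_runtime_measurements list that derives the set of measured files (a starting point for the "which files are in the TCB" question, using the measurement list rather than the audit records the talk relies on) and replays the PCR-10 extend chain a remote verifier compares against a TPM quote. The sample lines, their digests and the paths are constructed for the example; only the line layout, the SHA-1 extend and the kernel's 0xff rule for violation entries are IMA's own.

```python
"""Replay an IMA measurement list and derive the measured-file set.

Added example, not code from the talk or from the kernel's IMA subsystem.
Parses the /sys/kernel/security/ima/ascii_runtime_measurements layout for
the "ima" and "ima-ng" templates. SAMPLE is constructed; its digests are
not real measurements.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

PCR_LEN = 20                          # IMA extends PCR 10 with SHA-1 digests
ZERO_DIGEST = b"\x00" * PCR_LEN       # what the list shows for a violation
VIOLATION_DIGEST = b"\xff" * PCR_LEN  # what the kernel actually extends


@dataclass(frozen=True)
class Entry:
    pcr: int
    template_digest: bytes  # SHA-1 over the template data
    template: str           # "ima" or "ima-ng"
    file_hash: str          # bare SHA-1 hex for "ima", "algo:hex" for "ima-ng"
    path: str


def parse_line(line: str) -> Entry:
    """Fields: PCR, template digest, template name, then the template data.
    The path comes last and may contain spaces, so split a bounded number
    of times rather than on every space."""
    fields = line.rstrip("\n").split(" ", 3)
    if len(fields) != 4:
        raise ValueError(f"malformed measurement line: {line!r}")
    pcr, tdigest, template, rest = fields
    if template not in ("ima", "ima-ng"):
        raise ValueError(f"unsupported template {template!r} in {line!r}")
    file_hash, path = rest.split(" ", 1)
    return Entry(int(pcr), bytes.fromhex(tdigest), template, file_hash, path)


def parse_measurements(text: str) -> list[Entry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_violation(entry: Entry) -> bool:
    return entry.template_digest == ZERO_DIGEST


def extend(pcr: bytes, digest: bytes) -> bytes:
    """One SHA-1 PCR extend: PCR' = SHA1(PCR || digest). For a violation
    (e.g. a file open for write while being measured) IMA logs an all-zero
    digest but extends the PCR with 0xff bytes, so no replay of the list
    can reproduce the aggregate: the verifier is meant to notice."""
    if digest == ZERO_DIGEST:
        digest = VIOLATION_DIGEST
    return hashlib.sha1(pcr + digest).digest()


def replay_pcr(entries: list[Entry], pcr_index: int = 10) -> bytes:
    """Recompute the PCR value a verifier expects from the quoted list."""
    pcr = bytes(PCR_LEN)
    for e in entries:
        if e.pcr == pcr_index:
            pcr = extend(pcr, e.template_digest)
    return pcr


def verify_quote(entries: list[Entry], quoted_pcr_hex: str) -> bool:
    """True if replaying the list reproduces the quoted PCR-10 value."""
    return replay_pcr(entries) == bytes.fromhex(quoted_pcr_hex)


def measured_files(entries: list[Entry]) -> dict[str, set[str]]:
    """Map each measured path to the file hashes seen for it. boot_aggregate
    is the pseudo-entry over PCRs 0-7, not a filesystem object; a path with
    more than one hash changed between measurements (update or tampering)."""
    files: dict[str, set[str]] = {}
    for e in entries:
        if e.path == "boot_aggregate" or is_violation(e):
            continue
        files.setdefault(e.path, set()).add(e.file_hash)
    return files


# Constructed sample in the ascii_runtime_measurements layout:
#   PCR  template-digest(sha1)  template  file-hash  path
SAMPLE = "\n".join([
    f"10 {'a1' * 20} ima-ng sha256:{'01' * 32} boot_aggregate",
    f"10 {'b2' * 20} ima-ng sha256:{'02' * 32} /usr/lib/systemd/systemd",
    f"10 {'c3' * 20} ima-ng sha256:{'03' * 32} /usr/bin/bash",
    f"10 {'d4' * 20} ima {'04' * 20} /etc/ld.so.cache",         # legacy template
    f"10 {'00' * 20} ima-ng sha256:{'00' * 32} /usr/bin/bash",  # violation entry
    f"10 {'e5' * 20} ima-ng sha256:{'05' * 32} /usr/bin/bash",  # re-measured
])

if __name__ == "__main__":
    entries = parse_measurements(SAMPLE)
    for path, hashes in sorted(measured_files(entries).items()):
        print(f"{path:28} {len(hashes)} hash(es){' CHANGED' if len(hashes) > 1 else ''}")
    print("violations:", sum(is_violation(e) for e in entries))
    print("expected PCR-10:", replay_pcr(entries).hex())
```

Two points a verifier should take from the replay: the list is only evidence once the recomputed value matches a signed quote of PCR 10, and a violation entry makes that match impossible by design, so it must be treated as a failed attestation rather than an entry to skip. The example replays the SHA-1 bank only, which is what the 2014-era IMA code extends.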
As a bonus, we will show how to build a complementary multifunction USB hardware token for the truly paranoid. It combines the functionality of a TPM (for anchoring IMA attestation on systems with no TPM), a signature authority (for signing all TCB files locally with _your_ key), and an authentication token (for remote access such as ssh). The RSA private keys are generated on the token and never leave it. (Some soldering required :-)