LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

LWN.net Weekly Edition for June 6, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The Integrity Measurement Architecture

The Integrity Measurement Architecture

Posted May 26, 2005 14:01 UTC (Thu) by wdupre1 (subscriber, #7498)
Parent article: The Integrity Measurement Architecture

Okay, so I can verify that my executable code is blessed. How does this protect me from exploits that use "blessed" interpreters, e.g. Perl, Python, Java, Ruby, Bash, etc.

In the windows world, many viruses, trojans, and worms are written in embedded scripting languages. How does this protect me in the M$ scenarios?

Does each interpreted program also need a hash signature?

This seems to be a limited solution.

(Log in to post comments)

The Integrity Measurement Architecture

Posted May 28, 2005 17:57 UTC (Sat) by stephen_pollei (guest, #23348) [Link]

Pavel Machek <pavel@ucw.cz> made the same kind of objection on lkml saying "What is it good for, then? So I have to put my backdoor into script, not into an executable...".
Reiner Sailer <sailer@us.ibm.com> replied Scripts can be measured as well (from the user space). For example, equipping the bash shell with 5-10 lines of code, bash initiates IMA measurements on scripts and files that are sourced into bash before they are "executed" by bash. This way, startup scripts and executed scripts can be logged as measurements and the measuremnt list will include them.
That led to more talk about lots of things and with Pavel concluding Well, you'll have to add measurement of any security-sensitive config file, any script, and will have to make sure that all parsing of system config files does not contain buffer-overrun problems. That's lot of work before IMA is usefull. It is true you do not make situation any worse.
What I wonder is if you can measure arbritary files from userspace what is to stop you from using altered scripts but also having the valid scripts put into the list?

The Integrity Measurement Architecture

Posted Jun 2, 2005 20:48 UTC (Thu) by zakaelri (guest, #17928) [Link]

Do you mean "How do you prevent the exploit of registering A while runnning B?"? If so, read on...

First off. TPM makes a few fundamental assumption about it's use: If [everything loaded before A] is valid, and A appears valid, then A is valid. If A is valid, than A can be truested.

Basically, they check to make sure that every program that runs has not been modified from the version used to build the original hash. This includes the BIOS, the bootloader, the kernel, init, etc.

So, given that assumption:

If you add the TPM code to (say) bash, and bash is valid, then you know that any script run by bash will be verified by the TPM. Why? Because if the TPM code was changed, bash wouldn't be valid. (When the kernel loads bash, it would fail the check). As long as the script passed, you know it's safe to run.

So, unless there was a security hole programmed into bash, you wouldn't need to worry about it running 1 script while verifying another.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds