
The Integrity Measurement Architecture


Posted May 28, 2005 17:57 UTC (Sat) by stephen_pollei (guest, #23348)
In reply to: The Integrity Measurement Architecture by wdupre1
Parent article: The Integrity Measurement Architecture

Pavel Machek <pavel@ucw.cz> made the same kind of objection on lkml saying "What is it good for, then? So I have to put my backdoor into script, not into an executable...".
Reiner Sailer <sailer@us.ibm.com> replied: Scripts can be measured as well (from the user space). For example, equipping the bash shell with 5-10 lines of code, bash initiates IMA measurements on scripts and files that are sourced into bash before they are "executed" by bash. This way, startup scripts and executed scripts can be logged as measurements and the measurement list will include them.
That led to more talk about lots of things and with Pavel concluding: Well, you'll have to add measurement of any security-sensitive config file, any script, and will have to make sure that all parsing of system config files does not contain buffer-overrun problems. That's lot of work before IMA is useful. It is true you do not make situation any worse.
What I wonder is, if you can measure arbitrary files from userspace, what is to stop you from using altered scripts but also having the valid scripts put into the list?



The Integrity Measurement Architecture

Posted Jun 2, 2005 20:48 UTC (Thu) by zakaelri (guest, #17928)

Do you mean "How do you prevent the exploit of registering A while running B?"? If so, read on...

First off, TPM makes a few fundamental assumptions about its use: If [everything loaded before A] is valid, and A appears valid, then A is valid. If A is valid, then A can be trusted.

Basically, they check to make sure that every program that runs has not been modified from the version used to build the original hash. This includes the BIOS, the bootloader, the kernel, init, etc.

So, given that assumption:

If you add the TPM code to (say) bash, and bash is valid, then you know that any script run by bash will be verified by the TPM. Why? Because if the TPM code was changed, bash wouldn't be valid. (When the kernel loads bash, it would fail the check). As long as the script passed, you know it's safe to run.

So, unless there was a security hole programmed into bash, you wouldn't need to worry about it running 1 script while verifying another.
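
Added example, not part of the comment thread and not IMA or TPM code: a simplified Python model of the measure-then-extend chain discussed above, showing what a verifier who replays the measurement list sees in each case the thread raises. The component names, sample contents, SHA-256 and the 32-byte zero starting register are assumptions made for the illustration.

```python
import hashlib

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    # TPM-style extend: the register is only ever folded forward, never set.
    return digest(pcr + measurement)

def measure_chain(components):
    # Measuring side: hash each (name, content) in load order, log it, extend.
    pcr, log = bytes(32), []
    for name, content in components:
        log.append((name, digest(content)))
        pcr = extend(pcr, log[-1][1])
    return pcr, log

def verify(log, reported_pcr, known_good):
    # Verifier side: returns (log_matches_pcr, trusted_names, first_untrusted).
    pcr = bytes(32)
    for _, m in log:
        pcr = extend(pcr, m)
    if pcr != reported_pcr:
        return False, [], None          # log does not match the register
    trusted = []
    for name, m in log:
        if known_good.get(name) != m:
            return True, trusted, name  # nothing from here on is trusted
        trusted.append(name)
    return True, trusted, None

# Constructed sample contents; component names and SHA-256 are assumptions.
GOOD = [("bootloader", b"bootloader v1"), ("kernel", b"kernel v1"),
        ("bash", b"bash with measurement hook"), ("rc.local", b"start services")]
KNOWN_GOOD = {name: digest(content) for name, content in GOOD}

def demo():
    results = {}
    pcr, log = measure_chain(GOOD)
    results["honest"] = verify(log, pcr, KNOWN_GOOD)
    # Valid bash measures an altered script: the script entry mismatches.
    pcr, log = measure_chain(GOOD[:3] + [("rc.local", b"altered script")])
    results["altered_script"] = verify(log, pcr, KNOWN_GOOD)
    # Same boot, but the log is rewritten to list the valid script's hash.
    forged = log[:3] + [("rc.local", KNOWN_GOOD["rc.local"])]
    results["rewritten_log"] = verify(forged, pcr, KNOWN_GOOD)
    # Altered bash registers the valid script: bash's own entry mismatches.
    pcr, log = measure_chain(GOOD[:2] + [("bash", b"altered bash"), GOOD[3]])
    results["altered_bash"] = verify(log, pcr, KNOWN_GOOD)
    return results
```

In the last case the script's entry matches the known-good value, yet the verifier stops trusting the chain at bash, because the component that produced that entry was itself measured before it ran.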

