IBM has been pushing the use of the "trusted platform module" chip found in
its laptops (and on other systems as well) for some time; see
this report from OLS 2005 for a
summary of the benefits they see from trusted computing. Now IBM's
developers have posted
a new set
of security modules which make use of the TPM to lock down a system.
The three modules are:
- The simple Linux integrity model, or SLIM. This module
associates two attributes with every process and every file: the
integrity level and the privacy level. The integrity levels are
"system," "user," and "untrusted." Any process may read or execute
any file with an equal or higher integrity level (subject to the usual
permissions). Read and execute access to lower-integrity files is
also allowed, but, as a result, the process will, itself, be demoted
to the lower level. Writing files with a higher integrity level is
not allowed. The integrity levels thus implement a form of simple,
automatic sandboxing; if a process touches untrusted resources, it
also loses trust and has a lowered ability to change things elsewhere
on the system. Network sockets, incidentally, are always considered
to have an "untrusted" integrity level.
The privacy level has four levels: public, user, user-sensitive, and
system-sensitive. Processes can read files of equal or lower
sensitivity. If, instead, a process reads a higher-sensitivity file,
its own sensitivity level is raised to match. Writing
lower-sensitivity files is not allowed. This "high watermark"
mechanism is intended to prevent the leakage of secret data to
less-trusted contexts.
- The SLIM module, like SELinux, depends on the extended attributes of
a file to make security decisions. But what if something is able to
change those attributes? The extended verification module
(EVM) is an attempt to keep that from happening. EVM creates its own
extended attribute on each file which is an HMAC hash of the file's
contents and attributes. If the file and the HMAC fail to match, EVM
will deny access to the file.
One might argue that EVM's hash is no less susceptible to tampering
than the other attributes on the file. The difference is that EVM
uses the hardware TPM module to sign the HMAC result. The TPM will
only perform this operation if it is satisfied that the proper "secure
boot" rituals have been followed, and that the integrity of the
running system has not been compromised. Since the TPM key is
specific to that particular chip, it is not possible to remove the
drive and forge HMACs on a different system. If the trusted boot
chain, starting with the BIOS, holds, there should be a high level of
assurance that the system's files and their attributes have not been
tampered with.
- The third module is the integrity measurement architecture.
LWN readers have seen IMA
before, so that discussion will not be repeated. In short, IMA is
a remote attestation feature which can provide a convincing proof that
a system is running (only) well-known, trusted versions of approved
software.
The IMA module was not well received when it was last posted. The
developers hope that the largest objections have been addressed, and that
the set of TPM-related modules as a whole can be considered, eventually,
for merging. Before reaching that point, however, these modules have
another obstacle to overcome: they rely on the ability to run multiple
Linux security modules in a "stacked" mode. Stacked security modules have
been a contentious issue for
some time, and that capability has never been merged. The developers claim
that the new modules will make the case for stacking, but that
conversation has yet to take place.
Comments (none posted)
Brief items
SUSE has a reminder that no security updates will be available for SUSE
Linux 9.0 after December 15, 2005. "
As a consequence, the SUSE Linux
9.0 distribution directory on our ftp server ftp.suse.com has been moved
from /pub/suse/i386/9.0/ to the /pub/suse/discontinued/ directory tree
structure to free space on our mirror sites. The 9.0 directory in the
update tree /pub/suse/i386/update/9.0 will follow, as soon as all updates
have been published.
"
Full Story (comments: none)
New vulnerabilities
acidlab: SQL injection
| Package(s): | acidlab |
CVE #(s): | CVE-2005-3325
|
| Created: | November 14, 2005 |
Updated: | November 16, 2005 |
| Description: |
Remco Verhoef has discovered a vulnerability in acidlab, Analysis
Console for Intrusion Databases, and in acidbase, Basic Analysis and
Security Engine, which can be exploited by malicious users to conduct
SQL injection attacks. |
| Alerts: |
|
Comments (none posted)
emacs: lisp execution vulnerability
| Package(s): | emacs |
CVE #(s): | CAN-2003-1232
|
| Created: | November 10, 2005 |
Updated: | November 16, 2005 |
| Description: |
Version 21.2 of the EMACS editor has a vulnerability in which
text files containing Lisp code can be executed without warning
the user. Attackers can cause users to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
flash-plugin: buffer overflow
| Package(s): | flash-plugin |
CVE #(s): | CVE-2005-2628
|
| Created: | November 10, 2005 |
Updated: | November 25, 2005 |
| Description: |
The Mozilla browser Macromedia Flash Player plug-in has a
buffer overflow vulnerability. A user who opens a maliciously
created Macromedia Flash file may be tricked into executing
arbitrary code. |
| Alerts: |
|
Comments (none posted)
ftpd: remote buffer overflow
| Package(s): | ftpd |
CVE #(s): | CVE-2005-3524
|
| Created: | November 14, 2005 |
Updated: | November 16, 2005 |
| Description: |
A buffer overflow vulnerability has been found in the linux-ftpd-ssl
package. A command that generates an excessively long response from the
server may overrun a stack buffer. An attacker that has permission to create directories that are accessible via the FTP server could exploit this vulnerability. Successful exploitation would execute arbitrary code on the local machine with root privileges. |
| Alerts: |
|
Comments (none posted)
gdk-pixbuf: multiple vulnerabilities
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CVE-2005-3186
CVE-2005-2976
CVE-2005-2975
|
| Created: | November 15, 2005 |
Updated: | March 20, 2006 |
| Description: |
The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM file
in such a way that it could cause an application linked with gdk-pixbuf to
execute arbitrary code when the file was opened by a victim.
Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM
file in such a way that it could cause an application linked with
gdk-pixbuf to execute arbitrary code or crash when the file was opened by a
victim.
Ludwig Nussel also discovered an infinite-loop denial of service bug in the
way gdk-pixbuf processes XPM images. An attacker could create a carefully
crafted XPM file in such a way that it could cause an application linked
with gdk-pixbuf to stop responding when the file was opened by a victim. |
| Alerts: |
|
Comments (none posted)
lynx: arbitrary command execution
| Package(s): | lynx |
CVE #(s): | CVE-2005-2929
|
| Created: | November 14, 2005 |
Updated: | September 14, 2009 |
| Description: |
An arbitrary command execute bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx. |
| Alerts: |
|
Comments (none posted)
phpsysinfo: programming errors
| Package(s): | phpsysinfo |
CVE #(s): | CVE-2005-3347
CVE-2005-3348
|
| Created: | November 15, 2005 |
Updated: | November 23, 2005 |
| Description: |
Christopher Kunz discovered that local variables get overwritten
unconditionally and are trusted later, which could lead to the inclusion of
arbitrary files. Christopher Kunz also discovered that user-supplied input
is used unsanitized, causing a HTTP Response splitting problem. |
| Alerts: |
|
Comments (none posted)
RAR: format string and buffer overflow
| Package(s): | rar |
CVE #(s): | |
| Created: | November 14, 2005 |
Updated: | November 16, 2005 |
| Description: |
Tan Chew Keong reported two vulnerabilities in RAR: a format string error
exists when displaying a diagnostic error message that informs the user of
an invalid filename in an UUE/XXE encoded file and some boundary errors in
the processing of malicious ACE archives can be exploited to cause a buffer
overflow. |
| Alerts: |
|
Comments (none posted)
scorched3d: multiple vulnerabilities
| Package(s): | scorched3d |
CVE #(s): | |
| Created: | November 15, 2005 |
Updated: | August 11, 2006 |
| Description: |
Luigi Auriemma discovered multiple flaws in the Scorched 3D game
server, including a format string vulnerability and several buffer
overflows. A remote attacker could exploit these vulnerabilities to crash
a game server or execute arbitrary code with the rights of the game server
user. |
| Alerts: |
|
Comments (none posted)
Resources
Plash 1.14 is out. Plash is:
...is a secure, restricted execution environment for running Linux
programs with the minimum necessary privileges. It is similar to
using chroot jails, but is more lightweight and flexible. You can use
Plash to grant a process read-only or read-write access to specific
files and directories, which can be mapped at any point in its private
filesystem namespace.
This release includes a new "file powerbox" capability which can allow a user to grant access to specific files to an application on the fly.
Full Story (comments: none)
Page editor: Jonathan Corbet
Next page:
Kernel development>>
