

Some trusted computing security modules

IBM has been pushing the use of the "trusted platform module" chip found in its laptops (and on other systems as well) for some time; see this report from OLS 2005 for a summary of the benefits they see from trusted computing. Now IBM's developers have posted a new set of security modules which make use of the TPM to lock down a system. The three modules are:

  • The simple Linux integrity model, or SLIM. This module associates two attributes with every process and every file: the integrity level and the privacy level. The integrity levels are "system," "user," and "untrusted." Any process may read or execute any file with an equal or higher integrity level (subject to the usual permissions). Read and execute access to lower-integrity files is also allowed, but the process is then demoted to that lower level. Writing files with a higher integrity level is not allowed. The integrity levels thus implement a form of simple, automatic sandboxing: once a process touches untrusted resources, it loses trust as well and has a reduced ability to change things elsewhere on the system. Network sockets, incidentally, are always considered to have an "untrusted" integrity level.

    There are four privacy levels: public, user, user-sensitive, and system-sensitive. Processes can read files of equal or lower sensitivity. If, instead, a process reads a higher-sensitivity file, its own sensitivity level is raised to match. Writing lower-sensitivity files is not allowed. This "high watermark" mechanism is intended to prevent the leakage of secret data to less-trusted contexts.

  • The SLIM module, like SELinux, depends on the extended attributes of a file to make security decisions. But what if something is able to change those attributes? The extended verification module (EVM) is an attempt to keep that from happening. EVM creates its own extended attribute on each file, holding an HMAC computed over the file's contents and its other attributes. If the file and the HMAC fail to match, EVM will deny access to the file.

    One might argue that EVM's hash is no less susceptible to tampering than the other attributes on the file. The difference is that EVM uses the hardware TPM module to sign the HMAC result. The TPM will only perform this operation if it is satisfied that the proper "secure boot" rituals have been followed, and that the integrity of the running system has not been compromised. Since the TPM key is specific to that particular chip, it is not possible to remove the drive and forge HMACs on a different system. If the trusted boot chain, starting with the BIOS, holds, there should be a high level of assurance that the system's files and their attributes have not been tampered with.

  • The third module is the integrity measurement architecture. LWN readers have seen IMA before, so that discussion will not be repeated. In short, IMA is a remote attestation feature which can provide a convincing proof that a system is running (only) well-known, trusted versions of approved software.
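The two SLIM lattices described above, as an added example (not IBM's module code): a small model of the integrity low-watermark and the privacy high-watermark, run through the two scenarios the text motivates. The "public" privacy level assigned to sockets is an assumption; the page only fixes their integrity level.

```python
# Added example, not IBM's SLIM code: a model of the two label lattices the
# module enforces, showing how the integrity low-watermark and the privacy
# high-watermark interact. The socket privacy level is an assumption.
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2}
PRIVACY = {"public": 0, "user": 1, "user-sensitive": 2, "system-sensitive": 3}


class Subject:
    """A process carrying a (mutable) integrity and privacy label."""
    def __init__(self, integrity, privacy):
        self.integrity, self.privacy = integrity, privacy


def slim_read(proc, obj_integrity, obj_privacy):
    """Read or execute an object. Always permitted (DAC aside), but the
    process label moves: reading lower-integrity data demotes it, reading
    higher-sensitivity data raises its privacy level (high watermark)."""
    if INTEGRITY[obj_integrity] < INTEGRITY[proc.integrity]:
        proc.integrity = obj_integrity
    if PRIVACY[obj_privacy] > PRIVACY[proc.privacy]:
        proc.privacy = obj_privacy
    return True


def slim_write(proc, obj_integrity, obj_privacy):
    """Write an object. Denied if it is more trusted than the process
    (integrity) or less sensitive than what the process has read (privacy)."""
    if INTEGRITY[obj_integrity] > INTEGRITY[proc.integrity]:
        return False
    if PRIVACY[obj_privacy] < PRIVACY[proc.privacy]:
        return False
    return True


# Sockets are always "untrusted" integrity per the module; "public" privacy
# is an assumption made here for the leakage scenario.
SOCKET = ("untrusted", "public")


def scenario_downloaded_script():
    """A user shell executes a downloaded file, then tries to edit ~/.bashrc."""
    shell = Subject("user", "user")
    slim_read(shell, "untrusted", "public")        # run the download: demoted
    bashrc_ok = slim_write(shell, "user", "user")  # now denied
    return shell.integrity, bashrc_ok              # ("untrusted", False)


def scenario_secret_to_network():
    """A user process reads a sensitive file, then writes to a socket."""
    proc = Subject("user", "user")
    slim_read(proc, "user", "user-sensitive")      # privacy level raised
    leak_ok = slim_write(proc, *SOCKET)            # denied: lower sensitivity
    return proc.privacy, leak_ok                   # ("user-sensitive", False)
```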

The IMA module was not well received when it was last posted. The developers hope that the largest objections have been addressed, and that the set of TPM-related modules as a whole can be considered, eventually, for merging. Before reaching that point, however, these modules have another obstacle to overcome: they rely on the ability to run multiple Linux security modules in a "stacked" mode. Stacked security modules have been a contentious issue for some time, and that capability has never been merged. The developers claim that the new modules will make the case for stacking, but that conversation has yet to take place.
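The EVM check from the list above, as an added example rather than the kernel module's own code: files are modelled in memory as contents plus a dictionary of extended attributes, the HMAC covers both and is stored as EVM's own attribute, and the access path refuses a file whose HMAC no longer matches. The attribute names, the HMAC-SHA1 choice and the two key constants are assumptions; in the real design the key is bound to the TPM and never available to a process on another machine.

```python
import hashlib
import hmac

# Added example, not the EVM kernel code. Attribute names and keys are
# placeholders; the real key is held by the TPM and is unique to that chip.
EVM_XATTR = "security.evm"                 # assumed name of EVM's own attribute
TPM_KEY_A = b"\x01" * 20                   # constructed stand-in for chip A's key
TPM_KEY_B = b"\x02" * 20                   # a different chip in a different box


def evm_hmac(key, contents, xattrs):
    """HMAC-SHA1 over the file contents and every other extended attribute,
    walked in sorted order so the result is reproducible."""
    mac = hmac.new(key, contents, hashlib.sha1)
    for name in sorted(xattrs):
        if name == EVM_XATTR:
            continue
        mac.update(name.encode() + b"\0" + xattrs[name] + b"\0")
    return mac.hexdigest()


def evm_seal(key, f):
    """Compute and store the HMAC for a file dict {'data': bytes, 'xattrs': {}}."""
    f["xattrs"][EVM_XATTR] = evm_hmac(key, f["data"], f["xattrs"])


def evm_verify(key, f):
    """True only if the stored HMAC matches contents and attributes under key."""
    stored = f["xattrs"].get(EVM_XATTR, "")
    return hmac.compare_digest(stored, evm_hmac(key, f["data"], f["xattrs"]))


def evm_open(key, f):
    """Access path: deny the file when its HMAC does not match."""
    if not evm_verify(key, f):
        raise PermissionError("EVM: integrity check failed")
    return f["data"]


def make_file():
    # Constructed sample: a script labelled by SLIM at "system" integrity.
    return {"data": b"#!/bin/sh\necho hello\n",
            "xattrs": {"security.slim": b"integrity=system"}}
```

Relabelling the SLIM attribute, editing the contents, or resealing the file on a machine with a different key all make `evm_verify` fail on the original system.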


Brief items

Discontinued SUSE Linux Distribution: 9.0

SUSE has a reminder that no security updates will be available for SUSE Linux 9.0 after December 15, 2005. "As a consequence, the SUSE Linux 9.0 distribution directory on our ftp server has been moved from /pub/suse/i386/9.0/ to the /pub/suse/discontinued/ directory tree structure to free space on our mirror sites. The 9.0 directory in the update tree /pub/suse/i386/update/9.0 will follow, as soon as all updates have been published."


New vulnerabilities

acidlab: SQL injection

Package(s): acidlab   CVE #(s): CVE-2005-3325
Created: November 14, 2005   Updated: November 16, 2005
Description: Remco Verhoef has discovered a vulnerability in acidlab, Analysis Console for Intrusion Databases, and in acidbase, Basic Analysis and Security Engine, which can be exploited by malicious users to conduct SQL injection attacks.
Debian DSA-893-1 acidlab 2005-11-14


emacs: lisp execution vulnerability

Package(s): emacs   CVE #(s): CAN-2003-1232
Created: November 10, 2005   Updated: November 16, 2005
Description: Version 21.2 of the EMACS editor has a vulnerability in which text files containing Lisp code can be executed without warning the user. Attackers can cause users to execute arbitrary code.
Mandriva MDKSA-2005:208 emacs 2005-11-09


flash-plugin: buffer overflow

Package(s): flash-plugin   CVE #(s): CVE-2005-2628
Created: November 10, 2005   Updated: November 25, 2005
Description: The Mozilla browser Macromedia Flash Player plug-in has a buffer overflow vulnerability. A user who opens a maliciously created Macromedia Flash file may be tricked into executing arbitrary code.
Gentoo 200511-21 netscape-flash 2005-11-25
Red Hat RHSA-2005:835-00 flash-plugin 2005-11-09


ftpd: remote buffer overflow

Package(s): ftpd   CVE #(s): CVE-2005-3524
Created: November 14, 2005   Updated: November 16, 2005
Description: A buffer overflow vulnerability has been found in the linux-ftpd-ssl package. A command that generates an excessively long response from the server may overrun a stack buffer. An attacker that has permission to create directories that are accessible via the FTP server could exploit this vulnerability. Successful exploitation would execute arbitrary code on the local machine with root privileges.
Debian DSA-896-1 linux-ftpd-ssl 2005-11-15
Gentoo 200511-11 ftpd 2005-11-13


gdk-pixbuf: multiple vulnerabilities

Package(s): gdk-pixbuf gtk2   CVE #(s): CVE-2005-3186 CVE-2005-2976 CVE-2005-2975
Created: November 15, 2005   Updated: March 20, 2006
Description: The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code when the file was opened by a victim.

Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code or crash when the file was opened by a victim.

Ludwig Nussel also discovered an infinite-loop denial of service bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to stop responding when the file was opened by a victim.

Fedora-Legacy FLSA:173274 gdk-pixbuf 2006-03-16
Debian DSA-913-1 gdk-pixbuf 2005-12-01
Debian DSA-911-1 gtk+2.0 2005-11-29
Trustix TSLSA-2005-0066 gtk2+ lynx 2005-11-18
Mandriva MDKSA-2005:214 gdk-pixbuf 2005-11-18
Ubuntu USN-216-1 gtk+2.0, gdk-pixbuf 2005-11-16
SuSE SUSE-SA:2005:065 gdk-pixbuf 2005-11-16
Gentoo 200511-14 gdk-pixbuf 2005-11-16
Fedora FEDORA-2005-1088 gtk2 2005-11-15
Fedora FEDORA-2005-1087 gtk2 2005-11-15
Fedora FEDORA-2005-1086 gdk-pixbuf 2005-11-15
Fedora FEDORA-2005-1085 gdk-pixbuf 2005-11-15
Red Hat RHSA-2005:811-01 gtk2 2005-11-15
Red Hat RHSA-2005:810-01 gdk-pixbuf 2005-11-15


lynx: arbitrary command execution

Package(s): lynx   CVE #(s): CVE-2005-2929
Created: November 14, 2005   Updated: September 14, 2009
Description: An arbitrary command execution bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx.
Gentoo 200909-15 lynx 2009-09-12
Fedora-Legacy FLSA:152832 lynx 2005-12-17
OpenPKG OpenPKG-SA-2005.026 lynx 2005-12-03
Fedora FEDORA-2005-1079 lynx 2005-11-14
Fedora FEDORA-2005-1078 lynx 2005-11-14
Gentoo 200511-09 lynx 2005-11-13
Mandriva MDKSA-2005:211 lynx 2005-11-12
Red Hat RHSA-2005:839-01 lynx 2005-11-11


phpsysinfo: programming errors

Package(s): phpsysinfo   CVE #(s): CVE-2005-3347 CVE-2005-3348
Created: November 15, 2005   Updated: November 23, 2005
Description: Christopher Kunz discovered that local variables get overwritten unconditionally and are trusted later, which could lead to the inclusion of arbitrary files. Christopher Kunz also discovered that user-supplied input is used unsanitized, causing an HTTP response splitting problem.
Gentoo 200511-18 phpsysinfo 2005-11-22
Debian DSA-898-1 phpgroupware 2005-11-17
Mandriva MDKSA-2005:212 egroupware 2005-11-16
Debian DSA-897-1 phpsysinfo 2005-11-15


RAR: format string and buffer overflow

Package(s): rar   CVE #(s):
Created: November 14, 2005   Updated: November 16, 2005
Description: Tan Chew Keong reported two vulnerabilities in RAR. A format string error exists when displaying the diagnostic error message that informs the user of an invalid filename in a UUE/XXE encoded file, and boundary errors in the processing of malicious ACE archives can be exploited to cause a buffer overflow.
Gentoo 200511-10 rar 2005-11-13


scorched3d: multiple vulnerabilities

Package(s): scorched3d   CVE #(s):
Created: November 15, 2005   Updated: August 11, 2006
Description: Luigi Auriemma discovered multiple flaws in the Scorched 3D game server, including a format string vulnerability and several buffer overflows. A remote attacker could exploit these vulnerabilities to crash a game server or execute arbitrary code with the rights of the game server user.
Gentoo 200511-12:03 scorched3d 2005-11-15
Gentoo 200511-12 scorched3d 2005-11-15



Plash 1.14 released

Plash 1.14 is out. Plash is a secure, restricted execution environment for running Linux programs with the minimum necessary privileges. It is similar to using chroot jails, but is more lightweight and flexible. You can use Plash to grant a process read-only or read-write access to specific files and directories, which can be mapped at any point in its private filesystem namespace.

This release includes a new "file powerbox" capability which can allow a user to grant access to specific files to an application on the fly.


Page editor: Jonathan Corbet

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds