Hi!
> --- linux-2.6.12-rc6-mm1_orig/Documentation/ima/integrity_measurements.txt 1969-12-31 19:00:00.000000000 -0500
> +++ linux-2.6.12-rc6-mm1-ima/Documentation/ima/integrity_measurements.txt 2005-06-14 16:25:05.000000000 -0400
> @@ -0,0 +1,87 @@
> +The IBM Integrity Measurement Architecture (IMA) offers means to
> +securely identify the software that was loaded into a system run-time
> +since the last reboot. The IMA builds the information necessary to
> +identify the loaded software and provides the basis for services to
> +build on top of such information. However, it does not include any
> +means that would enable remote parties to extract the information
> +itself.
> +
> +Guarantees: IMA offers "software load-guarantees" in that
> +identification of all loaded software is guaranteed to be reflected in
> +measurement data and protected in a hardware TPM security chip (if
> +available). IMA is non-intrusive and neither disturbs the system, nor
> +prevents the system from any actions. However, if running in real
> +mode, when the TPM chip is not accessible IMA might require the system
> +not to start (for security guarantee reasons).
> +
> +Limitations: IMA does not detect corruption of software once it is
> +loaded into main memory. Instead, it indicates known vulnerabilities
> +in such software (e.g., buffer overflow) by securely identifying the
> +software at load-time. Only executable files (binaries, libraries,
> +kernel modules) are measured by default. However, IMA offers a
> +ima file system that enables applications to instruct the kernel to
> +measure files that they have opened (/ima/measurereq).
> +
> +Assumed usage: Verify system installed software configurations and
> +system run-time integrity from a secure management location.
You say that you must panic system if TPM is not acessible during
bootup. That smells just plain wrong. If I want to trick secure
managment point, what prevents me from booting kernel in "test" mode,
and then lie about it?
> +Some of our work shows that IMA is very useful to detect Rootkit
> +exploits that totally take over the software of a Linux system but
> +cannot hide themselves from contributing to the TPM aggregate and this
> +will be detectable from a non-corrupted platform. While the corrupted
> +system might not show the Rootkit, a remote party can securely
> +identify known bad or unknown software having been loaded into the
> +system.
No; with your current system, it only means I may not place my rootkit
into executable file. I can still place my evil rootkit into shell
script and/or config file.
Pavel
--
teflon -- maybe it is a trademark, but it should not be.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
