Re: [PATCH 2 of 4] ima: related Makefile compile order change and Readme

From: Pavel Machek (pavel@private)
Date: Sun May 22 2005 - 12:37:17 PDT


Hi!

> +Limitations: IMA does not detect corruption of software once it is
> +loaded into main memory. Instead, it indicates known vulnerabilities
> +in such software (e.g., buffer overflow) by securely identifying the
> +software at load-time. Only executable files (binaries, libraries,
> +kernel modules) are measured by default. However, IMA offers a
> +sysfs-interface that allows applications to instruct the kernel to
> +measure files that they have opened.
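Review bot: "it indicates known vulnerabilities in such software (e.g., buffer overflow) by securely identifying the software at load-time" overstates what the measurement does; IMA records which software was loaded, and whether a recorded version is vulnerable is a judgement the remote verifier makes against its own reference list. Suggest wording such as "it lets a remote verifier identify which software was loaded, and therefore whether a known-vulnerable version was present". The limitation paragraph should also state explicitly that the default policy ("Only executable files (binaries, libraries, kernel modules) are measured by default") does not cover interpreted scripts, configuration or other data read by an already-measured program, so those are only covered if an application uses the sysfs interface to request measurement of the files it opens.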

What is it good for, then? So I have to put my backdoor into a script,
not into an executable...

> +Some of our work shows that IMA is very useful to detect Rootkit
> +exploits that totally take over the software of a Linux system but
> +cannot hide themselves from contributing to the TPM aggregate and this
> +will be detectable from a non-corrupted platform. While the corrupted
> +system might not show the Rootkit, a remote party can securely
> +identify known bad or unknown software having been loaded into the
> +system.
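Review bot: the key claim "cannot hide themselves from contributing to the TPM aggregate and this will be detectable from a non-corrupted platform" is asserted without saying what makes it hold, and the reply below immediately asks exactly that. The Readme should state that the aggregate is a PCR that can only be extended (hash-chained), never reset or written by software, and that the value the remote party checks comes from a TPM-signed quote rather than from the (possibly compromised) kernel; without that sentence a reader cannot tell why a rootkit that controls the kernel cannot simply report a clean aggregate. "Some of our work shows" is also vague; either cite the work or drop the phrase.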

How does it work? It is corrupted software, not your TPM chip, that is
talking over the network... Do you sign the measurements inside the TPM chip?

								Pavel
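The mechanism the two messages above are arguing about, as an added example written for this archive page and not code from the IMA patch or from either author: a measurement list is hash-chained into an aggregate in the TPM-1.2 style (PCR = SHA1(PCR || measurement)), and a remote verifier replays the list and compares it with the aggregate it received. The example assumes the aggregate reaches the verifier inside a TPM-signed quote, which is what makes the value trustworthy even when the kernel is not; that signing step is outside the model and `quoted_pcr` simply stands for the value taken from such a quote. File contents, path names and the reference list are constructed here.

```python
import hashlib

# A freshly reset PCR reads as all zeros (20 bytes for SHA-1).
PCR_INIT = bytes(20)


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-1.2 style extend: the PCR can only move forward through the hash."""
    if len(measurement) != 20:
        raise ValueError("measurement must be a SHA-1 digest")
    return hashlib.sha1(pcr + measurement).digest()


def measure_file(content: bytes) -> bytes:
    """What IMA records for a file at load time: a digest of its contents."""
    return hashlib.sha1(content).digest()


def record_load(log: list, pcr: bytes, path: str, content: bytes) -> bytes:
    """Kernel side: append the measurement to the list and extend the aggregate."""
    digest = measure_file(content)
    log.append((path, digest))
    return pcr_extend(pcr, digest)


def verify_attestation(log: list, quoted_pcr: bytes, known_good: dict):
    """Remote verifier: replay the list, then judge every entry.

    Returns ("ok", []), ("unknown-software", [paths]) or ("aggregate-mismatch", []).
    The list itself comes from the attested host and may be forged; the PCR value
    is assumed to come from a TPM-signed quote and is the anchor of trust.
    """
    pcr = PCR_INIT
    for _, digest in log:
        pcr = pcr_extend(pcr, digest)
    if pcr != quoted_pcr:
        # The reported list does not reproduce the aggregate: something was
        # dropped or rewritten after it was extended into the TPM.
        return "aggregate-mismatch", []
    bad = [path for path, digest in log if known_good.get(path) != digest]
    return ("unknown-software" if bad else "ok"), bad


def build_scenario() -> dict:
    """Constructed sample data: a clean boot, a rootkit boot, and a forged list."""
    # Constructed stand-ins for file contents (hypothetical paths).
    clean_files = {
        "/sbin/init": b"ELF clean init v1",
        "/lib/libc.so": b"ELF clean libc v1",
    }
    # The verifier's reference list is built from the clean versions.
    known_good = {path: measure_file(c) for path, c in clean_files.items()}

    # Boot 1: only known-good software is loaded.
    clean_log, pcr = [], PCR_INIT
    for path, content in clean_files.items():
        pcr = record_load(clean_log, pcr, path, content)
    clean_pcr = pcr

    # Boot 2: a rootkit replaced /sbin/init; IMA still measures it honestly.
    rootkit_files = dict(clean_files, **{"/sbin/init": b"ELF trojaned init"})
    rootkit_log, pcr = [], PCR_INIT
    for path, content in rootkit_files.items():
        pcr = record_load(rootkit_log, pcr, path, content)
    rootkit_pcr = pcr

    # Boot 2, but the rootkit later edits the in-kernel list to show the clean
    # digest for /sbin/init. It cannot rewind the PCR, so the quote still
    # carries rootkit_pcr and the replay no longer matches.
    forged_log = [(p, known_good[p] if p == "/sbin/init" else d) for p, d in rootkit_log]

    return {
        "known_good": known_good,
        "clean_log": clean_log, "clean_pcr": clean_pcr,
        "rootkit_log": rootkit_log, "rootkit_pcr": rootkit_pcr,
        "forged_log": forged_log,
    }


if __name__ == "__main__":
    s = build_scenario()
    print(verify_attestation(s["clean_log"], s["clean_pcr"], s["known_good"]))
    print(verify_attestation(s["rootkit_log"], s["rootkit_pcr"], s["known_good"]))
    print(verify_attestation(s["forged_log"], s["rootkit_pcr"], s["known_good"]))
```

The third case is the answer to the "how does it work" question in the model: a kernel that has been taken over can say anything about its measurement list, but it cannot make the list agree with an aggregate it did not produce, and it cannot produce the aggregate a clean boot would have, because the PCR is only ever extended. Everything then rests on the verifier getting the PCR value from the TPM's own signed quote rather than from the host's software.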



This archive was generated by hypermail 2.1.3 : Mon May 23 2005 - 10:36:35 PDT