Hi! > > Actually, you "could" also cat /proc files, then verify the signature > > by hand (using pen and paper :-). > > Theoretically, yes. The signature is 2048bit and to validate the signed > aggregate requires recursively applying SHA1 over all measurements. :-) > > It seems to me that the mechanism is sound... it does what the docs > > says. Another questions is "is it usefull"? > We implemented some exemplary IMA-applications. If you like, visit our > project page and check out the references: > http://www.research.ibm.com/secure_systems_department/projects/tcglinux/ > There you also find a complete measurement list and a response of a measured > system replying to an authorized remote measurement-list-request. To make this usefull, you need to: * have TPM chip * modify all the interpreters * modify all the programs that security-relevant config files. I.e. if there's /etc/keylogger.conf with default # No keyboard logging enabled and attacker changes it to do_log_keys_to_remote evil.com ... you need that config file to be hashed. * remove all the buffer overflows. I.e. if grub contains buffer overflow in parsing menu.conf... that is not a security hole (as of now) because only administrator can modify menu.conf. With IMA enabled, it would make your certification useless... [probably something more]. ...seems to me you need to do quite a lot of work to make this usefull... [And now, remote-buffer-overrun in inetd probably breaks your attestation, no? I'll just load my evil code over the network, without changing any on-disk executables, then install my evil rootkit into kernel by writing into /dev/kmem. How do you prevent that one?] Pavel
This archive was generated by hypermail 2.1.3 : Mon May 23 2005 - 16:45:48 PDT