Re: [PATCH 2 of 4] ima: related Makefile compile order change and Readme

From: Reiner Sailer (sailer@private)
Date: Wed May 25 2005 - 08:00:09 PDT

Pavel Machek <pavel@private> wrote on 05/24/2005 06:41:44 PM:

> Maybe I'm just wrong... I definitely chosen bad example (grub) because
> it is also bootloader...
> > (iv) From then on, the IMA in the kernel is responsible for measuring 
> > executables/modules before loading them and for maintaining the 
> > measurement list and its TPM aggregate. 
> Kernel does not know what is exacutable and what is data. Thanks to
> buffer overflows, the line between executable and data is extremely
> blury.
> Now, to my argumentation. Imagine bootscripts containing
> "show_etc_issue" command. (That shows /etc/issue). If there's buffer
> overflow in "show_etc_issue" command, it is *not* security issue as of
> now, because it only works on data provided by root. But it becomes
> issue when IMA system is in use, because now /etc/issue can be used to
> inject code into system; something that was not possible before.
> OTOH buffer overrun in show_etc_issue is certainly bad thing, because
> it is unexpected behaviour; and if IMA means such stuff is fixed...
> It just seems like a lot of work. You are basically adding check at
> every place where user can
>  shoot_himself_in_the_foot^W^W^W^W^Wdo_something_stupid_to_system_security
> . I suspect many config files can be used to compromise system
> security...
>                         Pavel

Pavel, I cannot follow your argumentation. Could you please expand on how
measuring a script file would affect existing buffer overflows at all?

Just to make sure we are in sync how user space measurements work, here
a summary at the bash example:

(i) bash at point x opens "show_etc_issue" and holds file descriptor in 

(ii) before bash reads the commands from fd_show, we insert a line of code
    writing fd_show down into the kernel (this is a fixed size data 

(iii) IMA hook in the kernel now reads the whole file building a SHA1
      (there is no interpretation of any content of any file here)

(iv)  IMA decides whether the measurement of the file must be stored or 
      whether it is already in the measurement list etc.

(v)   writing fd_show returns to bash

(vi) bash reads the commands and executes them

If I understand you, then you are claiming that steps (ii) to (v) 
introduce buffer overflows in bash or show_etc_issue. How?


This archive was generated by hypermail 2.1.3 : Wed May 25 2005 - 08:01:34 PDT