> From: David Hopwood <david@bl...>
> Re: trusted computing
> 2004-10-18 19:24
> Tim Freeman wrote:
>
> > not about Xen in particular, but as a side note, because I think some
> > people are interested in trusted computing and virtualization? If
> > you're not, sorry for the intrusion!
> >
> > http://www.research.ibm.com/secure_systems_department/projects/tcglinux/
> >
> > "Currently, we experiment measuring the information flow on SELinux
> > systems to reason about isolation properties of a system. For this
> > purpose, we modified tcgLinux to run as an LSM kernel module stacked on
> > top of SELinux. We also envision to extend our attestation method to
> > integrate virtualization technology and partition the attestation space
> > of a system using the information flow policies enforced therein."
>
> # [tcgLinux]'s main goal is to generate verifiable representative information
> # about the software stack running on a Linux system. This information can
> # be used by remote parties to determine the integrity of the execution
> # environment.
>
> Can it, though? The assumption seems to be that fingerprinting executables
> is sufficient to characterise the security configuration of a system.
> AFAICS that's patently false: the security of a system is dependent on its
> complete configuration, including many non-executable files. IOW, anyone
> can compromise a system without changing any executable files.
>
> # We instrumented the Linux kernel to trigger a measurement for each
> # executable, library, or kernel module loaded into the run-time before
> # they affect the system.
>
> Yep, only executables. This seems quite useless.
>
> --
> David Hopwood <david.nospam.hopwood@bl...>
One outcome of the tcgLinux project, the Integrity Measurement
Architecture (IMA), implements mandatory kernel measurements including
executable code, libraries, modules, etc. Beyond this, it also offers a
quite convenient interface that enables applications to measure any file
(on the local file system) before loading and consuming it. (Note: the
fact -that- and -when- an application measures input files can be
validated using the application's measurement.)

For example, we have instrumented bash (adding 4 lines of code) so that
bash initiates measurements on any file that is loaded as a command file
or sourced. This brings start-up scripts into the measurements (see e.g.
the bash command-file measurements as part of the measurement list on
http://www.research.ibm.com/secure_systems_department/projects/tcglinux/measurements.html).

We envision that such simple instrumentation can be done easily for
Apache, e.g., to measure the http configuration file, or for any other
application (tripwire configuration files...).

Measuring only executables would, I agree, not be very useful because
the security of many applications depends strongly on their configuration
data, which usually controls sensitive operation of the application (as
for example httpd.conf, tripwire tw.config).

We are currently working on "open-sourcing" IMA and hope to be able to
make the code available to the community soon.

Thanks
---
Reiner Sailer
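To make the point of this exchange concrete, here is an added example (not tcgLinux/IMA code, and a deliberately simplified model of its measurement list): files are hashed before they are consumed, each hash is folded into a PCR-style aggregate, and a remote verifier replays the list against known-good values. The constructed sample system shows that an edit to httpd.conf goes unnoticed when only executables are measured, and is flagged once the consuming application measures its configuration as the instrumented bash does for sourced files.

```python
import hashlib

ZERO_PCR = b"\x00" * 20  # a TPM PCR holds 20 zero bytes after reset (SHA-1 era)


class MeasurementList:
    """Append-only (filename, SHA-1) list plus a PCR-style aggregate that is
    extended as SHA1(old_aggregate || file_hash) for every measurement."""

    def __init__(self):
        self.entries = []
        self.aggregate = ZERO_PCR

    def measure(self, name, content):
        # Measure before the file is executed, sourced or parsed, never after.
        digest = hashlib.sha1(content).digest()
        self.entries.append((name, digest.hex()))
        self.aggregate = hashlib.sha1(self.aggregate + digest).digest()


def boot(files, measure_configs):
    """Simulated boot. files: name -> (kind, bytes). Executables are always
    measured by the kernel; config files only if the consuming app is instrumented."""
    ml = MeasurementList()
    for name, (kind, content) in files.items():
        if kind == "exe" or measure_configs:
            ml.measure(name, content)
    return ml


def verify(entries, reported_aggregate, known_good):
    """Remote party: replay the list to confirm it matches the reported aggregate
    (so entries cannot be dropped or altered), then check each hash is known-good."""
    agg = ZERO_PCR
    for _, h in entries:
        agg = hashlib.sha1(agg + bytes.fromhex(h)).digest()
    if agg != reported_aggregate:
        return False, "measurement list inconsistent with aggregate"
    for name, h in entries:
        if known_good.get(name) != h:
            return False, "unexpected measurement for " + name
    return True, "ok"


# Constructed sample system: two executables and the config files they consume.
GOOD = {
    "/usr/sbin/httpd": ("exe", b"\x7fELF httpd binary"),
    "/bin/bash": ("exe", b"\x7fELF bash binary"),
    "/etc/httpd/httpd.conf": ("conf", b"Listen 80\nAllowOverride None\n"),
    "/root/.bashrc": ("conf", b"alias ls='ls --color'\n"),
}
KNOWN_GOOD = {n: hashlib.sha1(c).hexdigest() for n, (_, c) in GOOD.items()}


def attest_after_config_change(measure_configs):
    """Every executable stays intact; only one configuration file is edited."""
    files = dict(GOOD)
    files["/etc/httpd/httpd.conf"] = ("conf", b"Listen 80\nAllowOverride All\n")
    ml = boot(files, measure_configs)
    return verify(ml.entries, ml.aggregate, KNOWN_GOOD)
```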