linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Theodore Y. Ts'o" <tytso@mit.edu>
To: Janne Karhunen <janne.karhunen@gmail.com>
Cc: Chuck Lever <chuck.lever@oracle.com>, linux-integrity@vger.kernel.org
Subject: Re: IMA on remote file systems
Date: Tue, 17 Sep 2019 08:45:33 -0400	[thread overview]
Message-ID: <20190917124533.GD6762@mit.edu> (raw)
In-Reply-To: <CAE=NcrYjzdBCB7aK6bL+C+W8N-QJyuPF0RvFqCmsK_S90oyvxg@mail.gmail.com>

On Tue, Sep 17, 2019 at 09:30:31AM +0300, Janne Karhunen wrote:
> I might be wrong, but handling this properly would be good for the
> core IMA as well. Take an example of a memory mapped database file:
> this file will have generic write access for a group of processes.
> Now, if the attacker can create memory pressure on the host, we might
> eventually end up freeing pages from this particular file. Once this
> happens the attacker is free to modify the pages on the disk and they
> will all get eventually loaded back into the memory without no-one
> noticing.

There seems to be a philosophical debate about this.  Some IMA folks
have claimed that you want to know at the time of the binary being
executed, whether or not it is corrupt or not.  Their concern is that
if you can make a binary crash when it pages in some page of memory,
you might be able to exploit that fact by being able to force some
setuid binary to stop at some arbitrary point.  My understanding was
that they were pretty absolutist about that position, and that's one
of the reason why the original fs-verity work was completely decoupled
from IMA, and why fs-verity exists in the first place ---- if you have
gargantuan binaries with ELF debugging sections which will never get
read in normal use cases, or APK files with translation tables or
video cut scenes which are only used at when the game is first
started, or in between major sections of the game, you don't want to
delay application startup for long periods of time just to checksum
the whole darned file.

The issue about using memory pressure to push pages out to disk and
forcing a TOU/TOC security failure is the reason why Check is
interested in fs-verity.  In the original IMA design, the disk is
considered part of the Trusted Computing Base (TCB), at least while it
was spinning.  So the asssumption is the attacker wouldn't be able to
modify the disk blocks once the system was booted, and IMA merely
protected against off-line attacks (aka, "the evil maid scenario"
where the laptop or mobile device left in the hotel room gets a free
upgrade courtesy of some state intelligence agency like the MSS).  But
for NFS, the NFS server is generally not considered part of the TCB,
so the original IMA design very vulnerable to the concern you've
described.

> Could the fs-verity be plugged in as a measurement mechanism in the
> IMA? So rather than calling a hash function, call verity to measure
> and add new set of IMA hooks to report violations that arise after
> execution? IMA policy logic and functionality would be pretty much
> unchanged.

That is the plan, and it's not hard to do.  The question which I've
raised is when should we do it, given that some people believe that
pulling the entire file into memory and checksumming it at exec or
open time is a feature, not a bug.

Should we use the fs-verity merkel tree root hash as the measurement
function unconditionally if it is present?  Or does IMA want to have
some kind of tuning knob; and if so, should it be on a per-file system
basis, or globally, etc. etc.  Those are IMA design questions, and
I'll let the IMA folks decide what they want to do.

						- Ted

  reply	other threads:[~2019-09-17 12:45 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-28 17:36 IMA on remote file systems Chuck Lever
2019-09-13 14:50 ` Chuck Lever
2019-09-15 21:42   ` Mimi Zohar
2019-09-16 16:10     ` Theodore Y. Ts'o
2019-09-16 18:16       ` Chuck Lever
2019-09-16 13:16 ` Janne Karhunen
2019-09-16 14:47   ` Chuck Lever
2019-09-17  6:30     ` Janne Karhunen
2019-09-17 12:45       ` Theodore Y. Ts'o [this message]
2019-09-17 14:18         ` Mimi Zohar
2019-09-17 14:56         ` James Bottomley
2019-09-18  5:27           ` Janne Karhunen
2019-09-18 12:50             ` Theodore Y. Ts'o
2019-09-18 15:52             ` James Bottomley
2019-09-19  6:47               ` Janne Karhunen
2019-09-18 12:37           ` Theodore Y. Ts'o
2019-09-18 14:40             ` Mimi Zohar
2019-09-18 15:49             ` James Bottomley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190917124533.GD6762@mit.edu \
    --to=tytso@mit.edu \
    --cc=chuck.lever@oracle.com \
    --cc=janne.karhunen@gmail.com \
    --cc=linux-integrity@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).