linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Theodore Y. Ts'o" <tytso@mit.edu>
To: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Janne Karhunen <janne.karhunen@gmail.com>,
	Chuck Lever <chuck.lever@oracle.com>,
	linux-integrity@vger.kernel.org
Subject: Re: IMA on remote file systems
Date: Wed, 18 Sep 2019 08:37:24 -0400	[thread overview]
Message-ID: <20190918123724.GJ6762@mit.edu> (raw)
In-Reply-To: <1568732169.11799.18.camel@HansenPartnership.com>

On Tue, Sep 17, 2019 at 09:56:09AM -0500, James Bottomley wrote:
> > There seems to be a philosophical debate about this.  Some IMA folks
> > have claimed that you want to know at the time of the binary being
> > executed, whether or not it is corrupt or not.  Their concern is that
> > if you can make a binary crash when it pages in some page of memory,,,,
>
> That's not my recollection of the IMA position.

I had *several* conversations with IMA folks, including Mimi, who very
carefully explained to me why fs-verity was bad from a security
perspective.  We also had security experts inside Google who said it
was fine, so it's fair to say that there is no unaminimity on this
issue.  (Put 4 security experts in a room, and watch 5 different
positions develop).

> I'd more say the Linux Kernel itself, at least for executables, has
> mechanisms to ensure open files aren't updated because that ends up
> causing potential I/D cache incoherence with resulting binary crashes,
> so for executables, IMA relies on this mechanism.

But that's only true because the disk is inside the TCB.  If you can
modify the disk while file is open --- for example, if the NSA has
created trojaned HDD firmware --- then assuming that the kernel can
ensure that the file can't be modified while it's being executed is
completely false.  Consider what happens if the file is stored on
iSCSI, where either (a) there is no protection of the network
connection, or (b) the iSCSI device is under the control of the
malicious attacker.

> I'd also be wary of pushing a merkle tree as a solution to the TOC/TOU
> problem because, while it's true you can appraise a page at a time
> using the lowest layer hash, unless you do a full merkle tree check on
> that hash every time, you're still vulnerable to the attacker
> corrupting both the hash and the page (especially as the merkle tree
> can be so huge, requiring that it be paged too).

If the page containing the lowest layer hash is in memory (and memory
is considered part of the TCB), then we don't need to do the full
merkle tree check.  If the lowest layer hash has been pushed out of
memory, then it has to be read from the storage device, but we might
not still have to do a full merkle tree check.  We only have to do a
check up to the merkle tree block which is still in memory.  In
practice, both for dm-verity and fs-verity, the upper layers of the
Merkle tree are will tend to be kept in memory because we can touch
them as "accessed" even though we didn't need to actually recompute
the hash of tree nodes which are still in memory.

So the Merkle tree *does* solve the TOC/TOU issue, so long as we are
careful and explicit about what are trust assumptions are.  And
certainly treating the memory as being in the TCB is fairly
uncontroversial thing to do!

						 Ted

  parent reply	other threads:[~2019-09-18 12:37 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-28 17:36 IMA on remote file systems Chuck Lever
2019-09-13 14:50 ` Chuck Lever
2019-09-15 21:42   ` Mimi Zohar
2019-09-16 16:10     ` Theodore Y. Ts'o
2019-09-16 18:16       ` Chuck Lever
2019-09-16 13:16 ` Janne Karhunen
2019-09-16 14:47   ` Chuck Lever
2019-09-17  6:30     ` Janne Karhunen
2019-09-17 12:45       ` Theodore Y. Ts'o
2019-09-17 14:18         ` Mimi Zohar
2019-09-17 14:56         ` James Bottomley
2019-09-18  5:27           ` Janne Karhunen
2019-09-18 12:50             ` Theodore Y. Ts'o
2019-09-18 15:52             ` James Bottomley
2019-09-19  6:47               ` Janne Karhunen
2019-09-18 12:37           ` Theodore Y. Ts'o [this message]
2019-09-18 14:40             ` Mimi Zohar
2019-09-18 15:49             ` James Bottomley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190918123724.GJ6762@mit.edu \
    --to=tytso@mit.edu \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=chuck.lever@oracle.com \
    --cc=janne.karhunen@gmail.com \
    --cc=linux-integrity@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).