From: Janne Karhunen <janne.karhunen@gmail.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: linux-integrity@vger.kernel.org, "Theodore Y. Ts'o" <tytso@mit.edu>
Subject: Re: IMA on remote file systems
Date: Tue, 17 Sep 2019 09:30:31 +0300	[thread overview]
Message-ID: <CAE=NcrYjzdBCB7aK6bL+C+W8N-QJyuPF0RvFqCmsK_S90oyvxg@mail.gmail.com> (raw)
In-Reply-To: <1BF68F78-FA8E-4633-9AB4-AB6E0B10DCB8@oracle.com>

On Mon, Sep 16, 2019 at 5:47 PM Chuck Lever <chuck.lever@oracle.com> wrote:

> >> My thought was to use an ephemeral Merkle tree for NFS (and
> >> possibly other remote filesystems, like FUSE, until these
> >> filesystems support durable per-file Merkle trees). A tree would
> >> be constructed when the client measures a file, but it would not
> >> be saved to the filesystem. Instead of a hash of the file's contents,
> >> the tree's root signature is stored as the IMA metadata.
> >
> > So the attack you are trying to guard against is that the pages that
> > were evicted once and that are read back could still be integrity
> > verified?
>
> Yes, the idea would be to provide a generic mechanism for constructing
> ephemeral trees such that it can be used for the purpose you describe
> on behalf of file systems besides NFS; eg. FUSE, or other remote file
> systems such as SMB.

I might be wrong, but handling this properly would be good for the
core IMA as well. Take an example of a memory mapped database file:
this file will have generic write access for a group of processes.
Now, if the attacker can create memory pressure on the host, we might
eventually end up freeing pages from this particular file. Once this
happens the attacker is free to modify the pages on the disk and they
will all get eventually loaded back into the memory without anyone
noticing.

Could fs-verity be plugged in as a measurement mechanism in
IMA? So rather than calling a hash function, call verity to measure
and add a new set of IMA hooks to report violations that arise after
execution? IMA policy logic and functionality would be pretty much
unchanged.


--
Janne
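The ephemeral-tree idea discussed in this thread, as an added illustration that is not code from the thread, from IMA or from fs-verity: a Merkle tree is built over a file's page-sized blocks when the file is measured, only the root is kept (in place of a whole-file hash), and any block later read back from storage is checked against that root with its sibling path. The block size (4 KiB), the use of SHA-256, the leaf/node domain separation and the duplicate-last-node padding are all assumptions of this example, not the layout any kernel implementation uses.

```python
# Added example, not from the thread: an ephemeral Merkle tree over a file's
# page-sized blocks, so a block re-read after page-cache eviction can be
# checked against the root recorded at measurement time.
import hashlib

BLOCK_SIZE = 4096  # assumption: one leaf per 4 KiB page


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(block: bytes) -> bytes:
    # Domain-separate leaves from internal nodes so a leaf cannot be
    # confused with an internal node of the same tree.
    return _h(b"\x00" + block)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    return blocks or [b""]  # an empty file still has one (empty) leaf


def build_tree(blocks: list) -> list:
    """Return all levels: levels[0] are the leaves, levels[-1] is [root]."""
    level = [leaf_hash(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]  # pad odd levels by duplicating the last node
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(data: bytes) -> bytes:
    """The single value IMA would record instead of a flat file hash."""
    return build_tree(split_blocks(data))[-1][0]


def proof_for(levels: list, index: int) -> list:
    """Sibling hashes from leaf `index` up to the root, each tagged with
    whether the sibling sits on the right of the path node."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]  # same padding rule as build_tree
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        index //= 2
    return proof


def verify_block(block: bytes, index: int, proof: list, root: bytes) -> bool:
    """Recompute the path from one block's leaf to the root; True if it matches."""
    h = leaf_hash(block)
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root


def demo_eviction_check() -> tuple:
    # Constructed sample "file": 10 KiB of patterned bytes, i.e. three blocks.
    data = bytes(range(256)) * 40
    blocks = split_blocks(data)
    levels = build_tree(blocks)
    root = levels[-1][0]  # recorded at measurement time; the tree itself may be dropped
    # Block 1 is "evicted" and read back unchanged: the check passes.
    ok = verify_block(blocks[1], 1, proof_for(levels, 1), root)
    # The same block read back after a one-byte change on disk: the check fails.
    tampered = bytearray(blocks[1])
    tampered[0] ^= 0x01
    bad = verify_block(bytes(tampered), 1, proof_for(levels, 1), root)
    return ok, bad


if __name__ == "__main__":
    print(demo_eviction_check())  # expected: (True, False)
```

Only the root needs to survive as IMA metadata; the per-block proof can be regenerated from the blocks still in the page cache or from a tree rebuilt on the fly, which is what makes the tree "ephemeral". A per-block check at read-back time is the point that a whole-file hash at open time cannot cover.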
