WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

[Xen-devel] Re: trusted computing


> From: David Hopwood <david@xxxxx>
> [image removed] Re: trusted computing  
> 2004-10-18 19:24

>  Tim Freeman wrote:
>  
>  > not about Xen in particular, but as a side note, because I think some
>  > people are interested in trusted computing and virtualization?  If
>  > you"re not, sorry for the intrusion!
>  >
>  > http://www.research.ibm.com/secure_systems_department/projects/tcglinux/
>  >
>  > "Currently, we experiment measuring the information flow on SELinux
>  > systems to reason about isolation properties of a system. For this
>  > purpose, we modified tcgLinux to run as an LSM kernel module stacked on
>  > top of SELinux. We also envision to extend our attestation method to
>  > integrate virtualization technology and partition the attestation space
>  > of a system using the information flow policies enforced therein."
>  
>  # [tcgLinux]"s main goal is to generate verifiable representative information
>  # about the software stack running on a Linux system. This information can
>  # be used by remote parties to determine the integrity of the execution
>  # environment.
>  
>  Can it, though? The assumption seems to be that fingerprinting executables
>  is sufficient to characterise the security configuration of a system.
>  AFAICS that"s patently false: the security of a system is dependent on its
>  complete configuration, including many non-executable files. IOW, anyone
>  can compromise a system without changing any executable files.
>  
>  # We instrumented the Linux kernel to trigger a measurement for each
>  # executable, library, or kernel module loaded into the run-time before
>  # they affect the system.
>  
>  Yep, only executables. This seems quite useless.
>  
>  --
>  David Hopwood <david.nospam.hopwood@xxxxx>

One outcome of the tcgLinux project, the Integrity Measurement Architecture (IMA), implements mandatory kernel measurements including executable code, libraries, modules, etc. Beyond this, it also offers a quite convenient interface that enables applications to measure any file (on the local file system) before loading and consuming it. (Note: the fact -that- and -when- an application measures input files can be validated using the application's measurement).

For example, we have instrumented bash (adding 4 lines of code) so that bash initiates measurements on any file that is loaded as a command file or sourced. This includes start-up scripts into the measurements (see e.g. bash-command file measurements as part of the measurement list on http://www.research.ibm.com/secure_systems_department/projects/tcglinux/measurements.html).

We envision that such simple instrumentation can be done easily for Apache, e.g., to measure the http configuration file or any other application (tripwire configuration files...).

Measuring only executables would, so I agree, not be very useful because the security of many applications depends strongly on their configuration data, which usually controls sensitive operation of the application (as for example httpd.conf, tripwire tw.config).

We are currently working on "open-sourcing" IMA and hope to be able to make the code available to the community soon.

Thanks
---
Reiner Sailer
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-devel] Re: trusted computing, Reiner Sailer <=