
[Xen-devel] Re: trusted computing

> From: David Hopwood <david@xxxxx>
> Re: trusted computing
> 2004-10-18 19:24

>  Tim Freeman wrote:
>  
>  > not about Xen in particular, but as a side note, because I think some
>  > people are interested in trusted computing and virtualization?  If
>  > you're not, sorry for the intrusion!
>  >
>  > http://www.research.ibm.com/secure_systems_department/projects/tcglinux/
>  >
>  > "Currently, we experiment measuring the information flow on SELinux
>  > systems to reason about isolation properties of a system. For this
>  > purpose, we modified tcgLinux to run as an LSM kernel module stacked on
>  > top of SELinux. We also envision to extend our attestation method to
>  > integrate virtualization technology and partition the attestation space
>  > of a system using the information flow policies enforced therein."
>  
>  # [tcgLinux]'s main goal is to generate verifiable representative information
>  # about the software stack running on a Linux system. This information can
>  # be used by remote parties to determine the integrity of the execution
>  # environment.
>  
>  Can it, though? The assumption seems to be that fingerprinting executables
>  is sufficient to characterise the security configuration of a system.
>  AFAICS that's patently false: the security of a system is dependent on its
>  complete configuration, including many non-executable files. IOW, anyone
>  can compromise a system without changing any executable files.
>  
>  # We instrumented the Linux kernel to trigger a measurement for each
>  # executable, library, or kernel module loaded into the run-time before
>  # they affect the system.
>  
>  Yep, only executables. This seems quite useless.
>  
>  --
>  David Hopwood <david.nospam.hopwood@xxxxx>

One outcome of the tcgLinux project, the Integrity Measurement Architecture (IMA), implements mandatory kernel measurements including executable code, libraries, modules, etc. Beyond this, it also offers a quite convenient interface that enables applications to measure any file (on the local file system) before loading and consuming it. (Note: the fact -that- and -when- an application measures input files can be validated using the application's measurement).

For example, we have instrumented bash (adding 4 lines of code) so that bash initiates measurements on any file that is loaded as a command file or sourced. This brings start-up scripts into the measurements as well (see e.g. bash-command file measurements as part of the measurement list on http://www.research.ibm.com/secure_systems_department/projects/tcglinux/measurements.html).

We envision that such simple instrumentation can be done easily for Apache, e.g., to measure the http configuration file or any other application (tripwire configuration files...).

Measuring only executables would, so I agree, not be very useful because the security of many applications depends strongly on their configuration data, which usually controls sensitive operation of the application (as for example httpd.conf, tripwire tw.config).

We are currently working on "open-sourcing" IMA and hope to be able to make the code available to the community soon.

Thanks
---
Reiner Sailer
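A toy model of the measurement scheme described in this reply, added here as an illustration; it is not code from the tcgLinux/IMA project or from any author in the thread. It assumes a SHA-1 measurement list whose entries are also folded into a TPM 1.2 style PCR (new value = SHA1(old value || digest)), so that a remote verifier can both check that the list itself was not edited after the fact and compare each measured file, executable or configuration, against a set of known-good digests. The file contents, paths and the "instrumented httpd" are constructed for the example.

```python
"""Added example (not tcgLinux/IMA code): an IMA-style measurement list with a
TPM-1.2-style PCR, and a verifier that replays the list and checks reference
values. All sample files below are constructed for illustration."""
from __future__ import annotations

import hashlib

PCR_INITIAL = bytes(20)  # a TPM 1.2 PCR is 20 zero bytes after reset


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 PCR extend: the new value is SHA1(old PCR || measurement)."""
    return sha1(pcr + digest)


class MeasurementList:
    """Simplified kernel-side log: (path, sha1 hex) entries plus the PCR."""

    def __init__(self) -> None:
        self.entries: list[tuple[str, str]] = []
        self.pcr = PCR_INITIAL

    def measure(self, path: str, content: bytes) -> str:
        """Record a file's digest and extend the PCR; called before the file is used."""
        digest = sha1(content)
        self.entries.append((path, digest.hex()))
        self.pcr = extend(self.pcr, digest)
        return digest.hex()


def replay_pcr(entries: list[tuple[str, str]]) -> bytes:
    """Verifier side: recompute the PCR from the log entries alone."""
    pcr = PCR_INITIAL
    for _path, hexdigest in entries:
        pcr = extend(pcr, bytes.fromhex(hexdigest))
    return pcr


def verify(entries: list[tuple[str, str]], reported_pcr: bytes,
           reference: dict[str, str]) -> list[str]:
    """Return a list of problems; empty means the log is intact and every
    measured file matches its known-good digest."""
    problems = []
    if replay_pcr(entries) != reported_pcr:
        problems.append("measurement list does not match PCR (log tampered)")
    for path, hexdigest in entries:
        expected = reference.get(path)
        if expected is None:
            problems.append(f"{path}: no reference value (unknown file)")
        elif expected != hexdigest:
            problems.append(f"{path}: digest {hexdigest[:12]}... not in reference set")
    return problems


# Constructed stand-ins for the binary, start-up script and configuration
# file discussed in the thread.
GOOD_FILES = {
    "/bin/bash": b"<instrumented bash binary>",
    "/etc/profile": b"export PATH=/usr/bin:/bin\n",
    "/etc/httpd/httpd.conf": b"Listen 80\nAllowOverride None\n",
}
REFERENCE = {path: sha1(data).hex() for path, data in GOOD_FILES.items()}


def boot_and_measure(files: dict[str, bytes]) -> MeasurementList:
    """Simulate: the kernel measures bash when it is exec'd, the instrumented
    bash measures the script it sources, and a hypothetical instrumented
    httpd measures its configuration before parsing it."""
    log = MeasurementList()
    log.measure("/bin/bash", files["/bin/bash"])                    # kernel hook on exec
    log.measure("/etc/profile", files["/etc/profile"])              # bash, before 'source'
    log.measure("/etc/httpd/httpd.conf", files["/etc/httpd/httpd.conf"])  # httpd, before parse
    return log


def scenario_clean() -> list[str]:
    log = boot_and_measure(GOOD_FILES)
    return verify(log.entries, log.pcr, REFERENCE)


def scenario_config_tampered() -> list[str]:
    """A configuration-only change (no executable touched) is still visible,
    because the application measured the file before consuming it."""
    files = dict(GOOD_FILES)
    files["/etc/httpd/httpd.conf"] = b"Listen 80\nAllowOverride All\n"
    log = boot_and_measure(files)
    return verify(log.entries, log.pcr, REFERENCE)


def scenario_log_tampered() -> list[str]:
    """Rewriting the list afterwards to look clean does not help: the PCR was
    extended with the real digest and cannot be rewound."""
    files = dict(GOOD_FILES)
    files["/etc/httpd/httpd.conf"] = b"Listen 80\nAllowOverride All\n"
    log = boot_and_measure(files)
    forged = [(path, REFERENCE[path]) for path, _ in log.entries]
    return verify(forged, log.pcr, REFERENCE)


if __name__ == "__main__":
    for name, fn in [("clean", scenario_clean),
                     ("config tampered", scenario_config_tampered),
                     ("log tampered", scenario_log_tampered)]:
        print(f"{name}: {fn() or 'OK'}")
```

The point of the second and third scenarios is the one made in the reply: once an application measures its own inputs, a change to a configuration file shows up in the list just like a changed binary, and because the verifier also checks the digest of the instrumented application itself, it can tell that the hooks producing those entries were actually present.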
