LinuxSecuritySummit2010/Abstracts/Zohar EVM

From Linux Security Wiki (obsolete)
Revision as of 09:53, 15 June 2010 by JamesMorris (Talk | contribs)



Using EVM to protect security extended attributes


Mimi Zohar, IBM


The Extended Verification Module (EVM) detects offline tampering of the security extended attributes (e.g. security.selinux, security.SMACK64, security.capability, security.ima), which are the basis for LSM permission decisions and for the proposed IMA integrity appraisal decisions. To detect offline tampering of these attributes, EVM maintains an HMAC-SHA1 across a set of security extended attributes, storing the HMAC as the extended attribute 'security.evm'. To support verification of the integrity of an extended attribute, EVM exports evm_verifyxattr(), which re-calculates the HMAC and compares it with the version stored in 'security.evm'.
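The following is an added user-space model of the mechanism described above; it is not the kernel's EVM code. It keys an HMAC-SHA1 over the named security xattrs, stores the result as security.evm, and re-derives it on verification, so an offline edit to a protected label (or a security.evm recomputed without the key) is detected. The key, labels and return strings are constructed for the example, and the model is simplified: the kernel's EVM also binds inode metadata into the HMAC, which is left out here.

```python
import hashlib
import hmac

# Constructed demo key; the kernel keeps the real EVM key in its keyring.
EVM_KEY = b"constructed-demo-evm-key"

# The security xattrs the abstract names as EVM-protected, covered in a fixed
# order so the HMAC is reproducible.
PROTECTED_XATTRS = (
    "security.selinux",
    "security.SMACK64",
    "security.capability",
    "security.ima",
)


def evm_hmac(xattrs, key=EVM_KEY):
    """HMAC-SHA1 over the protected security xattrs present on the inode.

    Simplified model: only attribute names and values are covered. The
    kernel's EVM additionally binds inode metadata, which is omitted here.
    """
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for name in PROTECTED_XATTRS:
        value = xattrs.get(name)
        if value is None:
            continue  # a missing attribute contributes nothing
        # Length-prefix name and value so that moving bytes between
        # neighbouring attributes cannot yield the same MAC input.
        mac.update(len(name).to_bytes(2, "big") + name.encode())
        mac.update(len(value).to_bytes(4, "big") + value)
    return mac.digest()


def evm_update(xattrs, key=EVM_KEY):
    """Refresh security.evm after a legitimate, online label change."""
    xattrs["security.evm"] = evm_hmac(xattrs, key)
    return xattrs


def evm_verifyxattr(xattrs, name):
    """Model of evm_verifyxattr(): recompute the HMAC over the protected set
    and compare it with the stored security.evm. The status strings are this
    model's own, not the kernel's return codes."""
    if name not in PROTECTED_XATTRS:
        return "not_protected"
    stored = xattrs.get("security.evm")
    if stored is None:
        return "no_label"
    # Constant-time comparison so a forged security.evm leaks nothing via timing.
    return "pass" if hmac.compare_digest(evm_hmac(xattrs), stored) else "fail"


def make_sample_xattrs():
    """Constructed labels for one inode; not taken from a real system."""
    return {
        "security.selinux": b"system_u:object_r:bin_t:s0\0",
        "security.capability": b"constructed-capability-blob",
        "security.ima": hashlib.sha1(b"constructed file contents").digest(),
    }


def demo_offline_tampering():
    """Walk through the cases EVM is meant to tell apart."""
    results = {}
    inode = evm_update(make_sample_xattrs())
    results["intact"] = evm_verifyxattr(inode, "security.selinux")

    # Online relabel through the kernel: security.evm is refreshed with the key.
    inode["security.selinux"] = b"system_u:object_r:shell_exec_t:s0\0"
    evm_update(inode)
    results["online_relabel"] = evm_verifyxattr(inode, "security.selinux")

    # Offline edit of the label leaves security.evm stale: the HMAC no longer matches.
    tampered = dict(inode)
    tampered["security.selinux"] = b"system_u:object_r:unconfined_t:s0\0"
    results["offline_tamper"] = evm_verifyxattr(tampered, "security.selinux")

    # security.evm recomputed without the real key also fails verification.
    forged = dict(tampered)
    evm_update(forged, key=b"wrong-key")
    results["wrong_key"] = evm_verifyxattr(forged, "security.selinux")

    # Stripping security.evm entirely yields a distinct "no label" status,
    # which the appraisal policy has to decide how to treat.
    stripped = dict(inode)
    del stripped["security.evm"]
    results["stripped"] = evm_verifyxattr(stripped, "security.selinux")
    return results


if __name__ == "__main__":
    for case, status in demo_offline_tampering().items():
        print(f"{case:15s} {status}")
```

The "no_label" case is the one worth watching in a deployment: a verifier that maps a missing security.evm to "pass" would let an attacker bypass the check simply by deleting the attribute, so the policy must distinguish it from a successful verification.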

This talk will cover configuration, use and performance of the proposed EVM and IMA appraisal extensions. It will discuss the IMA measurement policy versus the new appraisal policy, a threat analysis of EVM/IMA appraisal, and things still needed for more complete protection of the security labels.
