LinuxSecuritySummit2010/Abstracts/Zohar EVM

From Linux Security Wiki (obsolete)

Latest revision as of 09:53, 15 June 2010

Title

Using EVM to protect security extended attributes

Presenter

Mimi Zohar, IBM

Abstract

Extended Verification Module (EVM) detects offline tampering of the security extended attributes (e.g. security.selinux, security.SMACK64, security.capability, security.ima), which are the basis for LSM permission decisions and the proposed IMA integrity appraisal decisions. To detect offline tampering of the extended attributes, EVM maintains an HMAC-SHA1 across a set of security extended attributes, storing the HMAC as the extended attribute 'security.evm'. To support verification of the integrity of an extended attribute, EVM exports evm_verifyxattr(), which recalculates the HMAC and compares it with the version stored in 'security.evm'.

This talk will cover configuration, use and performance of the proposed EVM and IMA appraisal extensions. It will discuss the IMA measurement policy versus the new appraisal policy, a threat analysis of EVM/IMA appraisal, and things still needed for more complete protection of the security labels.
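The HMAC scheme described in the abstract, as a user-space model added here for illustration; it is not the EVM kernel code. The key, the label values, the length-prefixed field encoding, the result strings and the function names `evm_update` and `verify_xattr` are assumptions of the example, and the model hashes only the extended attributes the abstract names.

```python
import hashlib
import hmac

# Attributes named in the abstract, hashed in a fixed order.
PROTECTED = ("security.selinux", "security.SMACK64",
             "security.capability", "security.ima")
EVM_XATTR = "security.evm"

def evm_hmac(key, xattrs):
    """HMAC-SHA1 over the protected xattrs present (model encoding, assumed)."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for name in PROTECTED:
        if name in xattrs:
            # Length-prefix each field so name/value boundaries are unambiguous.
            for field in (name.encode(), xattrs[name]):
                mac.update(len(field).to_bytes(4, "big") + field)
    return mac.digest()

def evm_update(key, xattrs):
    """Model of EVM maintaining the HMAC in security.evm."""
    xattrs[EVM_XATTR] = evm_hmac(key, xattrs)

def verify_xattr(key, xattrs):
    """Model of the check: recompute the HMAC and compare with security.evm."""
    stored = xattrs.get(EVM_XATTR)
    if stored is None:
        return "NOLABEL"
    return "PASS" if hmac.compare_digest(stored, evm_hmac(key, xattrs)) else "FAIL"

def demo():
    key = b"constructed-demo-key"          # constructed; stands in for the EVM key
    f = {"security.selinux": b"system_u:object_r:bin_t:s0",   # constructed labels
         "security.capability": b"\x01\x00\x00\x02"}
    evm_update(key, f)
    relabeled = {**f, "security.selinux": b"system_u:object_r:shell_exec_t:s0"}
    added = {**f, "security.ima": b"\x01" + bytes(20)}
    stripped = {k: v for k, v in f.items() if k != EVM_XATTR}
    # An offline writer without the key cannot produce a matching security.evm.
    resealed = dict(relabeled)
    evm_update(b"wrong-key", resealed)
    return {"clean": verify_xattr(key, f),
            "relabeled": verify_xattr(key, relabeled),
            "ima_added": verify_xattr(key, added),
            "evm_stripped": verify_xattr(key, stripped),
            "resealed_wrong_key": verify_xattr(key, resealed)}

if __name__ == "__main__":
    print(demo())
```

A missing 'security.evm' is reported separately from a mismatch so that policy can decide how to treat unlabeled files.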
