Protecting the Filesystem Integrity of a Fedora 15 Virtual Machine from Offline Attacks using IMA/EVM
Peter Kruus, The Johns Hopkins University Applied Physics Laboratory
This work focuses on applying new load-time integrity protection mechanisms to a virtual machine to protect its file system when the system is shutdown or suspended. While mandatory access control mechanisms like SELinux are an effective way of preventing files from being modified by malicious users or processes, they are only effective while the operating system and its security mechanisms are running. In a virtual environment, where virtual machines can be shutdown or suspended for storage or migration between servers, protection mechanisms are needed to ensure file system integrity from offline attacks.
We apply the latest version of IBM’s Integrity Measurement Architecture (IMA) and the new IMA Appraise and Extended Verification Module (EVM) extensions to the kernel of a Fedora 15 VMware virtual machine to detect offline modifications to files and block their opening when the system resumes. We will show the effectiveness of IMA/EVM against offline integrity attacks through a short recorded demonstration.