Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 1 Dec 2021 18:40:59 +0000
From: Travis Finkenauer <tmfink@...iper.net>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: IMA gadgets


> On Dec 1, 2021, at 12:06 AM, Johannes Segitz <jsegitz@...e.de> wrote:
> 
> From a security POV it doesn't
> help much (on a normal Linux system, can be different if you really strip
> it down).

I agree. It's difficult to add an IMA-like security policy that is both effective and general-purpose. But, if you don't care about your system being general-purpose, IMA can be useful on "locked-down vendor systems".

If you can use IMA to enforce a "write XOR execute" policy on a filesystem, then you could have separate filesystems for executable code and writeable config. For example, you could:

1) Have your executable code in a read-only squashfs filesystem. Use IMA to enforce only signed binaries will run.
2) Put writeable data in a "noexec" filesystem.
3) Lock-down (or remove) interpreters (python, perl, bash, etc.) that could "execute" data whose provenance does not come from a signed, read-only filesystem.

Such a locked-down setup provides some security by trying to ensure only vendor-provided code is executed.
But, this setup is probably not suitable for a general-purpose end-user system.

-Travis

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.