IMA info required
June 8th, 2007 By shazkhan

Salams, today we had a comprehensive talk about SELinux, trusted computing and formal methods. It was a good get-together and we need to have these on a regular basis.

Secondly, Mr. MMA discussed his experience related to IMA usage side by side with SELinux. He will share his experience with us. This will benefit me and Mr. TAT.

I am expecting the code snippets and know-how of the process that Mr. MMA used on this blog or on our mailing group. This is required soon!

Thirdly, we can utilize this blog for a lot of communication. I request group members to post their updates regarding their specific topic and this will benefit all of us. Apart from this we can share other things off the topic that we come across for knowledge sharing. If someone is feeling shy regarding their ideas that they might be stolen, we have our mailing group which is always there! This keeps everyone motivated and it makes the tough get going, if you understand what I mean. It promotes the competitive psyche and everyone will work hard then.

7 Responses to "IMA info required"
 
alam78
June 10th, 2007

Some detailed comments regarding your approach.

I describe your approach according to my understanding:

1. A Policy Management Server (PMS) is distributing MAC policies to clients

2. The clients are required to enforce these policies while making communication with the server. Consider an example when the Mozilla at the client is restricted to have communication with Apache no 1 at the server.

3. But before enforcement, the client also wants to verify the integrity of the PMS or its behavior as I suggested, I mean before enforcement.

4. For this, you want to reuse some of our work like stacking IMA on top of SELinux, right?

OK.

1. Search for the file_mmap hook function in the SELinux hook functions; I don't exactly remember where it is located.

2. Start with IMA, try to implement IMA on your Linux and work around its functionality.

3. We can take a look at IMA code together in the next meeting then. You will present me the IMA functionality. Especially, play around the following feature of IMA: An independent configuration file called /sys/kernel/measure is maintained to indicate the files that are needed to be protected. Each entry in this file contains the file name and its absolute path.

4. The fourth step will be to communicate with the TPM from within the Linux kernel and OpenSSL as we discussed.

Please respond.

Best,
MM Alam

 
shazkhan
June 10th, 2007

Regarding our understanding, the scenario is exactly what you wrote here. Can you please verify with some experts this idea or do you personally think that it's a useful paradigm. I can ask brindle regarding this if you suggest.

The tasks that you mentioned will require a lot of messy hard work but in concept the first three are straightforward. Can you please shed some light on the 4th one.

How are you feeling now? I specially prayed for you.

 
alam78
June 11th, 2007

The first three seem straightforward, but still they will require time, because I was personally not involved in the implementation of the SELinux hook function for IMA. I have only provided support for IMA and SELinux code analysis, which I proposed that we can go jointly in the next meeting, right?

Secondly, the 4th is a more difficult one, i.e. to communicate with the TPM within the SELinux or Linux kernel. Linux community is too restrictive in that, but I have some general ideas, which we can shape or re-shape in order to solve this problem.

Regarding your question about discussion, I had a discussion with an expert. The detailed comments are not possible to be written here, too many things in that, but the bottom line is that we need to put some application context into all this problem scenario, i.e. why we are doing this? This has to be clarified to the general audience. I will discuss this issue too with you in the next meeting.

Please update me on your implementation progress on the first three steps asap.

And please ask other experts too and update us accordingly.

Best,
MM Alam

 
shazkhan
June 11th, 2007

You mean we will do the code analysis of IMA and SELinux in the next meeting! Linux community is restrictive about TPM because of TCG and the side effects of TCPA. Is that the reason? Doesn't IMA have code that communicates with the TPM and its PCR?

We are doing this because distributed MAC is the future and without remote attestation building trust is almost impossible or requires then a lot of negotiation and infrastructure.

 
alam78
June 11th, 2007

Yes, we will go together on the analysis.

The Linux community's argument is not to oppose TCG, but to make it part of userspace rather than kernel. That is the actual point.

Best,
MM Alam

 
shazkhan
June 11th, 2007

The implementation detail is that my SELinux policy is missing. Figuring out what to do? I have permissive and targeted settings. Maybe it's because of the targeted thingy. Am checking it out. Next I'm hitting IPsec.

 
recluze
June 12th, 2007

I agree with you Shahbaz, regarding communication of ideas and work on the blog. I also agree that ideas cannot really be stolen if you're doing something useful. I was busy working on the paper and that is something that needed to be kept silent. Anyway, I'll be posting regarding my direction and work soon inshaallah.
