Security:IntegrityMeasurement

From Tizen Wiki
Jump to: navigation, search

What is Integrity Measurement

Integrity Measurement Architecture/Extended Verification Module (IMA/EVM) it's a module that allows to check integrity of the system. If gives possibility to check if important files in system haven't been modified by unauthorized person. System checks files before open (and/or execute) if they were not suspiciously modified, and according to the specified action it will: report the violation, block access to the file, or just ignore result of measurement. It gives possibility to check every file if it was compromised. It gives the possibility to create a policy that describes which files have to be checked.

IMA checks file content and compares it with hash or signature stored in security.ima extended attributes.

EVM checks content of extended attributes from security domain (security.ima, security.SMACK4, etc.) and compares it with secure hash (HMAC) or signature stored in security.evm.

The simplest case is to sign every file with digital signature. This means that in extended attributes of every file (covered by policy) is digital signature of file content. While opening the file kernel will check correctness of the signature and will take appropriate action (open file, return permission denied, log, etc.). On the device only the public key is present - so infringement of any file is impossible without noticing.

The policy describes files that should be checked - it can be based on various criteria. Fox example: file path, owner of the file, owner of process, LSM labels, etc. For details check "Kernel" section.

The Tizen implementation

To implement this solution in Tizen the existing IMA/EVM Linux kernel feature will be used. The kernel feature will be extended with additional interfaces. An additional library (libimaevm) will be implemented, to make using the interface easier. Also the controller process, test UI application and test remote managing service will be provided.
The dependency between the modules are shown on the diagram:

Dependency between modules in IMA/EVM system

Kernel

Kernel will provide interfaces for:

  • Enable/disable IMA/EVM
  • (Re)load policy, read loaded policy
  • Get list of measured files/Check file status

Kernel interfaces:

  • Interface for loading policy (policy should be authorized with signature)
  • Policy read interface (reading policy loaded into the kernel)
  • IMA runtime disable/enforce/ignore/fix switch
  • EVM runtime disable/enable/fix switch
  • Interface for reading list of measured files (files that have been open or executed from last reboot, the list contains a status of files)

Possible states of IMA/EVM

  • IMA_STATE_DISABLED - IMA is turned off.
  • IMA_STATE_ENFORCE - IMA checks integrity of every file covered by policy. Permission denied is returned on integrity violations.
  • IMA_STATE_FIX - IMA doesn't check file integrity. Hash of files is updated on file close.
  • IMA_STATE_IGNORE - (AKA IMA_STATE_LOG) IMA checks integrity of every file covered by policy. No permission denied - only log on integrity violations.
  • EVM_STATE_DISABLED - EVM if turned off.
  • EVM_STATE_ENABLED - EVM checks integrity of files. Permission denied is returned on integrity violations.
  • EVM_STATE_FIX - No integrity check - hash is update on file close.

Policy

Policy can be based on different criteria like:

  • path
  • file system ID (fsuuid)
  • file system type (FS_MAGIC)
  • owner of file (uid)
  • owner of process (uid)
  • type of file (executable/non executable)
  • LSM labels
  • action (open/execute)

Any of these criteria can be mixed together in any combination.

Userspace library

The library will use the kernel interfaces to implement the API. The main purpose for the library is to make using of kernel API easier. It will have similar role like libsmack for smackfs. The library will be implemented in ima-evm-utils repository. Library will provide API:

Get loaded policy from kernel, and load policy into the kernel.

/*
 * Returns policy (via param) as a array of char* (NULL terminated).
 * E.g.: {"dont_measure fsmagic=0xf97cff8c",
 *        "measure func=MMAP_CHECK mask=MAY_EXEC",
 *        "appraise fowner=0",
 *        NULL}
 * The memory have to be freed by the caller. The best way the free the
 * memory is to call: ima_free_policy(char **policy)
 * Returns LIB_SUCCESS on success or LIB_ERROR_* on error
 */
int ima_get_policy(char*** policy);

/*
 * For freeing the memory allocated for the policy by ima_get_policy().
 * Returns LIB_SUCCESS on success or LIB_ERROR_* on error
 */
int ima_free_policy(char** policy);

/*
 * Tries to load policy from char **policy into the kernel.
 * The caller needs also to provide the signature as a const char*
 * Returns LIB_SUCCESS on success or LIB_ERROR_* on error
 */
int ima_set_policy(const char** policy, const char* policy_sig);

/*
 * Tries to load policy from file into the kernel. Signature for
 * the policy must be present in the same location as policy_path.sig file.
 * E.g. for the call:
 *     ima_set_policy_file("/path/to/policy");
 *     The signature must exist in location: /path/to/policy.sig
 * Returns LIB_SUCCESS on success or LIB_ERROR_* on error
 */
int ima_set_policy_file(const char* policy_path);

Get state of IMA.

/*
 * Returns via param state of IMA (ima_state enum) and returns LIB_SUCCESS or
 * LIB_ERROR_* on error
 */
int ima_get_state(int *state);

/*
 * Sets IMA state (ima_state enum) and returns LIB_SUCCESS or LIB_ERROR_* on error
 */
int ima_set_state(int state);

Get state of EMV.

/*
 * Returns via param state of EVM (evm_state enum) and returns LIB_SUCCESS or
 * LIB_ERROR_* on error
 */
int evm_get_state(int *state);

/*
 * Sets EVM state (evm_state enum) and returns LIB_SUCCESS or LIB_ERROR_* on error
 */
int evm_set_state(int state);

Check state of file.

int get_file_state(const char *path, int *state);

Set and get security.ima xattr

/*
 * Sets security.ima extended attribute.
 * Returns LIB_SUCCESS on success or LIB_ERROR_* on error
 */
int ima_set_xattr (const char* path);

/*
 * Gets security.ima extended attribute.
 * Returns LIB_SUCCESS on success or LIB_ERROR_* on error
 */
int ima_get_xattr (const char* path, char** hash); 

Set and get security.evm xattr

/*
 * Sets security.evm extended attribute.
 * Returns LIB_SUCCESS on success or LIB_ERROR_* on error
 */
int evm_set_xattr (const char* path, const char* evm);

/*
 * Gets security.evm extended attribute.
 * Returns LIB_SUCCESS on success or LIB_ERROR_* on error
 */
int evm_get_xattr (const char* path, char** hash);

All functions should return 0 on success and negative value on error.

Possible state of file:

enum ima_file_state {
    IMA_FILE_STATE_OK,
    IMA_FILE_STATE_TAMPERED,
    IMA_FILE_STATE_UNKNOWN
}

Possible state of IMA/EVM:

enum ima_state {
    IMA_STATE_DISABLED = 0x00, /* IMA is turned off - no actions are done */
    IMA_STATE_ENFORCE  = 0x01, /* IMA checks files integrity - on errors access denied
                                * is returned when attempt to open.
                                * If file hash was correct on open it is updated on close */
    IMA_STATE_FIX      = 0x02, /* IMA doesn't check files integrity. Hash of files is
                                * updated on file close */
    IMA_STATE_IGNORE   = 0x04, /* IMA checks files integrity, errors are reported on
                                * measurement list, but there is no blocking access.
                                * If file hash was correct on open it is updated on close */
};
enum evm_state {
    EVM_STATE_DISABLED = 0x00, /* EVM is turned off - no actions are done */
    EVM_STATE_ENABLED  = 0x01, /* EVM is check security.* xattrs integrity. On error access
                                * denied is returned when attempt to open. If security.evm was
                                * correct on open it is updated on close */
    EVM_STATE_FIX      = 0x02  /* No integrity check - Hash of file is updated on file close */
};

Controller process

The process controller - it is the server that have rights to read from/write to kernel interfaces (via libimaevm). It will provide IPC interfaces for using the kernel interfaces by other "unprivileged" application (application that doesn't have capabilities). The controller process is the ima-evm-server. The the sockets for IMA/EVM IPC should be labeled by appropriate Smack label - according to the Smack Three Domain Model it should be "System". Such "unprivileged" application could be a setting application that gives the UI interface to configure/manage IMA/EVM. The main purpose of the controller process is to demonstrate how IMA/EVM system works, and the controller process should be adjusted/limited to manufacturer needs.

Test UI application, test console tool, test server

This application will be implemented only to show and check how the IMA/EVM works. It should NOT be present in final product. The UI application is only the reference solution, and the producer should replace it with his own application, re-write to meets his needs, or remove it. Also the test console tool is implemented to demonstrate possibilities of libimaevm, and ima-evm-server. The UI application and the console tool will demonstrate all options of IMA/EVM.

This simple remote test server will be implemented to demonstrate features of IMA/EVM like updating policy, or files protected by IMA/EVM. This server should NOT be used with final product.

Development

Development of kernel interfaces can be found on Dmitry Kasatkin branches on kernel.org. You can check the http version here. When the patches will be ready they will be send to kernel.org mailing list. Backported patches can be found on Tizen.org kernel-common repository on sandbox/jkozerski/ima-evm branch.

Development of libimaevm can be found on ima-evm-utils project on Tizen.org. All features will be upstreamed to project side on sourceforge.net.

The Controller process, Test UI application, and Test Server will be developing directly on tizen.org in ima-evm-reference-utils project.

Examples and possible use cases

You can find here some examples of possible use cases. You can read all of them and choose parts that you're interested in.

Check also general examples of using IMA/EVM.

Reference

Here you can find links for the source codes.

Tizen kernel-common with IMA/EVM:
git clone https://review.tizen.org/gerrit/profile/common/kernel-common
branch: sandbox/jkozerski/ima-evm
gitweb

Mainline kernel - kernel.org - Dmitry Kasatkin branches
branch: ima-control-experimental

ima-evm-utils:
git clone https://review.tizen.org/gerrit/platform/upstream/ima-evm-utils
branch: tizen
gitweb

ima-evm-reference-utils
git clone https://review.tizen.org/gerrit/platform/core/security/ima-evm-reference-utils
branch: tizen
gitweb