Extended Verification Module (EVM)

This post (actually a presentation) is about a paper written by David Safford and Mimi Zohar at IBM on Trusted Linux Client (TLC). I am more interested in EVM, so after a brief introduction to TLC I will jump to EVM.

1. Trusted Linux Client:

  • The main goals are:
    • To protect desktop and mobile Linux clients from on-line and off-line attacks
    • To be transparent to the user
  • Major Components
    • Trusted Boot
    • Grub
    • TPM
  • Integrity Measurement
    • EVM (going to concentrate more on this)
  • Integrity Protection
    • SLIM
  • Integrity Attestation
    • Integrity Measurement Architecture
  • Security Domains
    • PUID – Persistent User ID
    • Unionfs – stacked, copy-on-write, sandbox (Stony Brook)
    • Per-process filesystem namespaces

2. Extended Verification Module

  • Purpose
    • Used to verify all files
    • Including executables and non-executables
    • Whether they are authentic and unmodified, current, and not known to be malicious
    • Trust finding
  • Working
    • Use extended file attributes to store authenticated file metadata
      • File data hash
      • Mandatory access control labels
      • Metadata integrity Key Hashed Message Authentication Control (HMAC)
    • Use a TPM-based symmetric kernel key to HMAC these attributes
    • Verify a file once at open/execute, and cache the verification (advantage over previous methods)
    • “Heavy lifting” is done at install time; runtime is just the file hash and HMAC
    • Extensible, policy-based definition of attributes and actions (point not clear to me: which policy is used?)
  • EVM Extended Attributes
    • security.evm.hash: hash of file data (from signed rpm)
    • security.evm.hmac: hmac-sha1 of security.* attributes
    • security.evm.packager: signer of package
    • security.evm.version: version of package
  • Operation
    • An executable is installed
    • It is verified using all verification methods listed in the EVM policy file
    • Result + hash + HMAC are stored in extended attributes
    • At run time, the kernel compares the verification attributes to the current policy
    • Action is taken accordingly
  • EVM for Non-Executables
    • The verification headers are stored in the file system, not in the ELF binary (as in the case of DigSig)
    • So it can be used for any type of file
    • Executables are checked at run time, while other files are checked at open time
    • Rules for a file can restrict its mode (R, W)
  • Advantage over previous Methods
    • DigSig stores verification headers in ELF (Extensible Linking format), which restricts it to executables only; EVM uses file system extended attributes, making it suitable for all kinds of files
    • The disadvantage of public-key signature verification has been removed through caching
  • Known Issues
    • Extended attributes are not available on all file systems
    • Problems occurred due to prelink (I honestly don't know what it is; I think it's a tool that modifies the executable for faster performance, hence the hash changes)
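To make the install-time / run-time split and the role of the keyed HMAC concrete, here is an added simulation of the "Working" and "Operation" flow above. It is not the kernel's EVM code or anything from the paper: the xattrs are an in-memory dict, the TPM-sealed kernel key is a constructed byte string, the file hash is MD5 (matching the 32-hex value in the runtime output below) and the HMAC is hmac-sha1 over the security.* attributes; the attribute encoding and the return strings are my own assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for the TPM-sealed symmetric kernel key (not a real key).
KERNEL_KEY = b"constructed-kernel-hmac-key"

def file_hash(data: bytes) -> str:
    """security.evm.hash: digest of the file contents (MD5, as in the post's output)."""
    return hashlib.md5(data).hexdigest()

def calc_hmac(xattrs: dict) -> str:
    """security.evm.hmac: hmac-sha1 over every security.* attribute except the HMAC itself."""
    mac = hmac.new(KERNEL_KEY, digestmod=hashlib.sha1)
    for name in sorted(xattrs):  # sorted so the MAC is deterministic (assumed encoding)
        if name.startswith("security.") and name != "security.evm.hmac":
            mac.update(name.encode() + b"\0" + xattrs[name].encode() + b"\0")
    return mac.hexdigest()

def install(data: bytes, packager: str, version: str) -> dict:
    """Install-time 'heavy lifting': hash the file, record package metadata, MAC the set."""
    xattrs = {
        "security.evm.hash": file_hash(data),
        "security.evm.packager": packager,
        "security.evm.version": version,
    }
    xattrs["security.evm.hmac"] = calc_hmac(xattrs)
    return xattrs

def verify_open(data: bytes, xattrs: dict) -> str:
    """Run-time check at open/exec: HMAC first (were the xattrs written by the key holder?),
    and only then compare the stored hash against the current file data."""
    if not hmac.compare_digest(xattrs.get("security.evm.hmac", ""), calc_hmac(xattrs)):
        return "hmac-failed"
    if xattrs["security.evm.hash"] != file_hash(data):
        return "hash-mismatch"
    return "ok"

def demo() -> tuple:
    """Untouched file; data changed (as prelink would cause); data and hash xattr rewritten without the key."""
    original = b"constructed sample executable bytes"
    xattrs = install(original, "Red Hat, Inc.", "1.0")
    untouched = verify_open(original, xattrs)
    modified = original + b"\x90"              # file data changed, xattrs left alone
    changed_data = verify_open(modified, xattrs)
    rewritten = dict(xattrs)                   # hash xattr updated to match, HMAC not recomputable
    rewritten["security.evm.hash"] = file_hash(modified)
    rewritten_xattr = verify_open(modified, rewritten)
    return untouched, changed_data, rewritten_xattr
```

The third case is the point of the HMAC: without the kernel key, an updated security.evm.hash cannot be made to pass, so a consistent-looking hash xattr is still detected.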

3. SLIM:

  • For integrity protection
  • Built upon the Caernarvon and LOMAC models
  • Gives trusted file authority to files verified by EVM
  • All files are labeled with system.level

4. Runtime Output

  • Attributes of "/bin/ping":

[root@localhost safford]# getfattr -d -m "^security" /bin/ping
security.evm.packager="\\1\265ARed Hat,  Inc. <http://bugzilla.redhat.com/bugzilla>"
evm_calc_hmac: ping - security.evm.hash included
evm_verify_xattr: verification of security.evm.hmac succeeded
evm_inode_permission: ‘ping’ HMAC verification succeeeded
evm_inode_permission: ‘ping’ HMAC verify xattr
evm_inode_permission: security.evm.hash is d6a4d94fb694cffd2847acf40dbc6485
evm_inode_permission: security.evm.hash succeeded
evm_analyze_cacheinfo success
