Linux Security Summit Europe 2020

This presentation investigates the resilience of IMA against malicious block devices. While it is not too surprising that all hope is lost if the hardware betrays you, we note that reprogramming hard-disk controllers is still relatively easy and the results may surprise some who sought to protect their machines with IMA. We find that users, in particular in the domain of critical infrastructure, may be susceptible in ways they have not considered. In this presentation, we demonstrate that the security guarantees of IMA can be undermined by way of a specially-crafted malicious block device, which delivers different data depending on whether the block has already been accessed. We extensively analyse the conditions which allow the attack to be launched and discuss how the attack affects certain use cases of IMA and discuss potential mitigations.