On Mon, 20 Nov 2017, Mimi Zohar wrote:

On Mon, 2017-11-20 at 11:20 +0100, Patrick Ohly wrote:

quoted

On Mon, 2017-11-20 at 07:47 +1100, James Morris wrote:

quoted

On Fri, 17 Nov 2017, Roberto Sassu wrote:

quoted

LSMs are responsible to enforce a security policy at run-time,
while IMA/EVM protect data and metadata against offline attacks.

In my view, IMA can also protect against making an online attack?
persistent across boots, and that would be the most compelling use of
it?for many general purpose applications.

I do not quite buy that interpretation. If the online attack succeeds
in bypassing the run-time checks, for example with a full root exploit,
then he has pretty much the same capabilities to make persistent file
changes as during an offline attack.

In the face of a full root exploit, there is not much that one can do,
"other" than to detect it. ?This is why remote attestation is so
important.

Right, although the consensus seems to be that RA is essential rather than 
simply important.


-- 
James Morris
[off-list ref]