Date: Thu, 15 Nov 2001 08:39:41 +0000
From: Colin Percival <colin.percival@wadham.ox.ac.uk>
To: Tobias Roth <roth@iamexwi.unibe.ch>, Stefan Probst <stefan.probst@opticom.v-nam.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Spoofing file information?
Message-ID: <5.0.2.1.1.20011115083248.0e8cd548@popserver.sfu.ca>
In-Reply-To: <20011115092433.A9120@roy.unibe.ch>
References: <5.1.0.14.2.20011115143223.04264050@MailServer> <5.1.0.14.2.20011115143223.04264050@MailServer>

At 09:24 15/11/2001 +0100, Tobias Roth wrote:
>So, if you use md5 to compare files, there are those two criteria for being
>sure that your files haven't been tampered with:
>
>1. the md5 binary has not been modified
>2. the checksums you made and to which you are comparing haven't been modified

Don't forget

3. you're running a kernel which is polite enough to pass the file to md5 intact

A compromised kernel can do anything it pleases, including keeping the
original copies of files around and passing them to any integrity-checking
code. I remember there were some viruses (back in the MS-DOS days) which
operated in this manner.

Colin Percival