From: Mike Tancsa
To: "R. B. Riddick", Poul-Henning Kamp
Cc: freebsd-security@freebsd.org
Date: Tue, 11 Jul 2006 16:57:55 -0400
Subject: Re: Integrity checking NANOBSD images
Message-Id: <6.2.3.4.0.20060711165223.04bce500@64.7.153.2>
In-Reply-To: <20060711204521.80198.qmail@web30304.mail.mud.yahoo.com>

At 04:45 PM 11/07/2006, R. B. Riddick wrote:
> --- Poul-Henning Kamp wrote:
> > Arming a trojan to just do 'sleep 145 ; echo "sha256 = 0248482..."'
> > when you think you're running sha256 would be trivial.
>
> But what if the trojan copies its files to the RAM disc and waits for this
> sha256 binary showing up? And then, when it is there, it removes its
> changes on the hard disc (those changes certainly must be in unused
> (formerly zeroed) areas of the hard disc or in the (zeroed) end of certain
> shell scripts... Or do I miss something?

Yes, sounds possible. Between checks, "undo" the trojan. However, the binary
would have to live somewhere on the flash or it would not survive reboots,
and you would have to tinker with the bootup process to load the trojan at
boot time.

> Wasn't it usual some years ago to switch the boot disc hardware to "read only"
> mode? I don't know how to do that, but my source seemed to be trustworthy
> (although I never saw him - I just heard his voice...)... ;-))
>
> A switch like on those 1.44'' floppy discs would be good...
> But then software/OS updates would require physical access to the box...

For this app, the problem is that there might indeed be physical tampering
with the box despite some reasonable efforts to lock it up.
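The thread makes two defender-relevant points: a sha256 run on the box itself can be faked by whatever already owns the box, and a trojan that hides in formerly zeroed slack space can "undo" itself between checks. The check below is an added example, not code from this thread or from NanoBSD: it assumes the image (or slice) has been dumped out of band onto a trusted host, that a reference digest was recorded at build time, and that the layout (a used region followed by zero padding, `USED_LEN`) is known. The image bytes, `USED_LEN` and all helper names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample "image": a used region followed by zero padding, standing in
# for the unused (formerly zeroed) part of a slice. Layout is hypothetical.
USED_LEN = 64
IMAGE_LEN = 128
GOOD_IMAGE = bytes(range(USED_LEN)) + b"\x00" * (IMAGE_LEN - USED_LEN)


def sha256_hex(data: bytes) -> str:
    """Digest computed on the trusted host, never by a binary on the checked box."""
    return hashlib.sha256(data).hexdigest()


# Reference digest that would be recorded at build time and kept off the box.
EXPECTED_DIGEST = sha256_hex(GOOD_IMAGE)


def nonzero_runs(data: bytes, start: int):
    """Return (offset, length) runs of non-zero bytes in data[start:].

    Anything non-zero in a region that was zeroed at build time is a finding,
    even if the used region still matches its digest.
    """
    runs = []
    run_start = None
    for i in range(start, len(data)):
        if data[i] != 0:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            runs.append((run_start, i - run_start))
            run_start = None
    if run_start is not None:
        runs.append((run_start, len(data) - run_start))
    return runs


def verify_image(image: bytes, expected_digest: str, used_len: int) -> dict:
    """Verify a whole-slice dump against the build-time digest and zeroed slack."""
    digest = sha256_hex(image)
    runs = nonzero_runs(image, used_len)
    return {
        "digest_ok": hmac.compare_digest(digest, expected_digest),
        "slack_ok": not runs,
        "slack_runs": runs,
    }


def tampered_image() -> bytes:
    """Constructed tampered copy: four bytes parked in the zeroed slack area."""
    buf = bytearray(GOOD_IMAGE)
    buf[100:104] = b"evil"
    return bytes(buf)


if __name__ == "__main__":
    print("clean   :", verify_image(GOOD_IMAGE, EXPECTED_DIGEST, USED_LEN))
    print("tampered:", verify_image(tampered_image(), EXPECTED_DIGEST, USED_LEN))
```

Both findings matter separately: the digest mismatch says the slice changed, and the slack report says where, which is exactly the region a trojan would use if it restores the visible files before each on-box check.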