
Re: Root Kit Protection



On Wed, Feb 16, 2000 at 08:16:05PM -0900, Ethan Benson wrote:
> The md5sum database MUST be either 1) on immutable media (write
> protected floppy, or CDROM) or 2) cryptographically signed with
> GPG/PGP. The former is impossible to automate really since it
> requires the user to make hardware modifications to save the
> immutable database. 
You must also be sure that open() returns the right file. Imagine a
root kit that stores the original files in a hidden directory. If you 
open() the file, the tampered kernel would simply return the hidden 
original file. On exec() it would exec the modified version. 

To deal with this, I wrote an md5sum program that opens the device directly
and reads the files without the help of the kernel (strace shows: 
open("/dev/sda1", O_RDONLY) and a lot of lseek() and read()). It works 
on ext2fs only and is still in development. It works for me(tm).
If someone is interested, I can make the source available (it's GPL, 
of course).
 
> Ethan Benson
Michael Vogt
-- 
GPG Fingerprint = EA71 B296 4597 4D8B 343E  821E 9624 83E1 5662 C734
 /"\                                     o
 \ /     ASCII RIBBON CAMPAIGN          /|\
  X        AGAINST HTML MAIL             >>
 / \                                     o
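The direct-from-device check Michael describes, as an added example that is not his program or any code from this thread: a small Python reader that parses the ext2 superblock, group descriptor, inode table and directory entries itself, so the file path never goes through the kernel's open(). It assumes a rev-1 filesystem with file-type directory entries, does not follow symlinks, and covers files up to the single-indirect range; reading the device node is still a kernel read(), so a kernel that also lies at the block layer is outside what this catches.

```python
import hashlib, struct
def read_superblock(dev):
    """Parse the primary ext2 superblock (always at byte offset 1024)."""
    dev.seek(1024)
    sb = dev.read(1024)
    first_data, log_bs = struct.unpack_from("<II", sb, 20)
    ipg, = struct.unpack_from("<I", sb, 40)                  # inodes per group
    if struct.unpack_from("<H", sb, 56)[0] != 0xEF53:        # s_magic
        raise ValueError("no ext2 magic in superblock")
    isz = struct.unpack_from("<H", sb, 88)[0] or 128         # rev 0: fixed 128
    return {"bs": 1024 << log_bs, "gdt": first_data + 1, "ipg": ipg, "isz": isz}

def read_block(dev, sb, n):
    dev.seek(n * sb["bs"])
    return dev.read(sb["bs"]) if n else bytes(sb["bs"])      # pointer 0 = hole

def inode_data(dev, sb, ino):
    """Content of inode `ino` via its direct and single-indirect block pointers."""
    group, index = divmod(ino - 1, sb["ipg"])
    dev.seek(sb["gdt"] * sb["bs"] + group * 32 + 8)          # bg_inode_table
    itable, = struct.unpack("<I", dev.read(4))
    dev.seek(itable * sb["bs"] + index * sb["isz"])
    raw = dev.read(sb["isz"])
    size, = struct.unpack_from("<I", raw, 4)
    ptrs = struct.unpack_from("<15I", raw, 40)
    if ptrs[13] or ptrs[14]:                                 # file > 12 + bs/4 blocks
        raise NotImplementedError("double/triple indirect blocks not handled")
    blocks = list(ptrs[:12])
    if ptrs[12]:
        blocks += struct.unpack("<%dI" % (sb["bs"] // 4), read_block(dev, sb, ptrs[12]))
    return b"".join(read_block(dev, sb, b) for b in blocks[:(size + sb["bs"] - 1) // sb["bs"]])[:size]

def lookup(dev, sb, path):
    ino = 2                                                  # root directory inode
    for name in path.strip("/").split("/"):                  # walk raw dir entries
        ent, off, nxt = inode_data(dev, sb, ino), 0, None
        while off < len(ent) and nxt is None:
            e_ino, rec_len, name_len = struct.unpack_from("<IHB", ent, off)
            if e_ino and ent[off + 8:off + 8 + name_len] == name.encode():
                nxt = e_ino
            off += rec_len or len(ent)             # zero rec_len would loop forever
        if nxt is None:
            raise FileNotFoundError(path)
        ino = nxt
    return ino

def md5_via_device(dev_path, file_path):
    """Hash a file by reading the block device, bypassing the kernel's open()."""
    with open(dev_path, "rb") as dev:
        sb = read_superblock(dev)
        return hashlib.md5(inode_data(dev, sb, lookup(dev, sb, file_path))).hexdigest()
```

Run it as `md5_via_device("/dev/sda1", "/bin/ls")` with read access to the device node and compare the digest with one taken through a normal open() of the same path; a mismatch is exactly the open()/exec() substitution described above.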