Re: Root Kit Protection
On Wed, Feb 16, 2000 at 08:16:05PM -0900, Ethan Benson wrote:
> the md5sum database MUST be either 1) on immutable media (write
> protected floppy, or CDROM) or 2) cryptographically signed with
> GPG/PGP. the former is impossible to automate really since it
> requires the user to make hardware modifications to save the
> immutable database.
You must also be sure that open() returns the right file. Imagine a
root kit that stores the original files in a hidden directory. If you
open() the file, the tampered kernel would simply return the hidden
original file. On exec() it would exec the modified version.
To deal with this, I wrote an md5sum program that opens the device directly
and reads the files without the help of the kernel (strace shows:
open("/dev/sda1", O_RDONLY) and a lot of lseek() and read()). It works
on ext2fs only and is still in development. It works for me(tm).
If someone is interested, I can make the source available (it's GPL,
of course).
> Ethan Benson
Michael Vogt
--
GPG Fingerprint = EA71 B296 4597 4D8B 343E 821E 9624 83E1 5662 C734
/"\ o
\ / ASCII RIBBON CAMPAIGN /|\
X AGAINST HTML MAIL >>
/ \ o
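The technique Michael describes, resolving the path and reading the file by walking the ext2 on-disk structures with nothing but seek()/read() on the device node, so the kernel never gets to redirect an open() of /bin/ls, as an added Python example. This is not Michael's program and not code from the thread: the class and function names (Ext2Reader, md5_from_device, build_sample_image) are this example's own, the 12-block ext2 image and the /bin/ls body are constructed here so it runs offline, and it handles direct and singly indirect blocks only (no doubly/triply indirect blocks, no ext3/ext4 features).

```python
"""MD5 a file by reading the ext2 block device directly (seek/read only),
bypassing the kernel's path lookup. Added example; direct + singly indirect
blocks only, revision 0/1 superblocks, 32-bit sizes."""
import hashlib
import io
import struct

EXT2_SUPER_MAGIC = 0xEF53
ROOT_INO = 2


class Ext2Reader:
    """Read-only ext2 walker driven purely by seek()/read() on an open device."""

    def __init__(self, dev):
        self.dev = dev
        sb = self._read(1024, 1024)                       # superblock sits at byte 1024
        if struct.unpack_from("<H", sb, 56)[0] != EXT2_SUPER_MAGIC:
            raise ValueError("not an ext2 filesystem")
        first_data_block, = struct.unpack_from("<I", sb, 20)
        log_block_size, = struct.unpack_from("<I", sb, 24)
        self.inodes_per_group, = struct.unpack_from("<I", sb, 40)
        rev_level, = struct.unpack_from("<I", sb, 76)
        self.bs = 1024 << log_block_size
        self.inode_size = struct.unpack_from("<H", sb, 88)[0] if rev_level >= 1 else 128
        self.gdt_offset = (first_data_block + 1) * self.bs  # group descriptor table

    def _read(self, offset, length):                       # the lseek()/read() pair strace shows
        self.dev.seek(offset)
        return self.dev.read(length)

    def _block(self, n):
        return self._read(n * self.bs, self.bs)

    def _inode(self, ino):
        group, index = divmod(ino - 1, self.inodes_per_group)
        gd = self._read(self.gdt_offset + group * 32, 32)
        inode_table, = struct.unpack_from("<I", gd, 8)    # bg_inode_table
        raw = self._read(inode_table * self.bs + index * self.inode_size, self.inode_size)
        size, = struct.unpack_from("<I", raw, 4)           # i_size (low 32 bits)
        return size, struct.unpack_from("<15I", raw, 40)   # i_block[15]

    def _data_blocks(self, blocks):
        yield from blocks[:12]                             # 12 direct blocks
        if blocks[12]:                                     # singly indirect block
            yield from struct.unpack("<%dI" % (self.bs // 4), self._block(blocks[12]))

    def read_inode(self, ino):
        size, blocks = self._inode(ino)
        out = bytearray()
        for b in self._data_blocks(blocks):
            if len(out) >= size:
                break
            out += self._block(b) if b else bytes(self.bs)  # block 0 = sparse hole
        return bytes(out[:size])

    def lookup(self, path):
        """Resolve an absolute path inside the filesystem by scanning directory entries."""
        ino = ROOT_INO
        for name in path.encode().split(b"/"):
            if not name:
                continue
            data, pos, nxt = self.read_inode(ino), 0, None
            while pos + 8 <= len(data):
                ent_ino, rec_len, name_len = struct.unpack_from("<IHB", data, pos)
                if rec_len < 8:
                    break
                if ent_ino and data[pos + 8:pos + 8 + name_len] == name:
                    nxt = ent_ino
                    break
                pos += rec_len
            if nxt is None:
                raise FileNotFoundError(path)
            ino = nxt
        return ino

    def read_path(self, path):
        return self.read_inode(self.lookup(path))

    def md5_path(self, path):
        return hashlib.md5(self.read_path(path)).hexdigest()


def md5_from_device(device_path, file_path):
    """Real use (as root): md5_from_device("/dev/sda1", "/bin/ls"); path is relative to that fs."""
    with open(device_path, "rb") as dev:
        return Ext2Reader(dev).md5_path(file_path)


# Constructed sample input: a 12-block ext2 image (1 KiB blocks, one group) holding /bin/ls.
SAMPLE_LS = b"ELF-ish sample body line\n" * 60              # 1500 bytes, spans two blocks
SAMPLE_MD5 = hashlib.md5(SAMPLE_LS).hexdigest()             # reference hash, computed normally


def build_sample_image():
    bs, inode_size, ipg = 1024, 128, 16
    img = bytearray(bs * 12)
    for off, fmt, val in ((0, "<I", ipg), (4, "<I", 12), (20, "<I", 1), (24, "<I", 0),
                          (32, "<I", 8192), (40, "<I", ipg), (56, "<H", EXT2_SUPER_MAGIC),
                          (76, "<I", 1), (88, "<H", inode_size)):
        struct.pack_into(fmt, img, 1024 + off, val)        # superblock fields
    struct.pack_into("<III", img, 2 * bs, 3, 4, 5)         # group desc 0: bitmaps 3,4; inode table 5

    def put_inode(ino, mode, size, blocks):
        off = 5 * bs + (ino - 1) * inode_size
        struct.pack_into("<HHI", img, off, mode, 0, size)  # i_mode, i_uid, i_size
        struct.pack_into("<15I", img, off + 40, *(tuple(blocks) + (0,) * (15 - len(blocks))))

    def dirent(ino, name, rec_len):
        return struct.pack("<IHBB", ino, rec_len, len(name), 0) + name + bytes(rec_len - 8 - len(name))

    img[7 * bs:8 * bs] = dirent(2, b".", 12) + dirent(2, b"..", 12) + dirent(11, b"bin", bs - 24)
    put_inode(2, 0o040755, bs, [7])                        # / (inode 2) -> block 7
    img[8 * bs:9 * bs] = dirent(11, b".", 12) + dirent(2, b"..", 12) + dirent(12, b"ls", bs - 24)
    put_inode(11, 0o040755, bs, [8])                       # /bin (inode 11) -> block 8
    img[9 * bs:9 * bs + len(SAMPLE_LS)] = SAMPLE_LS
    put_inode(12, 0o100755, len(SAMPLE_LS), [9, 10])       # /bin/ls (inode 12) -> blocks 9,10
    return bytes(img)


def sample_reader():
    return Ext2Reader(io.BytesIO(build_sample_image()))


if __name__ == "__main__":
    print(sample_reader().md5_path("/bin/ls") == SAMPLE_MD5)
```

Two caveats worth keeping in mind with this approach: the digest is only as trustworthy as the binary computing it and the device node it opens, so the checker itself belongs on the immutable media discussed above; and a kernel module that already lies about open() can equally well intercept reads of /dev/sda1, so raw device access raises the cost for the attacker rather than closing the hole entirely.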