Re: Debian audititing tool?

To: debian-security@lists.debian.org
Subject: Re: Debian audititing tool?
From: Peter Cordes <peter@llama.nslug.ns.ca>
Date: Thu, 21 Dec 2000 15:45:56 -0400
Message-id: <[🔎] 20001221154556.H3549@llama.nslug.ns.ca>
In-reply-to: <[🔎] 20001221153756.N27036@bofh.de>; from shorty@debian.org on Thu, Dec 21, 2000 at 03:37:56PM +0100
References: <[🔎] 20001221143248.WFTZ2581.mta10.onebox.com@onebox.com> <[🔎] 20001221153756.N27036@bofh.de>

On Thu, Dec 21, 2000 at 03:37:56PM +0100, Christian Kurz wrote:
> On 00-12-21 Dan Hutchinson wrote:
> > Sorry it was fornesics, but the code is basically matching the machine
> > code, a unique pattern of 1's and 0's to the machine code of the kernal.
> 
> Well, but then you need to know all patterns of malicous code that could
> occur. I think this will be a lot of patterns that you have to search
> for, so that the search will take a long time.
> 
> > Unless you have a kernal file that doesn't have 1's and 0's in machine
> > language, you can scan the code.  I am not sure how ASM code is written
> > thou.
> 
> Well, ASM (assembler) comes also down to 1 and 0 if you think about
> machine-code that is used by the processor. I thaught you wanted to scan
> the code that you find beneath /usr/src/linux.

 You have to search the binary kernel image.  If you just scan the source,
you have no way of knowing that the binary came from the source.  Someone
could hack the binary without changing the source.  If there are any
commonly-made changes to the binary, then you could look for them.

 It will be hard to do, and impossible to do perfectly.  The Right Way is to
keep a hash of your kernel binary so you know if it changes.  BTW, md5 has
not been broken, AFAIK, so there is no currently known way to change a
binary without changing its MD5 hash, except trial and error, which would
take a lot more _years_ than anyone would want to wait!  You expressed doubt
about this earlier.  Rest assured that no real breaks in MD5 have been made
public.  (The NSA might have something, but they don't publish.)  The md5sum
manpage notes:
       The related MD4 message digest  algorithm  was  broken  in
       October  1995.  MD5 isn't looking as secure as it used to.

 I think a signed database of stuff that's supposed to be in Debian, and a
decent way to make a bootable CD that downloads what it needs, and checks
what's on your drive, is a good start.  If the MD5 sum lists are signed, you
don't need to trust the server you download them from.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE

Reply to:

Follow-Ups:
- Re: Debian audititing tool?
  - From: Rene Mayrhofer <rene.mayrhofer@vianova.at>
- Re: Debian audititing tool?
  - From: Christian Kurz <shorty@debian.org>

References:
- Re: Debian audititing tool?
  - From: "Dan Hutchinson" <hutchinsond@zdnetonebox.com>
- Re: Debian audititing tool?
  - From: Christian Kurz <shorty@debian.org>

Prev by Date: Re: Debian audititing tool?
Next by Date: Re: Debian audititing tool?
Previous by thread: Re: Debian audititing tool?
Next by thread: Re: Debian audititing tool?
Index(es):
- Date
- Thread