
Re: Debian auditing tool?

On 00-12-21 Peter Cordes wrote:
> On Thu, Dec 21, 2000 at 03:37:56PM +0100, Christian Kurz wrote:
> > On 00-12-21 Dan Hutchinson wrote:
> > > Sorry it was forensics, but the code is basically matching the machine
> > > code, a unique pattern of 1's and 0's to the machine code of the kernel.
> > 
> > Well, but then you need to know all patterns of malicious code that could
> > occur. I think this will be a lot of patterns that you have to search
> > for, so that the search will take a long time.
> > 
> > > Unless you have a kernel file that doesn't have 1's and 0's in machine
> > > language, you can scan the code.  I am not sure how ASM code is written
> > > though.
> > 
> > Well, ASM (assembler) also comes down to 1's and 0's if you think about the
> > machine code that is used by the processor. I thought you wanted to scan
> > the code that you find beneath /usr/src/linux.

>  You have to search the binary kernel image.  If you just scan the source,
> you have no way of knowing that the binary came from the source.  Someone
> could hack the binary without changing the source.  If there are any
> commonly-made changes to the binary, then you could look for them.

Agreed, but then you have to scan the modules as well, as someone could
change a module too or add one.

>  It will be hard to do, and impossible to do perfectly.  The Right Way is to
> keep a hash of your kernel binary so you know if it changes.  BTW, md5 has
> not been broken, AFAIK, so there is no currently known way to change a
> binary without changing its MD5 hash, except trial and error, which would
> take a lot more _years_ than anyone would want to wait!  You expressed doubt
> about this earlier.  Rest assured that no real breaks in MD5 have been made
> public.  (The NSA might have something, but they don't publish.)  The md5sum
> manpage notes:
>        The related MD4 message digest  algorithm  was  broken  in
>        October  1995.  MD5 isn't looking as secure as it used to.

I just looked again in Schneier to reread the paragraph about MD5.
And if you use the compression function in MD5, you can produce collisions,
as den Boer and Bosselaers proved. So, you should be careful about
the usage of MD5 as a digest algorithm, because a "basic design
principle [of MD5] - to design a collision-resistant function - has
been violated". So I would be very careful about the usage of this

          Debian Developer and Quality Assurance Team Member
    1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853

Attachment: pgpw3wfkQF4aJ.pgp
Description: PGP signature

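The "keep a hash of your kernel binary" approach Peter recommends, extended to the modules Christian says must be covered too, as an added example that is not code from this thread or from any Debian tool. It records a digest of every regular file under the kernel and module directories and later reports what was modified, added or removed. It uses SHA-256 rather than the MD5 the thread discusses: practical MD5 collisions were published in 2004, so MD5 no longer gives the collision resistance Christian worried about. The directory layout, file names and contents in demo() are constructed stand-ins for /boot and /lib/modules, not a real system.

```python
"""Manifest-based integrity check for a kernel image and its modules.

Added example, not code from the thread.  Digests use SHA-256; the thread
discussed MD5, which has had practical collisions since 2004.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a large image is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths):
    """Map every regular file under the given files/directories to its digest.

    Directories are walked recursively, so pointing this at /boot and
    /lib/modules/<version> covers the image, System.map and every module,
    and a module dropped in later shows up as 'added' rather than going unseen.
    """
    manifest = {}
    for top in paths:
        top = Path(top)
        files = [top] if top.is_file() else (p for p in top.rglob("*") if p.is_file())
        for p in files:
            manifest[str(p)] = sha256_of(p)
    return manifest


def verify(manifest, paths):
    """Compare a stored manifest with the current tree and report every difference."""
    current = build_manifest(paths)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }


def demo():
    """Constructed scenario: a temp dir standing in for /boot and /lib/modules/2.2.17."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        boot = root / "boot"
        modules = root / "lib" / "modules" / "2.2.17"
        net = modules / "net"
        boot.mkdir()
        net.mkdir(parents=True)
        kernel = boot / "vmlinuz-2.2.17"
        sysmap = boot / "System.map-2.2.17"
        kernel.write_bytes(b"\x7fELF constructed kernel image")       # constructed content
        sysmap.write_bytes(b"c0100000 T _stext\n")                    # constructed content
        (net / "ne2k-pci.o").write_bytes(b"constructed 2.2-era module")  # modules were .o then

        watched = [boot, modules]
        baseline = build_manifest(watched)
        clean = verify(baseline, watched)

        # Simulate an attacker: patch the image, add a module, delete the symbol map.
        kernel.write_bytes(b"\x7fELF constructed kernel image + backdoor")
        (net / "rootkit.o").write_bytes(b"constructed added module")
        sysmap.unlink()
        tampered = verify(baseline, watched)

        def rel(keys):
            return [Path(k).relative_to(root).as_posix() for k in keys]

        return {
            "clean": all(v == [] for v in clean.values()),
            "modified": rel(tampered["modified"]),
            "added": rel(tampered["added"]),
            "missing": rel(tampered["missing"]),
        }


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the manifest's own integrity: an attacker who can rewrite vmlinuz can rewrite a manifest sitting on the same disk, so store it on read-only media or sign it with a key that is not on the box, and run the verifier from a boot you trust rather than from the possibly compromised kernel.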