From: "R. B. Riddick" <arne_woerner@yahoo.com>
To: Mike Tancsa, Poul-Henning Kamp
Cc: freebsd-security@freebsd.org
Date: Tue, 11 Jul 2006 14:08:55 -0700 (PDT)
Subject: Re: Integrity checking NANOBSD images
Message-ID: <20060711210855.970.qmail@web30303.mail.mud.yahoo.com>
In-Reply-To: <6.2.3.4.0.20060711165223.04bce500@64.7.153.2>

--- Mike Tancsa wrote:
> >But what if the trojan copies its files to the RAM disc and waits for this
> >sha256 binary showing up?
> >And then, when it is there, it removes its changes on the hard disc (those
> >changes certainly must be in unused (formerly zeroed) areas of the hard disc
> >or in the (zeroed) end of certain shell scripts... Or do I miss something?
>
> Yes, sounds possible. Between checks, "undo" the trojan. However,
> the binary would have to live somewhere on the flash or it would not
> survive reboots and you would have to tinker with the bootup process
> to load the trojan at boot time.

Yes, that is what I mean by "unused" areas... I think many scripts in
/etc/rc.d have some space at their end that is zeroed and unused... So you
just have to record their original size... Then you add some trojan software
stuff in some start shell script function and you are done (of course those
changes must be made after the check sum procedure is over... and must be
undone before every check sum procedure)...

Maybe we should try to make the box physically safer... By a sabotage
detection unit... Infrared scanner or ultra-sound movement scanner or so...

-Arne
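An added example, not from this thread or from NanoBSD, of the check the message calls for: record each script's original size and hash, then verify not only the recorded bytes but also that the formerly zeroed tail behind them is still zero, and hash the raw image as a whole so unused areas are covered. The fixed-size slot layout, the script names and the tamper case are constructed assumptions.

```python
import hashlib

SLOT = 256  # assumed fixed-size slot per script in the constructed image

# Constructed sample scripts standing in for /etc/rc.d entries (not real FreeBSD files)
SCRIPTS = {
    "rc.d/sshd": b"#!/bin/sh\nsshd_start() { /usr/sbin/sshd; }\nsshd_start\n",
    "rc.d/cron": b"#!/bin/sh\ncron_start() { /usr/sbin/cron; }\ncron_start\n",
}

def build_image(scripts):
    """Lay each script out in a zero-padded slot; record offset, original size and sha256."""
    image = bytearray()
    manifest = {}
    for name, body in scripts.items():
        manifest[name] = (len(image), len(body), hashlib.sha256(body).hexdigest())
        image += body.ljust(SLOT, b"\0")
    return bytes(image), manifest

def verify(image, manifest):
    """Check each script's recorded bytes AND that the formerly zeroed tail is still zero.
    Returns a list of (name, finding) tuples; an empty list means clean."""
    findings = []
    for name, (off, size, digest) in manifest.items():
        if hashlib.sha256(image[off:off + size]).hexdigest() != digest:
            findings.append((name, "hash-mismatch"))
        if image[off + size:off + SLOT].strip(b"\0"):
            findings.append((name, "data-in-zeroed-tail"))
    return findings

def whole_image_digest(image):
    """Hash of the raw image: covers unused areas too, unlike a per-file checksum."""
    return hashlib.sha256(image).hexdigest()

def append_to_tail(image, manifest, name, extra):
    """Constructed tamper case for testing: bytes land in a script's zeroed tail
    while the recorded range is untouched, so a hash of that range alone passes."""
    off, size, _ = manifest[name]
    return image[:off + size] + extra.ljust(SLOT - size, b"\0") + image[off + SLOT:]

if __name__ == "__main__":
    image, manifest = build_image(SCRIPTS)
    print(verify(image, manifest))           # []
    tampered = append_to_tail(image, manifest, "rc.d/sshd", b"\n# extra\n")
    print(verify(tampered, manifest))        # [('rc.d/sshd', 'data-in-zeroed-tail')]
    print(whole_image_digest(image) != whole_image_digest(tampered))  # True
```

The tail check only helps while the checker runs from outside the box (for example over a copy of the flash taken offline), since the message's point is that code running on the box can undo its changes before any on-box check.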