Re: Integrity checking NANOBSD images
- From: "R. B. Rid***" <arne_woerner@xxxxxxxxx>
- Date: Tue, 11 Jul 2006 14:08:55 -0700 (PDT)
--- Mike Tancsa <mike@xxxxxxxxxx> wrote:
> > But what if the trojan copies its files to the RAM disc and waits for this
> > sha256 binary showing up? And then, when it is there, it removes its
> > changes on the hard disc (those changes certainly must be in unused
> > (formerly zeroed) areas of the hard disc or in the (zeroed) end of
> > certain shell scripts)... Or do I miss something?
>
> Yes, sounds possible. Between checks, "undo" the trojan. However,
> the binary would have to live somewhere on the flash or it would not
> survive reboots and you would have to tinker with the bootup process
> to load the trojan at boot time.

Yes, that is what I mean with "unused" areas... I think many scripts in
/etc/rc.d have some space in their end, that is zeroed and unused... So you
just have to record their original size... Then you add some trojan software
stuff in some start shell script function and you are done (of course those
changes must be made after the checksum procedure is over...; and must be
undone before every checksum procedure)...

Maybe we should try to make the box physically safer... By a sabotage
detection unit... Infrared scanner or ultra-sound movement scanner or so...
-Arne
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
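
An added example, not part of the original message or of NanoBSD: a slack-space audit for the hiding places the message describes, meant to be run on a raw copy of the flash read from outside the running system, since the scenario above has the changes undone before every on-box checksum. The flat block-aligned layout, the `BLOCK` size, the build-time manifest of (name, offset, size) and the sample image are all assumptions constructed for illustration.

```python
from typing import List, Tuple

BLOCK = 512  # assumed allocation unit of the constructed image

def nonzero_runs(buf: bytes, base: int) -> List[Tuple[int, int]]:
    """Return (absolute_offset, length) for each run of non-zero bytes."""
    runs, start = [], None
    for i, b in enumerate(buf):
        if b and start is None:
            start = i
        elif not b and start is not None:
            runs.append((base + start, i - start))
            start = None
    if start is not None:
        runs.append((base + start, len(buf) - start))
    return runs

def audit_slack(image: bytes, manifest) -> List[Tuple[str, int, int]]:
    """manifest: (name, offset, size) tuples recorded when the image was built.
    Flags non-zero bytes past each file's recorded size (the zeroed tail of
    its last block) and in regions no file was allocated to."""
    findings, cursor = [], 0
    for name, off, size in sorted(manifest, key=lambda m: m[1]):
        # Region between the previous file's last block and this file.
        for o, n in nonzero_runs(image[cursor:off], cursor):
            findings.append(("unallocated", o, n))
        end = off + size
        alloc_end = off + -(-size // BLOCK) * BLOCK  # round up to block
        # Tail of the last block: must still be zero if untouched.
        for o, n in nonzero_runs(image[end:alloc_end], end):
            findings.append((f"tail:{name}", o, n))
        cursor = alloc_end
    for o, n in nonzero_runs(image[cursor:], cursor):
        findings.append(("unallocated", o, n))
    return findings

def build_sample():
    """Constructed 4-block image holding one short rc.d-style script."""
    img = bytearray(4 * BLOCK)
    script = b"#!/bin/sh\nname=demo\n"
    img[0:len(script)] = script
    return img, [("etc/rc.d/demo", 0, len(script))]

if __name__ == "__main__":
    img, manifest = build_sample()
    img[300:306] = b"MARKER"  # constructed stand-in for appended data
    for kind, off, length in audit_slack(bytes(img), manifest):
        print(f"{kind}: {length} non-zero bytes at offset {off}")
```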