[TOOL] Secure On-the-Fly File Integrity Checker

From: support@securiteam.com
To: list@securiteam.com
Date: Sun,  6 Oct 2002 19:13:38 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Secure On-the-Fly File Integrity Checker


"SOFFIC should be able to intercept any request for read or execution of a
file and, after checking the file integrity, it should be able to permit
or deny the requested operation."

To assure the effectiveness of SOFFIC, some self-protection mechanisms
must be used on each of its components, and the minimum desired security
requirements are defined based on the following statement: "SOFFIC must
NOT trust the ROOT account, not all the time". This is easily justified by
the fact that most of the vulnerabilities exploited by malicious agents
either give them root privileges directly or, at least, take them halfway
there. It should be noted that, if the root account were completely
secure, the standard security mechanisms of the Linux kernel would be
sufficient to assure the integrity of important files and the SOFFIC
project would be worthless.

Since SOFFIC is, basically, a patch to the Linux kernel, the majority of
its components reside in the kernel and are therefore exposed to the same
vulnerabilities as the kernel itself. The most noteworthy is any
vulnerability that allows modification of the kernel image or kernel
memory: with it, a malicious agent could compromise the behavior of the
whole system, from the SOFFIC components to the kernel subsystems.
Although security is our main concern, performance issues are also taken
into account.

Considering each of the points exposed above, SOFFIC should accomplish its
goals while enforcing its own security and maintaining acceptable
performance.
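To make the intercept, check, permit-or-deny cycle concrete, here is an added user-space model of that check (my own example, not the SOFFIC kernel code): a baseline of SHA-256 digests is recorded for the protected files, and every simulated read/exec request recomputes the digest and is denied on mismatch. The baseline format, the deny-by-default policy for files absent from the baseline, and the sample file are assumptions.

```python
import hashlib
import os
import tempfile

# Constructed model of the SOFFIC decision, not the kernel patch itself.
# Baseline: absolute path -> SHA-256 hex digest taken while the file is trusted.

def sha256_of(path):
    """Digest a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    return {os.path.abspath(p): sha256_of(p) for p in paths}

def check_access(path, baseline, unknown_policy="deny"):
    """Model of the hook run on each read/exec request.
    Returns (allowed, reason). Files not in the baseline are denied unless the
    caller opts into unknown_policy="allow" (assumed policy, not SOFFIC's)."""
    path = os.path.abspath(path)
    expected = baseline.get(path)
    if expected is None:
        return (unknown_policy == "allow", "not in baseline")
    try:
        actual = sha256_of(path)
    except OSError as e:
        return (False, "unreadable: %s" % e.strerror)
    if actual != expected:
        return (False, "digest mismatch")   # the file was modified after baselining
    return (True, "digest ok")

def demo():
    """Baseline a script, tamper with it, and show the decision flip.
    Returns (allowed_before, allowed_after, allowed_unknown)."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "tool.sh")
        with open(script, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        baseline = build_baseline([script])
        before = check_access(script, baseline)
        with open(script, "a") as f:          # simulated modification by any account
            f.write("echo tampered\n")
        after = check_access(script, baseline)
        unknown = check_access(os.path.join(d, "never-baselined.sh"), baseline)
        return (before[0], after[0], unknown[0])
```

A real in-kernel implementation would have to cache per-inode results and invalidate them on write to keep the performance cost the draft mentions acceptable; this model recomputes the digest on every request.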


The SOFFIC Project (draft) can be downloaded from:

The tool can be downloaded from:


