Re: Possibility to cheat integrity checking?
From: Greg Hoglund (hoglund@cenzic.com)
Date: 03/13/02
Date: Wed, 13 Mar 2002 11:15:29 -0800 (Pacific Standard Time)
From: Greg Hoglund <hoglund@cenzic.com>
To: Holger Reichert <holger.reichert@holysword.de>

It is possible to circumvent a file-integrity management tool by inserting
code in the kernel of the computer. The kernel supports all of the system
services that the said file-management tool would use to query information
about the filesystem. Thus, the kernel components can be modified to
expose false data to the management tool. This has been demonstrated in
the wild on both NT and unix platforms using a technology called a
'rootkit'. In any case, if you want a 'trusted' calculation of file
hashes you will need to perform the calculation 'offline' - in that you
would take the said filesystem and mount it under a trusted environment,
perform the hashing operation there, and perhaps return the filesystem
back to its native environment. There are disk-duplication devices out
there that may make this easier. Fundamentally, if you suspect a target
operating-environment has been compromised, you cannot trust the said
operating environment at all so you must perform the calculations
elsewhere or in a location that is clean and trusted.
-Greg Hoglund
Cenzic, Inc.
http://www.cenzic.com
On Wed, 13 Mar 2002, Holger Reichert wrote:
> Hello List,
>
> I've a question regarding the possibilities of cheating the following
> combination of file integrity checking.
>
> * MD5 checksum
> * Date last updated
> * File length
>
> How easy is it?
> Are there tools to manipulate a file and get the original MD5 checksum?
> Is it then possible to forge the above mentioned file attributes?
> Or is this a combination which cannot be cheated?
> I myself think that the above method isn't secure enough, but I need
> the facts.
> Informative links would also be nice to have ;-)
>
> Thank you in advance
>
> Holger Reichert
>
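
The offline check described in the reply, as an added example that is not part of the original messages: run from the trusted environment, it fingerprints every entry under the mount point of the suspect filesystem and compares the result with a baseline recorded while the system was known-good. Assumptions: the filesystem is mounted read-only, SHA-256 is used in place of the MD5 named in the question, timestamps are left out of the fingerprint, and all function names are hypothetical.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Return (kind, size, sha256) for one entry without following symlinks."""
    if os.path.islink(path):
        # An absolute link inside the image would resolve on the analysis
        # host, so fingerprint the link target string, not what it points to.
        target = os.readlink(path).encode()
        return ("link", len(target), hashlib.sha256(target).hexdigest())
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return ("file", os.path.getsize(path), h.hexdigest())

def snapshot(root):
    """Map each path relative to root to its fingerprint."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            # Skip real directories and special files (FIFOs, devices).
            if os.path.islink(full) or os.path.isfile(full):
                out[os.path.relpath(full, root)] = fingerprint(full)
    return out

def compare(baseline, current):
    """Return sorted (modified, missing, added) lists of relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return modified, missing, added

def demo():
    """Constructed sample: a temp directory stands in for the mounted image."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, data in (("bin/ls", b"original ls"), ("bin/ps", b"original ps")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = snapshot(root)       # recorded while known-good
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"trojaned ls")     # same length, different content
        os.remove(os.path.join(root, "bin/ps"))
        with open(os.path.join(root, "bin/.hidden"), "wb") as f:
            f.write(b"x")
        return compare(baseline, snapshot(root))
```

The baseline itself has to be stored off the monitored host, since a manifest kept on the suspect filesystem is no more trustworthy than the files it describes.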