Re: Integrity checking NANOBSD images

Board: FB_security, posted 2006/07/12 05:09
Thread: 13/15
--- Mike Tancsa <mike@sentex.net> wrote:

> >But what if the trojan copies its files to the RAM disc and waits for this
> >sha256 binary showing up? And then, when it is there, it removes its
> >changes on
> >the hard disc (those changes certainly must be in unused (formerly zeroed)
> >areas of the hard disc or in the (zeroed) end of certain shell
> >scripts... Or do
> >I miss something?
>
> Yes, sounds possible. Between checks, "undo" the trojan. However,
> the binary would have to live somewhere on the flash or it would not
> survive reboots and you would have to tinker with the bootup process
> to load the trojan at boot time.
>

Yes, that is what I mean with "unused" areas... I think many scripts in /etc/rc.d have some space in their end, that is zeroed and unused... So you just have to record their original size... Then u add some trojan software stuff in some start shell script function and u r done (of course those changes must be made, after the check sum procedure is over...; and must be undone before every check sum procedure)...

Maybe we should try to make the box physically safer... By a sabotage detection unit... Infrared scanner or ultra-sound movement scanner or so...

-Arne

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article ID (AID): #14j1EO00 (FB_security)