I'm looking for ways to verify that the currently running software on our Cisco/Juniper boxes is the one that is also in the flash/hd/storage/etc. Something that will somehow compare the running software in RAM with the software on flash/hd/storage/etc, so that I can verify that nobody has actually messed with the running software (by whatever means that's possible).

Besides the "install verify" command on IOS-XR (which I'm not 100% sure suits my needs), I haven't managed to find anything else. And the vendors say that indeed there is nothing more. All other options are about verifying the software file integrity before it gets loaded into RAM.

Have you ever done such an exercise? Are there maybe any external tools (or services) that offer this capability?

-- 
Tassos
On (2014-01-13 12:26 +0200), Tassos Chatzithomaoglou wrote:
> I'm looking for ways to verify that the currently running software on our Cisco/Juniper boxes is the one that is also in the flash/hd/storage/etc.

IOS: verify /md5 flash:file
JunOS: file checksum md5|sha-256|sha1 file

But if your system is owned, maybe the verification reads the filename and outputs the expected hash instead of the correct hash.

-- 
  ++ytti
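The caveat above (a compromised box may print the hash you expect rather than the hash of the bytes on flash) suggests a check that does not rely on the box's own report alone. The following is an added example, not code from the thread or from either vendor: it parses the checksum line the box prints, then compares it with the hash the vendor publishes for that image and with a hash computed locally over a copy of the image file transferred off the box. The output formats assumed for `verify /md5` ("Verified (flash:file) = hash") and `file checksum md5` ("MD5 (file) = hash"), the image name, the image bytes and the "vendor" hash are all constructed for the example.

```python
"""Cross-check a router's own image checksum report against two sources the
box does not control: the vendor-published hash and a hash computed locally
over a copy of the image transferred off the box.

Everything below is constructed for the example; the image bytes are not a
real IOS/JunOS image and the "vendor" hash is derived from them.
"""
import hashlib
import re

# Assumed CLI output formats (an assumption, not taken from the thread):
#   IOS   'verify /md5 flash:<file>'  ->  "Verified (flash:<file>) = <hex>"
#   JunOS 'file checksum md5 <file>'  ->  "MD5 (<file>) = <hex>"
IOS_RE = re.compile(r"Verified \((?P<path>[^)]+)\) = (?P<hash>[0-9a-fA-F]{32,64})")
JUNOS_RE = re.compile(r"(?:MD5|SHA1|SHA256) \((?P<path>[^)]+)\) = (?P<hash>[0-9a-fA-F]{32,64})")


def parse_onbox_checksum(cli_output):
    """Return (path, lowercase hex hash) from the CLI output, or None."""
    for line in cli_output.splitlines():
        match = IOS_RE.search(line) or JUNOS_RE.search(line)
        if match:
            return match.group("path"), match.group("hash").lower()
    return None


def local_hash(image_bytes, algorithm="md5"):
    """Hash the copy of the image we pulled off the box ourselves."""
    return hashlib.new(algorithm, image_bytes).hexdigest()


def cross_check(cli_output, pulled_copy, vendor_hash, algorithm="md5"):
    """Compare the box's report, our own hash of the pulled copy, and the
    vendor's published value. The status names the disagreement, which is
    the real signal: a report that contradicts the file's own bytes is the
    case the thread warns about."""
    parsed = parse_onbox_checksum(cli_output)
    if parsed is None:
        return {"status": "unparseable"}
    path, onbox = parsed
    vendor = vendor_hash.lower()
    local = local_hash(pulled_copy, algorithm)
    if onbox == vendor and local == vendor:
        status = "consistent"
    elif onbox == local:
        # Box reports honestly, but the stored file is not the vendor image.
        status = "stored-file-modified"
    elif onbox == vendor:
        # Box claims the expected hash while the bytes we fetched disagree.
        status = "report-contradicts-file"
    elif local == vendor:
        # File is the vendor image, yet the box reports something else.
        status = "report-contradicts-vendor"
    else:
        status = "report-and-file-both-differ"
    return {"status": status, "path": path, "onbox": onbox,
            "local": local, "vendor": vendor}


# --- constructed sample data (placeholders, not real images or hashes) -------
GOOD_IMAGE = b"constructed placeholder image, not a real router image\n" * 64
TAMPERED_IMAGE = GOOD_IMAGE[:-1] + b"!"            # one byte changed
VENDOR_MD5 = hashlib.md5(GOOD_IMAGE).hexdigest()   # stands in for the published hash
IMAGE_NAME = "flash:example-image.bin"             # placeholder file name

IOS_OUTPUT_GOOD = f"..........Done!\nVerified ({IMAGE_NAME}) = {VENDOR_MD5}\n"
IOS_OUTPUT_TAMPERED = (f"..........Done!\nVerified ({IMAGE_NAME}) = "
                       f"{hashlib.md5(TAMPERED_IMAGE).hexdigest()}\n")
# A compromised verify that prints the expected hash regardless of contents.
IOS_OUTPUT_LYING = IOS_OUTPUT_GOOD
JUNOS_OUTPUT_GOOD = f"MD5 (/var/tmp/example-image.tgz) = {VENDOR_MD5}\n"

if __name__ == "__main__":
    for label, out, copy in [("good", IOS_OUTPUT_GOOD, GOOD_IMAGE),
                             ("tampered", IOS_OUTPUT_TAMPERED, TAMPERED_IMAGE),
                             ("lying", IOS_OUTPUT_LYING, TAMPERED_IMAGE)]:
        print(label, cross_check(out, copy, VENDOR_MD5)["status"])
```

This still only covers the image as stored, which is the limitation the rest of the thread discusses; it says nothing about what is in RAM. It also raises the bar rather than settling the question, because the copy of the file is itself fetched through the box under suspicion; the value of the check is that a lying checksum report and a modified file now have to agree with each other and with the vendor's published value to go unnoticed.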
On (2014-01-13 12:46 +0200), Saku Ytti wrote:
> On (2014-01-13 12:26 +0200), Tassos Chatzithomaoglou wrote:
>> I'm looking for ways to verify that the currently running software on our Cisco/Juniper boxes is the one that is also in the flash/hd/storage/etc.
>
> IOS: verify /md5 flash:file
> JunOS: file checksum md5|sha-256|sha1 file
>
> But if your system is owned, maybe the verification reads the filename and outputs the expected hash instead of the correct hash.

mea culpa, you were looking to check running to image, I don't think this is practical. In IOS it's compressed and decompressed upon boot, so no practical way to map the two together. Same is true in JunOS, even without compression it wouldn't be possible to reasonably map the *.tgz to RAM.

I think vendors could take a page from XBOX360 etc, and embed public keys inside their NPU in modern lithography then sign images, it would be an impractical attack vector.

But changing memory runtime is probably going to be very complicated to verify, easier to create infrastructure/HW where program memory cannot be changed at runtime.

-- 
  ++ytti
Saku Ytti wrote on 13/1/2014 12:51:
> On (2014-01-13 12:46 +0200), Saku Ytti wrote:
>> On (2014-01-13 12:26 +0200), Tassos Chatzithomaoglou wrote:
>>> I'm looking for ways to verify that the currently running software on our Cisco/Juniper boxes is the one that is also in the flash/hd/storage/etc.
>>
>> IOS: verify /md5 flash:file
>> JunOS: file checksum md5|sha-256|sha1 file
>>
>> But if your system is owned, maybe the verification reads the filename and outputs the expected hash instead of the correct hash.
>
> mea culpa, you were looking to check running to image, I don't think this is practical. In IOS it's compressed and decompressed upon boot, so no practical way to map the two together. Same is true in JunOS, even without compression it wouldn't be possible to reasonably map the *.tgz to RAM.
>
> I think vendors could take a page from XBOX360 etc, and embed public keys inside their NPU in modern lithography then sign images, it would be an impractical attack vector.

I was assuming the vendors could take a snapshot of the memory and somehow "compare" it to a snapshot of the original software. Or (I don't know how easy it is) do an audit of the memory snapshot on specific pointers... well, I don't know... just thinking out loud...

> But changing memory runtime is probably going to be very complicated to verify, easier to create infrastructure/HW where program memory cannot be changed at runtime.

I agree, and we already do that, but a regulatory authority has brought to the surface something trickier.

-- 
Tassos
dd kmem and see if it's what you'd expect (size of RAM + swap). If so you should be able to look at it.

Also see Volatility.

On Jan 13, 2014 7:21 AM, "Tassos Chatzithomaoglou" <achatz@forthnet.gr> wrote:
> Saku Ytti wrote on 13/1/2014 12:51:
>> On (2014-01-13 12:46 +0200), Saku Ytti wrote:
>>> On (2014-01-13 12:26 +0200), Tassos Chatzithomaoglou wrote:
>>>> I'm looking for ways to verify that the currently running software on our Cisco/Juniper boxes is the one that is also in the flash/hd/storage/etc.
>>>
>>> IOS: verify /md5 flash:file
>>> JunOS: file checksum md5|sha-256|sha1 file
>>>
>>> But if your system is owned, maybe the verification reads the filename and outputs the expected hash instead of the correct hash.
>>
>> mea culpa, you were looking to check running to image, I don't think this is practical. In IOS it's compressed and decompressed upon boot, so no practical way to map the two together. Same is true in JunOS, even without compression it wouldn't be possible to reasonably map the *.tgz to RAM.
>>
>> I think vendors could take a page from XBOX360 etc, and embed public keys inside their NPU in modern lithography then sign images, it would be an impractical attack vector.
>
> I was assuming the vendors could take a snapshot of the memory and somehow "compare" it to a snapshot of the original software. Or (I don't know how easy it is) do an audit of the memory snapshot on specific pointers... well, I don't know... just thinking out loud...
>
>> But changing memory runtime is probably going to be very complicated to verify, easier to create infrastructure/HW where program memory cannot be changed at runtime.
>
> I agree, and we already do that, but a regulatory authority has brought to the surface something trickier.
>
> -- 
> Tassos
Doh, tired and not reading - the util should help after you get a dump though.

On Jan 13, 2014 7:29 AM, "shawn wilson" <ag4ve.us@gmail.com> wrote:
> dd kmem and see if it's what you'd expect (size of RAM + swap). If so you should be able to look at it.
>
> Also see Volatility.
>
> On Jan 13, 2014 7:21 AM, "Tassos Chatzithomaoglou" <achatz@forthnet.gr> wrote:
>> Saku Ytti wrote on 13/1/2014 12:51:
>>> On (2014-01-13 12:46 +0200), Saku Ytti wrote:
>>>> On (2014-01-13 12:26 +0200), Tassos Chatzithomaoglou wrote:
>>>>> I'm looking for ways to verify that the currently running software on our Cisco/Juniper boxes is the one that is also in the flash/hd/storage/etc.
>>>>
>>>> IOS: verify /md5 flash:file
>>>> JunOS: file checksum md5|sha-256|sha1 file
>>>>
>>>> But if your system is owned, maybe the verification reads the filename and outputs the expected hash instead of the correct hash.
>>>
>>> mea culpa, you were looking to check running to image, I don't think this is practical. In IOS it's compressed and decompressed upon boot, so no practical way to map the two together. Same is true in JunOS, even without compression it wouldn't be possible to reasonably map the *.tgz to RAM.
>>>
>>> I think vendors could take a page from XBOX360 etc, and embed public keys inside their NPU in modern lithography then sign images, it would be an impractical attack vector.
>>
>> I was assuming the vendors could take a snapshot of the memory and somehow "compare" it to a snapshot of the original software. Or (I don't know how easy it is) do an audit of the memory snapshot on specific pointers... well, I don't know... just thinking out loud...
>>
>>> But changing memory runtime is probably going to be very complicated to verify, easier to create infrastructure/HW where program memory cannot be changed at runtime.
>>
>> I agree, and we already do that, but a regulatory authority has brought to the surface something trickier.
>>
>> -- 
>> Tassos
That verifies the software that is stored somewhere, not the currently running one. Someone "insider" could load a "hacked" software into flash, boot the router with that file (supposing that he has found a way to do so) and then replace the file on the flash with the real one. How can you verify that the running software is actually the original one?

-- 
Tassos

Saku Ytti wrote on 13/1/2014 12:46:
> On (2014-01-13 12:26 +0200), Tassos Chatzithomaoglou wrote:
>> I'm looking for ways to verify that the currently running software on our Cisco/Juniper boxes is the one that is also in the flash/hd/storage/etc.
>
> IOS: verify /md5 flash:file
> JunOS: file checksum md5|sha-256|sha1 file
>
> But if your system is owned, maybe the verification reads the filename and outputs the expected hash instead of the correct hash.
On Mon, 13 Jan 2014 12:26:02 +0200, Tassos Chatzithomaoglou said:
> I'm looking for ways to verify that the currently running software on our Cisco/Juniper boxes is the one that is also in the flash/hd/storage/etc.

In general, asking the operating system if it's pwned is an insoluble problem, because the pwner will of course arrange that the answer to such a query be "No, I'm not pwned".

You really need assistance from one layer further down - if you're in a VM, you need to ask the hypervisor. If you're on bare metal, you need to ask the SMM or equivalent. If you're in the SMM, you need to ask the hardware. And of course, at each level, you have to ask yourself how you know that *that* level isn't lying to you....

(Yes, this is the corner of system security where, if you're not already a paranoid schizophrenic, you will be soon.. :)
----- Original Message -----
> From: "Valdis Kletnieks" <Valdis.Kletnieks@vt.edu>
>
> You really need assistance from one layer further down - if you're in a VM, you need to ask the hypervisor. If you're on bare metal, you need to ask the SMM or equivalent. If you're in the SMM, you need to ask the hardware. And of course, at each level, you have to ask yourself how you know that *that* level isn't lying to you....
>
> (Yes, this is the corner of system security where, if you're not already a paranoid schizophrenic, you will be soon.. :)

If you have not already read the Ken Thompson paper:

http://cm.bell-labs.com/who/ken/trust.html

And for a bit more on whether it was ever actually implemented, from Ken himself:

https://groups.google.com/d/msg/comp.security.unix/ivjYjNSduFc/0Er2cynPKjsJ

Cheers,
-- jra

-- 
Jay R. Ashworth, Baylink, jra@baylink.com
Designer, The Things I Think, RFC 2100
Ashworth & Associates, http://baylink.pitas.com, 2000 Land Rover DII
St Petersburg FL USA, #natog, +1 727 647 1274
On 1/13/14 5:26 AM, Tassos Chatzithomaoglou wrote:
> I'm looking for ways to verify that the currently running software on our Cisco/Juniper boxes is the one that is also in the flash/hd/storage/etc. Something that will somehow compare the running software in RAM with the software on flash/hd/storage/etc, so that I can verify that nobody has actually messed with the running software (by whatever means that's possible).
>
> Besides the "install verify" command on IOS-XR (which I'm not 100% sure suits my needs), I haven't managed to find anything else. And the vendors say that indeed there is nothing more. All other options are about verifying the software file integrity before it gets loaded into RAM.
>
> Have you ever done such an exercise? Are there maybe any external tools (or services) that offer this capability?

As Tassos said, there are no solutions from vendors. There are, however, some examples by third parties, such as:

Defending Embedded Systems with Software Symbiotes
http://ids.cs.columbia.edu/sites/default/files/paper_2.pdf

Protecting Software Codes By Guards
http://www.seas.gwu.edu/~simhaweb/security/summer2005/Atallah1.pdf

There are other efforts inside academia as well as companies attempting to develop dynamic firmware attestation (full disclosure: I work for one such company). As Valdis and others have said, it's an insoluble problem with solutions of varying degrees of efficacy and practicality.

-mc
participants (6)
- Jay Ashworth
- Michael Costello
- Saku Ytti
- shawn wilson
- Tassos Chatzithomaoglou
- Valdis.Kletnieks@vt.edu