nanog mailing list archives
Re: [NANOG] IOS rootkits
From: "Buhrmaster, Gary" <gtb () slac stanford edu>
Date: Mon, 19 May 2008 12:41:04 -0700
I understand *why* we are worried about rootkits on individual servers. On essentially "closed" platforms this isn't going to be rocket science. It may seem odd by today's BCPs, but booting up from "golden" images via write-protected hardware or TFTP or similar is pretty straightforward
Since today's bootstrap codes are in EEPROM (or equivalent), if you get "root" once, you can have "root" forever. Faking file system content (and real time replacing of code) is the core of any current (good) Linux/Mac/Windows rootkit. Cisco/Juniper/Force10/whatever is just another platform to do the same if you can replace the bootstrap. Modular IOS might even make it easier to do dynamic code insertion.

There are platforms (Xbox?, Tivo?, etc.) that try to do cryptographic validation of the code they are loading. Network devices are not yet doing a true cryptographic validation as far as I know, although one could imagine that that might be a next step to protect against that specific threat (although I seem to recall that bypassing the Xbox validations only took a few months, so it is harder than it first appears to get right).

Gary