nanog mailing list archives

Re: IOS Rootkit: the sky isn't falling (yet)


From: Gadi Evron <ge () linuxbox org>
Date: Wed, 28 May 2008 23:20:48 -0500 (CDT)

On Thu, 29 May 2008, Steven M. Bellovin wrote:
On Wed, 28 May 2008 10:37:05 +0100
<michael.dillon () bt com> wrote:

So let's see - if you had a billion CPUs in your botnet, and
each one could go at a billion to the second, you still need
2**69 seconds or 449,235,776,528,695 years.  Not bad - only
10,000 times the amount of time this planet has been around,
so yeah, that's the way they'll attack all right.

I didn't say that. I said that they are starting with an IOS image
in which there are some small number of bytes which they can possibly
change and still have a functional image. So it is likely that they
will brute force that by computing an MD5 hash on all variations of
those few bytes. It's like winning the lottery, you only *NEED* to
buy one ticket. No matter how slim the chances are of bad guys winning
that lottery, it is no excuse for ignoring the possibility that an
MD5 hash check may not be proof that you have an original image.

Did you even look at Valdis' arithmetic?  It *won't work*.  It isn't
"likely" that they'll try anything with that low a chance of success.
As for "no matter how slim the chances" -- if you want to have even a
vague chance of succeeding before Sol turns into a red giant, you're
going to have to devote enormous resources to the project.  (Actually,
I don't think you can succeed even then, not by brute force -- there
aren't a "small number of bytes" that can be changed, you can introduce
"random" "typographical" errors in error messages for the SNA stack or
some such, and if you're doing a brute force pre-image attack on MD5 any
bit is as good as any other.)  Let's put it purely in economic terms:
which is a better way to invest your effort, building a machine (or
botnet) with many billions of processors and still having no plausible
chance of winning, or -- as you yourself suggest -- getting the HVAC
contract for the data center.  Or putting back doors in the chips.  Or
bribing or blackmailing coders.  Or breaking into the vault where Cisco
keeps its master RSA key.  Or funding a vast research effort on
cracking MD5 before it's replaced by SHA-512.  Or *something* even
vaguely sane, because brute-forcing MD5 isn't physically possible.

I don't understand how this discussion got to breaking MD5 to begin with? The whole point was that the results will be manipulated due to the rootkit messing with the test, no?

        Gadi.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb
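The two arguments in this thread, the brute-force work factor and the subverted on-box check, can be made concrete in a few lines. The example below is added here and is not code from any poster in the thread; the `Device`/`RootedDevice` classes, the image bytes and the `check_device` helper are constructed for illustration. MD5 is used only because it is the digest the thread discusses; the verification pattern is the same for any digest.

```python
import hashlib
import hmac

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_years(hash_bits: int, machines: int, hashes_per_second: float) -> float:
    """Expected wall-clock years to brute-force a preimage of a hash_bits-bit digest.

    This is the thread's estimate in general form: 2**hash_bits trials spread
    over `machines` workers each doing `hashes_per_second` trials.
    """
    total_trials = 2 ** hash_bits
    trials_per_second = machines * hashes_per_second
    return total_trials / trials_per_second / SECONDS_PER_YEAR


def md5_hex(data: bytes) -> str:
    """Digest of an image as a hex string."""
    return hashlib.md5(data).hexdigest()


def verify_off_box(image: bytes, reference_md5: str) -> bool:
    """Trusted path: the image is copied off the device and hashed on a clean host,
    and the reference digest comes from an out-of-band source (vendor download page,
    a checksum file stored before deployment), never from the device itself."""
    return hmac.compare_digest(md5_hex(image), reference_md5)


class Device:
    """Constructed model of a router: holds the image actually loaded and offers
    an on-box 'verify' command that hashes that image honestly."""

    def __init__(self, image: bytes):
        self.image = image

    def on_box_verify(self) -> str:
        return md5_hex(self.image)


class RootedDevice(Device):
    """Constructed model of the failure mode Gadi describes: the on-box verify
    command has been subverted and reports a canned digest instead of hashing
    the image that is really loaded."""

    def __init__(self, image: bytes, advertised_md5: str):
        super().__init__(image)
        self._advertised = advertised_md5

    def on_box_verify(self) -> str:
        return self._advertised  # never touches self.image


def check_device(device: Device, reference_md5: str) -> tuple:
    """Return (on_box_result, off_box_result) for the same device and reference.

    on_box: what the operator sees if they trust the device's own verify command.
    off_box: the result of pulling the image off and hashing it on a clean host.
    """
    on_box = hmac.compare_digest(device.on_box_verify(), reference_md5)
    off_box = verify_off_box(device.image, reference_md5)
    return on_box, off_box


# Constructed sample images: the tampered copy differs from the genuine one in a few bytes.
GENUINE_IMAGE = b"CONSTRUCTED-IOS-IMAGE " + bytes(range(256)) * 4
TAMPERED_IMAGE = GENUINE_IMAGE[:40] + b"\x90\x90\x90" + GENUINE_IMAGE[43:]
REFERENCE_MD5 = md5_hex(GENUINE_IMAGE)  # stands in for a digest obtained out-of-band

if __name__ == "__main__":
    years = brute_force_years(128, 10**9, 10**9)
    print(f"brute-force preimage, 1e9 machines at 1e9 hashes/s: {years:.3g} years")
    print("clean device, genuine image :", check_device(Device(GENUINE_IMAGE), REFERENCE_MD5))
    print("clean device, tampered image:", check_device(Device(TAMPERED_IMAGE), REFERENCE_MD5))
    print("rooted device, tampered image:",
          check_device(RootedDevice(TAMPERED_IMAGE, REFERENCE_MD5), REFERENCE_MD5))
```

The rooted device case returns `(True, False)`: the on-box check passes while the off-box check fails, which is the whole reason a hash printed by the device under test is not evidence about that device. The work-factor function is there for the other half of the thread; with the figures quoted (a billion machines at a billion hashes per second) it returns a value in the trillions of years, so whatever rounding one applies, exhaustive search is not the threat to plan for.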


