nanog mailing list archives
RE: IOS Rookit: the sky isn't falling (yet)
From: Jim Wise <jwise () draga com>
Date: Thu, 29 May 2008 09:37:49 -0400 (EDT)
On Thu, 29 May 2008, Fred Reimer wrote:
> plaintext (the IOS code) and the hash. It is not trivial to be able to make changes in the code and maintain the same hash value, but there has been at least limited success in doing so.
Has there? My understanding is that constructing a new image to match an existing MD5 checksum (vs. constructing two new images with matching MD5 checksums) was still not feasible. Did I miss something?
> It may not be possible to replace the boot ROM, because presumably the new hardware would check the ROM code hash before loading it and also presumably the ROM code does not have quite as many text messages that can be changed to generate the same hash value, thereby bypassing the security checks.
This may be an obvious question, but given that the code which verifies an IOS image would (presumably) be part of the boot ROM, where would you put the code which verifies the boot ROM? What does it mean to say `the hardware' should check the boot ROM?
--
Jim Wise
jwise () draga com