Re: IOS Rookit: the sky isn't falling (yet)

["Steven M. Bellovin" <smb () cs columbia edu>]

On Thu, 29 May 2008 09:18:07 -0400
"Fred Reimer" <freimer () ctiusa com> wrote:
 
> So the only easy way to attack this is the MD5 hash.  We have a know
> plaintext (the IOS code) and the hash.  It is not trivial to be able
> to make changes in the code and maintain the same hash value, but
> there has been at least limited success in doing so. 

No there has not.  There has been considerable success at creating
*collisions*; if you don't have a collaborator inside Cisco's build
team, that does you no good in this case.  There has been *no* success
at preimage attacks, which is what we're talking about here.  (Aside:
I'm on record as saying I wouldn't be surprised if preimage attacks
were developed soon by the cryptanalytic community, since people are
paying so much more attention to hash functions now, but that hasn't
happened yet.)

If you do have a collaborator, there is a conceivable attack.  Use the
collision attack -- that is, the ability to simultaneously produce two
files with the same hash -- to generate a genuine IOS image that is
nevertheless susceptible to being replaced by a corrupted one.  It's a
delicate process, though, since even a 1-bit change will completely
change the hash output and ruin the collision.  You're much better off
having your collaborator simply install a back door for you -- and it
almost certainly won't be found.  See
http://www.eecs.berkeley.edu/Pubs/TechRpts/2007/EECS-2007-136.html or
Chapter 8 of http://zesty.ca/pubs/yee-phd.pdf


                --Steve Bellovin, http://www.cs.columbia.edu/~smb