Re: verify currently running software on ram

[Tassos Chatzithomaoglou <achatz () forthnet gr>]

Saku Ytti wrote on 13/1/2014 12:51:
> On (2014-01-13 12:46 +0200), Saku Ytti wrote:
> > On (2014-01-13 12:26 +0200), Tassos Chatzithomaoglou wrote:
> >
> > > I'm looking for ways to verify that the currently running software on our Cisco/Juniper boxes is the one that is 
> > > also in the flash/hd/storage/etc.
> > IOS: verify /md5 flash:file
> > JunOS: filechecksum md5|sha-256|sha1 file
> >
> > But if your system is owned, maybe the verification reads filename and outputs
> > expected hash instead of correct hash.
> mea culpa, you were looking to check running to image, I don't think this is
> practical.
> In IOS its compressed and decompressed upon boot, so no practical way to map
> the two together.
> Same is true in JunOS, even without compression it wouldn't be possible to
> reasonably map the *.tgz to RAM.
>
> I think vendors could take page from XBOX360 etc, and embed public keys inside
> their NPU in modern lithography then sign images, it would be impractical
> attack vector.

I was assuming the vendors could take a snapshot of the memory and somehow "compare" it to a snapshot of the original 
software.
Or (i don't know how easy it is) do an auditing of the memory snapshot on specific pointers...well, i don't know...just 
thinking loudly...
> But changing memory runtime is probably going to very complicated to verify,
> easier to create infrastructure/HW where program memory cannot be changed
> runtime.
I agree, and we already do that, but a regulatory authority has brought into surface something trickier.

--
Tassos