nanog mailing list archives

Re: verify currently running software on ram


From: Michael Costello <m () expertknobtwiddlers com>
Date: Mon, 13 Jan 2014 14:36:24 -0500

On 1/13/14 5:26 AM, Tassos Chatzithomaoglou wrote:
I'm looking for ways to verify that the currently running software on
our Cisco/Juniper boxes is the one that is also in the
flash/hd/storage/etc. Something that will somehow compare the running
software in ram with the software on flash/hd/storage/etc, so that I
can verify that nobody has actually messed with the running software
(by whatever means that's possible).

Besides the "install verify" command on IOS-XR (which I'm not 100%
sure if it suits my needs), I haven't managed to find anything else.
And the vendors say that indeed there is nothing more. All other
options are about verifying the software file integrity before it
gets loaded into ram.

Have you ever done such an exercise? Are there maybe any external
tools (or services) that offer this capability?


As Tassos said, there are no solutions from vendors.  There are,
however, some examples by third parties such as

  Defending Embedded Systems with Software Symbiotes
  http://ids.cs.columbia.edu/sites/default/files/paper_2.pdf

and

  Protecting Software Codes By Guards
  http://www.seas.gwu.edu/~simhaweb/security/summer2005/Atallah1.pdf

There are other efforts inside academia as well as companies attempting
to develop dynamic firmware attestation (full disclosure: I work for one
such company).

As Valdis and others have said, it's an insoluble problem with solutions
of varying degrees of efficacy and practicality.

-mc
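An added example, not from the thread or from any vendor, of the comparison Tassos describes: diff a copy of the running image against the image file on storage. The hard part the thread hints at is that a loaded image legitimately differs from the file in some places (relocated pointers, patched vectors), so a plain hash comparison always fails; the code below masks an allow-list of such regions and reports only unexplained byte ranges. All data is constructed in the script; how to obtain a copy of the running image from a real router is exactly what the vendors do not provide, and the example assumes you already have one as a byte string.

```python
"""Compare a running-image capture against the stored image file, tolerating
regions that are expected to differ at runtime.  Constructed example data;
this is not a vendor tool and makes no claim about any real device layout."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Region:
    """A byte range expected to differ between the stored file and the
    running copy (e.g. a relocation table patched at load time)."""
    name: str
    start: int
    length: int


@dataclass(frozen=True)
class Mismatch:
    """A contiguous differing range that no Region explains."""
    offset: int
    length: int


def mask_volatile(image: bytes, volatile: Sequence[Region]) -> bytes:
    """Zero the allow-listed regions so both copies can be compared byte for byte."""
    buf = bytearray(image)
    for r in volatile:
        buf[r.start:r.start + r.length] = bytes(r.length)
    return bytes(buf)


def find_mismatches(stored: bytes, running: bytes,
                    volatile: Sequence[Region] = ()) -> List[Mismatch]:
    """Return every differing byte range outside the allow-listed regions.
    A size difference is treated as a hard failure rather than aligned away."""
    if len(stored) != len(running):
        raise ValueError(f"image sizes differ: stored={len(stored)} running={len(running)}")
    a = mask_volatile(stored, volatile)
    b = mask_volatile(running, volatile)
    mismatches: List[Mismatch] = []
    start: Optional[int] = None
    for i in range(len(a)):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            mismatches.append(Mismatch(start, i - start))
            start = None
    if start is not None:
        mismatches.append(Mismatch(start, len(a) - start))
    return mismatches


def verify(stored: bytes, running: bytes, volatile: Sequence[Region] = ()) -> dict:
    """Summarise the comparison: raw digests of both copies (which will differ
    whenever any volatile region exists) and the unexplained mismatches."""
    mismatches = find_mismatches(stored, running, volatile)
    return {
        "match": not mismatches,
        "stored_sha256": hashlib.sha256(stored).hexdigest(),
        "running_sha256": hashlib.sha256(running).hexdigest(),
        "masked_sha256": hashlib.sha256(mask_volatile(stored, volatile)).hexdigest(),
        "mismatches": mismatches,
    }


# --- Constructed sample data (not captured from any real device) ---
STORED_IMAGE = bytes(range(64))                  # stand-in for the file on flash
VOLATILE = (Region("reloc_table", 8, 8),)        # offsets 8..15 are rewritten at load


def _running_copy(tamper: bool) -> bytes:
    """Build a pretend memory capture: relocation applied, optionally one
    modified code byte that the allow-list does not cover."""
    buf = bytearray(STORED_IMAGE)
    buf[8:16] = b"\xAA" * 8                      # legitimate load-time relocation
    if tamper:
        buf[40] ^= 0xFF                          # unexplained change in code
    return bytes(buf)


RUNNING_CLEAN = _running_copy(tamper=False)
RUNNING_TAMPERED = _running_copy(tamper=True)

if __name__ == "__main__":
    for label, img in (("clean", RUNNING_CLEAN), ("tampered", RUNNING_TAMPERED)):
        r = verify(STORED_IMAGE, img, VOLATILE)
        print(label, "match" if r["match"] else f"MISMATCH at {r['mismatches']}")
```

The allow-list is the weak point of this approach: every region you mask is a region an attacker can modify unnoticed, so it should be as small as the loader genuinely requires, and the masked digest of the stored image should be recorded out of band so a later capture can be checked against a known-good value rather than against whatever is on flash at the time.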

