Rooting Out Corrupted Code

Thursday, 12 December 2002, 12:00 PM EST

Sometimes it's easy to tell when you're dealing with an imposter. That Mona Lisa at your neighbor's yard sale is unlikely to be the real thing. When you see Elvis at the mall, you can be pretty sure that he's a fake, too.

Even on a computer it can be obvious. when you run strings against your ls binary and among all of the other data it returns gcc -shared -o /tmp/own.so /tmp/own.c;rm -f /tmp/own.c, you can be pretty sure that's not the real ls command. A fellow in my local Linux Users Group reported this recently, and he didn't need to be told that the system had been rooted.

Sometimes, however, it's more difficult to tell if there's a problem. The most common way to verify the integrity of a binary on a Unix system is by comparing a checksum of the actual file to the checksum of a known-good copy of that file. Tripwire and AIDE are popular system validation tools built on this premise.

The checksum concept has its roots in the bad old days of 300 baud modems without built-in error correction, the xmodem protocol guarded against downloads corrupted by line noise. On the sender's side, xmodem would break a file up into 128-byte chunks and run a check against each block that would produce a single number. After downloading a block of data, the receiver's system would run the same check against it. If both sides got the same answer, the receiver would ask for the next block of data; if the answers differed, then the receiver asked the sender to retransmit the corrupted data.

[ Read more ]




Spotlight

The context-aware security lifecycle and the cloud

Posted on 25 November 2014.  |  Ofer Wolf, CEO at Sentrix, explains the role of the context-aware security lifecycle and illustrates how the cloud is shaping the modern security architecture.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Nov 26th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //