Checksums Done Right

[Matthew Garrett]

On Sat, Jun 30, 2007 at 04:21:11PM -0700, scott at cse.ucdavis.edu wrote:

> Escalation of privileges is one attack, yes. Although the type of "attack"
> I'm talking about is for users that already have the ability to write a
> root-owned binary. I'm describing more of a DoS attack that basically just
> keeps admins scratching their heads. It doesn't have to be a useful
> collision to cause headaches. The main point is that md5 is broken and
> should be retired[1] (note: that's the "R" in RSA writing that "md5 is
> broken" not just me).

MD4 was broken in terms of finding collisions some time ago, but it's 
still not possible to trivially find MD4 collisions for an arbitrary 
existing file. The fact that (for carefully selected files) it's 
possible to find collisions for MD5 doesn't mean that it's generally 
broken or needs replacing immediately.

> > So the real benefit is that you can do this on a live system, rather
> > than having to reboot to known-good media?
> 
> Potentially, yes. Of course I envision malicious kernel modules being
> created that remove themselves from the filesystem while running then at
> the last minute before shutting down write what's necessary to load
> themselves on boot again. In that case you'd have to shutdown the system
> to be certain.

With modern hardware the sensible thing to do is just to boot from CD. 
There's no mechanism for fudging that unless you invoke virtualisation 
or firmware modification, both of which are still (highly) theoretical 
attacks.

> Then I invite you to join the ongoing "blue pill" debate. That is really
> outside the scope of CDR but still an interesting attack vector
> none-the-less. We assume you get the "high ground" first.

There's absolutely no way of implementing virtualisation without making 
certain instructions take an extra few cycles. Sensitive enough 
measurements ought to be able to pick that up.

-- 
Matthew Garrett | mjg59 at srcf.ucam.org