Slashdot Mirror


Known-Good MD5 Database

bgp4 writes "Have you ever examined a system you thought was broken into but you weren't sure? If only you had run an integrity verification program like osiris or Tripwire first you could have figured out what programs had been changed. In an effort to help out in the instances when you can't answer the question "what was this like before?" we've constructed a searchable database of MD5 and SHA-1 hashes for files in many standard operating systems. You can search using the filename or the checksum and see if you have a trojaned binary or an overactive imagination. Currently at knowngoods.org we have many FreeBSD, OS X, Linux, and Solaris installations checksummed and cataloged. If you have other programs or distributions you would like to see in the database, please let us know."
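As an added example (not knowngoods.org's own code), here is what a lookup against such a catalog amounts to, with a constructed two-entry catalog and stand-in file bytes instead of real binaries: both MD5 and SHA-1 must match, and the verdict separates a file whose hashes differ from one the catalog has never seen, such as a local source build.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Entry is one cataloged file: the OS it ships with, its path, and its hex MD5 and SHA-1.
type Entry struct{ OS, Path, MD5, SHA1 string }

type Verdict string // how a local file compares to the catalog

const (
	KnownGood Verdict = "known-good"     // both digests match an entry for that path
	Mismatch  Verdict = "MISMATCH"       // path is cataloged, digests differ: modified, or rebuilt locally
	Unknown   Verdict = "not-in-catalog" // e.g. a source build or an OS the site has not cataloged
)

// Digests returns the hex MD5 and SHA-1 of content, the two hashes the database stores.
func Digests(content []byte) (string, string) {
	m, s := md5.Sum(content), sha1.Sum(content)
	return hex.EncodeToString(m[:]), hex.EncodeToString(s[:])
}

// Check looks path up and requires BOTH digests to match, so a forgery needs two collisions, not one.
func Check(catalog []Entry, path string, content []byte) Verdict {
	m, s := Digests(content)
	verdict := Unknown
	for _, e := range catalog {
		if e.Path == path {
			if e.MD5 == m && e.SHA1 == s {
				return KnownGood
			}
			verdict = Mismatch // same path, different build: the locally rebuilt case raised in the comments
		}
	}
	return verdict
}

func entry(os, path string, content []byte) Entry {
	m, s := Digests(content)
	return Entry{os, path, m, s}
}

// Constructed sample catalog: stand-in bytes, not real binaries.
var VendorLs = []byte("stand-in for the vendor-shipped FreeBSD /bin/ls")
var Catalog = []Entry{entry("FreeBSD", "/bin/ls", VendorLs), entry("Solaris", "/bin/ls", []byte("stand-in Solaris /bin/ls"))}
func main() { fmt.Println(Check(Catalog, "/bin/ls", VendorLs)) }
```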

28 of 307 comments

  1. What about source builds? by Anonymous Coward · · Score: 5, Insightful

    Wouldn't this be useless to anybody that builds from source?

    1. Re:What about source builds? by Cerlyn · · Score: 5, Insightful

      Indeed; the capability of such a system is a bit limited with operating systems like FreeBSD, which actively *encourage* their users to build/rebuild from sources. IIRC, FreeBSD actually only gives intermediate security updates in source code format so you have to compile them (not too hard: cd /usr/src ; make buildworld).

      So, recording the checksum to /bin/ls, etc. is a bit flawed in that when I do a "make buildworld", my custom configuration parameters from /etc/make.conf get used, overriding CPU type, if Xfree86 is installed, etc. Since my system's parameters likely will not match FreeBSD's master build system, there is a high chance that the checksums after I do a rebuild are significantly different.

      But for non-source distributions (Redhat, etc.) this concept is excellent, assuming that no one compromises the database or the OS kernel. Unfortunately, no database checksummer will ever counteract the case when the OS kernel itself is compromised, potentially returning one file when scanned and another when executed.

      Still, it wouldn't hurt for them to record source file checksums as well; after all, having an independent checksumming group would require them to be compromised as well as the FTP network, making an attacker's life harder.

    2. Re:What about source builds? by pVoid · · Score: 4, Insightful

      Indeed.

      In fact, this system would be best suited for systems which aren't OSS... such as windows =)

      crowd boos... stones and rotten tomatoes fly as author runs for cover

      :)

    3. Re:What about source builds? by Anonymous Coward · · Score: 1, Insightful

      And if enough people did it to matter, rootkits would just compromise your source files too.

    4. Re:What about source builds? by caino59 · · Score: 3, Insightful

      well, that's all fine and dandy...unless your compiler is compromised....

    5. Re:What about source builds? by shamilton · · Score: 3, Insightful

      Because the default /bin/ls is lowest common denominator. As for a waste of time...

      [root@visor:/usr/src/bin/ls] /usr/bin/time make
      Warning: Object directory not changed from original /usr/src/bin/ls
      cc -O -pipe -DCOLORLS -Wall -Wformat -c cmp.c
      cc -O -pipe -DCOLORLS -Wall -Wformat -c ls.c
      cc -O -pipe -DCOLORLS -Wall -Wformat -c print.c
      print.c: In function `printcol':
      print.c:253: warning: `base' might be used uninitialized in this function
      cc -O -pipe -DCOLORLS -Wall -Wformat -c util.c
      cc -O -pipe -DCOLORLS -Wall -Wformat -static -o ls cmp.o ls.o print.o util.o -lm -ltermcap
      gzip -cn ls.1 > ls.1.gz
      1.59 real 0.35 user 0.12 sys

      I can afford the 1.59 seconds.

      sh

      --
      "[A] high IQ is like a Jeep; you will still get stuck, just farther from help!" --Just d' FAQs, c.g.a
    6. Re:What about source builds? by RDPIII · · Score: 3, Insightful

      Unfortunately, no database checksummer will ever counteract the case when the OS kernel itself is compromised, potentially returning one file when scanned and another when executed.

      Not if you execute your md5sum or other checksum program in a trusted environment, e.g., after booting a rescue system from CD/DVD-ROM. If you suspect that your system has been compromised, you probably wouldn't want to run any executables directly on that system.
      --
      Marklar: marklar
  2. What?! No Windows? by Anonymous Coward · · Score: 2, Insightful

    We need file verification, too! Probably more so with some of the Windows/IE vulnerabilities.

  3. But what happens... by Anonymous Coward · · Score: 1, Insightful

    ... when they trojan your MD5 checksummer? ;)

    1. Re:But what happens... by kasperd · · Score: 4, Insightful

      when they trojan your MD5 checksummer?

      Then your compromised system might appear to be clean. I have actually seen a system where that has happened. But the intruder forgot to trojan the rpm executable, "rpm -Va" revealed everything. But had the intruder trojaned the rpm executable too, that wouldn't have worked. The only secure way to use the verification tool is to boot from a read-only media and run the tool from there.

      --

      Do you care about the security of your wireless mouse?
    2. Re:But what happens... by hondo_san · · Score: 2, Insightful

      Kind of reinforces one thing I sometimes forget to do on a new ftp install, and that is to immediately copy all of the binaries that one would use to detect a compromised box -- ps, top, ls, md5, and several others that one could find in a book or Webpage devoted to security -- to a read-only CD. Oh yeah, throw in NMap, too. Of course, immediately next should be Tripwire.

      That way, at the first sign of trouble, you just toss in the disk of known-good tools, with the confidence that at least that stuff is clean. Yes there are ways other than this, I'm sure, but for us non-super-guru types, it's pretty handy.

  4. So what about the obvious scenario... by Samir+Gupta · · Score: 2, Insightful

    What if someone hacked into the MD5 database and changed the entries? :-)

    --
    -- Samir Gupta, Ph. D. Head, New Technology Research Group, Nintendo Co. Ltd., Kyoto, Japan.
    1. Re:So what about the obvious scenario... by BitHive · · Score: 4, Insightful

      Then I imagine that as soon as someone changes a hash, many secure systems will indicate they've been compromised, and the whole thing will be quite obvious to sort out.

  5. This is one of those things... by carl67lp · · Score: 3, Insightful

    This is the type of thing that you'd ask "Why didn't they do this sooner?" -- it's just that logical of an idea.

    Absolutely fabulous, wonderful! The real trick, though, is to build up trust in your database so that those searching it will be sure that the checksums are actually correct--you know, rather than buying a burglar alarm from the robber himself. Thus, I doubt you'd be able to take submissions from users right away--at least without a competent staff checking to make sure they're correct.

  6. ooooo nifty by netwiz · · Score: 5, Insightful

    I've been wondering when something along these lines would be available.

    [devil's advocate] However, how do we know that the pregenerated checksums are correct? Who watches the watchers? [/devil's advocate]

    Yah, yah, I know, the easiest way is to inspect the source for the minicompiler, the main compiler, and the program by hand, then build all of them step-by-step until you're done, then use the final binary to generate your hash. I wonder, tho, how much drift might there be in using a pre-built compiler (say I D/Led the binaries for GCC and the libraries to go with it). One tiny change in machine state (or any other number of things I would suppose) could result in the final binary being a single byte off, and the whole thing's a wash.

    Granted, I may be talking out of my ass here, could someone w/ some hard-core coding knowledge or CS experience expound on the above?

  7. What about Windows OS? by scubacuda · · Score: 5, Insightful

    I didn't see the ability to search for Windows MD5 hashes.

    Considering its history of vulnerabilities, I'd think that this would be pretty important...

    1. Re:What about Windows OS? by Trusty+Penfold · · Score: 3, Insightful

      You can't compile a explorer.exe with a nice back door added in unless you've got the source to explorer.exe.

      Of course you can - it is trivial to alter the behaviour of a Windows executable; viruses do it all the time.

      Append the backdoor to explorer.exe, fiddle with a few bits so the backdoor gets executed first, and find a way to drop it onto the system.

    2. Re:What about Windows OS? by kubrick · · Score: 4, Insightful

      What about viruses that change the structure of the files they infect? Especially ones that haven't been spotted by the anti-virus firms yet (rare, I know, because they probably develop and release most of them).

      Also, can't people still use disassemblers to 'crack' files, and maybe add backdoors at the same time?

      Both of these activities would be reflected by checksum changes.

      --
      deus does not exist but if he does
  8. I have to wonder... by Anonymous Coward · · Score: 1, Insightful

    ...how often this will reveal distro's slipstreaming changes into a given version number.

  9. Something's wrong here by phr2 · · Score: 5, Insightful

    If we need an external database of md5's to authenticate so many different files, that means that md5's weren't really the right authentication method to begin with. It's better to use digital signatures.

    The fancy way to do that is with an Authenticode-like system for signing files. Distro maintainers would sign the files in their distros, and users could also sign their own files. A simpler way would be to just have a big, signed list of md5's in some file that tripwire checks against. Tripwire would check the signature on the file before believing the md5's in it. Or the list could contain individual signatures per file instead of just hashes.

    A centralized md5 database doesn't feel so right with the free software spirit, which says (legitimate) users could modify the files at any time, or just recompile them with a slightly different compiler, etc.
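An added example, not from this post or any project it names, of the "big, signed list of md5's" that a checker verifies before believing it; it also covers the earlier "what if someone changed the entries" question, since an edited list no longer verifies. The md5sum-style line format and the use of Ed25519 are assumptions (the post names no algorithm, and rpm uses GPG); the host files are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"encoding/hex"
	"errors"
	"sort"
	"strings"
)

// Manifest is the signed list of MD5s: "<md5>  <path>" lines plus a detached signature over those exact bytes.
type Manifest struct{ Lines, Sig []byte }

func md5hex(b []byte) string { s := md5.Sum(b); return hex.EncodeToString(s[:]) }

// SignManifest hashes every file and signs the sorted list with the maintainer's private key.
func SignManifest(priv ed25519.PrivateKey, files map[string][]byte) Manifest {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths) // map iteration is random; a signed document must be byte-stable
	var b strings.Builder
	for _, p := range paths {
		b.WriteString(md5hex(files[p]) + "  " + p + "\n")
	}
	lines := []byte(b.String())
	return Manifest{lines, ed25519.Sign(priv, lines)}
}

var ErrBadSignature = errors.New("manifest signature invalid: none of its hashes are trusted")

// Verify checks the signature FIRST and only then compares each listed file; it returns the paths whose hash differs or which are missing.
func Verify(pub ed25519.PublicKey, m Manifest, files map[string][]byte) ([]string, error) {
	if !ed25519.Verify(pub, m.Lines, m.Sig) {
		return nil, ErrBadSignature
	}
	var changed []string
	for _, line := range strings.Split(strings.TrimSuffix(string(m.Lines), "\n"), "\n") {
		want, path, ok := strings.Cut(line, "  ")
		content, present := files[path]
		if !ok || !present || md5hex(content) != want {
			changed = append(changed, path)
		}
	}
	return changed, nil
}

var Files = map[string][]byte{"/bin/ls": []byte("vendor ls"), "/bin/ps": []byte("vendor ps")} // constructed host "binaries", not real files
```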

  10. Re:Compromised /bin/md5 by Idarubicin · · Score: 3, Insightful

    Heck, the utilities you used to pull the binary off the machine in question could have been compromised and may not be actually copying the binary in question, but a good version of the binary. The only way to check this would be to mount the drive on another machine and check it there... And if people aren't doing that (which is a pain in the ass) all this website is going to do is give people a false sense of security.

    Other replies have mentioned that it might make more sense to boot off known clean read-only media, on which you also have a copy of your checksum utility.

    That said, this still provides a false sense of security. The only way to be absolutely certain that your binaries have not been compromised is the following technique:

    Have all your code written by hermit programmers. They must develop their OS and all programming tools (compilers, etc.) by themselves, on a computer that has no connection to the outside world. Taking an OS from another hermit programmer is also acceptable, as long as it is conveyed by hand from one to the other.

    You must know and trust all of the hermit programmers.

    The hermits must live, eat, and sleep in giant vaults designed to provide physical security to them and their computers. They definitely will not have telephones.

    They must develop applications from scratch--no outside data may be allowed to contaminate their pristine systems. Source code may be imported, as long as it is delivered in hard copy form and hand keyed by someone who is very security conscious.

    The hermits must hand deliver the binaries of applications to you. You should have already received a copy of their pristine OS by this method.

    Presto! Completely secure binaries. No trojans. No false sense of security.

    Oh, unless someone finds a buffer overrun that your hermits missed. Then some kiddie will own your box. Damn.

    --
    ~Idarubicin
  11. "False" senses of security by Hizonner · · Score: 5, Insightful

    Spoken like a true second-year student.

    The reality of the matter is that, while it certainly would be possible for somebody to gag a machine to evade all your wascally checksumming tricks, they frequently don't do so. And when they do it, there's the usual arms-race lag between the time when a new method of checking comes out and when they update their tools to evade it. And there's a cost to them for each defense they evade; if you want to avoid every defense you ever hear of, you basically have to roll your own rootkits, which is a huge time investment.

    And a kiddie who's out there collecting hundreds of boxes has no particular incentive to be anal about holding onto yours.

    ... and everybody makes mistakes. Yes, you're right, looking at checksums gives you absolutely no security against omniscient adversaries with infinite resources. Luckily, real adversaries are not omniscient and have limited resources. Yes, you'll even miss some of the real adversaries. You'll also catch some. Probably a lot. Nothing is perfect. Deal with it.

    Fucking pompous amateurs.

    1. Re:"False" senses of security by Anonymous Coward · · Score: 2, Insightful

      He may be a second year student, but he's right. You don't check a potentially compromised system with itself! Mount the drive on a trusted system and check it there. This isn't even hard. If you suspect a breakin, schedule a half-hour of downtime and boot from a trusted CD, like Knoppix or the live filesystem that comes with Slackware, and check your HD from there. Simple!

    2. Re:"False" senses of security by yerricde · · Score: 2, Insightful

      If you suspect a breakin, schedule a half-hour of downtime and boot from a trusted CD, like Knoppix or the live filesystem that comes with Slackware, and check your HD from there.

      And if the BIOS is trojaned?

      --
      Will I retire or break 10K?
  12. Versions? by tconnors · · Score: 4, Insightful

    OK - debian seemed to have one version there - r5, whatever that is. How does it handle apt-get upgrades? If r5 is referring to something like stable, then even stable changes over time (contrary to what some people think ;-). So do they take the checksums from a machine that was just apt-get upgraded last night, or what? If they mean an actual yearly or half yearly release, who on this world does not apt-get upgrade when there is a security fix released? So your system sure as hell ain't going to match theirs.

    Then I can't imagine how you would be able to automate this, so it checks all the binaries in /bin /sbin, /usr/sbin etc - do they have some alternative to HTTP for their database?

    Doesn't seem overly useful to me....

  13. Re:Er, rpm -V? by Nicolas+MONNET · · Score: 3, Insightful

    Usually crackers don't think of altering the RPM database containing the MD5 hashes -- it's happened to me during a Bind compromise --, but there's nothing that would prevent them from doing so ... so you need an external database.

  14. Source distros! by PigleT · · Score: 3, Insightful

    "Doesn't seem overly useful to me...."

    Nor to me, for a different reason: what about those of us with CFLAGS= set to various strange funky optimizations in Gentoo? What about the Ports system in FreeBSD, similarly?

    This thing does not have the potential to spread to all distributions or all unixen.

    What about historical storage? Are they really proposing to store an md5sum for /bin/* /usr/bin/* for all packages for all distributions for all releases, or when do older things get purged?

    Seems mad to me. Would be better off staying with AIDE instead, IMO.

    --
    ~Tim
    --
    .|` Clouds cross the black moonlight,
    Rushing on down to the circle of the turn
  15. rpm = MD5 + GPG by Anonymous Coward · · Score: 1, Insightful

    That's why rpms are not only hashed but signed (unlike this database)

    Good luck faking the signature.