[168158] in North American Network Operators' Group


Re: verify currently running software on ram

daemon@ATHENA.MIT.EDU (Michael Costello)
Mon Jan 13 19:54:32 2014

Date: Mon, 13 Jan 2014 14:36:24 -0500
From: Michael Costello <m@expertknobtwiddlers.com>
To: nanog@nanog.org
In-Reply-To: <52D3BF3A.1040905@forthnet.gr>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 1/13/14 5:26 AM, Tassos Chatzithomaoglou wrote:
> I'm looking for ways to verify that the currently running software on
> our Cisco/Juniper boxes is the one that is also in the
> flash/hd/storage/etc. Something that will somehow compare the running
> software in ram with the software on flash/hd/storage/etc, so that i
> can verify that nobody has actually messed with the running software
> (by whatever means that's possible).
> 
> Besides the "install verify" command on IOS-XR (which i'm not 100%
> sure if it suits my needs), i haven't managed to find anything else.
> And the vendors say that indeed there is nothing more. All other
> options are about verifying the software file integrity before it
> gets loaded into ram.
> 
> Have you ever done such an exercise? Are there maybe any external
> tools (or services) that offer this capability?
> 

As Tassos said, there are no solutions from vendors.  There are,
however, some examples by third parties such as

  Defending Embedded Systems with Software Symbiotes
  http://ids.cs.columbia.edu/sites/default/files/paper_2.pdf

and

  Protecting Software Codes By Guards
  http://www.seas.gwu.edu/~simhaweb/security/summer2005/Atallah1.pdf

There are other efforts inside academia as well as companies attempting
to develop dynamic firmware attestation (full disclosure: I work for one
such company).

As Valdis and others have said, it's an insoluble problem with solutions
of varying degrees of efficacy and practicality.

-mc
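The "compare what is in RAM with what is on flash" check that the thread asks for, carried out on a Linux host where the pieces are inspectable, as an added example that is not code from this thread, from any vendor, or from the cited papers. It assumes a Linux kernel exposing /proc (the function returns None elsewhere), reads each executable file-backed mapping of a process through /proc/<pid>/mem, and hashes it against the same byte range of the file the mapping came from. The limitation Michael describes is visible in the design: the kernel serving /proc is itself part of what you are trying to verify, so this detects tampering below the kernel's honesty line only.

```python
"""Compare executable code mapped into a process with the file on disk it was
loaded from (host-side analogue of "running image vs flash"). Added example,
not code from the thread or from Cisco/Juniper; assumes Linux with /proc."""
import hashlib
import os
import re

# One line of /proc/<pid>/maps:  start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) \S+ \d+\s*(.*)$")


def parse_maps_line(line):
    """Return (start, end, perms, file_offset, path) or None for junk."""
    m = _MAPS_RE.match(line.strip())
    if m is None:
        return None
    start, end, perms, offset, path = m.groups()
    return int(start, 16), int(end, 16), perms, int(offset, 16), path.strip()


def executable_file_mappings(maps_text):
    """Keep only executable mappings backed by a regular file still on disk."""
    result = []
    for line in maps_text.splitlines():
        parsed = parse_maps_line(line)
        if parsed is None:
            continue
        start, end, perms, offset, path = parsed
        if "x" not in perms or not path.startswith("/"):
            continue                      # anonymous, [vdso], [stack], ...
        if path.endswith("(deleted)"):
            continue                      # file gone; nothing to compare with
        result.append((start, end, offset, path))
    return result


def compare_images(in_ram, on_disk):
    """Compare two byte images; report digests and the first differing offset."""
    if in_ram == on_disk:
        first_diff = None
    else:
        first_diff = next((i for i, (a, b) in enumerate(zip(in_ram, on_disk))
                           if a != b), min(len(in_ram), len(on_disk)))
    return {
        "matches": first_diff is None,
        "ram_sha256": hashlib.sha256(in_ram).hexdigest(),
        "disk_sha256": hashlib.sha256(on_disk).hexdigest(),
        "first_diff": first_diff,
    }


def _read_exact(fd, length, pos):
    """pread until `length` bytes are collected or the kernel returns EOF."""
    chunks, got = [], 0
    while got < length:
        chunk = os.pread(fd, length - got, pos + got)
        if not chunk:
            break
        chunks.append(chunk)
        got += len(chunk)
    return b"".join(chunks)


def verify_running_code(pid="self"):
    """Hash each executable file mapping in RAM and the same range on disk.

    Returns a list of per-mapping reports, or None when /proc is unavailable.
    Trust boundary: the kernel answering /proc reads is assumed honest."""
    try:
        with open(f"/proc/{pid}/maps") as f:
            maps_text = f.read()
        mem_fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    except OSError:
        return None                       # no /proc, or not permitted to read it
    report = []
    try:
        for start, end, offset, path in executable_file_mappings(maps_text):
            if not os.path.isfile(path):
                continue
            length = end - start
            in_ram = _read_exact(mem_fd, length, start)
            with open(path, "rb") as f:
                # the kernel zero-fills the tail of the last page beyond EOF
                on_disk = _read_exact(f.fileno(), length, offset).ljust(length, b"\0")
            entry = compare_images(in_ram, on_disk)
            entry["path"], entry["start"] = path, start
            report.append(entry)
    finally:
        os.close(mem_fd)
    return report


if __name__ == "__main__":
    rep = verify_running_code()
    if rep is None:
        print("no readable /proc here; nothing to compare")
    else:
        for e in rep:
            print("OK  " if e["matches"] else "DIFF", hex(e["start"]), e["path"])
```

Run it against any pid you can read (`verify_running_code("1234")` needs the same ptrace access as a debugger would). A "DIFF" line with a `first_diff` offset points at where the in-memory text departs from the file; a report in which everything matches says only that the kernel reported a consistent view, which is exactly as far as a self-check from inside the box can take you.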

