IOS Rookit: the sky isn't falling (yet)

• Previous message (by thread): IOS Rookit: the sky isn't falling (yet)
• Next message (by thread): IOS Rookit: the sky isn't falling (yet)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

goemon at anime.net wrote:
> On Tue, 27 May 2008, Valdis.Kletnieks at vt.edu wrote:
>> On Tue, 27 May 2008 11:24:19 MDT, Chris Grundemann said:
>>> Like MD5 File Validation? - "MD5 values are now made available on
>>> Cisco.com for all Cisco IOS software images for comparison against
>>> local system image values."
>> That does wonders for catching a corruption in the FTP that wasn't
>> caught
>> by the relatively weak TCP checksumming.
>> But if the attacker has the wherewithal to cause a modified file to be
>> downloaded (either by replacing it on the real server, or getting you to
>> visit a fake server), they can also present you with a webpage that
>> has an
>> MD5 hash that matches the modified file.
>> Now, if they provided a PGP signature of the file, done with a key
>> that I
>> have reason to trust, *that* raises the bar significantly...
>
> What you want is cisco hardware that verifies firmware signatures in
> hardware.
>
> -Dan
>
Why not TPM? Sign every binary on the device, encrypt & sign the
headers. The entire device runs in a hypervisor. Everything must be
approved by Cisco. Let's make routers even more blackboxish and require
vendor certification for every little thing. I don't know about you, but
I don't want layers of DRM and crap ontop of my router when I'm still
wondering about idiots leaving tftpds open. :-/


-- 
+1.925.202.9485
Sargun Dhillon
deCarta
sdhillon at decarta.com
www.decarta.com

• Previous message (by thread): IOS Rookit: the sky isn't falling (yet)
• Next message (by thread): IOS Rookit: the sky isn't falling (yet)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]