Heinz Diehl wrote:
> ..which is not true, of course. I can e.g. have a copy of the boot
> sector/MBR on a memory stick, together with a checksum file of /boot.
> Copying the first 512 bytes and checking it against the checksum of the
> known good bootsector on the memory stick will detect any manipulation immediately.
> A simple "dd if=mbr_copy of=/dev/sda bs=512 count=1" will cure the problem.
If the integrity of the system is compromised this won't help.
What if the trojan itself did a "dd if=/dev/sda of=hidden_mbr_copy ..."
and redirected all future read access to the original MBR to this backup
file?
The same would be true for manipulated kernels. They could keep the
original kernel image in a hidden file and redirect all system calls
aimed at the manipulated image to this good image.
Alternatively they could simply manipulate md5sum, sha1sum or whatever
and add logic like:
    if filename == name of corrupted kernel
        print md5 of good kernel
    else
        print true md5
Only booting from a trustworthy medium would help, and the same is true
in the case of TrueCrypt.
Marc
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
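The following is an added example, not code from the dm-crypt project or from either poster. It implements the check Heinz describes (hash the first 512 bytes of the device against a digest kept on trusted media, restore with the equivalent of the dd command) and then models Marc's objection: a trojan that answers reads of /dev/sda from a hidden copy of the original MBR makes the same check pass on the infected system. The disk is a constructed 8-sector image file, the "boot code" is filler rather than a real boot sector, and the injectable `reader` parameter, `redirecting_reader` and `demo` are assumptions made for the illustration; SHA-256 is used in place of md5sum.

```python
"""Verify and restore an MBR against a known-good copy held on trusted media.

Added example for the thread above (not dm-crypt code).  The disk image,
the filler boot code and the trojan model are all constructed here so the
script runs offline against a temporary file instead of /dev/sda.
"""
import hashlib
import os
import tempfile

MBR_SIZE = 512  # one sector: 446 bytes boot code + 64-byte partition table + 0x55AA


def read_mbr(path):
    """Read the first sector of a block device or disk image."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_mbr(path, known_good_digest, reader=read_mbr):
    """Compare the live first sector with the digest stored on the memory stick.

    `reader` is injectable (an assumption of this example) so the trojan
    scenario can be shown; a real run from a clean boot medium uses read_mbr.
    """
    return sha256_hex(reader(path)) == known_good_digest


def restore_mbr(path, good_mbr):
    """Write the known-good sector back: dd if=mbr_copy of=/dev/sda bs=512 count=1."""
    if len(good_mbr) != MBR_SIZE:
        raise ValueError("MBR copy must be exactly 512 bytes")
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(good_mbr)
        f.flush()
        os.fsync(f.fileno())


def build_good_mbr():
    """Constructed sample sector (not real boot code): filler, empty partition
    table and the 0x55AA boot signature."""
    boot_code = bytes([0xFA, 0x31, 0xC0]) + b"\x90" * (446 - 3)
    partition_table = b"\x00" * 64
    return boot_code + partition_table + b"\x55\xAA"


def redirecting_reader(device_path, hidden_copy_path):
    """Model of the trojan Marc describes: every read of the real device is
    answered from the hidden copy of the original MBR, so an on-system
    checker sees the clean sector no matter what is on disk."""
    def reader(path):
        if path == device_path:
            return read_mbr(hidden_copy_path)
        return read_mbr(path)
    return reader


def demo():
    """Run the whole scenario on a constructed image; returns the outcomes."""
    good = build_good_mbr()
    good_digest = sha256_hex(good)  # this is what lives on the memory stick
    with tempfile.TemporaryDirectory() as d:
        disk = os.path.join(d, "disk.img")
        hidden = os.path.join(d, "hidden_mbr_copy")
        with open(disk, "wb") as f:
            f.write(good + b"\x00" * (MBR_SIZE * 7))  # 8-sector constructed image

        clean = check_mbr(disk, good_digest)

        # Attacker: stash the original sector, then patch the boot code.
        with open(hidden, "wb") as f:
            f.write(good)
        with open(disk, "r+b") as f:
            f.seek(0)
            f.write(b"\xEB\xFE")  # "jmp $", a constructed stand-in for a bootkit stub

        # Checked from a trusted boot medium, the raw sector no longer matches.
        detected_from_trusted_boot = not check_mbr(disk, good_digest)
        # Checked on the infected system, the redirected read hides the change.
        fooled_on_infected_system = check_mbr(
            disk, good_digest, reader=redirecting_reader(disk, hidden))

        restore_mbr(disk, good)
        repaired = check_mbr(disk, good_digest)

    return {
        "clean": clean,
        "detected_from_trusted_boot": detected_from_trusted_boot,
        "fooled_on_infected_system": fooled_on_infected_system,
        "repaired": repaired,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the injectable reader is the one Marc makes: the check is only as trustworthy as the code path that reads the sector and hashes it, so the digest on the stick helps only when the reader, the hash tool and the kernel they run on are booted from that stick too.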