Re: Can't update running process binary in Solaris?



Eric Sosman <esosman@xxxxxxxxxxxxxxxxxxxx> writes:
> You may also run afoul of a feature of present-day Solaris:
> it can verify the digitally-signed checksum of an executable file
> or library before permitting it to run. The verification is
> optional, by default, but can be made mandatory for specific user
> accounts if the sysadmin is security-conscious. Usage of this
> feature does not seem to be widespread as yet, but as malware
> continues to spread it would not surprise me to find verification
> enabled at more and more sites. And since your self-modifying
> executable cannot maintain a constant checksum, you will find
> no customers, nor even any trial users, at those sites ...

In addition to that, there's pkgchk, bart, tripwire, and any number of
intrusion-detection systems. This modified binary will stand out like
a sore thumb if the administrator tries to verify that his system
hasn't been tampered with.

That's essentially what it sounds like the original poster will be
accomplishing -- making the system appear to have been tampered with.
Sane administrators will wipe the damaged binary from the system and
perhaps restore everything from backup at that point.

I'm sure the objection to this will be something like, "but our
documentation says that we do this!" So what? It doesn't scale.
Maybe I could put up with having one or two binaries on the system
that are known to mutate over time. I don't think I could stand it if
there were dozens or hundreds of them. Is this application really so
special that the user will never want to install another bit?

As with many schemes that appear to assume customers are crooks, it
sounds like a self-solving problem to me. ;-}

--
James Carlson, Solaris Networking <james.d.carlson@xxxxxxx>
Sun Microsystems / 1 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
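The point Eric and James are making is mechanical: an integrity checker records a digest per file at install time and reports anything whose digest later differs, so a binary that rewrites its own image is indistinguishable from a tampered one. The script below is an added example (not code from this thread, nor from bart, pkgchk or tripwire) of that baseline-and-compare loop in portable sh. It assumes sha256sum or shasum is on PATH; the tree it builds under mktemp and the file bin/app that "updates itself" are constructed stand-ins for the original poster's self-modifying executable.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal BART/tripwire-style
# file-integrity check. Assumes sha256sum or shasum is on PATH; the
# "bin/app" file it creates is a constructed stand-in for the
# self-modifying executable under discussion.
set -eu

# Print "<digest>  <path>" for one file with whichever SHA-256 tool exists.
digest_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1"
    else
        echo "digest_file: no SHA-256 tool found" >&2
        return 1
    fi
}

# make_manifest DIR: one "<digest>  <path>" line per regular file below
# DIR, paths relative to DIR, sorted bytewise so two manifests can be
# joined. (Paths containing whitespace are not handled; real BART also
# records mode, owner, size and mtime in its manifest.)
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        digest_file "$f"
      done )
}

# compare_manifest BASELINE CURRENT: print "changed|added|removed <path>"
# for every path whose digest differs between the two manifests.
# Exit status 1 if anything differs, 0 if the trees match.
compare_manifest() {
    b=$(mktemp); c=$(mktemp)
    awk '{print $2, $1}' "$1" | LC_ALL=C sort > "$b"   # "path digest"
    awk '{print $2, $1}' "$2" | LC_ALL=C sort > "$c"
    # Outer join on path; MISSING marks a path present in only one manifest.
    diffs=$(LC_ALL=C join -a 1 -a 2 -e MISSING -o 0,1.2,2.2 "$b" "$c" |
        awk '$2 != $3 {
                 if ($2 == "MISSING")      kind = "added"
                 else if ($3 == "MISSING") kind = "removed"
                 else                      kind = "changed"
                 print kind, $1
             }')
    rm -f "$b" "$c"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# demo: baseline a small constructed tree, let the binary "update itself"
# and add one ordinary file, then run the check. Prints the report.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/bin" "$work/tree/etc"
    printf 'original program image\n' > "$work/tree/bin/app"
    printf 'unchanged config\n'       > "$work/tree/etc/app.conf"
    make_manifest "$work/tree" > "$work/baseline"

    # The self-modifying executable rewrites its own file...
    printf 'program image with mutated state\n' > "$work/tree/bin/app"
    # ...and, for contrast, an ordinary install drops a new file.
    printf 'new file\n' > "$work/tree/etc/app.new"
    make_manifest "$work/tree" > "$work/current"

    compare_manifest "$work/baseline" "$work/current" || true
    rm -rf "$work"
}

demo
```

The report lists bin/app as "changed" on every run after the program has rewritten itself, which is exactly the signal an administrator running the tools named in the thread would see: on Solaris, `bart create -R /` produces the baseline manifest and `bart compare` the report, `pkgchk -p /path/to/file` checks one installed file against the package database, and `elfsign verify -e /path/to/file` checks the signature Eric describes. None of them can tell a legitimately mutating binary from a trojaned one, and that is the whole problem.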


