0

I'm trying to understand how file integrity monitoring works, and I feel like I'm missing something. From what I've read, cryptographic hashes of the files to be monitored are stored in a database. Then, periodically, the hashes for those files are recalculated and compared to check for changes. Here's my problem:

  • If the code to periodically check the current hashes is on the same server as the code we are checking, and the server is compromised, couldn't the attacker modify the integrity checker also? This seems like it would defeat the whole point.

  • If however, the checker is on another machine, you would have to transfer all of the files from the server to the checker machine to calculate the hashes. This could be very time consuming and bandwidth intensive.

What am I missing?

Update: I ran across an interesting idea along this vain. For a similar problem, someone suggested using rsync to compare hashes. I know this isn't what rsync what made for, but after some initial testing it seems to work (and it's really fast). Thoughts?

Community
  • 1
  • 1
Dominic P
  • 2,284
  • 2
  • 27
  • 46
  • In both scenorios the attacker could in theory recreate the original files. It makes no big difference to recreate a hash or a file before the transfer. It would just be very hard to do so, much harder than just attacking a machine. – 576i Aug 14 '13 at 21:15
  • You'd probably get better answers at http://security.stackexchange.com/ – Paul Rubel Aug 14 '13 at 21:16

1 Answers1

2

It depends upon the threat model. If the attacker doesn't know that you're checking hashes you're golden, any checking will work. If the attacker owns your system the only thing that may work is offline checking.

With respect to your first point, you're right that once a system is owned you can't trust it for anything, but you could take out the drive and compare the changes offline. You could use this to diagnose an attack. Additionally you could run from read-only media, like a DVD that was burned previously, it wouldn't stop all attacks, but again, depending upon the thread model would stop some.

Regarding the second point, if you trust the checksum calculator you could just move the hashes to the "checking machine". Note that a motivated attacker could give you "pristine" copies of the files to ship remotely while running the modified ones locally or even give the pristine copy to the local checker while running modified ones in all others cases, if they have enough privilege.

Paul Rubel
  • 26,632
  • 7
  • 60
  • 80