On 1/13/14 5:26 AM, Tassos Chatzithomaoglou wrote:
> I'm looking for ways to verify that the currently running software on
> our Cisco/Juniper boxes is the one that is also in the
> flash/hd/storage/etc. Something that will somehow compare the running
> software in RAM with the software on flash/hd/storage/etc, so that I
> can verify that nobody has actually messed with the running software
> (by whatever means that's possible).
>
> Besides the "install verify" command on IOS-XR (which I'm not 100%
> sure suits my needs), I haven't managed to find anything else.
> And the vendors say that indeed there is nothing more. All other
> options are about verifying the software file integrity before it
> gets loaded into RAM.
>
> Have you ever done such an exercise? Are there maybe any external
> tools (or services) that offer this capability?
>
As Tassos said, there are no solutions from vendors. There are, however, some examples by third parties, such as:

Defending Embedded Systems with Software Symbiotes
http://ids.cs.columbia.edu/sites/default/files/paper_2.pdf

Protecting Software Codes By Guards
http://www.seas.gwu.edu/~simhaweb/security/summer2005/Atallah1.pdf

There are other efforts inside academia as well as companies attempting to develop dynamic firmware attestation (full disclosure: I work for one such company).

As Valdis and others have said, it's an insoluble problem with solutions of varying degrees of efficacy and practicality.

-mc
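The comparison Tassos describes, a running image in RAM checked against the copy on flash, is not a single hash: only the regions that are supposed to stay identical after load (code, read-only data) can be compared, while writable data legitimately diverges, and the dump usually sits at a different offset than the file. The following added example (not from this thread, any vendor, or either cited paper) shows that region-table approach on constructed data. The region names, offsets, loader header size and sample bytes are all assumptions for illustration; in practice the hard part, which the thread is really about, is obtaining a memory dump you can trust from the same box you suspect.

```python
"""Region-by-region comparison of a stored firmware image against a memory dump.

Added example with constructed data. Assumes the operator has (a) the image file
read from flash, (b) a raw dump of the memory range it was loaded into, and
(c) a table saying which regions must be byte-identical after load.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Region:
    name: str
    file_offset: int   # where the region starts in the image on flash
    mem_offset: int    # where it starts in the memory dump
    size: int
    immutable: bool    # code/rodata must match; writable data will not


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def compare_regions(image: bytes, memory: bytes, regions: Iterable[Region]) -> Dict[str, str]:
    """Return a verdict per region: match, MISMATCH (with offset), mutable or TRUNCATED."""
    verdicts: Dict[str, str] = {}
    for r in regions:
        stored = image[r.file_offset:r.file_offset + r.size]
        running = memory[r.mem_offset:r.mem_offset + r.size]
        if len(stored) != r.size or len(running) != r.size:
            verdicts[r.name] = "TRUNCATED"          # dump or image shorter than the table claims
        elif not r.immutable:
            verdicts[r.name] = "mutable (not compared)"
        elif sha256_hex(stored) == sha256_hex(running):
            verdicts[r.name] = "match"
        else:
            verdicts[r.name] = f"MISMATCH at +0x{first_difference(stored, running):x}"
    return verdicts


def image_is_intact(verdicts: Dict[str, str]) -> bool:
    """True only if every immutable region matched and nothing was truncated."""
    return all(v in ("match", "mutable (not compared)") for v in verdicts.values())


# --- constructed sample image (not a real firmware layout) -------------------
TEXT = bytes((i * 37) & 0xFF for i in range(1024))          # stand-in for code
RODATA = b"constructed-banner-string".ljust(64, b"\0")       # stand-in for read-only data
DATA = bytes(64)                                             # writable data, zero on flash
IMAGE = TEXT + RODATA + DATA
LOADER_HEADER = 32   # assumed: loader prepends 32 bytes, so memory offsets are shifted

REGIONS = [
    Region(".text", 0, LOADER_HEADER, len(TEXT), immutable=True),
    Region(".rodata", len(TEXT), LOADER_HEADER + len(TEXT), len(RODATA), immutable=True),
    Region(".data", len(TEXT) + len(RODATA), LOADER_HEADER + len(TEXT) + len(RODATA),
           len(DATA), immutable=False),
]


def build_memory_dump(image: bytes, tamper_text_at: Optional[int] = None) -> bytes:
    """Simulate what a dump of the loaded image looks like.

    Writable data changes at runtime (expected); optionally flip one bit in the
    code region so the detection path can be exercised.
    """
    mem = bytearray(b"\xAA" * LOADER_HEADER + image)
    data_start = LOADER_HEADER + len(TEXT) + len(RODATA)
    mem[data_start:data_start + 8] = b"\x00\x00\x01\x2c\xde\xad\xbe\xef"  # runtime counters
    if tamper_text_at is not None:
        mem[LOADER_HEADER + tamper_text_at] ^= 0x01
    return bytes(mem)


if __name__ == "__main__":
    for label, dump in (("clean", build_memory_dump(IMAGE)),
                        ("modified", build_memory_dump(IMAGE, tamper_text_at=0x200))):
        verdicts = compare_regions(IMAGE, dump, REGIONS)
        print(label, "intact" if image_is_intact(verdicts) else "NOT intact", verdicts)
```

The verdict table is deliberately conservative: a truncated dump is a failure, not a pass, and the writable region is reported rather than silently skipped, so a reviewer can see what was and was not covered by the check.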