
BLU Discuss list archive



ZFS and block deduplication



> From: Tom Metro [mailto:tmetro-blu-5a1Jt6qxUNc at public.gmane.org]
> 
> I think the attack vector would be along the lines of an attacker
> identifying one or more blocks of a privileged executable, creating
> replacement blocks that have both malicious code and cause a hash
> collision. They write the blocks to disk, and after the executable
> restarts, they have control.

Yup, interesting.
It would be pretty difficult, however, because (a) identifying such an
exploitable collision is so difficult, and (b) whichever data got written to
disk first would be the copy that "wins."  Meaning - The attacker could not
look at an existing filesystem and then try to corrupt something that
already exists.  They would have to predict that an admin is going to
install something, find the corrupted version of something, get the
corrupted version onto disk first, and then get the admin to create what
they think is a non-corrupted thing.

Difficult, but certainly not impossible if verification is disabled.
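
The first-write-wins behaviour and the effect of verification discussed in this message, modelled as an added example (not part of the original post and not ZFS code). `DedupStore`, `weak_checksum`, `colliding_pair` and `demo` are hypothetical names; the checksum is deliberately truncated to 16 bits so that two constructed blocks collide, and verify mode is assumed to store a mismatching block separately.

```python
import hashlib
from itertools import count

def weak_checksum(block: bytes) -> bytes:
    # Constructed for the demo: SHA-256 truncated to 16 bits so that colliding
    # blocks turn up after a few hundred tries. Real dedup keys on the full digest.
    return hashlib.sha256(block).digest()[:2]

class DedupStore:
    """Toy model of a deduplicating block store keyed by checksum."""
    def __init__(self, verify: bool):
        self.verify = verify
        self.table = {}                      # checksum -> list of stored blocks
        self.dedup_hits = self.verify_mismatches = 0

    def write(self, block: bytes):
        key = weak_checksum(block)
        slots = self.table.setdefault(key, [])
        if slots:
            if not self.verify:
                self.dedup_hits += 1
                return (key, 0)              # checksum trusted: first-written copy wins
            for i, stored in enumerate(slots):
                if stored == block:          # byte-for-byte comparison
                    self.dedup_hits += 1
                    return (key, i)
            self.verify_mismatches += 1      # same checksum, different bytes: worth alerting on
        slots.append(block)
        return (key, len(slots) - 1)

    def read(self, ptr):
        return self.table[ptr[0]][ptr[1]]

def colliding_pair():
    """Return two different constructed blocks with the same weak checksum."""
    seen = {}
    for n in count():
        block = b"constructed block %d" % n
        key = weak_checksum(block)
        if key in seen:
            return seen[key], block
        seen[key] = block

def demo(verify: bool):
    """Write two colliding blocks; report whether the second reads back intact."""
    first, second = colliding_pair()
    store = DedupStore(verify)
    store.write(first)
    ptr = store.write(second)
    return store.read(ptr) == second, store
```

`demo(False)` shows the later writer silently getting the earlier block back; `demo(True)` shows the byte comparison catching the collision and keeping both blocks.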





