MD5 Proven Ineffective for App Signatures 117
prostoalex writes "Marc Stevens, Arjen K. Lenstra, and Benne de Weger have released their paper 'Vulnerability of software integrity and code signing applications to chosen-prefix collisions for MD5'. It describes a reproducible attack on MD5 algorithms to fake software signatures. Researchers start off with two simplistic Windows applications — HelloWorld.exe and GoodbyeWorld.exe, and apply a known prefix attack that makes md5() signatures for both of the applications identical. Researchers point out: 'For abusing a chosen-prefix collision on a software integrity protection or a code signing scheme, the attacker should be able to manipulate the files before they are being hashed and/or signed. This may mean that the attacker needs insider access to the party operating the trusted software integrity protection or code signing process.'"
Well everyone's boned then (Score:4, Interesting)
An attack that requires insider access? Well colour me frightened!
Or don't. That's more accurate anyhow.
Re:Well everyone's boned then (Score:2, Interesting)
Re:Nothing new (Score:5, Interesting)
Ah yes, this again (Score:5, Interesting)
The relevant links are:
http://www.doxpara.com/research/md5/t1.html [doxpara.com]
http://www.doxpara.com/research/md5/t2.html [doxpara.com]
http://www.doxpara.com/research/md5/md5_someday.pdf [doxpara.com]
I'm pretty sure I talked about third party attestation in that paper.
A more interesting point was made to me just the other day, which is that there's always enough ambient entropy in any real world system to deviate between trusted and untrusted behavior. In other words, for a turing complete app, you *can't* create a meaningful hash, because you aren't capturing all bits that will drive the execution flow. So, getting code signed really doesn't assert anything other than a business relationship. App signatures don't actually work, for any arbitrarily good hash.
ONE block, surely (Score:3, Interesting)
what it really means .. (Score:3, Interesting)
Well, what it means is that an evil software megacorporation could publish a digitally signed app that could be replaced with another presumably nefarious prog later on
Re:Not a real life scenario...
Re:Nothing new (Score:4, Interesting)
Re:use two hash functions (Score:4, Interesting)
The problem as I see is that the harmless version can be released and gain trust. That version can be tested and inspected, even checking the binary wouldn't reveal malicious code because there wouldn't be any malicious code to find - no dodgy looking system calls, for example. Just a chunk of seemingly random data, which could be disguised as a lookup table, compressed image or whatever. At some later point, after the harmless version has gained trust, its use has become more widespread and the rate of downloads has increased correspondingly, it can be replaced by the malicious version. So while you could initially release a malicious version, being able to first release a harmless version can widen the impact of an attack.
Re:Nothing new (Score:3, Interesting)
For a pracical example:
1. Become a kernel contributor on some obscure driver.
2. Add a magic number somewhere, which is the good twin.
3. Wait for this to flow upstream to Linus, then downstream to all the distros.
4. Find a way to hack a mirror of your distro of choice
5. Replace the signed kernel with your trojaned kernel, that'll still be signed
6. Wait for people to install trojaned systems (enterprise systems!)
7. Profit (there is no ???)
Of course, this assumes you can use it knowing just the little magic bits. If you need to be the one compiling both good and evil using the exact same source, then it's very limited.