[There's a reason that Yoda is the unofficial mascot of SBS. Size indeed matters not.] Why aren't we? - THE OFFICIAL BLOG OF THE SBS DIVA
Wed, Oct 27 2004 22:04 bradley

Why aren't we?

So in the Encase class today we're discussion hashes and file signatures.  And we discuss how you can change the file name but you can't change the hash value.  So Gater.exe would still be identified as a bad program no matter what you renamed it.

So I'm chatting with Eric F and he brings up that much of this can be done with group policy.  So off to google I go to check and sure 'nuff, we can block this stuff like this.  So why aren't we?

The article “To create a hash rule” talks exactly how to do this in Software restriction policies.  Now granted it would probably be tough to do this, and might be easier to build the “here's the good program” database and just put in those programs that CAN be run, but why aren't we utilizing more of this power that we have already under the hood?

Like all the running around with our heads cut off we've been doing for the gdiplus.dll issue.  Couldn't we build a restriction policy to either allow only the good one to run or the bad one not to run?  Or am I oversimplifying this?

NIST has hash files that you can subscribe to along with other sources on the web.

I just think that as we go forward more of the “kewl” stuff like this will be more integrated and automated.

Filed under:

# re: Why aren't we?

Wednesday, October 27, 2004 10:43 PM by bradley

The problem is, you CAN change the program, and still have it come out to the same hash value through a hash collision. Sadly enough, they're relatively easy to do in MD5 (compared to SHA-256). And even worse, most people still use MD5 for hashing. I agree it's a good thing to use for the most part, just realize that it has fairly significant weaknesses.

# re: Why aren't we?

Wednesday, October 27, 2004 10:54 PM by bradley

Actually that's not true. While it's technically feasible to "craft" two files with the same hash values [as the researchers in China proved] the probability that you will "find" two identical md5 hash values on a computer are must more difficult. You have higher probability of finding two fingerprints of probably identical nature than two files of identical hashes.

All they've done is plant the seed of cross examination in attorneys.

# Cryptographic Verification of Binaries

Thursday, October 28, 2004 6:53 AM by TrackBack

I just read Susan Bradley's post asking why we don't use a program hashes to only allow desktop's to run certain binaries. This got me thinking about my friend and lab mate Yusuf's project, "Kernel-based Cryptographic Pre-execution Validation of
ELF

# re: Why aren't we?

Thursday, October 28, 2004 8:18 AM by bradley

Susan,

Never fear. Some people ARE working on confining application execute access on Windows, including file integrity checks against a hash. It just takes time to roll out.

:)

# re: Why aren't we?

Thursday, October 28, 2004 9:22 AM by bradley

I agree that the likelyhood of you finding two files (by accident) that hash to the same value are low, but people need to be aware that when they use hashes to define unwanted content that a single one byte change in the malware changes the hash, and if they use hashes to only allow certain content, then it becomes a less trivial issue (but still not impossible) to make a piece of malware hash to the same value as a legitimate piece of software.

# re: Why aren't we?

Thursday, October 28, 2004 10:05 AM by bradley

Agreed! :-)