Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
How to validate a Save file?
Page 1 of 1 [5 Posts]  
rufwoof


Joined: 24 Feb 2014
Posts: 3183

PostPosted: Tue 14 May 2019, 07:05    Post subject:  How to validate a Save file?  

For a save file (a file filesystem), each time you reboot, even without saving, the content of that file changes. At least that is the case for Fatdog 800.

As part of bootup I validate the mbr (dd the first 512 bytes from the partition grub4dos is installed on, and compare that to a pre-recorded version), grldr, vmlinuz, menu.lst and fd64.sfs, using either comparisons to known versions' md5sums (for the larger files), or simple comparison to backup copies of those files (for the smaller files). That way any tampering (intrusion detection) gets flagged at bootup (I run the intrusion detection script in ~/Startup).

A changing save file however is more involved. Ultimately I'll be recording an md5sum for that; however, in the interim, so far my code looks like ...

Code:
# compare only partially: ls -laR lines with a ninth field, i.e. actual entries,
# excluding . and .. (current directory and parent directory pointers)
# and we don't look at timestamp/date (fields 6/7/8), only permissions, link count,
# owner, group, size and filename. We do pick up if files have been removed or added.
mkdir /tmp/a /tmp/b
mount fd64save.ext3 /tmp/a
mount fd64save.ext3.bak /tmp/b
ls -laR /tmp/a | awk '{if(($9)&&($9!=".")&&($9!="..")){print $0}}' | awk '{print $1, $2, $3, $4, $5, $9}' | sort >/tmp/a.lst
ls -laR /tmp/b | awk '{if(($9)&&($9!=".")&&($9!="..")){print $0}}' | awk '{print $1, $2, $3, $4, $5, $9}' | sort >/tmp/b.lst
D=`diff /tmp/a.lst /tmp/b.lst`
if [ ! -z "$D" ]; then
   echo warning fd64save.ext3 suspect
   OK=0   # overall boot-check status flag, set to 1 earlier in the ~/Startup script
fi
rm /tmp/a.lst /tmp/b.lst
umount /tmp/a /tmp/b
rmdir /tmp/a /tmp/b

i.e. I'm comparing mostly (not fully) as being comparable, comparing a backup copy of the fdsave.ext3 file (save area file filesystem) to the one being booted/loaded, in a manner such that the two reasonably extensive comparisons do fully compare.

My question is, is there another easier way that others might be using or might suggest? i.e. how do others go about validating a save file as having been unchanged/the-same, when the save file changes even if you don't save during a session.

TIA.

_________________
( ͡° ͜ʖ ͡°) :wq

Last edited by rufwoof on Tue 14 May 2019, 14:47; edited 1 time in total
s243a

Joined: 02 Sep 2014
Posts: 1909

PostPosted: Tue 14 May 2019, 10:20    Post subject:  

You could store the checksum of each file (e.g. sha256). This would take less space but would take longer. I would also compare the file size.
_________________
Find me on minds and on pearltrees.
rufwoof


Joined: 24 Feb 2014
Posts: 3183

PostPosted: Tue 14 May 2019, 14:46    Post subject:  

Thanks s243a. Something like mtree, checking each file's checksum, is relatively slow. OK for small sized save file contents but much less so for larger saves.

ls -la and omitting the 6/7/8th fields does include a check against the permissions, owner, group, size and name for each file, and runs through checking all of the files in the save file, along with checking the mbr, grldr, menu.lst, vmlinuz and fd64.sfs in around 10 seconds total time, which is around the longest delay I would like before advising that the booted system looks OK (continuing). Better than nowt, not as extensive a test as it could be with respect to checking the fd64save.ext3 (savefile). Thinking along the lines of additionally including a checksum type test, perhaps separately/backgrounded, along the lines of mtree being set to run against all bin, sbin and lib folders (plus /etc) in the booted system. Combined, that would equate to the save file's content having been validated reasonably enough IMO.

More a case of thinking through possible alternatives - that might already be out-there. If for instance a remote cracker with root access to a session mounted the save-file and injected/changed things in that then their crack would remain persistent into future reboots that used the save file/folder layer. Encryption/lock of the save-file barrier (having to enter a password when booting) blocks that, but has the backdoor wide open (booted internet facing system/browser that could record changes in the ram based save area, that would get saved if a save were made during that session).

Frugal booting using HDD is a nice/simple way to go, however I guess the better practice is to usb boot (mbr, grldr, vmlinuz, fd64.sfs on usb) where that usb is removed once booted, only reattaching when a save is to be made and only saving after having booted a 'clean' session, making the changes and saving those (otherwise just shutting down without the usb and without saving changes), and where the HDD based save file is encrypted. Which mitigates the need for the above/earlier validations. More a case of looking for how similar protections might be applied when using different arrangements to that (such as booting when everything is on HDD (no usb being used)).

_________________
( ͡° ͜ʖ ͡°) :wq
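One way to combine the metadata comparison from the first post with the per-file sha256 s243a suggested: build a manifest (mode, owner, group, size, hash, path) of the mounted save file once from a known-good copy, then diff the live tree against it at boot. This is an added example, not code from the thread or from Fatdog; it assumes GNU or busybox stat/sha256sum/find and that the save file is already mounted at the directory you pass in (the function and file names are made up here).

```shell
#!/bin/sh
# Manifest-based validation of a mounted save-file tree (added example).
# Each line: mode owner group size sha256 path. sha256 is "-" for directories
# and symlinks, so those are still checked by mode/owner/group/size like the
# ls -laR comparison, while regular files also get a content hash, which catches
# a same-size rewrite that a size-only check would miss.
manifest() {
    root="$1"
    ( cd "$root" || exit 1
      find . -mindepth 1 \( -type f -o -type d -o -type l \) -print | sort |
      while IFS= read -r p; do
          meta=$(stat -c '%A %U %G %s' "$p")   # GNU/busybox stat; does not follow links
          if [ -f "$p" ] && [ ! -L "$p" ]; then
              sum=$(sha256sum "$p" | cut -d' ' -f1)
          else
              sum=-
          fi
          printf '%s %s %s\n' "$meta" "$sum" "$p"
      done )
}

# Compare the live tree at $1 with the stored baseline manifest $2.
# Prints the differing manifest lines; returns 0 if identical, 1 if anything
# was added, removed, re-owned, re-permissioned, resized or rewritten.
check_tree() {
    root="$1"; baseline="$2"; live="$baseline.live"
    manifest "$root" > "$live"
    if diff "$baseline" "$live"; then
        rm -f "$live"; return 0
    fi
    rm -f "$live"; return 1
}

# Usage: savecheck.sh init|check <mounted-save-dir> <baseline-file>
case "$1" in
    init)  manifest "$2" > "$3" ;;
    check) check_tree "$2" "$3" || { echo "warning: $2 suspect"; exit 1; } ;;
esac
```

Keep the baseline manifest somewhere the booted session cannot write (the removable boot media discussed later in this thread, for example), otherwise whoever can alter the save file can also refresh the baseline.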
musher0

Joined: 04 Jan 2009
Posts: 14194
Location: Gatineau (Qc), Canada

PostPosted: Tue 04 Jun 2019, 15:44    Post subject:  

Why would one do this?
_________________
musher0
~~~~~~~~~~
Je suis né pour aimer et non pas pour haïr. (Sophocle) /
I was born to love and not to hate. (Sophocles)
rufwoof


Joined: 24 Feb 2014
Posts: 3183

PostPosted: Tue 04 Jun 2019, 16:42    Post subject:  

Quote:
Why would one do this?

I now store my save files (multi-session) on the boot usb ... that I disconnect after booting. So no in session cracking of the mbr, grldr, vmlinuz ...etc. including the save files.

Otherwise (to reiterate) a cracked session ... mount a save file and insert/change as a cracker may desire and umount ... and the crack remains persistent across reboots.

_________________
( ͡° ͜ʖ ͡°) :wq