The “Tripwire” system calculates all the hashes for all executable files on a clean computer and then compares the hashes with the actual files, when the machine is scanned, to ensure nothing has changed and no malware is hiding as legitimate programs.
1) What kinds of attacks will not be detectable by such a scheme?
2) What attack will render the above strategy useless (i.e., the scan will not find infected files even if they exist)?
Solution
The near-ubiquitous UNIX system is an example of a file system where such monitoring is useful. Flaws and weaknesses in typical UNIX systems are well-documented (e.g., [8, 25, 19, 4, 9]). UNIX file systems are susceptible to threats in the guise of unauthorized users, intruders, viruses, worms, and logic bombs, as well as failures and bugs. As such, UNIX system administrators are faced with the prospect of subtle, difficult-to-detect damage to files, both malicious and accidental.
Tripwire is an integrity checking tool designed for the UNIX environment to aid system administrators in monitoring their file systems for unauthorized modifications. First made available on November 2, 1992, it has proven to be a popular tool, being portable, configurable, scalable, flexible, manageable, automatable, and secure. It was written in response to repeated break-in activity on the Internet, and the difficulty experienced by affected administrators in finding all of the “backdoors” left by the intruders.
To aid in the detection of the appropriate threats, system administrators would use an integrity checker to monitor file systems for added, deleted, and changed files. Meaningfully reporting changed files is difficult, because most files are expected to change: system log files are written to, program sources are updated, and documents are revised. Typically, these changes would not concern system administrators. However, changes to certain files, such as system binaries, might elicit a different reaction.
The database used by the integrity checker should be protected from unauthorized modifications; an intruder who can change the database can subvert the entire integrity checking scheme. Although the system administrator can secure the database by storing it on some media inaccessible to remote intruders (e.g., a paper printout), usability is sacrificed. A database stored in some machine-readable format may risk unauthorized modification, but allows the integrity checking process to be automated. Storing the database on read-only media provides the best of both approaches, allowing machine access but preventing changes.
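As an added illustration of the scheme described above (not Tripwire's own code), the following builds a hash baseline of a directory tree, reports added, removed and changed files on a later scan, and refuses to report at all if the baseline database itself fails its integrity check. The SHA-256 digest and the HMAC over the database under an operator-held key are assumptions made here; the key stands in for the read-only media the text recommends.

```python
import hashlib
import hmac
import json
import os
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(root: Path) -> dict:
    """Map each regular file under root (relative path) to its hash; symlinks are skipped."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                entries[str(p.relative_to(root))] = hash_file(p)
    return entries

def seal(entries: dict, key: bytes) -> dict:
    """Assumed design: HMAC the baseline under a key the intruder lacks, so edits to the database are detectable."""
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def seal_ok(baseline: dict, key: bytes) -> bool:
    body = json.dumps(baseline["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(baseline["mac"], expected)

def diff(baseline_entries: dict, current: dict) -> dict:
    """Report files added, removed or changed since the baseline was taken."""
    old, new = set(baseline_entries), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline_entries[p] != current[p]),
    }

def check(root: Path, baseline: dict, key: bytes) -> dict:
    """Refuse to trust a baseline whose seal fails; otherwise compare it with a fresh scan."""
    if not seal_ok(baseline, key):
        raise ValueError("baseline database has been altered; a report would be meaningless")
    return diff(baseline["entries"], scan(root))
```

Note that a scan only ever answers "does this file match the baseline"; it says nothing about a file that was already infected when the baseline was taken, nor about code that never touches the file system.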
Most available UNIX security tools fall into two categories: static audit tools and integrity checkers. Among the most prominent are COPS [8], TAMU [22], crc check [8], Hobgoblin [15], and ATP [28]. A few commercial security tools also exist, but they are comparable to the user-community tools mentioned here. While many of these tools may be outstanding in their own right, most are mismatches for integrity checking in UNIX environments.
