-2

This is a sort of security-related thought experiment. In a (slightly odd) conversation I recently had, we got to discussing ways that a file could be kept the same, even when malicious users attempt to edit it. For the purpose of this discussion, we can assume that the "attacker"'s access to the file cannot be restricted, and the file cannot be made read-only. One idea that was suggested was to have a program continually overwriting the values. This raised the question of what stops the attacker from altering those programs, which led to a suggestion that I'd like to analyse a little.

The idea is to have a few copies of a program running. Each program contains the desired file in its source code, along with a checksum of itself (including the file) so that in theory, it can detect modifications to itself or to another copy of itself. The program exists in several locations on disk. The program checks itself against the checksum, and terminates if there's a mismatch. It then seeks out one of the other versions, checks its values and checksum, and if any one of them is wrong, it terminates that program and overwrites it with a copy of itself. It then counts the number of program instances running, and if it's too small, it writes another copy to disk, and runs it. Meanwhile, another instance of the program is doing the same to this instance, while another does the same to that instance, and so on. The idea is that if the file is small, the program can be small, and this will all happen relatively quickly, so the chance that an attacker will be able to successfully modify all copies, in memory and on disk, simultaneously, before the mesh of programs detects and overwrites the edits, is very small. (For the purpose of this discussion, for various reasons the attacker cannot terminate the programs.)

Is there any way to change that file if you only have access to the disk? Say it's a shared drive, so you can access files on the disk (including the file we're trying to protect and the binaries of the programs doing the protecting) but you can't access the machine's RAM and you can't run or stop programs running on that machine (although you can run whatever you like on your own machine). Is there a way to alter that file so that a program reading it will reliably get the values you inserted and not the original ones?

anaximander
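
An added example, not part of the original post: one pass of the "program continually overwriting the values" idea in Python, with the file content and all names (`DESIRED`, `guard_once`, `trusted_read`, `shared.cfg`) constructed for illustration. It shows that a periodic restore leaves an interval in which an unchecked reader gets the edited content, while a reader that verifies the digest itself does not.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample content; the digest plays the role of the embedded checksum.
DESIRED = b"power_level=1\nowner=alice\n"
DESIRED_SHA256 = hashlib.sha256(DESIRED).hexdigest()

def matches(data):
    """True if data hashes to the embedded digest."""
    return hashlib.sha256(data).hexdigest() == DESIRED_SHA256

def guard_once(path):
    """One pass of the overwriting program; returns True if it restored."""
    path = Path(path)
    if path.is_file() and matches(path.read_bytes()):
        return False
    # Write a temp file in the same directory, then rename it over the
    # target, so a reader never observes a half-written restore.
    fd, tmp = tempfile.mkstemp(dir=path.parent)
    with os.fdopen(fd, "wb") as fh:
        fh.write(DESIRED)
    os.replace(tmp, path)
    return True

def trusted_read(path):
    """Reader-side check: return the content only if it matches the digest."""
    data = Path(path).read_bytes()
    if not matches(data):
        raise ValueError("file does not match the expected digest")
    return data

def demo():
    """Constructed run: an edit lands between two guard passes."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "shared.cfg"
        guard_once(path)                          # first pass creates the file
        path.write_bytes(b"power_level=9000\n")   # edit by another user
        naive = path.read_bytes()                 # unchecked reader sees the edit
        try:
            trusted_read(path)
            rejected = False
        except ValueError:
            rejected = True                       # checking reader refuses it
        restored = guard_once(path)               # next pass puts it back
        return naive, rejected, restored, trusted_read(path)

if __name__ == "__main__":
    print(demo())
```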

1 Answer

2

What you are describing looks like malware. Programs which try to stay there and rewrite themselves to "fix" alterations by the rightful owner are normally considered a nuisance. Virus cleaning software goes to great lengths to eradicate such outbreaks.

Thomas Pornin
  • Yeah, I thought that. I realise that you have absolutely no reason to trust a random stranger on the internet, but I'm not intending to write malware. This was a question raised by [a book we just read](http://www.amazon.co.uk/Off-Be-Wizard-ebook/dp/B00BZP19A4) in which there's a file that multiple people are editing so that a program reading that file (which they can't access directly) will do things. (Namely, manipulate reality and give them magical powers... it's a slightly silly book. In a good way.) The question is whether one person could do something that the others couldn't undo. – anaximander Aug 28 '13 at 15:52