Open Source Software File Integrity

Do you check file integrity when you download open source software? This is normally accomplished by the software developer providing MD5 sums for the files. An MD5 sum is a digest computed from the contents of the chosen file. Because the developer provides this digest, you can verify the integrity of the file by computing the digest on your own system and comparing it against the sum that was downloaded with the file. Many developers have recently started including GPG-signed sums, which is even better: the signature prevents an attacker from creating fake sum files in the event that the system that contains the software and sum files is compromised.

The reason I bring this up is that a popular open source application was recently compromised. An attacker was able to access a server that contained the downloadable distribution and changed some of the files to contain malicious code that could be exploited remotely. The altered files were found by a user who had downloaded the files and found a discrepancy in the sums, potentially saving many others who had downloaded the altered software.

Doing this may sound like an inconvenience, but it is really easy to do, and helps ensure that you are getting software that was not tampered with. To do your part, you just need to acquire an MD5 digest generating program. Many distributions of Linux include one, and you can download them for virtually any OS. You could even create one, if you want. Now you just need to run the MD5 generating program against the files you downloaded. Compare your output against the MD5 sum provided by the developer.

If you have GPG and the developer provides signed MD5 sums, you can check that the MD5 sums were actually created by the developer.
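The comparison step described above, written out as an added example (not code from the original post): it reads an md5sum-style sums file and reports, for each listed file, whether the digest matches, differs, or the file is absent. The function names, file names and sample contents are constructed for illustration, and the sums text is assumed to have already passed the GPG check where the developer signs it.

```python
import hashlib
import os
import tempfile


def md5_of(path, chunk_size=65536):
    """Hex MD5 digest of a file, read in chunks so large downloads fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_sums(sums_text, base_dir):
    """Check files under base_dir against md5sum-style lines ('<hex>  <name>')."""
    results = {}
    for line in sums_text.splitlines():
        if not line.strip():
            continue
        expected, _, name = line.partition(" ")
        name = name[1:] if name[:1] in (" ", "*") else name  # '*' marks binary mode
        expected = expected.lower()
        if len(expected) != 32 or not all(c in "0123456789abcdef" for c in expected) or not name:
            results[line] = "BAD LINE"  # malformed entry: never treat it as a pass
            continue
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif md5_of(path) == expected:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed sample: two files, one altered after the sums were published."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {"app-1.0.tar.gz": b"release contents\n", "README": b"read me\n"}
        for name, data in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        sums = "".join(f"{md5_of(os.path.join(tmp, n))}  {n}\n" for n in files)
        sums += "d41d8cd98f00b204e9800998ecf8427e  CHANGES\n"  # listed, not downloaded
        with open(os.path.join(tmp, "app-1.0.tar.gz"), "ab") as fh:
            fh.write(b"injected\n")  # simulate the file being altered on the server
        return verify_sums(sums, tmp)
```

Anything other than "OK" for every listed file means the download should not be installed.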

A new threat

A new threat in software has established itself in the last year. That threat is vulnerabilities in device drivers. Historically, security and drivers never had much in common. It appears that this line of thinking is going to cause some severe headaches in the near future.

Just a few days ago it was announced that a severe vulnerability was identified in Broadcom’s wireless drivers. There’s a buffer overflow condition in the SSID handler. Potentially somebody driving around broadcasting a malicious SSID could compromise your machine by just sitting there waiting for your computer to pick it up. It is claimed that there is a reliable exploit for this already; fortunately, it hasn’t been made public yet. If this does become public, it could be very dangerous. It’s a kernel-level exploit, which means it’s going to bypass any anti-virus measures on the computer. Broadcom was notified of the problem and they updated their driver, but issued no security warning. So far, it doesn’t appear that any vendors that use Broadcom chipsets have updated their corresponding drivers.

This isn’t the first occurrence of such a vulnerability. You may remember the Centrino vulnerabilities earlier this year; vulnerabilities were also identified in Apple’s wifi drivers, and recently in Nvidia’s video drivers for Linux, among others.

It’s time for hardware manufacturers to start thinking about security, and taking responsibility for any security issues just as every other software developer has to. It’s unfortunate this was not already the case, and it may be too late.