On a Google chrome device, has anyone tried to manually verify chrome os kernels and filesystems AFTER booting, from the command line? (Wondering what commands one would run to do that...)If the box is rooted obviously such checks can't be trusted, but still... the root kit would have to make sure to cover those tracks and I'm wondering if that might not be so easy? Maybe one could even have some few scripts/binaries on a USB thumb drive to run that one can trust, in combination with the read only firmware that one can check against, post boot in dev-mode?The gist: run stock Chrome OS on a chrome device in dev-mode (getting command line access), and still do some kernel/root fs verification yourself (since it's not done during the boot sequence). Best of both worlds ("verified dev-mode").
I ask because (1) I'm curious to explore more what is happening during verified boot and what might be possible on non-Google hardware, but also (2) as a use case.
2012/10/24 Trever <trr...@gmail.com>
On a Google chrome device, has anyone tried to manually verify chrome os kernels and filesystems AFTER booting, from the command line? (Wondering what commands one would run to do that...)If the box is rooted obviously such checks can't be trusted, but still... the root kit would have to make sure to cover those tracks and I'm wondering if that might not be so easy? Maybe one could even have some few scripts/binaries on a USB thumb drive to run that one can trust, in combination with the read only firmware that one can check against, post boot in dev-mode?The gist: run stock Chrome OS on a chrome device in dev-mode (getting command line access), and still do some kernel/root fs verification yourself (since it's not done during the boot sequence). Best of both worlds ("verified dev-mode").Actually, by default when you enable developer mode, you still get a read-only rootfs with verification. You can turn that off by using make_dev_ssd, but it requires an extra step.
On Wed, Oct 24, 2012 at 7:00 PM, Olof Johansson <ol...@chromium.org> wrote:2012/10/24 Trever <trr...@gmail.com>
On a Google chrome device, has anyone tried to manually verify chrome os kernels and filesystems AFTER booting, from the command line? (Wondering what commands one would run to do that...)If the box is rooted obviously such checks can't be trusted, but still... the root kit would have to make sure to cover those tracks and I'm wondering if that might not be so easy? Maybe one could even have some few scripts/binaries on a USB thumb drive to run that one can trust, in combination with the read only firmware that one can check against, post boot in dev-mode?The gist: run stock Chrome OS on a chrome device in dev-mode (getting command line access), and still do some kernel/root fs verification yourself (since it's not done during the boot sequence). Best of both worlds ("verified dev-mode").Actually, by default when you enable developer mode, you still get a read-only rootfs with verification. You can turn that off by using make_dev_ssd, but it requires an extra step.and to the point of malicious software, you need to reboot the system after running `make_dev_ssd` before the kernel will allow you to mount the rootfs in write mode. once verity mode kicks in, you can't go back.of course, this doesn't stop code from modifying the partition directly via /dev/. the kernel will probably crash or throw errors when encountering out of sync behavior, and at next boot (if verity is still on), the modification will be detected.
I'm a bit puzzled.Chrome device documentation states: "The developer switch enables the command line shell and deactivates part of the verified boot process."Which part of the verified boot process is deactivated?
--
Chromium OS discuss mailing list: chromium-...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-os-discuss?hl=en
With the kernel/fs signatures and the read only key burned in the firmware, it would be cool to see if you could still (post boot) detect root kits and such with the same level of assurance as stock verified boot gives you. (Whatever assurance that is.) The Chrome device "infrastructure" seems like it would make possible a USB drive with tools that a root kit couldn't fool, etc.. Where I started with this thread.
I personally like turning off the verified boot so that I have the stock Chrome OS but also with the shell. Because stock Chrome OS has pretty much what I need (find, ls, mv, cp, sed, awk, curl, vim, etc..). I don't need to hobby up my own distro (UGH!), just need the stock shell (and Chrome OS browser land). Allows me eg. to move eon's of ASCII documentation to my chromebox and use my converter (ascii2gocs) over time to put everything in the Google cloud at my leisure, while still being on the chrome device and having the relative security of that. Whatever. But it's a bit of a whince to lose the verified boot.
On Wed, Oct 31, 2012 at 11:49 PM, Trever <trr...@gmail.com> wrote:
With the kernel/fs signatures and the read only key burned in the firmware, it would be cool to see if you could still (post boot) detect root kits and such with the same level of assurance as stock verified boot gives you. (Whatever assurance that is.) The Chrome device "infrastructure" seems like it would make possible a USB drive with tools that a root kit couldn't fool, etc.. Where I started with this thread.Once you've booted, you can't tell if a root kit was used to boot the system (or has subsequently been installed by someone at your root shell when you weren't looking). Crossystem gets its information through kernel calls, so a rootkit kernel can simply lie.I personally like turning off the verified boot so that I have the stock Chrome OS but also with the shell. Because stock Chrome OS has pretty much what I need (find, ls, mv, cp, sed, awk, curl, vim, etc..). I don't need to hobby up my own distro (UGH!), just need the stock shell (and Chrome OS browser land). Allows me eg. to move eon's of ASCII documentation to my chromebox and use my converter (ascii2gocs) over time to put everything in the Google cloud at my leisure, while still being on the chrome device and having the relative security of that. Whatever. But it's a bit of a whince to lose the verified boot.If that's all you need, you can do the following:1) Turn the dev switch on2) Set a root password3) From a root shell, run:
crossystem dev_boot_usb=0 dev_boot_signed_only=1The firmware will then boot only Google-signed images (full verified boot), and only from the SSD, but you'll still have your root shell.
On Nov 1, 2012, at 10:53 AM, Trever wrote:
> THERE! Thank you!!! Awesome.
>
> (Re root kits... there are tools on other OS's that reputable security people do trust to do a pretty good job of detecting if your box is rooted... but I hear what you're saying. In theory, once you're root kitted, all bets are off. But in practice?….)
>
In practice, it's at least as hard to break into a Chrome OS system as
any stock Linux system, and the tools for detecting a root kit ought to be
portable to Chromium OS. However, if you don't want/need to install
custom software bits, you're probably more secure booting a verified,
Google-signed Chrome OS image.
2) If an attacker can get sufficient access (with or without physical
access), he can install a root kit, or some equivalent, and your
system could still boot.
--
shell access allows you to easily download files from anywhere &
modify stuff Chrome itself uses. you get direct access to persistent
storage which means someone walking by can much more easily install
something that attacks Chrome itself (such as a rogue extension). or
run `sudo su -` and attack the persistent storage used by ChromeOS
daemons (such as the network or power manager).
thus, for users that have no interest in the stuff dev mode enables,
shell access is a pointless gaping hole.
On Tuesday, November 13, 2012 10:20:44 PM UTC-8, Mike Frysinger wrote:shell access allows you to easily download files from anywhere &
modify stuff Chrome itself uses. you get direct access to persistent
storage which means someone walking by can much more easily install
something that attacks Chrome itself (such as a rogue extension). or
run `sudo su -` and attack the persistent storage used by ChromeOS
daemons (such as the network or power manager).
thus, for users that have no interest in the stuff dev mode enables,
shell access is a pointless gaping hole.Hmmm...Allows "you" to easily download files... Who? Me, or remote attacker?
If you mean remote attacker... So this remote attacker now has different abilities than a remote attacker has when dev-mode is off?
Seems like even when the dev mode is off, the shell is there... the binary is on the system and could be made to run uid=whatever-was-running-that-got-hacked But perhaps I'm mistaken.
If you mean me.... we're assuming I'm not attacking, I alone have physical access to the device while I'm logged in (no one can have a tty shell other than me as long as I'm logged in precisely because I'm logged in and using the device and I'm not sharing it physically while I'm logged in- I fully log out when I give up the device), and every time before I log in, I start from power down and verify it's a verified boot (so anything installed while someone else used the device is caught). Also assuming (in case it wasn't clear) that anyone accessing the device while I'm not using it doesn't crack open the case or otherwise mod the firmware.
> Perhaps at this point my question is more: what does activating dev mode
> do, EXACTLY, at the account/shell/getty level (I guess that's where it would
> take effect...)?
scripts can probe the dev mode switch at runtime and choose to
enable/allow things. this is how crosh knows what commands to allow
you to access such as `shell`.
off the top of my head, i don't know what all in the system changes
based on that flag. i imagine you could grep for 'crossystem' and get
some decent results.
-mike