WARNOCK@clemson.CSNET.UUCP (02/27/87)
Checksum is a DCL command (sys$system:checksum.exe) of the format: $ CHECKSUM filename Checksum is used a lot by DEC when they ship a patch out in in printed form. Basically, if you run patch on a given file (ie: one that you typed in from DEC documentation), and then run checksum against it, a value is returned in the symbol checksum$checksum. This can then be compared to the known value (ie: calculated by DEC by running checksum against the patch they type in.) This insures that you type in EXACTLY what they meant (down to the last space, comment, and period !) Hope that explains it a bit... Todd Warnock Clemson University CSnet: Warnock@Clemson.CSnet BITnet: Warnock@Clemson
art@MITRE.ARPA.UUCP (02/27/87)
The following is an article submitted to the Pageswapper but not yet
published.
Methods of checksuming programs under VMS
BACKGROUND:
Verifying that computer software has not been modified is a common
problem to both secure and non-secure systems. This implied
threat presents itself when new releases of the operating system
are prepared and delivered. The vendor should assure himself that
he is applying patches to the correct version of the program. In
the secure arena the implied threat presents itself both when new
releases of the operational programs are prepared and delivered as
well as during maintenance activities.
One approach to this problem is a process called "checksumming." A
checksum is the process of reading every record in the file and
summing the values in the 32 bit words (with overflow) to form a
single 32 bit value with is associated with the file. The process
may or may not recognize executable images and give separate
checksum's for each separate load section of the image.
ANALYSIS:
In checking various methods that could be used to validate an
image on the DEC VAX/VMS system, the software functions
ANALYZE/IMAGE and an undocumented VMS utility called CHECKSUM were
identified.
ANALYZE/IMAGE provides of information about the image but does not
perform a checksum. This information includes a list of the
patches to the image and a version number. Conceivably, a user
could modify an image in such a way as to not change the version
number or use the official "patch area". This would result in
ANALYZE/IMAGE thinking that the program was unmodified.
CHECKSUM has existed at least since VMS 4.0. It is undocumented
(and at present not supported) but does provide a way of
determining if the file has been modified. It consists of a
program to read the file and calculate a 32 bit checksum. In the
default mode (CHECKSUM/FILE) the entire file is read and
checksummed. If the optional (CHECKSUM/IMAGE) is used, the
various sections of the executable image are checksummed
separately. The output from CHECKSUM is in the symbol
CHECKSUM$CHECKSUM. Thus the normal method of executing the
program is shown in figure 1.
I have written a command procedure to checksum SYS$SYSTEM and
compare the the results to the checksum previously taken. This
procedure is included as table 1. The use of this or a similar
command procedure at boot time could verify that the operating
system and user programs have not been modified. It will take
10-15 minutes to scan all of the files on the disk and perform the
checksum operation. Thus perhaps the best way to perform this
would be in background while the system starts up. The results
could be sent as an alarm message.
Other uses of the CHECKSUM command include verification that only
CMS was used to access files that are under configuration
management control. I have heard stories of programmers using the
VMS "PATCH" command to access files that are under CMS. This type
of technique clearly has many applications.
-------------------------------------------------------------------
Method of Checksumming any file
$CHECKSUM foo.bar
$SHOW SYMBOL CHECKSUM$CHECKSUM
Method of Checksumming an executable file
$CHECKSUM/IMAGE SYS$SYSTEM:PASCAL.EXE
file SYS$SYSROOT:[SYSEXE]PASCAL.EXE;12
image section %D'1' checksum is %X'8D4B4D4E'
image section %D'2' checksum is %X'00022901'
image section %D'4' checksum is %X'00FD337A'
image section %D'6' checksum is %X'0000F98C'
image section %D'8' checksum is %X'A3CF1EBD'
image section %D'10' checksum is %X'090C8745'
image section %D'12' checksum is %X'6B39BC26'
image section %D'13' checksum is %X'54C233C7'
image section %D'14' checksum is %X'581934C7'
image header checksum is %X'2DB7C2A6'
checksum of all image sections is %X'40958C67'
Figure 1: Methods of using Checksum utility
----------------------------------------------------------------
$ set noon
$ open/write checks checkfile.sum
$assign nl: sys$output
$assign nl: sys$error
$loop:
$ next = F$search("sys$system:*.*")
$ if next .eqs. "" then goto check
$ if F$LOCATE(".EXE",next) .ne. F$LENGTH(next) then $GOTO EXEC
$!
$ checksum 'next'
$ write checks next + " " + checksum$checksum
$! write sys$output next + " " + checksum$checksum
$ goto loop
$EXEC:
$ checksum/image/output=nl: 'next'
$ write checks next + " " + checksum$checksum
$! write sys$output next + " " + checksum$checksum
$ goto loop
$check:
$deassign sys$output
$deassign sys$error
$ close checks
$ diff/parallel checkfile.sum
$ purge/keep=2
$ checksum checkfile.sum;0
$ write sys$output "checkfile checksum is " + checksum$checksum
$ exit
$!
$! command file written by Art McClinton Mitre Corporation
$! to check that all of the system files have not been modified
$!
$! method:
$! create a command file listing all of the files
$! use checksum to determine the checksum of each file.
$! .EXE files checksummed using /image
$! all others checksummed using /file
$! difference the resultant list with the previous generated list
$! generate a checksum of the list which can be manually compared
$! with the previous checksum. If it changes then know that have a
$! potential problem.
$!
*
*---Art
*
*Arthur T. McClinton Jr. ARPA: ART@MITRE
*Mitre Corporation Phone: 703-883-6356
*1820 Dolley Madison Blvd Internal Mitre: ART@MWVMS or M10319@MWVM
*McLean, Va. 22102 DCS: MCCLINTON
*
*
*---Art
*
*Arthur T. McClinton Jr. ARPA: ART@MITRE.ARPA
*Mitre Corporation MS-Z305 Phone: 703-883-6356
*1820 Dolley Madison Blvd Internal Mitre: ART@MWVMS or M10319@MWVM
*McLean, Va. 22102 DECUS DCS: MCCLINTON
*