# Vault 7 and Notepad++



## Atarian (Mar 11, 2017)

With the recent revelations about CIA hacking techniques, it turned out that this could have been avoided in part by checking the signatures of the DLLs used by the author of Notepad++.

If a library was replaced by a hostile actor on FreeBSD, do we have any way of checking if it was modified? Do we have the ability to add a layer of metadata to the filesystem to allow for digital signatures?


----------



## Phishfry (Mar 11, 2017)

Atarian said:


> do we have any way of checking if it was modified?


http://www.freshports.org/sysutils/fswatch-mon/
https://www.freebsd.org/cgi/man.cgi?query=audit
https://forums.freebsd.org/threads/56813/


----------



## Atarian (Mar 13, 2017)

Thanks for the information. I'm familiar with tripwire.

the only thing with Tripwire et al is that it only tells you when a binary has changed when you run the scan.

It's still not what I was driving at is... something like a signature stored as metadata for each executable or linked library, that is checked against a list of trusted certificates before execution. That way a modified library or trojan can never execute and compromise the whole system.

Is this idea even feasible?


----------



## SirDice (Mar 13, 2017)

If somebody is able to backdoor libraries they're probably also capable of changing/updating those signatures.

But besides that, there are problems with those signatures. How are you going to sign them? Everybody builds their own versions (it's open source after all) so the key to sign them needs to be included with the OS. If you have the key you can sign just about anything.


----------

