A Format-Independent Architecture for Run-Time Integrity Checking of Executable Code

  • Luigi Catuogno
  • Ivan Visconti
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2576)

Abstract

A robust architecture against network intrusions plays a central role in information security and service reliability. An intruder who obtains unauthorized access to a remote system could read restricted information or conceal that access for future, possibly more dangerous, actions. Temporary intrusions can become permanent (i.e., resistant to reboots) if malicious code is installed on a system that is not adequately protected. In this paper we propose an infrastructure for the run-time integrity checking of executable code. Our approach is general: the specification of our infrastructure supports every file format. We also present our implementation, which supports run-time integrity checking for ELF and shell script files. Experimental results show that our solution is a practical and effective protection for workstations connected to the Internet that offer services to local and remote users.

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Luigi Catuogno (1)
  • Ivan Visconti (1)
  1. Dipartimento di Informatica ed Applicazioni, Università di Salerno, Baronissi (SA), Italy