Abstract
This paper discusses the problems posed by Trojan horses and unauthorized code, and reviews existing solutions for dealing with them. It proposes a technique based on in-kernel cryptographic verification of executables. Its advantages include simplicity, transparency, ease of use and minimal setup time. In addition, the technique has several applications, including assisting with honeypot implementations, incident response and forensic investigations.
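The abstract proposes verifying executables cryptographically in the kernel before they are allowed to run. The block below is an added example, not code from the paper or its authors: a userspace Python model of the allow/deny decision such a verifier makes at exec time, with a record of every denied attempt of the kind a honeypot or incident responder would want. Everything about the format is assumed for illustration: the authenticator is taken to be the final 32 bytes of the file, computed as HMAC-SHA256 over everything before it, standing in for the asymmetric digital signature a real deployment would check against a trusted public key; the sample ELF image is constructed inline; the paths and key are placeholders.

```python
"""Added example: a userspace model of an exec-time cryptographic gate.

Not code from the paper. It models the decision an in-kernel verifier makes
when an executable is about to run: parse enough of the ELF header to know
the image is an executable object, verify an authenticator over the image,
and allow or deny, recording every denial for later forensic review.

Assumptions (not from the paper): the authenticator is the final 32 bytes of
the file and is HMAC-SHA256 over everything before it. HMAC stands in for the
asymmetric digital signature a real deployment would check against a trusted
public key; the control flow of the check is the same.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"
ELF64_EHDR_LEN = 64
TAG_LEN = 32
ET_EXEC, ET_DYN = 2, 3

DENY_TRUNCATED = "image too short to hold an ELF header and authenticator"
DENY_NOT_ELF = "not an ELF image"
DENY_NOT_EXEC = "ELF object is not an executable (e_type not ET_EXEC/ET_DYN)"
DENY_BAD_SIG = "authenticator does not match image contents"


@dataclass
class Verdict:
    allowed: bool
    reason: str


@dataclass
class ExecGate:
    key: bytes                                  # trust anchor (stand-in for a public key)
    audit: list = field(default_factory=list)   # denied exec attempts: (path, reason)

    def sign(self, image: bytes) -> bytes:
        """Install-time step: append the authenticator to a trusted image."""
        return image + hmac.new(self.key, image, hashlib.sha256).digest()

    def check(self, path: str, image: bytes) -> Verdict:
        """Exec-time step: decide whether `image` may run as `path`; log denials."""
        verdict = self._evaluate(image)
        if not verdict.allowed:
            self.audit.append((path, verdict.reason))
        return verdict

    def _evaluate(self, image: bytes) -> Verdict:
        if not image.startswith(ELF_MAGIC):
            return Verdict(False, DENY_NOT_ELF)
        if len(image) < ELF64_EHDR_LEN + TAG_LEN:
            return Verdict(False, DENY_TRUNCATED)
        # e_type is the u16 immediately after the 16-byte e_ident (little-endian assumed here)
        (e_type,) = struct.unpack_from("<H", image, 16)
        if e_type not in (ET_EXEC, ET_DYN):
            return Verdict(False, DENY_NOT_EXEC)
        body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return Verdict(False, DENY_BAD_SIG)
        return Verdict(True, "authenticator verified")


def make_sample_elf(code: bytes = b"\x90" * 48) -> bytes:
    """Constructed sample: a minimal ELF64 little-endian ET_EXEC header followed by `code`."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, version 1, SysV ABI
    rest = struct.pack("<HHIQQQIHHHHHH",
                       ET_EXEC, 0x3E, 1,        # e_type, e_machine (x86-64), e_version
                       0x401000, 64, 0, 0,      # e_entry, e_phoff, e_shoff, e_flags
                       64, 56, 0, 64, 0, 0)     # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return e_ident + rest + code


if __name__ == "__main__":
    gate = ExecGate(key=b"constructed demo key, not a real trust anchor")
    trusted = gate.sign(make_sample_elf())
    tampered = bytearray(trusted)
    tampered[ELF64_EHDR_LEN] ^= 0xFF            # flip one byte of the code body
    for path, image in [("/usr/bin/ls", trusted),
                        ("/tmp/ls", bytes(tampered)),
                        ("/tmp/dropper", make_sample_elf()),   # never signed
                        ("/tmp/x.sh", b"#!/bin/sh\necho hi\n")]:
        v = gate.check(path, image)
        print(f"{path}: {'ALLOW' if v.allowed else 'DENY'} ({v.reason})")
    print("audit trail:", gate.audit)
```

The ordering of the checks matters for the forensic record: a non-ELF image and a truncated one are rejected for what they are before any key material is touched, so the audit trail distinguishes a dropped script from a binary whose contents no longer match their authenticator. Replacing the HMAC with a public-key signature changes only `sign` and the `expected`/`compare_digest` step; the gate logic and audit trail stay the same.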
Copyright information
© 2006 International Federation for Information Processing
About this paper
Cite this paper
Motara, Y., Irwin, B. (2006). In-Kernel Cryptographic Executable Verification. In: Pollitt, M., Shenoi, S. (eds) Advances in Digital Forensics. DigitalForensics 2005. IFIP — The International Federation for Information Processing, vol 194. Springer, Boston, MA. https://doi.org/10.1007/0-387-31163-7_25
DOI: https://doi.org/10.1007/0-387-31163-7_25
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-30012-2
Online ISBN: 978-0-387-31163-0
eBook Packages: Computer Science (R0)