This exists.  Tripwire runs a one-way hash function on any file you tell
it to which can be used to verify the integrity of the files later on.

I have recently been interested with the idea of line item log entry
checksumming.  This led me to the idea of writing a kernel module to do
this before the data enters user space.  It would be similarly desirable
for your verification scheme to exist outside the reach of user space so
that a user space process can't mount a man in the middle attack against
the messaging of whether verification passed.

The real hard nut to crack on this one is making sure the checksums you
are using to compare against the checksum you create during verification
are indeed the originals.  How do you make sure that after a cracker
installs malware that they don't just replace the original checksum with a
new one that matches the malware app?

tack

On Thu, 6 Sep 2001, Erik Curiel wrote:

>
> I'm curious to hear what people think about the following rough idea for a
> possible fundamentally different approach to computer security.  Just as
> biological viruses are a pretty good analogy for understanding how
> computer viruses operate, the security system I envision would operate
> roughly on the model of the animal immunological system.
>
> The animal immunological system works roughly as follows.  White B cells
> in the blood constantly check everything they come across
> indiscriminately, including all the body's native, proper organelles.
> All the body's native, proper organelles (such as, e.g., the animal's
> striated muscle tissue) have molecular markers on their surface called the
> MHA (major histo-compatibility complex) that mark them as properly
> belonging to---produced by or ingested in the appropriate fashion---that
> particular animal.  You can think of it as one key in a standard two-key
> encryption scheme.  The B cells carry the other key and challenge
> everything they come across.  If what they challenge can answer properly,
> they move on to the next thing.  If they can't answer the challenge
> properly, then the B cell triggers an immune response based on the foreign
> markers they found on the object that can't answer the challenge.
>
> In the computer scheme, the analogue of the B cells would be some sort of
> daemon that constantly checks all files found on the system.  The MHA
> would be some sort of encrypted tag unique to that machine (or at least to
> that instance of an operating system or to a particular user) that is
> automatically generated and attached or associated with every file
> natively residing on or created or properly copied to that machine.  This
> would require perhaps a wrapper sort of system for every binary on the
> machine that can produce or copy files, so that whenever a file is
> produced or copied by a native binary the encrypted tag gets associated
> with the newly produced file when the user enters the proper password.
> The daemon would constantly run in the background checking every file it
> finds for the proper encrypted tag.  If it finds a file that doesn't have
> that tag (e.g. a file put there by someone who doesn't know the proper
> password), then it would make that file non-executable if it is
> executable, kill any instance of it then running, and alert the user/admin
> about the file.
>
> This is just a very rough idea and needs some more thought, but what do
> y'all think of the basic outline?
>
> E
>
>
>

-- 
------------------------------------------
1st Amendment: Void where prohibited
http://freesklyarov.org
http://www.anti-dmca.org
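An added example, not code from either poster, showing one answer to the question the reply raises (how to stop an intruder from simply replacing the stored checksum): a Tripwire-style baseline whose checksum database is signed with an Ed25519 key that is generated and used off the monitored host, so a rewritten baseline fails signature verification instead of passing. File paths and contents are constructed in-memory inputs; the signing step itself (ed25519.GenerateKey, ed25519.Sign from Go's standard library) is assumed to run elsewhere and only the public key is present on the host.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
)

// Snapshot is the Tripwire step: SHA-256 per file, keyed by path (files are an in-memory map, constructed input, so no disk is needed).
func Snapshot(files map[string][]byte) map[string]string {
	sums := map[string]string{}
	for path, data := range files {
		sums[path] = fmt.Sprintf("%x", sha256.Sum256(data))
	}
	return sums
}

// Baseline serialises the checksums; json.Marshal sorts map keys, so the bytes are canonical and one signature covers exactly one encoding.
func Baseline(sums map[string]string) []byte {
	b, _ := json.Marshal(sums) // a map[string]string always encodes
	return b
}

// Verify trusts no stored checksum until the baseline's Ed25519 signature verifies
// under the public key. The private key stays off the host, so an intruder who
// rewrites checksums to match a replaced binary cannot produce a valid signature.
func Verify(pub ed25519.PublicKey, baseline, sig []byte, files map[string][]byte) ([]string, error) {
	if !ed25519.Verify(pub, baseline, sig) {
		return nil, fmt.Errorf("baseline signature invalid: refusing to trust its checksums")
	}
	trusted, current := map[string]string{}, Snapshot(files)
	if err := json.Unmarshal(baseline, &trusted); err != nil {
		return nil, err
	}
	var bad []string
	for p, h := range trusted {
		if current[p] != h {
			bad = append(bad, p) // modified, or removed entirely
		}
	}
	for p := range current {
		if _, known := trusted[p]; !known {
			bad = append(bad, p) // present but has no entry (no "tag") in the baseline
		}
	}
	sort.Strings(bad)
	return bad, nil
}
```

Verify reports the differing paths only after the signature check passes; a baseline regenerated by an intruder on the host is rejected outright, whatever checksums it carries.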
