Proceedings ArticleDOI

Advanced integrity checking and recovery using write-protected storage for enhancing operating system security

22 Jul 2015, pp. 219-224
TL;DR: The performance degradation issue faced in ICAR system has been reduced here, so that users can now access secure files almost as normal as non-secure files.
Abstract: This paper contains an enhancement solution to an existing system called the Integrity Checking and Recovery (ICAR) system. ICAR provides a means to check for file integrity and also a feature to restore the file if a breach has been detected. The fact that it uses write-protected storage makes it efficient against attacks. The performance degradation issue faced in the ICAR system has been reduced here, so that users can now access secure files almost as normally as non-secure files. The improvement is achieved by making a modification to the cache present in the ICAR system. This is done by implementing the concept of augmentation of data structures in the LRU page replacement algorithm, thus making page operations faster in the cache, which improves the overall performance of the system.
Citations
Journal ArticleDOI
TL;DR: A novel agentless periodic filesystem monitor framework for virtual machines with different image formats is presented; it can reduce the number of scanned files and the scanning time, and its core idea is to minimize the scope of the scanned files in both file integrity checking and virus detection.

7 citations


Cites background from "Advanced integrity checking and rec..."

  • ...Unlike XenRIM, ICAR [19] runs as a kernel module to check file integrity, which can restore the original version of the modified file....


Journal ArticleDOI
TL;DR: CFWatcher is presented, a target-based real-time monitoring solution to protect critical files by leveraging VMI techniques, and the experimental results demonstrate that the overhead introduced by CFWatcher is acceptable.
Abstract: Protecting critical files in an operating system is very important to system security. With the increasing adoption of Virtual Machine Introspection (VMI), designing VMI-based monitoring tools has become a preferential choice with promising features, such as isolation, stealthiness and quick recovery from crashes. However, these tools inevitably introduce high overhead due to their operation-based characteristic. Specifically, they need to intercept some file operations to monitor critical files once the operations are executed, regardless of whether the files are critical or not. It is known that file operations are high-frequency, so operation-based methods often result in serious performance degradation. Thus, in this paper we present CFWatcher, a target-based real-time monitoring solution to protect critical files by leveraging VMI techniques. As a target-based scheme, CFWatcher constrains the monitoring to the operations that are accessing target files defined by users. Consequently, the overhead depends on the frequency of target files being accessed instead of the whole filesystem, which dramatically reduces the overhead. To validate our solution, a prototype system is built on Xen with full virtualization, which not only is able to monitor both Linux and Windows virtual machines, but also can take actions to prevent unauthorized access according to predefined policies. Through extensive evaluations, the experimental results demonstrate that the overhead introduced by CFWatcher is acceptable. In particular, the overhead is very low in the case of a few target files.
Keywords: Monitoring, VMI, target-based, filesystem

3 citations


Cites background or methods from "Advanced integrity checking and rec..."

  • ...Unlike ICAR, [2] stores all of the crucial data in a physically write-protected storage, and uses them to check file integrity....


  • ...Traditional approaches [1]–[3] usually employ an agent or a kernel module installed in the OS to detect what is happening to critical files....


  • ...For example, ICAR [1] works as a Linux kernel module, and checks for file intrusion....


Posted Content
TL;DR: A low-overhead kernel object monitoring approach is proposed to reduce the overhead caused by page-level monitoring: the target kernel objects are migrated to a protected memory area and the corresponding new memory pages are then monitored.
Abstract: Monitoring kernel object modification of a virtual machine is widely used by virtual-machine-introspection-based security monitors to protect virtual machines in cloud computing, such as monitoring dentry objects to intercept file operations. However, most current virtual machine monitors, such as KVM and Xen, only support page-level monitoring, because the Intel EPT technology can only monitor page privileges. If out-of-virtual-machine security tools want to monitor some kernel objects, they need to intercept operations on the whole memory page. Since there are other objects stored in the monitored pages, modification of them will also trigger the monitor. Therefore, page-level memory monitoring usually introduces overhead to related kernel services of the target virtual machine. In this paper, we propose a low-overhead kernel object monitoring approach to reduce the overhead caused by page-level monitoring. The core idea is to migrate the target kernel objects to a protected memory area and then to monitor the corresponding new memory pages. Since the new pages only contain the kernel objects to be monitored, other kernel objects will not trigger our monitor. Therefore, our monitor will not introduce runtime overhead to the related kernel service. The experimental results show that our system can monitor target kernel objects effectively with only very low overhead.

2 citations


Cites methods from "Advanced integrity checking and rec..."

  • ...Compared with the in-VM security tools [15], [16], VMI-based monitors are more secure and transparent....


Proceedings ArticleDOI
01 Mar 2018
TL;DR: A method that provides a protection mechanism against unauthorized file modification using the existing Integrity Checking and Recovery concept through a holistic approach (hardware and software protection) with an open source security-oriented platform using a programmable system on chip (SoC).
Abstract: Attacks that modify files, such as website hacking, virus infection and ransomware, are becoming a recent issue. This is due to a lack of attention to the programs or to the maintenance of web applications after they have been completed and connected to the internet, while hackers will always try to find a security hole to infiltrate the system. The security of software-based systems used in the market today is not good enough to protect against those attacks because software-based protection, in general, can still be modified or manipulated. Therefore, a mechanism that can protect files in a system (such as a personal computer or server) by both software and hardware is required. Implementing the mechanism in hardware can bring better immunity from malware infections. This paper proposes a method that provides a protection mechanism against unauthorized file modification using the existing Integrity Checking and Recovery (ICAR) concept through a holistic approach (hardware and software protection) with an open source security-oriented platform using a programmable system on chip (SoC). The results of the simulations show that the system can protect the authenticity of files against file modification-based attacks in the limited attack scenarios without modifying the main system configuration.

1 citation


Cites methods from "Advanced integrity checking and rec..."

  • ...So it is necessary to introduce some methods to check whether there has been a breach or not, which is done most effectively by checking for unauthorized file modification [5]....


Proceedings ArticleDOI
20 May 2019
TL;DR: In this article, a low-overhead kernel object monitoring approach is proposed to reduce the overhead caused by page-level monitor, which migrates the target kernel objects to a protected memory area and then monitors the corresponding new memory pages.
References
Proceedings ArticleDOI
02 Nov 1994
TL;DR: The design and implementation of the Tripwire tool is described, which is a tool that aids UNIX system administrators and users in monitoring a designated set of files and directories for any changes, and is highly configurable.
Abstract: At the heart of most computer systems is a file system. The file system contains user data, executable programs, configuration and authorization information, and (usually) the base executable version of the operating system itself. The ability to monitor file systems for unauthorized or unexpected changes gives system administrators valuable data for protecting and maintaining their systems. However, in environments of many networked heterogeneous platforms with different policies and software, the task of monitoring changes becomes quite daunting. Tripwire is a tool that aids UNIX system administrators and users in monitoring a designated set of files and directories for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or altered files, so corrective actions may be taken in a timely manner. Tripwire may also be used on user or group files or databases to signal changes. This paper describes the design and implementation of the Tripwire tool. It uses interchangeable "signature" (usually, message digest) routines to identify changes in files, and is highly configurable. Tripwire is no-cost software, available on the Internet, and is currently in use on thousands of machines around the world.

622 citations

Proceedings Article
Chris Wright, Crispin Cowan, Stephen Smalley, James Morris, Greg Kroah-Hartman
05 Aug 2002
TL;DR: The design and implementation of LSM are presented and the challenges in providing a truly general solution that minimally impacts the Linux kernel are discussed.
Abstract: The access control mechanisms of existing mainstream operating systems are inadequate to provide strong system security. Enhanced access control mechanisms have failed to win acceptance into mainstream operating systems due in part to a lack of consensus within the security community on the right solution. Since general-purpose operating systems must satisfy a wide range of user requirements, any access control mechanism integrated into such a system must be capable of supporting many different access control models. The Linux Security Modules (LSM) project has developed a lightweight, general purpose, access control framework for the mainstream Linux kernel that enables many different access control models to be implemented as loadable kernel modules. A number of existing enhanced access control implementations, including Linux capabilities, Security-Enhanced Linux (SELinux), and Domain and Type Enforcement (DTE), have already been adapted to use the LSM framework. This paper presents the design and implementation of LSM and discusses the challenges in providing a truly general solution that minimally impacts the Linux kernel.

471 citations

01 Jan 2001
TL;DR: This guidance document is intended as a primer in intrusion detection, developed for those who need to understand what security goals intrusion detection mechanisms serve, how to select and configure intrusion detection systems for their specific system and network environments, and how to integrate intrusion detection functions with the rest of the organizational security infrastructure.
Abstract: Intrusion detection systems (IDSs) are software or hardware systems that automate the process of monitoring the events occurring in a computer system or network, analyzing them for signs of security problems. As network attacks have increased in number and severity over the past few years, intrusion detection systems have become a necessary addition to the security infrastructure of most organizations. This guidance document is intended as a primer in intrusion detection, developed for those who need to understand what security goals intrusion detection mechanisms serve, how to select and configure intrusion detection systems for their specific system and network environments, how to manage the output of intrusion detection systems, and how to integrate intrusion detection functions with the rest of the organizational security infrastructure. References to other information sources are also provided for the reader who requires specialized or more detailed advice on specific intrusion detection issues.

296 citations

Journal ArticleDOI
TL;DR: The evolution of layering from historical models to what is found in four different present day commodity OSes is analyzed and insights into useful OS and VFS features are presented that would provide future developers more versatile solutions for incremental file system development.
Abstract: Developing file systems from scratch is difficult and error prone. Using layered, or stackable, file systems is a powerful technique to incrementally extend the functionality of existing file systems on commodity OSes at runtime. In this article, we analyze the evolution of layering from historical models to what is found in four different present day commodity OSes: Solaris, FreeBSD, Linux, and Microsoft Windows. We classify layered file systems into five types based on their functionality and identify the requirements that each class imposes on the OS. We then present five major design issues that we encountered during our experience of developing over twenty layered file systems on four OSes. We discuss how we have addressed each of these issues on current OSes, and present insights into useful OS and VFS features that would provide future developers more versatile solutions for incremental file system development.

78 citations

Journal ArticleDOI
TL;DR: An integrity checking and recovery (ICAR) system is presented here, which protects file system integrity and automatically restores modified files and supplies user tools for cryptographic hash generation and security database management.
Abstract: An integrity checking and recovery (ICAR) system is presented here, which protects file system integrity and automatically restores modified files. The system enables generation and verification of cryptographic file hashes, as well as configuration of security constraints. All of the crucial data, including ICAR system binaries, file backups and the hash database, are stored in a physically write-protected storage to eliminate the threat of unauthorised modification. A buffering mechanism was designed and implemented in the system to increase operation performance. Additionally, the system supplies user tools for cryptographic hash generation and security database management. The system is implemented as a kernel extension, compliant with the Linux security model. Experimental evaluation of the system was performed and showed an approximate 10% performance degradation in secured file access compared to regular access.

13 citations