Embedded Auditors for Intrusion Detection
Abstract
A basic cornerstone of security is to verify the integrity of fundamental data stored in the system.
This integrity checking is achieved using integrity tools such as Tripwire, which depend on the integrity and proper operation of the operating system, i.e. these applications assume that the operating system always operates correctly. When this assumption is not valid, the integrity applications cannot provide a reliable result, and consequently may provide a false negative. Once the operating system is compromised, a novice attacker, using tools widely available on the Internet (rootshell.com, etc.), could easily defeat integrity tools that rely on the operating system.
A novel way to overcome this traditional integrity problem is to use an independent auditor. The independent auditor uses an out-of-band verification process that does not depend on the underlying operating system. The resultant system provides extremely strong integrity guarantees, detecting modifications to approved objects as well as detecting the existence of unapproved and thus unsigned objects. This is accomplished without any modifications to the host operating system. A StrongARM EBSA-285 Evaluation Board, with an SA-110 microprocessor and 21285 core logic, can be used as an auditor.
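The audit decision described above can be sketched as follows. This is an added example, not code from the original work: it assumes HMAC-SHA256 as the signing scheme, a key held only by the auditor, and a dictionary standing in for the auditor's out-of-band read of the host's storage. It also reports approved objects that have gone missing, which the abstract does not mention.

```python
import hashlib
import hmac

def build_manifest(approved: dict) -> dict:
    """Map each approved object path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in approved.items()}

def sign_manifest(key: bytes, manifest: dict) -> bytes:
    """MAC over length-prefixed paths and digests, in sorted order.
    Assumption: the key is stored on the auditor board, never on the host."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for path in sorted(manifest):
        p = path.encode()
        mac.update(len(p).to_bytes(4, "big") + p + manifest[path].encode())
    return mac.digest()

def audit(key: bytes, manifest: dict, tag: bytes, raw_view: dict) -> dict:
    """Classify objects in raw_view (the auditor's own read of the host's
    storage, not the host OS's answer) against the signed manifest."""
    if not hmac.compare_digest(sign_manifest(key, manifest), tag):
        raise ValueError("manifest signature invalid; refusing to audit")
    report = {"modified": [], "unapproved": [], "missing": []}
    for path, data in raw_view.items():
        if path not in manifest:
            report["unapproved"].append(path)   # exists but was never signed
        elif manifest[path] != hashlib.sha256(data).hexdigest():
            report["modified"].append(path)     # approved object was altered
    report["missing"] = [p for p in manifest if p not in raw_view]
    for paths in report.values():
        paths.sort()
    return report

if __name__ == "__main__":
    # Constructed sample data: a two-file baseline and a tampered host view.
    key = b"auditor-only-key (constructed)"
    baseline = {"/bin/ls": b"ls-v1", "/bin/ps": b"ps-v1"}
    manifest = build_manifest(baseline)
    tag = sign_manifest(key, manifest)
    host_view = {"/bin/ls": b"ls-replaced", "/bin/ps": b"ps-v1",
                 "/dev/.hidden/tool": b"unsigned"}
    print(audit(key, manifest, tag, host_view))
```

Because the manifest's tag is checked with a key the host never sees, rewriting the manifest on a compromised host causes the audit to refuse rather than pass.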