Method and System for Program Execution Integrity Measurement
In computer security, the central part or core of a computer system implements the basic security procedures for controlling access to the rest of that system's resources. To protect a computer system, reliable security at this core - or kernel - level is required. All applications and functions require access to the core system of the computer to function; therefore, a failure or security breach at the core level can result in a lack of reliability in the system as a whole. Several security systems have been developed for the protection of kernel integrity, however, most require confirmation that the kernel itself is secure.
Researchers at Johns Hopkins Applied Physics Laboratory (JHU/APL) have developed a way to detect unauthorized changes in security-critical programs.
"Program execution" integrity is a novel approach to measure unauthorized changes in the kernel mode and thereby verify computer program integrity. The unique features include: dynamic data inspection, event triggers, and a manifest of results. Data objects are inspected during runtime to provide an increased level of confidence in the integrity of a running program. False integrity failures due to dynamic changes at runtime are prevented via runtime monitoring and triggers inserted into program code. Measurement results are time-stamped and stored in a manifest.
Data structures are identified by security relevant attributes: state values, function pointers, and references to other objects. Static objects are located by the address assigned at compile time. Measurement begins by inspecting the static objects of interest, which include containers of dynamic objects.
Integrity checking mechanisms available today use hashing on data that is not expected to change. Program execution integrity measurement examines the structural configuration of dynamic data objects.
The effectiveness of this approach has been demonstrated with various research projects such as the Linux Kernel Integrity Measurement (LKIM) project. LKIM baselines the built-in operation structures from a kernel image on disk. It measures a kernel image in memory without the need to modify the existing kernel. The baseline and measurement processes each produce a textual form that can be used to verity a runtime measurement with the baseline.
Patent Status: U.S. patent(s) 7904278; 8,326,579 issued.CONTACT:
Ms. H. L. Curran
Phone: (443) 778-7262