An architecture for on-the-fly file integrity checking

Abstract

There are several ways for an intruder to obtain access to a remote computing system, such as exploiting program vulnerabilities, stealing passwords, and so. The intruder can modify system utilities in order to hide his/her presence and to guarantee an open backdoor to the system. Many techniques have been proposed to detect unauthorized file modifications, but they usually work off-line and thus detect file modifications only when the system is already compromised. This paper presents an architecture to deal with this kind of problem. Through the combined use of digital signature techniques and system call interceptions, it allows for transparent on-the-fly integrity check of files in Unix systems. Its evaluation in real-world situations validates the approach, by showing overheads under 10% for most situations. © Springer-Verlag Berlin Heidelberg 2003.