A Checksum-based Corruption Detection Technique

We consider the problem of malicious attacks that lead to corruption of files in a file system. A typical method to detect such corruption is to compute signatures of all the files and store these signatures in a secure place. A malicious modification of a file can be detected by verifying the signature. This method, however, leaves the system vulnerable to an attacker who has access to some of the files and the signatures (but not the signing transformation) and who replaces some of the files by their old versions and the corresponding signatures by the signatures of the old versions.

In this paper, we present a technique called Check2 that also relies on signatures for detecting corruption of files. The novel feature of our approach is that we compute additional levels of signatures to guarantee that any change of a file and the corresponding signature will require an attacker to perform a very lengthy chain of precise changes to successfully complete the corruption in an undetected manner. If an attacker fails to complete all the required changes, Check2 can be used to pinpoint which files have been corrupted. Two alternative ways of implementing Check2 are offered, the first using a deterministic way of combining signatures and the second using a randomized scheme. Our results show that the overhead added to the system is minimal.
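The rollback weakness described above, and how one additional level of signatures exposes and pinpoints it, as an added example that is not code from the paper. HMAC-SHA256 stands in for the signing transformation, and the row/column grouping in `groups` is a hypothetical deterministic combination chosen for illustration, not Check2's actual construction; file names and contents are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stands in for the signing transformation the attacker lacks

def sign(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()

def file_sig(name: str, content: bytes) -> bytes:
    return sign(name.encode() + b"\0" + content)

def groups(names, width):
    # Hypothetical grouping: lay the sorted file names on a grid and form
    # one group per row and one per column, so every file sits in two groups.
    names = sorted(names)
    rows = {f"row{i // width}": names[i:i + width] for i in range(0, len(names), width)}
    cols = {f"col{c}": names[c::width] for c in range(width)}
    return {**rows, **cols}

def snapshot(files, width=2):
    # Level 1: one signature per file. Level 2: one signature per group of level-1 signatures.
    sigs = {n: file_sig(n, c) for n, c in files.items()}
    level2 = {g: sign(b"".join(sigs[n] for n in members))
              for g, members in groups(files, width).items()}
    return sigs, level2

def verify(files, sigs, level2, width=2):
    """Return (files failing level 1, files implicated by failed level-2 groups)."""
    bad1 = {n for n, c in files.items()
            if not hmac.compare_digest(sigs[n], file_sig(n, c))}
    grp = groups(files, width)
    failed = {g for g, members in grp.items()
              if not hmac.compare_digest(level2[g], sign(b"".join(sigs[n] for n in members)))}
    # A file is a suspect when every group that contains it failed.
    suspects = {n for n in files
                if all(g in failed for g, members in grp.items() if n in members)}
    return bad1, suspects

def demo():
    old = {"a.conf": b"v1", "b.conf": b"v1", "c.conf": b"v1 old setting", "d.conf": b"v1"}
    old_sigs, _ = snapshot(old)                       # signatures of the earlier versions
    cur = dict(old, **{"c.conf": b"v2 current setting"})
    sigs, level2 = snapshot(cur)                      # current state, both levels signed
    # Rollback: old file restored together with its old, still valid, level-1 signature.
    cur["c.conf"], sigs["c.conf"] = old["c.conf"], old_sigs["c.conf"]
    return verify(cur, sigs, level2)

if __name__ == "__main__":
    print(demo())
```

Level-1 verification alone accepts the rolled-back file, while the row and column groups that contain it both fail and their intersection identifies it. To stay undetected the attacker would also have to replace those group signatures with old ones that are consistent with every other file in each group, which is the chain of changes the abstract refers to.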