A data processing system typically comprises a central processing unit (CPU), an input/output (I/O) subsystem, and a memory subsystem, all interconnected by a bus subsystem. The memory subsystem typically comprises random access memory (RAM), read only memory (ROM), and one or more data storage devices such as hard disk drives, optical disk drives, and the like. The I/O subsystem typically comprises: a display; a printer; a keyboard; a pointing device such as a mouse, tracker ball, or the like; and one or more network connections permitting communications between the data processing system and one or more similar systems and/or peripheral devices via a data communications network. The combination of such systems and devices interconnected by such a network may itself from a distributed data processing system. Such distributed systems may be themselves interconnected by additional data communications networks. In the memory subsystem is stored data and computer program code executable by the CPU. The program code includes operating system software and application software. The operating system software, when executed by the CPU, provides a platform on which the application software can be executed. The operating system software has a core or kernel of code in which the basic functions of the operating system software are defined.
A problem associated with data processing systems is that of security. In particular, it is becoming increasingly difficult to determine with any degree of certainty that a data processing system actually has the properties it is believed to have. This difficulty arises because data processing systems, and particularly the operating systems therein, are becoming increasingly general purpose, configurable, and reconfiguable in nature. The administrative state of a data processing systems can be varied from one moment to the next based on an administrative action. Specifically, the administrative state of a data processing system is defined by the combination of software and data present in the machine. The software may include binary files, patches, applications, and the like added to and deleted from the system from time to time via one or more administrative actions. An administrative action such as the addition or deletion of software in the system can thus be regarded as a change in the state of the system. Many data processing systems can be placed into a corrupt state by users and/or system administrators with or without proper authorization. This form of corruption is difficult to detect. It would be desirable to make such corruption easier to detect.
Many data processing networks employ intrusion detection and diagnosis (IDD) systems. These IDD systems are typically data processing systems resident on the network and dedicated to intrusion detection and diagnosis. It will be appreciated that detection of corruption is important in the field of IDD. Most intruders do not want to be detected. Thus, administration tools employed in IDD systems are among the first to be attacked. Cracker tools allow hackers, crackers, or other attackers to selectively hide files, processes, and network connections in an individual host data processing system. An example of a conventional cracker tool is known as “rootkit”. Rootkit replaces Unix system commands used for investigation, such as ls, ps, netstat, and ifconfig, with so-called Trojan horse versions that hide the activities of an attacker. Conventionally, such Trojan horses have been identified by calculating, storing, and comparing databases of cryptographic checksums of system binaries. However, recent versions of “rootkit” include Trojan horse versions of the programs employed to generate and compare the checksums. Attackers have recently begun to employ loadable kernel modules to introduce Trojan horses to data processing systems. A kernel is difficult to inspect when running. Thus, Trojan horse modules therein remain undetected. A typical defense against such Trojan horse modules is to prevent kernel modules from being loaded. However, system functionality is then limited.
There is growing interest in releasing computer software in source code form under “open source” licenses such as the “General Public License” and the like. Such releases facilitate creation of Trojan horses, particularly when the software in question is operating system software. The detection of Trojan horses is therefore of increasing importance. IDD systems are an early target for infiltration by Trojan horses. Here, the attacker typically alters the IDD system in such a manner that it appears to continue functioning normally, but in reality hides the attacker's activities.
Conventional security schemes for data processing systems include secure logging schemes and forward secrecy of digital signatures.
Secure logging schemes are directed to the protection of integrity, secrecy, and authenticity of records of data processing events. The schemes may be employed in maintaining quality standards of event logging. In general, secure logging schemes assume the existence of a secure logging host data processing system and operate in dependence on a combination of message or stream encryption, hash chaining, authentication codes, and one way key evolution.
Forward secrecy of digital signatures is directed to limiting damage to compromised signature keys. In operation, forward secrecy of digital signatures provides a series of signing keys:SK0SK1SK2So that SKn+1 is a derivation of SKn, and that verification of a signature does not require distribution, traversal, and verification of a chain of keys.