Generally, in a network environment, a System Administrator is the only person authorized to modify some vital programs and system files either on the computer itself or from a centralized monitoring computer. More and more hostile hackers try to compromise these files in order to gain later access to the system. New system leaks are regularly discovered, leading to so-called “exploits” allowing almost anybody—from the inside or from the outside of a Company—to gain the System Administrator privileges for a while. Those means may include—but are not limited to—“race conditions”, buffer overflows, stack overflows, etc.
As soon as pirates gain a System Administrator privilege access, they will modify some system files and/or data files in order to enter the system more easily at a later time, because they know the breach they came in by will some day be colmated. They can for instance introduce “backdoors”, either by discreet modification of user and/or system directories (and/or permissions), or by a recompilation of some system files, especially on open-source systems. They can even modify a compiler on the compromised system so that any program compiled with it automatically includes such a back door.
A solution to detect such kinds of intrusion is (a) to compute a “MD5 signature” (or a similar signature method as SHA-1 which is better, but slower too) of all the vital files, at computer installation time before the computer is connected to any network, and (b) to store these MD5 signatures in a safe place (e.g. on a diskette which will be set read-only once written; on a CD/R; or by sending them securely on another computer on the network where they will be crypted).
In this method, the periodic monitoring of a data processing to system, checking for files with modified MD5 signatures or files without a MD5 signature in the MD5 signature database, may indicate the presence of an undesirable modification. Remedial action is taken whenever one or many of these conditions occur. The “remedial” generally takes the form of one or many messages to the system administrator or security administrator indicating the list of files without a MD5 signature and/or with a modified MD5 signature.
Although the MD5 signature is a good approach insofar as the MD5 signature of a file is necessarily changed when this file is modified, this solution requires to check all the files on a regular basis, by applying an auto-checking procedure on each computer and collecting the results on a security log that is to be analyzed by the System Administrator or by a software tool. More specifically, (a) if the checking is done too often, the computer resources are intensively solicited. And on the contrary, (b) if the checking is made at larger time intervals, the pirate will have more available time to experiment with the compromised system before he/she is detected. In the majority of environments, these checkings are done every night, for example around 3 a.m., thereby leaving on the average twelve hours to the pirate to cause a lot of trouble on the system. Moreover, he/she gets also a lot of time to restore a sane situation before the checking begins. It should be noted that even the system timestamps associated the last operations on each file can be modified when the pirate has System Administrator's access, thereby covering his/her traces. The local system logs have the same vulnerability.
Therefore, there was a need for a method detecting offensive intrusions in real-time. Such a method, described in the IBM patent application referenced FR 920020083, consists in declaring, at boot time, the vital files of a computer to a program starting at boot time, and which launches a daemon detecting any modification related to the declared vital files. Upon the detection of such a system call, this method raises an interrupt and sends a message to the administrator computer. Some seconds later, it identifies which vital computer file originated the system call and sends it in a second message. Although such a method enables the administrator to know, in real-time, when there is a hacker intrusion, it does not provides a solution to heal the vital computer files which have been attacked.