Carleton University
Technical Report TR-09-07
September 15, 2009
Towards Reducing Unauthorized Modification of Binary Files
Glenn Wurster & Paul C. van Oorschot
Abstract
We consider the problem of operating system and application binaries on disk being modified by malware. We present a file-system protection mechanism designed to protect against the replacement and modification of binaries on disk while still allowing authorized upgrades. We use a combination of digital signatures and kernel modifications to restrict replacement without requiring any centralized public key infrastructure. To explore the viability of our approach, we implement a prototype in Linux, test it against various rootkits, and use it for everyday activities. The system is capable of protecting against rootkits currently available while incurring minimal overhead costs. Our design motivates general recommendations for kernel design to improve security, including restricting currently exported kernel interfaces, and conditions related to the granting of privileges for configuration activities. We do not protect configuration files, instead focusing on establishing a beachhead through protecting binaries the user does not modify.
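The abstract only states that replacement is restricted by digital signatures without a central PKI. The following added example (not code from the report or its prototype) models one way such a kernel-side check can work: each protected binary remembers the public key that signed it at first install, and a replacement is accepted only if it verifies under that same key. The same-key continuity rule, the `BinLockedFS` class and the tiny textbook-RSA key pair are assumptions made for illustration.

```python
import hashlib

# Toy textbook RSA with constructed, tiny primes, used only so the example runs offline.
# A real implementation would use a proper signature scheme (e.g. RSA-PSS or Ed25519).
def make_key(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)          # (public, private)

def digest_int(data: bytes, n: int) -> int:
    # SHA-256 of the file content, reduced so it fits the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest_int(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)

class BinLockedFS:
    """Model of the check a kernel could apply on write/replace of a protected binary.
    No CA is consulted: the key that signed the first install becomes the owner key."""
    def __init__(self):
        self.files = {}            # path -> (content, owner public key)

    def install(self, path, content, sig, pub):
        if path in self.files:     # already protected: fall through to the replace rule
            return self.replace(path, content, sig)
        if not verify(pub, content, sig):
            return False
        self.files[path] = (content, pub)
        return True

    def replace(self, path, content, sig):
        # Replacement must verify under the ORIGINAL owner key; any other signer is refused.
        _, owner_pub = self.files[path]
        if not verify(owner_pub, content, sig):
            return False
        self.files[path] = (content, owner_pub)
        return True

def demo():
    vendor_pub, vendor_priv = make_key(1000003, 1000033)   # constructed vendor key
    rogue_pub, rogue_priv = make_key(1000037, 1000039)     # constructed second key
    fs = BinLockedFS()
    v1, v2, bad = b"ls v1", b"ls v2", b"ls trojaned"
    first = fs.install("/bin/ls", v1, sign(vendor_priv, v1), vendor_pub)
    upgrade = fs.replace("/bin/ls", v2, sign(vendor_priv, v2))          # same key: allowed
    other_key = fs.replace("/bin/ls", bad, sign(rogue_priv, bad))       # other key: refused
    tampered = fs.replace("/bin/ls", bad, sign(vendor_priv, v2))        # stale sig: refused
    return first, upgrade, other_key, tampered, fs.files["/bin/ls"][0]
```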