
Trojan Horse and Virus Detection Using Real Time Auditing

IP.com Disclosure Number: IPCOM000122561D
Original Publication Date: 1991-Dec-01
Included in the Prior Art Database: 2005-Apr-04
Document File: 4 page(s) / 207K

Publishing Venue

IBM

Related People

Steves, DH: AUTHOR [+2]

Abstract

Disclosed is a facility for Trojan Horse and virus detection in a UNIX* based operating system using the real-time auditing facilities. This facility is designed to be used by system administrators to examine the behavior of programs which they install on their system to verify that the programs perform no illicit actions.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 30% of the total text.

      Trojan Horses and viruses in operating systems are programs
that, in addition to performing their normal function, also take
actions designed to undermine the security of the operating system.

      Trojan Horses are programs which directly violate the system
data integrity or nondisclosure policies. When executed, these
programs use the access rights and privileges of their invoker to
access data beyond the scope of the program's stated function. For
instance, a game program when run by a system administrator may
access the device configuration database. Trojan Horses sometimes
intentionally delay their effects, in which case they are termed
"time bombs".

      Integrity violations can be purposeful (altering a user
database to grant a user more privilege) or simply malicious
(destroying data at random). As an example of a nondisclosure
violation, consider covert channels. In systems where a multilevel
security policy is enforced, all files and processes have a security
level, and it is illegal for a process to read a file that has a
security level greater than its own. A Trojan Horse program which
exploits a covert channel is actually two separate processes, one at
a high level and one at a low level. The covert channel works by
having the program at a high level open the file and read the
information in it, and then signal the information to the process at
the lower level. Since direct communication between the two processes
is forbidden, the process at a higher level will perform actions,
such as excessive resource consumption, which can be detected by the
lower level process in order to communicate the information.

      Viruses are programs which modify other programs when they are
executed. These programs, in turn, infect still other programs.  It
is important to note that viruses propagate by appending code to
program files to which their invoker has write access. Although in
and of themselves, viruses generally do little harm except consume
system resources, the real purpose of the virus is to attach itself
to a program which will be executed by a user with 'interesting' access
rights or privileges. At this point, the virus usually becomes a
Trojan Horse and directly attacks the security of the system. In some
cases, though, no such attack occurs because the purpose of the virus
was to consume the system resources and to reduce or eliminate system
availability.
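The disclosure describes its auditing facility only in prose. As an added illustration (not the disclosure's own code), the following Python script shows the kind of check a system administrator could run over real-time audit records to catch the two behaviours described in the preceding paragraphs: a program using its invoker's rights to reach data beyond its stated function (the game run by an administrator that reads the device configuration database), and a program writing into other program files (the virus propagation pattern). The audit record format, the per-program scope profiles, the path names, the installer list and the sample records are all constructed for this example.

```python
"""Audit-record analyzer: flag program behaviour outside a declared scope.

Added illustration, not code from the disclosure. The record format, the
program profiles and the sample audit lines are constructed for this example.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class AuditRecord:
    pid: int
    program: str   # executable that issued the system call
    user: str      # invoker whose access rights the program runs with
    syscall: str   # "open_read", "open_write" or "exec"
    path: str


# Declared scope of each installed program (constructed). Any file access that
# matches none of the patterns is reported: the program has reached beyond its
# stated function, which is exactly the Trojan Horse behaviour described above.
PROFILES: Dict[str, Set[str]] = {
    "/usr/games/rogue": {"/usr/games/lib/*", "/home/*/.rogue*", "/dev/tty*"},
    "/usr/bin/editor": {"/home/*", "/tmp/*", "/dev/tty*"},
    "/usr/sbin/installp": {"/usr/bin/*", "/usr/lib/*", "/tmp/*"},
}

# Directories holding program files. A write into one of them by anything other
# than a declared installer matches the virus propagation pattern (appending
# code to program files the invoker can write).
PROGRAM_DIRS = ("/bin/", "/usr/bin/", "/usr/games/", "/usr/lib/")
INSTALLERS = {"/usr/sbin/installp"}

# Constructed sample audit trail: pid|program|user|syscall|path
SAMPLE_AUDIT = """\
101|/usr/games/rogue|alice|open_read|/usr/games/lib/rogue.dat
101|/usr/games/rogue|alice|open_write|/home/alice/.rogue.save
102|/usr/games/rogue|root|open_read|/etc/devices.cfg
103|/usr/bin/editor|bob|open_read|/home/bob/notes.txt
103|/usr/bin/editor|bob|open_write|/usr/bin/ls
104|/usr/sbin/installp|root|open_write|/usr/bin/newtool
"""


def parse_record(line: str) -> AuditRecord:
    """Parse one constructed audit line into an AuditRecord."""
    pid, program, user, syscall, path = line.rstrip("\n").split("|")
    return AuditRecord(int(pid), program, user, syscall, path)


def in_scope(program: str, path: str) -> bool:
    """True if the path falls inside the program's declared scope."""
    patterns = PROFILES.get(program)
    if patterns is None:
        return False  # unknown program: nothing it touches is in scope
    return any(fnmatch(path, pattern) for pattern in patterns)


def analyze(records: Iterable[AuditRecord]) -> List[str]:
    """Return one finding string per suspicious access, in audit order."""
    findings: List[str] = []
    for r in records:
        if r.syscall in ("open_read", "open_write") and not in_scope(r.program, r.path):
            findings.append(
                f"TROJAN? pid={r.pid} {r.program} (as {r.user}) {r.syscall} {r.path}"
            )
        if (
            r.syscall == "open_write"
            and r.path.startswith(PROGRAM_DIRS)
            and r.program not in INSTALLERS
        ):
            findings.append(
                f"VIRUS? pid={r.pid} {r.program} (as {r.user}) wrote program file {r.path}"
            )
    return findings


def run_sample() -> List[str]:
    """Analyze the constructed sample trail; used by main() and by the checks."""
    records = [parse_record(line) for line in SAMPLE_AUDIT.splitlines() if line]
    return analyze(records)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample trail the game run by `alice` stays inside its profile and produces nothing, while the same game run by `root` reading `/etc/devices.cfg` is reported as out of scope, and the editor's write to `/usr/bin/ls` is reported twice: once because it is outside the editor's scope and once because a non-installer wrote a program file. The installer's write to `/usr/bin/newtool` is both in scope and exempt, so it is silent. A real deployment would consume the operating system's audit stream rather than a text file, but the scoping logic is the same.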

      Trojan Horses and viruses originate from a variety of sources.
The program could come from the system manufacturer, a program vendor
or from an employe...