
Extending the chain of trust to executable state in memory
Disclosure Number: IPCOM000236015D
Publication Date: 2014-Apr-02
Document File: 1 page(s) / 30K

Publishing Venue

The Prior Art Database


Integrity measurement is a widely used technique for establishing that an on-disk executable file or library has not been tampered with. Once the executable is started, however, this form of integrity measurement can no longer ensure that the in-memory copy of the code remains unexploited. This invention provides a technique by which the chain of trust can be extended to in-memory copies, ensuring the detection of exploited executables during run time.

This is the abbreviated version, containing approximately 55% of the total text.


Extending the chain of trust to executable state in memory

Currently it is impossible to verify that a program in running memory has not been compromised. Although buffer overflows do not modify the text section, the text section of a running program can be modified using, for example, ptrace or an unknown vulnerability. A compromised running system can therefore show no permanent signs of compromise and appear trusted. No current technique compares a running program to its on-disk representation, because the in-memory executable is modified by symbol resolution and relocation.

Use current integrity measurement technology to verify the current known good state of the executable on disk.

Use current integrity measurement technology to verify that the loader is trusted.

After the binary is fully resolved and loaded into memory, this invention adds the step of saving a checksum of the current state of the pages containing the text section in memory; the checksum can be taken by the loader or any other trusted program that runs prior to handing control over to the executable.

The saved checksum can be signed and timestamped with a key associated with the operating system / loader.

The signed and timestamped checksum can be stored in one of several locations, such as an xattr that is protected by EVM, or the NVRAM of a TPM.
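The steps above, worked through as an added example that is not part of the disclosure: a toy loader applies relocations to a constructed on-disk text section, measures the resolved pages, signs and timestamps the measurement with a loader key, and later re-measures the live text and checks it against the sealed record. HMAC-SHA256 stands in for the operating system / loader signing key, a Python dict stands in for the protected store (EVM-protected xattr or TPM NVRAM), and every name, offset and byte value here is an assumption of the example. The example also shows why the measurement must be taken after loading: the resolved in-memory image no longer hashes to the on-disk value.

```python
import hashlib
import hmac
import json
import struct
import time

PAGE = 4096

# Constructed "on-disk" text section (not a real binary): filler bytes with
# two 4-byte absolute-address slots left as zero for the loader to fill in.
ON_DISK_TEXT = bytes(
    b"\x90" * 100 + b"\x00\x00\x00\x00" + b"\x90" * 200 + b"\x00\x00\x00\x00" + b"\xc3"
)
# (slot offset, symbol offset from load base) -- constructed relocation table
RELOCATIONS = [(100, 0x40), (304, 0x80)]
LOAD_BASE = 0x7F0000001000                # assumed load address
LOADER_KEY = b"example-loader-key-not-for-real-use"   # stands in for the OS/loader key


def resolve(text: bytes, relocs, base: int) -> bytearray:
    """Model symbol resolution/relocation: patch each slot with base+symbol."""
    image = bytearray(text)
    for off, sym in relocs:
        image[off:off + 4] = struct.pack("<I", (base + sym) & 0xFFFFFFFF)
    return image


def measure_pages(image: bytes):
    """Per-page SHA-256 digests of the text pages plus a root digest over them."""
    digests = [hashlib.sha256(bytes(image[i:i + PAGE])).hexdigest()
               for i in range(0, len(image), PAGE)]
    root = hashlib.sha256("".join(digests).encode()).hexdigest()
    return digests, root


def _mac(body: dict, key: bytes) -> str:
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def seal(root: str, key: bytes, ts=None) -> dict:
    """Sign and timestamp the root measurement (HMAC stands in for a signature)."""
    body = {"root": root, "ts": int(time.time()) if ts is None else ts}
    return {**body, "mac": _mac(body, key)}


def verify_runtime(live_image: bytes, record: dict, key: bytes) -> bool:
    """Re-measure the live text pages and compare against the sealed record."""
    body = {"root": record["root"], "ts": record["ts"]}
    if not hmac.compare_digest(_mac(body, key), record["mac"]):
        return False                      # record itself was altered
    _, live_root = measure_pages(live_image)
    return hmac.compare_digest(live_root, record["root"])


def demo():
    """Returns (disk_hash_differs_from_memory, verify_ok_at_start, verify_ok_after_change)."""
    image = resolve(ON_DISK_TEXT, RELOCATIONS, LOAD_BASE)
    disk_root = measure_pages(ON_DISK_TEXT)[1]
    _, mem_root = measure_pages(image)
    store = {}                            # stands in for EVM xattr / TPM NVRAM
    store["text-measurement"] = seal(mem_root, LOADER_KEY, ts=1396396800)
    ok_before = verify_runtime(image, store["text-measurement"], LOADER_KEY)
    image[0] = 0xCC                       # constructed in-memory modification of the text
    ok_after = verify_runtime(image, store["text-measurement"], LOADER_KEY)
    return disk_root != mem_root, ok_before, ok_after


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The per-page digests let a runtime checker report which page changed rather than only that the root differs; in a real deployment the re-measurement would run from a trusted context (kernel or a measured agent) reading the process's executable mappings, since a checker inside the possibly-modified process cannot vouch for itself.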

This state can be trusted because the on-disk binary was verified and the loader itself wa...