Run-Time Integrity Check of Executables

last update: Jul 22, 2003

System intrusion is one of the most serious security attacks that can be mounted against a computer system. One of its worst effects is the execution of malicious code designed by the intruder instead of system or user code. The effect of such an attack is to amplify temporary root privileges into more permanent privileges.
The aim of our work is to digitally sign executables and to check their integrity at run time, in order to prevent the execution of malicious code introduced by an intruder or by the installation of a tampered software distribution.

The paper on WLF (presented at the Third Conference on Security in Communication Networks 2002)

Download WLF sources: WLF 0.4 Snapshot Jul 22, 2003
A brief introduction to WLF

Technical notes:
How we sign executables
Public Key Management through IOCTLs on devices
Public Key Management by in-kernel API
Format of the Key Floppy
Summary of Performance tests

Related links:
Java Code Signing
Microsoft Authenticode
Tool Interface Standards (TIS) ELF format specification v1.1
Signing executables in Linux
Detecting unauthorized changes to files
The tripwire Web Site

Luigi Catuogno
Ivan Visconti