Detecting system compromise

Foundational Security

Still Not Convinced?

Runtime integrity is an effective emerging technology that can be used to detect system compromises, enhance existing security mechanisms, and offer peace of mind that likely vulnerable systems have not been compromised and, by extension, that critical functions are operating as expected. Still, when many are introduced to this technology, they question whether it is necessary in their environment.

Sure, their systems might be vulnerable, but they won't be the one attacked, or their system has the latest software updates, or they've already invested in security solutions like virus protection or system monitoring. They see their systems as being as secure as they are going to get and regard any attempt to ensure system integrity, especially at the operating system level, as overkill. These and any number of other rationalizations can be costly positions to take when an attack finally does succeed or some accidental action by an authorized user opens up the system to malicious code and subsequent compromise.

The fact of the matter is that system attacks are widespread, unrelenting, and often automated, indiscriminately looking for vulnerable systems to exploit. Attackers, no matter the vector they take, look to gain execution on a system, exploit a vulnerability to escalate their privileges, and launch whatever attack suits their purpose. In some cases, the strategy could be to inflict immediate damage to the system, but in many instances, it leads to software modifications that allow continued access for an attacker to corrupt or exfiltrate information, interfere with critical system functions, misuse system resources, or impersonate legitimate users and exploit their privileges on the system or out on the Internet.

For most attackers, compromise of the operating system is the ultimate prize because it is the system component that executes with the most privilege on the system. From there, an attacker can pretty much bypass any security mechanisms on the system, modify any existing software, or install any piece of malicious software. Once the operating system is compromised, nothing on the system should be trusted any longer. Any work done or data generated subsequent to the attack becomes suspect. The only safe action is to rebuild the system from scratch.

Knowledgeable system designers and administrators recognize this problem. Systems today incorporate many effective security mechanisms that challenge attackers. Still, only one flaw is needed for an attack to succeed, and new attacks seem always to be just around the corner. Even if it were possible to build flawless operating systems, they would still be vulnerable to attack. Ample opportunities are present along the supply chain or from hardware devices connected to the running system to introduce unauthorized modifications.

Nonetheless, design and implementation flaws will likely remain a reality for some time, keeping system administrators busy patching systems and chasing the latest attacks. For these reasons, I'm convinced that integrity measurement, in particular runtime integrity at the operating system level, is a crucial technology in the battle to secure systems.

Runtime Integrity vs. Monitoring

Many people see system monitoring as the future of attack detection. The theory is that if enough data about a running system, network traffic, or attack trends can be collected, analyzed, and understood in near real time, it may be possible to recognize when attacks have occurred or even predict when they might occur. You can also look back and analyze actions that have already occurred. Indeed, advanced monitoring systems show promise that some of these claims can be realized, already making system monitoring an important weapon in the security arsenal. The emergence of artificial intelligence hints at continued advances in this space, which will only make system monitoring more effective.

As promising as system monitoring is, it would be a mistake to treat it as a substitute for runtime integrity. Monitoring is a resource-intensive process: It requires intrusive collection of massive amounts of data and complex behavioral system models, and it exposes detailed information about system activity, making monitoring systems attractive targets for attackers. Monitoring results can only be as good as the data and the models.

In contrast, runtime integrity is independent of behavior. Constructing behavioral models and validating them is difficult, with no way to validate them against previously unseen bad behavior. Runtime integrity only needs a characterization of a good system state to be effective. This straightforward problem is based solely on the deployed system and not on any notion of acceptable actions that can be taken on any given system.

Monitoring systems suffer from another, often overlooked problem. The mechanisms the monitoring system uses to collect data rely on instrumentation of the operating system itself, because that is where a suitable vantage point to observe exists. Any operating system compromise therefore immediately calls into question the fidelity of the monitoring data. Admittedly, some configurations of runtime integrity systems could suffer from similar shortcomings, but the current alternatives for observing safely from outside the operating system are better suited to observing system state than to collecting large amounts of data efficiently.

Runtime integrity should not be seen as a competitor to system monitoring; instead, as with so many other security mechanisms, it should be considered a complementary mechanism. Runtime integrity can be used to increase monitoring system and data fidelity, or even serve as a reliable source of monitoring data if integrity measurements or appraisal results are forwarded to the monitoring system.

Although runtime integrity is not a primary measure of correct system behavior, no assertion that system behavior is good should be relied upon in the absence of a sound assertion that the monitoring system and its behavior have integrity. Furthermore, strong evidence of a system's runtime integrity might be a good indicator of good behavior.
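The two ideas above (runtime integrity needs only a characterization of a good system state, and appraisal results can be forwarded to the monitoring system to qualify its data) can be made concrete with a small simulation. The following is an added example, not code from the article or from any runtime integrity product the author describes. It stands in an in-memory dictionary for the measurable state of a running system (kernel text, loaded modules, a critical setting), with all contents constructed; a real system would measure these regions from a vantage point outside the operating system. The names `measure`, `appraise`, `simulate_tampered_system` and `tag_monitoring_record` are this example's own.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for the measurable state of a running system.
# Keys name regions; values are the bytes a measurement agent would read.
KNOWN_GOOD_SYSTEM = {
    "kernel/text": b"\x55\x48\x89\xe5" * 64,            # constructed bytes
    "module/ext4": b"ext4 module image (constructed)",
    "module/nf_conntrack": b"nf_conntrack image (constructed)",
    "config/sysctl.kernel.modules_disabled": b"1",
}


def measure(system):
    """Measurement step: hash every region. No behavioral model is involved;
    the result depends only on what is deployed right now."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in system.items()}


@dataclass
class Appraisal:
    ok: bool
    modified: list = field(default_factory=list)    # present, but hash differs
    missing: list = field(default_factory=list)     # in golden manifest, not measured
    unexpected: list = field(default_factory=list)  # measured, not in golden manifest


def appraise(measurement, golden):
    """Appraisal step: compare a measurement against the known-good manifest.
    Anything that is not exactly the characterized good state is a deviation,
    which is how previously unseen modifications are caught without a model
    of bad behavior."""
    result = Appraisal(ok=True)
    for name, digest in golden.items():
        if name not in measurement:
            result.missing.append(name)
        elif measurement[name] != digest:
            result.modified.append(name)
    for name in measurement:
        if name not in golden:
            result.unexpected.append(name)
    result.ok = not (result.modified or result.missing or result.unexpected)
    return result


def simulate_tampered_system():
    """Constructed deviation scenario used only to exercise the appraisal logic:
    patched kernel text, a flipped hardening setting, a region that vanished,
    and a region the golden manifest never listed."""
    system = dict(KNOWN_GOOD_SYSTEM)
    system["kernel/text"] = system["kernel/text"][:-4] + b"\x00\x00\x00\x00"
    system["config/sysctl.kernel.modules_disabled"] = b"0"
    del system["module/nf_conntrack"]
    system["module/unknown_mod"] = b"module absent from golden manifest (constructed)"
    return system


def tag_monitoring_record(record, appraisal):
    """Forward the appraisal result alongside a monitoring event so the consumer
    can decide how much to trust data produced by this host's instrumentation."""
    return {**record, "host_integrity": "ok" if appraisal.ok else "deviated"}


if __name__ == "__main__":
    golden = measure(KNOWN_GOOD_SYSTEM)      # captured once, from the trusted build
    print("clean system ok:", appraise(golden, golden).ok)
    verdict = appraise(measure(simulate_tampered_system()), golden)
    print("tampered system:", verdict)
    print(tag_monitoring_record({"event": "login", "user": "alice"}, verdict))
```

The golden manifest is captured once from the trusted build and never changes in response to what the system does; a monitoring consumer that sees `host_integrity` other than `ok` knows the event data came from instrumentation whose fidelity can no longer be assumed.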

Closing Thoughts

A key takeaway from this article should be that runtime integrity technology is real and can be extremely effective. It has been successfully used in government and commercial situations and is a significant step forward for integrity measurement systems that can substantially improve security decisions across many use cases. Runtime integrity is ripe for wider adoption or even incorporation into systems as a core security service. Given the opportunity, deploy it on systems under your control and demand that it be incorporated into those that you don't.

The Author

Peter Loscocco served for nearly 40 years at the National Security Agency researching problems associated with system security, many years as the technical lead for operating system security research. He is an original creator of Security-Enhanced Linux (SELinux). His foundational research in integrity measurement and attestation led to a novel approach to Runtime Integrity, an area where he holds several patents.
