Data processing systems

US 7,562,214 B2
Filed: 03/26/2004
Issued: 07/14/2009
Est. Priority Date: 03/31/2003
Status: Active Grant

First Claim

Patent Images

1. A method for detecting an attack on a data processing system installed on a kernel layer, the method comprising, in the data processing system installed on the kernel layer:

providing, at the kernel layer, an initial secret;

binding, at the kernel layer, the initial secret to data indicative of an initial state of the system, which is installed on the kernel layer between a hardware layer and an operating system layer, via a collision resistant cryptographic function;

recording, at the kernel layer, state changing administrative actions performed on the system in a log, the state changing administrative actions comprising one or more of;

an installation of kernel modules and an alternation of system run-level codes;

prior to performing each state changing administrative action, at the kernel layer, generating a new secret by performing the collision resistant cryptographic function on a combination of data indicative of the administrative action and the previous secret, erasing the previous secret, and recording the new secret in a place of the previous secret;

evolving, at the kernel layer, the initial secret based on the log to produce an evolved secret;

comparing, at the kernel layer, the evolved secret with the new secret;

determining, at the kernel layer, that the system is uncorrupted if the comparison indicates a match between the evolved secret and the new secret; and

determining, at the kernel layer, that the system is corrupted if the comparison indicates a mismatch between the evolved secret and the new secret,wherein the cryptographic function comprises a one-way hash function and the hash function comprises an exponentiation function.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detection of an attack on a data processing system. An example method comprising, in the data processing system: providing an initial secret; binding the initial secret to data indicative of an initial state of the system via a cryptographic function; recording state changing administrative actions performed on the system in a log; prior to performing each state changing administrative action, generating a new secret by performing the cryptographic function on a combination of data indicative of the administrative action and the previous secret, and erasing the previous secret; evolving the initial secret based on the log to produce an evolved secret; comparing the evolved secret with the new secret; determining that the system is uncorrupted if the comparison indicates a match between the evolved secret and the new secret; and, determining that the system in corrupted if the comparison indicate a mismatch between the evolved secret and the new secret.

Citations

17 Claims

1. A method for detecting an attack on a data processing system installed on a kernel layer, the method comprising, in the data processing system installed on the kernel layer:
- providing, at the kernel layer, an initial secret;
  
  binding, at the kernel layer, the initial secret to data indicative of an initial state of the system, which is installed on the kernel layer between a hardware layer and an operating system layer, via a collision resistant cryptographic function;
  
  recording, at the kernel layer, state changing administrative actions performed on the system in a log, the state changing administrative actions comprising one or more of;
  
  an installation of kernel modules and an alternation of system run-level codes;
  
  prior to performing each state changing administrative action, at the kernel layer, generating a new secret by performing the collision resistant cryptographic function on a combination of data indicative of the administrative action and the previous secret, erasing the previous secret, and recording the new secret in a place of the previous secret;
  
  evolving, at the kernel layer, the initial secret based on the log to produce an evolved secret;
  
  comparing, at the kernel layer, the evolved secret with the new secret;
  
  determining, at the kernel layer, that the system is uncorrupted if the comparison indicates a match between the evolved secret and the new secret; and
  
  determining, at the kernel layer, that the system is corrupted if the comparison indicates a mismatch between the evolved secret and the new secret,wherein the cryptographic function comprises a one-way hash function and the hash function comprises an exponentiation function.
- View Dependent Claims (2, 3, 7, 8, 16)
- - 2. The method as claimed in claim 1, wherein the cryptographic function comprises a public/private key pair.
  - 3. The method as claimed in claim 1, further comprising:
    - receiving the initial secret from a system administrator.
  - 7. A computer program element comprising computer program code means which, when loaded in a processor of a computer system, configures the processor to perform a method as claimed in claim 1.
  - 8. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for detecting an attack on a data processing system, said method steps comprising the steps of claim 1.
  - 16. The method as recited in claim 1, wherein a proof of knowledge of the evolved secret equates to a cryptographic verification of a history of the administrative actions.

4. A data processing system, which is installed on a kernel layer, comprising:
- a processor;
  
  a memory connected to the processor; and
  
  detection logic connected to the processor and the memory, the detection logic, in use;
  
  providing, at the kernel layer, an initial secret;
  
  binding, at the kernel layer, the initial secret to data indicative of an initial state of the system, which is installed on the kernel layer between a hardware layer and an operating system layer, via a collision resistant cryptographic function;
  
  recording, at the kernel layer, state changing administrative actions performed on the system in a log, the state changing administrative actions comprising one or more of;
  
  an installation of kernel modules and an alternation of system run-level codes;
  
  prior to performing each state changing administrative action, at the kernel layer, generating a new secret by performing the cryptographic function on a combination of data indicative of the administrative action and the previous secret, erasing the previous secret, and recording the new secret in a lace of the revious secret;
  
  evolving, at the kernel layer, the initial secret based on the log to produce an evolved secret;
  
  comparing, at the kernl layer, the evolved secret with the new secret;
  
  determining, at the kernel layer, that the system is uncorrupted if the comparison indicates a match between the evolved secret and the new secret; and
  
  determining, at the kernel layer, that the system is corrupted if the comparison indicate a mismatch between the evolved secret and the new secret,wherein the cryptographic function comprises a one-way hash function and the hash function comprises an exponentiation function.
- View Dependent Claims (5, 6, 9, 17)
- - 5. The system as claimed in claim 4, wherein the cryptographic function comprises a public/private key pair.
  - 6. The system as claimed in claim 4, wherein the detection logic receives the initial secret from a system administrator.
  - 9. A computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing a data processing system, the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer to effect the functions of claim 4.
  - 17. The method as recited in claim 4, wherein a proof of knowledge of the evolved secret equates to a cryptographic verification of a history of the administrative actions.

10. A method for cryptographic entangling of state and administration in a data processing system installed on a kernel layer, the method comprising:
- initializing the system, which is installed on the kernel layer between a hardware layer and an operating system layer, by generating an initial secret releasing binding data;
  
  binding, at the kernel layer, the binding data to the initial secret via a collision resistant cryptographic function;
  
  updating, at the kernel layer, the initial secret in advance of an administrative action by computing a new secret, the administrative action comprising one or more of;
  
  an installation of kernel modules and an alternation of system run-level codes;
  
  erasing, at the kernel layer, the initial secret together with any information from which the initial secret might be derived;
  
  recording, at the kernel layer, the new secret in a place of the initial secret;
  
  recording, at the kernel layer, data indicative of the administrative action;
  
  permitting, at the kernel layer, execution of the administrative action; and
  
  offering, at the kernel layer, a proof that the new secret corresponds to the initial secret as it has evolved according to a record of administrative actions,wherein the cryptographic function comprises a one-way hash function and the hash function comprises an exponentiation function.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method as recited in claim 10, wherein the step of offering retrieves the initial secret via a request for entry of the initial secret by a system administrator, retrieving the record of administrative actions previous stored;
    - andevolving a candidate secret for the initial secret based on the record of administrative actions retrieved;
      
      comparing the candidate secret with a current secret;
      
      if the candidate secret matches the current secret, reporting that the data processing system is still in an uncorrupted state, andif the candidate secret does not match the current secret, reporting that the data processing system is in a potentially compromised state.
  - 12. The method as recited in claim 10, further comprising permitting detection of any Trojan horse within the system.
  - 13. The method as recited in claim 10, wherein the initial secret is supplied via a secure communication channel.
  - 14. The method as recited in claim 10, wherein the binding data takes different forms depending on an application of the data processing system, and a trust mechanisms associated with communication of the initial secret.
  - 15. The method as recited in claim 10, wherein the step of computing the new secret includes applying a one way function to a combination of a previous secret and data indicative of the administrative action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AirBNB Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Riordan, James F.
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
TRUVAN, LEYNNA THANH

Application Number

US10/811,177
Publication Number

US 20050022026A1
Time in Patent Office

1,936 Days
Field of Search

713 1- 2, 713153-154, 713/168, 713/171, 713/179, 713182-184, 713187-189, 713/194, 713/19, 726 2- 4, 726 17- 18, 726 21- 27, 726/30, 726/34, 709223-225, 380/1, 380/201, 380228-229, 380/239, 380/255, 380/259, 380/32, 380/42, 380/277, 380 28- 30, 380282-286, 380/37
US Class Current

713/164
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

Data processing systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Data processing systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links