Data processing systems
First Claim
1. A method for detecting an attack on a data processing system installed on a kernel layer, the method comprising, in the data processing system installed on the kernel layer:
- providing, at the kernel layer, an initial secret;
binding, at the kernel layer, the initial secret to data indicative of an initial state of the system, which is installed on the kernel layer between a hardware layer and an operating system layer, via a collision resistant cryptographic function;
recording, at the kernel layer, state changing administrative actions performed on the system in a log, the state changing administrative actions comprising one or more of;
an installation of kernel modules and an alternation of system run-level codes;
prior to performing each state changing administrative action, at the kernel layer, generating a new secret by performing the collision resistant cryptographic function on a combination of data indicative of the administrative action and the previous secret, erasing the previous secret, and recording the new secret in a place of the previous secret;
evolving, at the kernel layer, the initial secret based on the log to produce an evolved secret;
comparing, at the kernel layer, the evolved secret with the new secret;
determining, at the kernel layer, that the system is uncorrupted if the comparison indicates a match between the evolved secret and the new secret; and
determining, at the kernel layer, that the system is corrupted if the comparison indicates a mismatch between the evolved secret and the new secret,wherein the cryptographic function comprises a one-way hash function and the hash function comprises an exponentiation function.
2 Assignments
0 Petitions
Accused Products
Abstract
Detection of an attack on a data processing system. An example method comprising, in the data processing system: providing an initial secret; binding the initial secret to data indicative of an initial state of the system via a cryptographic function; recording state changing administrative actions performed on the system in a log; prior to performing each state changing administrative action, generating a new secret by performing the cryptographic function on a combination of data indicative of the administrative action and the previous secret, and erasing the previous secret; evolving the initial secret based on the log to produce an evolved secret; comparing the evolved secret with the new secret; determining that the system is uncorrupted if the comparison indicates a match between the evolved secret and the new secret; and, determining that the system in corrupted if the comparison indicate a mismatch between the evolved secret and the new secret.
-
Citations
17 Claims
-
1. A method for detecting an attack on a data processing system installed on a kernel layer, the method comprising, in the data processing system installed on the kernel layer:
-
providing, at the kernel layer, an initial secret; binding, at the kernel layer, the initial secret to data indicative of an initial state of the system, which is installed on the kernel layer between a hardware layer and an operating system layer, via a collision resistant cryptographic function; recording, at the kernel layer, state changing administrative actions performed on the system in a log, the state changing administrative actions comprising one or more of;
an installation of kernel modules and an alternation of system run-level codes;prior to performing each state changing administrative action, at the kernel layer, generating a new secret by performing the collision resistant cryptographic function on a combination of data indicative of the administrative action and the previous secret, erasing the previous secret, and recording the new secret in a place of the previous secret; evolving, at the kernel layer, the initial secret based on the log to produce an evolved secret; comparing, at the kernel layer, the evolved secret with the new secret; determining, at the kernel layer, that the system is uncorrupted if the comparison indicates a match between the evolved secret and the new secret; and determining, at the kernel layer, that the system is corrupted if the comparison indicates a mismatch between the evolved secret and the new secret, wherein the cryptographic function comprises a one-way hash function and the hash function comprises an exponentiation function. - View Dependent Claims (2, 3, 7, 8, 16)
-
-
4. A data processing system, which is installed on a kernel layer, comprising:
-
a processor; a memory connected to the processor; and detection logic connected to the processor and the memory, the detection logic, in use; providing, at the kernel layer, an initial secret; binding, at the kernel layer, the initial secret to data indicative of an initial state of the system, which is installed on the kernel layer between a hardware layer and an operating system layer, via a collision resistant cryptographic function; recording, at the kernel layer, state changing administrative actions performed on the system in a log, the state changing administrative actions comprising one or more of;
an installation of kernel modules and an alternation of system run-level codes;prior to performing each state changing administrative action, at the kernel layer, generating a new secret by performing the cryptographic function on a combination of data indicative of the administrative action and the previous secret, erasing the previous secret, and recording the new secret in a lace of the revious secret; evolving, at the kernel layer, the initial secret based on the log to produce an evolved secret; comparing, at the kernl layer, the evolved secret with the new secret; determining, at the kernel layer, that the system is uncorrupted if the comparison indicates a match between the evolved secret and the new secret; and determining, at the kernel layer, that the system is corrupted if the comparison indicate a mismatch between the evolved secret and the new secret, wherein the cryptographic function comprises a one-way hash function and the hash function comprises an exponentiation function. - View Dependent Claims (5, 6, 9, 17)
-
-
10. A method for cryptographic entangling of state and administration in a data processing system installed on a kernel layer, the method comprising:
-
initializing the system, which is installed on the kernel layer between a hardware layer and an operating system layer, by generating an initial secret releasing binding data; binding, at the kernel layer, the binding data to the initial secret via a collision resistant cryptographic function; updating, at the kernel layer, the initial secret in advance of an administrative action by computing a new secret, the administrative action comprising one or more of;
an installation of kernel modules and an alternation of system run-level codes;erasing, at the kernel layer, the initial secret together with any information from which the initial secret might be derived; recording, at the kernel layer, the new secret in a place of the initial secret; recording, at the kernel layer, data indicative of the administrative action; permitting, at the kernel layer, execution of the administrative action; and offering, at the kernel layer, a proof that the new secret corresponds to the initial secret as it has evolved according to a record of administrative actions, wherein the cryptographic function comprises a one-way hash function and the hash function comprises an exponentiation function. - View Dependent Claims (11, 12, 13, 14, 15)
-
Specification