Note: [1] This work has been supported by Air Force Research Laboratory/Rome under grant F30602-98-C-0264. A preliminary version of this paper appeared under the title “Protecting file systems against corruption using checksums”, in: Data and Applications Security: Developments and Directions, B. Thuraisingham, R. van de Riet, K.R. Dittrich and J. Tari, eds, Kluwer Academic Publishers, Boston, 2001, pp. 113–124.
Abstract: We consider the problem of malicious attacks that lead to corruption of files in a file system. A typical method to detect such corruption is to compute signatures of all the files and store these signatures in a secure place. A malicious modification of a file can be detected by verifying the signature. This method, however, leaves the system vulnerable to an attacker who has access to some of the files and the signatures (but not the signing transformation) and who replaces some of the files by their old versions and the corresponding signatures by the signatures of the old versions. In this paper, we present a technique called Check2 that also relies on signatures for detecting corruption of files. The novel feature of our approach is that we compute additional levels of signatures to guarantee that any change of a file and the corresponding signature will require an attacker to perform a very lengthy chain of precise changes to successfully complete the corruption in an undetected manner. If an attacker fails to complete all the required changes, Check2 can be used to pinpoint which files have been corrupted. Two alternative ways of implementing Check2 are offered, the first using a deterministic way of combining signatures and the second using a randomized scheme. Our results show that the overhead added to the system is minimal.
