
I am aware that operating systems verify authenticity & integrity of a program file while installing a program to a system.

My question is, do popular OSes provide a way to verify (and warn the user if modified/tampered with by malware on the system) the integrity of a program that resides on a disk, every time a user executes it? My program contents would be signed and would carry a certificate from a valid CA.

I'm also aware that malware could just replace the entire program, and remove any code that asks the OS to run an integrity check. But I am interested in only detecting attacks such as a DLL proxying attack, where the whole program is not replaced/modified.



Linux supports IMA, the Integrity Measurement Architecture. This is a feature which stores a cryptographic hash of every file in extended attributes on the filesystem. When a page from a file is loaded, the entire file is read, hashed, and the hash is verified. The hash is part of a hash tree, verifying the hashes all the way down to a single trusted root hash. This root hash can be signed or protected in the system's TPM. Attempts to load a file that has been changed will return -EIO.

Because the entire file must necessarily be read in order to calculate its hash, a performance optimization called demand paging, which loads only the requested pages into memory rather than the entire file, will no longer function. This can increase the start-up time for large executables or executables that link against a number of large libraries, especially on slow disks.

forest
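As an added example, not part of forest's answer and not the kernel's IMA code, here is a small user-space Python model of the appraisal step the answer describes: the file's hash is stored in an extended attribute when the file is labelled, the whole file is re-read and re-hashed on every open, and a mismatch is rejected with EIO. The function names (`label`, `open_appraised`, `demo`) and the xattr name `user.ima_model` are assumptions of this example; real IMA keeps its hash in the privileged `security.ima` attribute and does the check inside the kernel, which an unprivileged script cannot do. The sample "program" written to a temporary file is constructed for the demo.

```python
"""
User-space model of IMA appraisal: a file's hash lives in an extended
attribute and is re-checked every time the file is opened.
Added example; not code from the answer or from the Linux kernel.
"""
import errno
import hashlib
import os
import tempfile

# Real IMA uses the privileged "security.ima" xattr. An unprivileged
# model has to use the "user." namespace (assumption of this example).
IMA_XATTR = "user.ima_model"
# Used only if the filesystem refuses user xattrs (e.g. some tmpfs).
_fallback_store = {}


def _hash_file(path):
    """Read the entire file and hash it, as the answer describes IMA doing."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def label(path):
    """Record the file's current hash in its xattr (labelling the file)."""
    digest = _hash_file(path).encode()
    try:
        os.setxattr(path, IMA_XATTR, digest)
    except (AttributeError, OSError):
        # No xattr support here: keep the label in memory instead.
        _fallback_store[os.path.realpath(path)] = digest
    return digest.decode()


def _stored_hash(path):
    """Return the labelled hash, or None if the file was never labelled."""
    try:
        return os.getxattr(path, IMA_XATTR).decode()
    except (AttributeError, OSError):
        stored = _fallback_store.get(os.path.realpath(path))
        return stored.decode() if stored else None


def open_appraised(path):
    """Open the file only if its content still matches the stored hash.

    A missing label or a mismatch fails with errno EIO, the error the
    answer gives for a changed file.
    """
    expected = _stored_hash(path)
    if expected is None or _hash_file(path) != expected:
        raise OSError(errno.EIO, "appraisal failed: file content changed", path)
    return open(path, "rb")


def demo():
    """Label a constructed file, open it, tamper with it, open it again."""
    fd, path = tempfile.mkstemp(prefix="ima-model-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"#!/bin/sh\necho legitimate program\n")  # constructed sample
        label(path)
        with open_appraised(path) as f:
            clean_opened = f.read().startswith(b"#!/bin/sh")
        # Simulate malware modifying the file in place (not a full replacement).
        with open(path, "ab") as f:
            f.write(b"echo injected\n")
        try:
            open_appraised(path)
            tampered_errno = None
        except OSError as e:
            tampered_errno = e.errno
        return {
            "clean_opened": clean_opened,
            "tampered_errno": tampered_errno,
            "tampered_rejected_with_eio": tampered_errno == errno.EIO,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The model makes the cost the answer mentions visible: `open_appraised` cannot return until `_hash_file` has read every byte, so there is no way to map in only the pages the program touches first. It also shows what the model does not catch: an attacker who can rewrite the label as well as the file (here, anyone with write access to the `user.` xattr; in real IMA, whoever can forge `security.ima`) defeats it, which is why the answer ties the hashes back to a signed root or the TPM.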