
Beyond the Basics of Windows Security: A Guide to Protecting System Integrity

Blaster, SoBig, and Slammer have upped the ante on securing Windows systems

John Kemp
Senior Security Engineer
kemp@ns.uoregon.edu

With recent pernicious exploits such as "W32/Blaster," "W32/SoBig," and "SQL/Slammer" rapidly infecting large numbers of systems on the Internet, everyone from system administrators to the average PC user has become increasingly aware of the need for basic security.

Because of the increased frequency and severity of the attacks on Microsoft Windows computers, users have become much more savvy about protecting their machines. Antiviral software is now a basic requirement for the operation of a Microsoft Windows computer. Users are also becoming more aware of the importance of keeping their OS patches up-to-date by using the Windows Update site. System integrity, however, is one area of computer protection that is not being addressed by most users.

The Importance of System Integrity

The basic idea behind system integrity is this: by periodically monitoring the changes that occur to a computer's files and directories, it becomes a simple matter to later determine 1) if a machine has been exploited, and 2) what changes were made to the system by the exploit. Without system integrity, it is difficult to detect if an exploit has occurred, and next to impossible to perform a comprehensive cleanup of the machine, short of a complete OS and application reinstall.

Establishing a baseline. The mechanisms used to generate system integrity information are usually either simple file and directory attribute lists (such as size and modification time), or cryptographic signatures: the file is run through a one-way hash function, which produces a fixed-length digest that effectively uniquely identifies the file's contents, so that any change to those contents yields a different digest. These attributes or signatures are stored in a database that can then be used to form a "baseline," or representation of a known, "good" state of the machine.

Successive runs of the system integrity software are compared against the baseline to look for changes. If the changes are warranted, such as when a new product is purchased and installed, the user can simply update the baseline. On the other hand, if the changes are unwarranted, they can show clear evidence that a machine has been infected. You will also be able to identify which files or directories have been added to the machine, or modified.
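The baseline-and-compare cycle described above, written out as an added example (this is illustrative code, not code from the article or from any of the products it reviews). It walks a directory tree, records a SHA-256 digest and size for every regular file, saves that as the baseline, and on a later run reports which files were added, removed, or modified. The directory it checks, and the file names in it, are constructed in a temporary folder so the script runs offline; the same save-then-verify workflow is what the lower-end checksum tools later in the article perform.

```python
"""Added example: a minimal file-integrity baseline and comparison.
Not taken from the article or any product it reviews; the monitored
tree and its file names are constructed here for demonstration."""
import hashlib
import json
import os
import shutil
import tempfile


def file_digest(path, chunk_size=65536):
    """Hex SHA-256 of a file, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root) to its digest and size."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip devices, dangling links, etc.
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": file_digest(full), "size": os.path.getsize(full)}
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; in practice keep this file off the monitored host."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Differences between a saved baseline and a fresh scan, sorted for stable output."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p]["sha256"] != current[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: snapshot a small tree, alter it, and re-check."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    store = tempfile.mkdtemp(prefix="integrity-db-")  # baseline kept outside the tree
    os.makedirs(os.path.join(root, "system32"))
    with open(os.path.join(root, "system32", "kernel.dll"), "wb") as f:
        f.write(b"original kernel image")
    with open(os.path.join(root, "notepad.exe"), "wb") as f:
        f.write(b"original notepad")
    db = os.path.join(store, "baseline.json")
    save_baseline(build_baseline(root), db)

    # Later: one file replaced by same-size contents, one removed, one added.
    with open(os.path.join(root, "system32", "kernel.dll"), "wb") as f:
        f.write(b"tampered kernel image")
    os.remove(os.path.join(root, "notepad.exe"))
    with open(os.path.join(root, "svchost.exe"), "wb") as f:
        f.write(b"new unknown program")

    report = compare(load_baseline(db), build_baseline(root))
    shutil.rmtree(root, ignore_errors=True)
    shutil.rmtree(store, ignore_errors=True)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the constructed scenario the replaced file keeps exactly the same size, so an attribute-only baseline would report nothing for it; the digest comparison is what flags it as modified. Updating the baseline after a warranted change (a new product install) is simply a matter of saving the fresh scan over the old database.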

Tools for Maintaining System Integrity

Fortunately, the availability of useful system integrity tools is improving. In the past, these tools were not much in demand because they were expensive, hogged resources, and were often difficult to use. But that situation is beginning to change. Not only has Microsoft taken steps to generate system integrity information through various built-in mechanisms, but commercial products designed specifically for maintaining system integrity are proliferating. In addition, some current personal software firewall packages now include integrated system integrity components. These tools are discussed in more detail below.

Microsoft's Built-in Features

System Restore. The "System Restore" feature of Windows XP and Windows ME is a useful resource for maintaining system integrity. Users typically call on this feature when an application installation has caused problems and they wish to roll the system back to a previous state. System Restore checkpoints are created automatically by Windows during application installations, or periodically during system idle time. The checkpoints contain snapshots of system files, the system registry, and some application files.

"System Restore" operations and settings can be accessed through the "Start/Help and Support" menu, or directly through the "Start/Accessories/System Tools/System Restore" menu. While "System Restore" can be extremely helpful in certain circumstances, it is not a comprehensive integrity tool. Users are still encouraged to utilize "Add or Remove Programs" or the "Uninstall" shortcuts for removing unwanted software.

Windows File Protection. Windows ME, 2000, and XP also have a feature called "Windows File Protection." The most critical Windows system files, a core collection of .sys, .dll, and .exe files, are monitored by the system. If an incorrect version of a system file is installed, Windows automatically replaces the file with either the previous version or the original version from the installation CD. For more information on the details of this system, visit the Microsoft website and look for references to the SFC.EXE or "System File Protection" command.

WHQL Driver Signing. Windows ME, 2000, and XP also have a feature known as "WHQL (Windows Hardware Quality Labs) Driver Signing," which is a method of generating signatures for Windows device drivers. Hardware vendors submit their driver packages to Microsoft, whereupon Microsoft generates signature files to be added to their driver distributions. When a new driver is first installed or activated, Windows automatically checks the files against the signatures and users can then choose whether or not they wish to allow the driver to be added to their system.

Higher-End Products

Some of the commercial Windows system integrity packages are listed below. Their feature sets vary tremendously. Packages are available for either single servers, or for multiple clients and servers which are distributed through a central management station. Some operate in near real-time, becoming active components of the system. Others run periodically and send out notifications through email. Some of the packages can also be integrated with network management consoles utilizing SNMP mechanisms. Four of these commercial packages are reviewed briefly below:

1. Tripwire for Servers (http://www.tripwire.com/): The grand-daddy of these packages is Tripwire. Tripwire began as a free, command-line utility on Unix systems, but has since developed into a fully distributed, full-featured product for Windows. Tripwire for Servers 4.0 is the current standalone product. Perhaps the biggest complaint about Tripwire is that it is not an inexpensive product. Nevertheless, it continues to lead the field in this product category.

2. Intact (http://www.pedestalsoftware.com/): The design of Pedestal Software's Intact program is an interesting variation in this product category. The two most prominent features of the package are anomaly detection and real-time monitoring. During the first few days after the product is installed, it monitors the system for normal activity. Later, it watches for changes that vary outside the norm of the observed behavior. This has the potential to reduce the number of false positives that other system integrity systems might generate. The real-time monitoring feature of Intact comes about through tight integration of the application with the primitive file actions of the operating system. Real-time notification can be an advantage for the administration of critical machines.

3. Veracity (http://www.rocksoft.com/veracity/): Rocksoft's Veracity product is available for a number of different platforms. Veracity is reminiscent of the original Tripwire, in that it is invoked as a command-line application or run from a batch file. It will appeal to users who prefer command-line tools over GUI interfaces. Veracity has a flexible monitoring language that can be used to define which types of files and attributes to monitor. Perhaps the most notable feature of this application is its price, which is considerably lower than that of Tripwire, Intact, or Data Sentinel.

4. Data Sentinel (http://www.ionx.co.uk/): Data Sentinel by Ionx is a more recent product that comes out of the UK. Its interface is probably the cleanest and easiest to use of any of the commercial products listed above. It offers coarse controls for running either "fast" or "normal" checks on files, which lets routine checks complete much more quickly. Even the more rigorous file checks run sufficiently fast, since Data Sentinel uses one of the more efficient cryptographic signature generation methods. Overall, Data Sentinel is a very clean, easy-to-use, and polished product. Perhaps fittingly, its price is somewhat high.

Data Sentinel's main program window.

Lower-End Products

For a good computer programmer, the process of producing a list of the files on a system and then generating a list of signatures for those files should be fairly simple. A number of respectable freeware, shareware or otherwise inexpensive programs are currently available for performing this task:

MD5summer. MD5summer is "postcardware," that is, the author requests only that you send him a postcard if you find the product useful. As the name suggests, the program is used to generate MD5 cryptographic checksums of Windows files. While not as fast or clean looking as some of the high-end packages, the program has a fairly intuitive GUI interface, and checksums are saved to a simple file at the end of a run. Later, the file can be used by the application to verify that the current system checksums match those in the saved file. It becomes a relatively simple task to take a snapshot of the C:\WINDOWS directory and then check it again later for changes. MD5summer is designed to run on all Windows versions and is also available in a command-line version.

Winalysis. The Winalysis program is an inexpensive, lightweight system integrity checker. The GUI interface, while not quite as clean as some of the other programs in this roundup, is still fairly easy to navigate. Over time, the author has added additional features (such as file archiving) and improvements to the user interface to make it a more attractive product.

GFI LANguard. GFI Software is the maker of GFI LANguard System Integrity Monitor. GFI is perhaps better known for its commercial Network Security Scanner product, so it's a pleasant surprise to see GFI offer a system integrity product that's available as freeware.

Any of the products mentioned in this section should be suitable for rudimentary system integrity checking.

Personal Software Firewalls

Personal software firewalls are fairly inexpensive, and their features and capabilities have developed over time. Some of the more popular packages are listed below. Along with the traditional features like address range, port number, and protocol filtering, these products often include additional protections such as ad blocking, cookie management, and ActiveX and JavaScript controls. Some of these products also incorporate system integrity components:

ISS BlackICE PC Protection 3.6. BlackICE PC Protection, for example, has a feature called "BlackICE Application Protection." This component of the program looks for all system executable files, specifically those with extensions such as .com, .dll, .drv, .exe, .ocx, .scr, .sys, and .vxd. BlackICE builds a baseline database of these files that includes the associated file and directory sizes and modification times. Applications that do not appear in the database are considered "unknown." When an unknown or modified application is launched, BlackICE can either display a popup prompt or automatically terminate the application. BlackICE includes similar features for controlling network access by unknown applications.
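The application-protection idea just described, as an added model in code (this is not BlackICE's own code and makes no claim about its internals): executables are identified by the extensions the article lists, a baseline of size and modification time is built for them, and a launch request is classified as known, modified, or unknown before a policy maps that verdict to allow, prompt, or terminate. The folder and file names are constructed in a temporary directory so the script runs offline.

```python
"""Added example: an attribute-based 'application protection' baseline.
Illustrative code, not taken from BlackICE or the article; the files,
names and timestamps below are constructed for the demonstration."""
import os
import shutil
import tempfile

# Extensions the article lists as executable content.
EXECUTABLE_EXTS = {".com", ".dll", ".drv", ".exe", ".ocx", ".scr", ".sys", ".vxd"}


def is_executable(path):
    return os.path.splitext(path)[1].lower() in EXECUTABLE_EXTS


def file_attributes(path):
    """The attribute tuple this style of check relies on: size and modification time."""
    st = os.stat(path)
    return {"size": st.st_size, "mtime": int(st.st_mtime)}


def build_app_baseline(root):
    """Record attributes for every executable file under root, keyed by absolute path."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_executable(full) and os.path.isfile(full):
                baseline[os.path.abspath(full)] = file_attributes(full)
    return baseline


def classify_launch(baseline, path):
    """Return 'known', 'modified' or 'unknown' for a program that is about to run."""
    key = os.path.abspath(path)
    if key not in baseline:
        return "unknown"
    return "known" if file_attributes(path) == baseline[key] else "modified"


def decide(verdict, policy="prompt"):
    """Map a verdict to the action the article describes: allow, prompt the user, or terminate."""
    if verdict == "known":
        return "allow"
    return "terminate" if policy == "block" else "prompt"


def demo():
    """Constructed scenario: baseline a folder, then alter one executable and add another."""
    root = tempfile.mkdtemp(prefix="appprot-demo-")

    def put(name, data, mtime):
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(data)
        os.utime(p, (mtime, mtime))  # fixed timestamps keep the example deterministic
        return p

    app = put("app.exe", b"known application", 1_000_000)
    helper = put("helper.dll", b"known library", 1_000_000)
    put("readme.txt", b"not executable, never baselined", 1_000_000)
    baseline = build_app_baseline(root)

    # Later: the library is replaced with different contents, and a new executable appears.
    put("helper.dll", b"replaced library with extra code", 1_000_100)
    dropper = put("dropper.exe", b"never seen before", 1_000_100)

    verdicts = {os.path.basename(p): classify_launch(baseline, p)
                for p in (app, helper, dropper)}
    shutil.rmtree(root, ignore_errors=True)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict} -> {decide(verdict)}")
```

Size and modification time are cheap to collect, which is why a firewall can afford to check them at every launch, but two files with different contents can share both values; the cryptographic signatures described under "Establishing a baseline" are the stronger check when that distinction matters.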

BlackICE Application Protection window.

Other programs in this category also include similar basic system integrity features. Both Zone Alarm Pro 4.0 and Sygate Personal Firewall 5.1 include basic system integrity monitoring mechanisms for applications that access the network. A checksum library is developed as network applications are used, and the applications are monitored for changes. In addition, .dll libraries are also monitored by these programs. Such features are becoming more common as a selling point because of the additional protection they can provide.

Conclusion: "An Ounce of Prevention is Worth a Pound of Cure"

It is better to prevent a break-in from happening than to have to clean up after one has occurred. Most security professionals emphasize "intrusion prevention" over "intrusion detection," which is why the mantra of computer support personnel is "run antiviral software, keep your system patches up to date, and enable the built-in Internet Connection Firewall if you're not running a server."

XP built-in Internet Connection Firewall.

Nevertheless, at some point most users wish they had a good snapshot of their system. That point usually comes immediately after they have discovered that their system has been infected. System integrity checking is only one piece in the puzzle of computer security, but clearly it's a valuable one—and one that is becoming more important every day.


Fall 2003 Computing News