The design and implementation of tripwire

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

The design and implementation of tripwire: a file system integrity checker

Full text

Pdf (1.22 MB)

Source

Conference on Computer and Communications Security archive
Proceedings of the 2nd ACM Conference on Computer and communications security table of contents

Fairfax, Virginia, United States

Pages: 18 - 29

Year of Publication: 1994

ISBN:0-89791-732-4

Authors

Gene H. Kim	COAST Laboratory, Department of Computer Sciences, Purdue University, West Lafayette, IN
Eugene H. Spafford	COAST Laboratory, Department of Computer Sciences, Purdue University, West Lafayette, IN

Sponsor

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 20, Downloads (12 Months): 111, Citation Count: 36

Additional Information:

abstract references cited by index terms collaborative colleagues peer to peer

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/191177.191183 What is a DOI?

ABSTRACT

At the heart of most computer systems is a file system. The file system contains user data, executable programs, configuration and authorization information, and (usually) the base executable version of the operating system itself. The ability to monitor file systems for unauthorized or unexpected changes gives system administrators valuable data for protecting and maintaining their systems. However, in environments of many networked heterogeneous platforms with different policies and software, the task of monitoring changes becomes quite daunting.Tripwire is tool that aids UNIX system administrators and users in monitoring a designated set of files and directories for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or altered files, so corrective actions may be taken in a timely manner. Tripwire may also be used on user or group files or databases to signal changes.This paper describes the design and implementation of the Tripwire tool. It uses interchangeable “signature” (usually, message digest) routines to identify changes in files, and is highly configurable. Tripwire is no-cost software, available on the Internet, and is currently in use on thousands of machines around the world.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Maurice J. Bach, The design of the UNIX operating system, Prentice-Hall, Inc., Upper Saddle River, NJ, 1986
	2	Vesselin Bontchev. Possible virus attacks against integrity programs and how to prevent them. Technical report, Virus Test Center, University of Hamburg, 1993.
	3	J. Campbell, C programmer's guide to serial communications, Sams, Indianapolis, IN, 1987
	4	David A. Curry, UNIX system security: a guide for users and system administrators, Addison Wesley Longman Publishing Co., Inc., Redwood City, CA, 1992
	5	Edward DeHart, editor. Proceedings of lhe Securily IV Conference, Berkeley, CA, 1993. USENIX Association.
	6	Data encryption standard. National Bureau of Standards FIPS, 1977.
	7	Paul Fahn. Answers to frequently asked questions about today's cryptography. Technical Report Version 1.0 draft le, RSA Laboratorics, 1992.
	8	Daniel Farmer and Eugene H. Spafford. The COPS security checker system. In Proceedings of the Summer Conference, pages 165-190, Berkely, CA, 1990. Usenix Association.
	9	Simson Garfinkel , Gene Spafford, Practical UNIX security, O'Reilly & Associates, Inc., Sebastopol, CA, 1991
	10	Chuck Gilmore. README file for PROVECRC.EXE. README file with program, 1991.
	11	Brian W. Kernighan and Dennis M. Ritchie. The 1977.
	12	B. W. Kernighan , D. M. Ritchie, The C programming language, Prentice-Hall, Inc., Upper Saddle River, NJ, 1978
	13	Gene H. Kim and.Eugene H. Spafford. Experiences with tripwire: Using integrity checkers for intrusion detection. In Systems Administration, Networking and Security Conference IIl. Usenix, April 1994.
	14	Gene H. Kim and Eugene H. Spafford. Writing, supporting, and evaluating tripwire: A publically available security tool. In Proceedings of the Usenix Applications Development Symposium, Berkeley, CA, 1994. Usenix.
	15	Scott Leadly, Kenneth Rich, and Mark Sirota. Hobgoblin: A File and Directory A udilor. University Computing Center, University of Rochester, 1991.
	16	Ralph C. Merkle, A fast software one-way hash function, Journal of Cryptology, v.3 n.1, p.43-58, 1990
	17	W. T. Polk and L. E. Bassham. A guide to the selection of anti-virus tools and techniques. National Institute of Standards and Technology report, December 1992.
	18	Yisrael Radai. Checksumming techniques for anti-viral proposed. In Edward Wilding, editor, Virus Bulletin Conference Proceedings. Virus Bulletin, Ltd., September 1991.
	19	Robert B. Reinhardt. An architectural overview of UNIX network security. Technical report, ARINC Research Corportation, February 1993.
	20	Ronald L. Rivest, The MD4 Message Digest Algorithm, Proceedings of the 10th Annual International Cryptology Conference on Advances in Cryptology, p.303-311, August 11-15, 1990
	21	R. L. Rivest. RFC 1321: The rod5 message-digest algorithm. Technical report, Internet Activities Board, April 1992.
	22	David R. Safford, Douglas Lee Schales, and David K. Hess. The TAMU security package: An ongoing response to internet intruders in an academic environment. In DeHart {5}, pages 91-118.
	23	Bruce Schneier. Applied Cryptography. John Wilcy& Sons, Inc, 1993.
	24	Gustavus J. Simmons, Contemporary Cryptology: The Science of Information Integrity, IEEE Press, Piscataway, NJ, 1994
	25	Cliff Stoll. The Cuckoo's Egg. Simon & Schuster, Inc., New York, 1990.
	26	Sun Microsystems, Inc. System and Network Administration, 1990. Part number 800-3805-10.
	27	Steve Talbott. Managing Projects with make. O'Reilly & Associates, Inc., 1991.
	28	David Vincenzetti and Massimo Cotrozzi. ATP anti tampering program. In DeHart {5}, pages 79-90.
	29	Yuliang Zheng , Josef Pieprzyk , Jennifer Seberry, HAVAL - A One-Way Hashing Algorithm with Variable Length of Output, Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques: Advances in Cryptology, p.83-104, December 13-16, 1992

CITED BY 36

	Paul C. van Oorschot , Anil Somayaji , Glenn Wurster, Hardware-Assisted Circumvention of Self-Hashing Software Tamper Resistance, IEEE Transactions on Dependable and Secure Computing, v.2 n.2, p.82-92, April 2005
	Daniel Barbará , Rajni Goel , Sushil Jajodia, A checksum-based corruption detection technique, Journal of Computer Security, v.11 n.3, p.315-329, 1 March 2003
	Lionel Litty , David Lie, Manitou: a layer-below approach to fighting malware, Proceedings of the 1st workshop on Architectural and system support for improving software dependability, p.6-11, October 21-21, 2006, San Jose, California
	Giovanni Di Crescenzo , Faramak Vakil, Cryptographic hashing for virus localization, Proceedings of the 4th ACM workshop on Recurring malcode, November 03-03, 2006, Alexandria, Virginia, USA
	Marcel Winandy , Armin B. Cremers , Hanno Langweg , Adrian Spalka, Protecting Java component integrity against Trojan Horse programs, Integrity and internal control in information systems V, Kluwer Academic Publishers, Norwell, MA, 2003
	Yi-Min Wang , Doug Beck, Fast user-mode rootkit scanner for the enterprise, Proceedings of the 19th conference on Large Installation System Administration Conference, p.3-3, December 04-09, 2005, San Diego, CA
	Nguyen Anh Quynh , Yoshiyasu Takefuji, A novel approach for a file-system integrity monitor tool of Xen virtual machine, Proceedings of the 2nd ACM symposium on Information, computer and communications security, March 20-22, 2007, Singapore
	Kiran Lakkaraju , William Yurcik , Adam J. Lee, NVisionIP: netflow visualizations of system state for security situational awareness, Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, October 29-29, 2004, Washington DC, USA
	Swapnil Patil , Anand Kashyap , Gopalan Sivathanu , Erez Zadok, FS: An In-Kernel Integrity Checker and Intrusion Detection File System, Proceedings of the 18th USENIX conference on System administration, November 14-19, 2004, Atlanta, GA
	Ashvin Goel , Kenneth Po , Kamran Farhadi , Zheng Li , Eyal de Lara, The taser intrusion recovery system, ACM SIGOPS Operating Systems Review, v.39 n.5, December 2005
	Michael Atighetchi , Partha Pal , Franklin Webber , Richard Schantz , Christopher Jones , Joseph Loyall, Adaptive Cyberdefense for Survival and Intrusion Tolerance, IEEE Internet Computing, v.8 n.6, p.25-33, November 2004
	Ashvin Goel , Kamran Farhadi , Kenneth Po , Wu-chang Feng, Reconstructing system state for intrusion analysis, ACM SIGOPS Operating Systems Review, v.42 n.3, April 2008
	Shawn Embleton , Sherri Sparks , Cliff Zou, SMM rootkits: a new breed of OS independent malware, Proceedings of the 4th international conference on Security and privacy in communication netowrks, September 22-25, 2008, Istanbul, Turkey
	Christopher A. Stein , John H. Howard , Margo I. Seltzer, Unifying File System Protection, Proceedings of the General Track: 2002 USENIX Annual Technical Conference, p.79-90, June 25-30, 2001
	Glenn Wurster , P. C. van Oorschot, Self-signed executables: restricting replacement of program binaries by malware, Proceedings of the 2nd USENIX workshop on Hot topics in security, p.1-5, August 07, 2007, Boston, MA
	C. C. Michael , Anup Ghosh, Simple, state-based approaches to program-based anomaly detection, ACM Transactions on Information and System Security (TISSEC), v.5 n.3, p.203-237, August 2002
	Lihao Xu, Hydra: a platform for survivable and secure data storage systems, Proceedings of the 2005 ACM workshop on Storage security and survivability, November 11-11, 2005, Fairfax, VA, USA
	Kenichi Kourai , Shigeru Chiba, HyperSpector: virtual distributed monitoring environments for secure intrusion detection, Proceedings of the 1st ACM/USENIX international conference on Virtual execution environments, June 11-12, 2005, Chicago, IL, USA
	Mohammad Banikazemi , Dan Poff , Bulent Abali, Storage-based file system integrity checker, Proceedings of the 2005 ACM workshop on Storage security and survivability, November 11-11, 2005, Fairfax, VA, USA
	John D. Strunk , Garth R. Goodson , Michael L. Scheinholtz , Craig A. N. Soules , Gregory R. Ganger, Self-securing storage: protecting data in compromised system, Proceedings of the 4th conference on Symposium on Operating System Design & Implementation, p.12-12, October 22-25, 2000, San Diego, California
	Lionel Litty , H. Andrés Lagar-Cavilla , David Lie, Hypervisor support for identifying covertly executing binaries, Proceedings of the 17th conference on Security symposium, p.243-258, July 28-August 01, 2008, San Jose, CA
	Nick L. Petroni, Jr. , Timothy Fraser , Jesus Molina , William A. Arbaugh, Copilot - a coprocessor-based kernel runtime integrity monitor, Proceedings of the 13th conference on USENIX Security Symposium, p.13-13, August 09-13, 2004, San Diego, CA
	Adam G. Pennington , John D. Strunk , John Linwood Griffin , Craig A. N. Soules , Garth R. Goodson , Gregory R. Ganger, Storage-based intrusion detection: watching storage activity for suspicious behavior, Proceedings of the 12th conference on USENIX Security Symposium, p.10-10, August 04-08, 2003, Washington, DC
	Gopalan Sivathanu , Charles P. Wright , Erez Zadok, Ensuring data integrity in storage: techniques and applications, Proceedings of the 2005 ACM workshop on Storage security and survivability, November 11-11, 2005, Fairfax, VA, USA
	Alina Oprea , Michael K. Reiter, Integrity checking in cryptographic file systems with constant trusted storage, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
	Guanling Chen , Robert S. Gray, Simulating non-scanning worms on peer-to-peer networks, Proceedings of the 1st international conference on Scalable information systems, p.29-es, May 30-June 01, 2006, Hong Kong
	Samuel T. King , Peter M. Chen, Backtracking intrusions, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
	Samuel T. King , Peter M. Chen, Backtracking intrusions, ACM Transactions on Computer Systems (TOCS), v.23 n.1, p.51-76, February 2005
	Anil Somayaji, Immunology, diversity, and homeostasis: The past and future of biologically inspired computer defenses, Information Security Tech. Report, v.12 n.4, p.228-234, January, 2007
	Ashvin Goel , Wu-chang Feng , Wu-chi Feng , David Maier, Automatic high-performance reconstruction and recovery, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.5, p.1361-1377, April, 2007
	Charles Reis , Steven D. Gribble , Tadayoshi Kohno , Nicholas C. Weaver, Detecting in-flight page changes with web tripwires, Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, p.31-44, April 16-18, 2008, San Francisco, California
	Sean Peisert , Matt Bishop , Keith Marzullo, Computer forensics in forensis, ACM SIGOPS Operating Systems Review, v.42 n.3, April 2008
	Ali R. Butt , Rongmei Zhang , Y. Charlie Hu, A self-organizing flock of condors, Journal of Parallel and Distributed Computing, v.66 n.1, p.145-161, January 2006
	Christopher R. Lumb , Jiri Schindler , Gregory R. Ganger , David F. Nagle , Erik Riedel, Towards higher disk head utilization: extracting free bandwidth from busy disk drives, Proceedings of the 4th conference on Symposium on Operating System Design & Implementation, p.7-7, October 22-25, 2000, San Diego, California
	Florian Kerschbaum , Eugene H. Spafford , Diego Zamboni, Using internal sensors and embedded detectors for intrusion detection, Journal of Computer Security, v.10 n.1-2, p.23-70, 2002
	Vishal Kher , Yongdae Kim, Securing distributed storage: challenges, techniques, and systems, Proceedings of the 2005 ACM workshop on Storage security and survivability, November 11-11, 2005, Fairfax, VA, USA