We consider the problem of malicious modification of digital objects. We present a protection mechanism designed to protect against unauthorized replacement or modification of digital objects while still allowing authorized updates transparently. We use digital signatures without requiring any centralized public key infrastructure. To explore the viability of our proposal, we apply the approach to file-system binaries, implementing a prototype in Linux which protects operating system and application binaries on disk. To test the prototype and related kernel modifications, we show that it protects against various rootkits currently available while incurring minimal overhead costs. The general approach can be used to restrict updates to general digital objects.

We address the problem of restricting root’s ability to change arbitrary files on disk, in order to prevent abuse on most current desktop operating systems. The approach first involves recognizing and separating out the ability to configure a system from the ability to use the system to perform tasks. The permission to modify configuration of the system is then further subdivided in order to restrict applications from modifying the file-system objects of other applications. We explore the division of root’s current ability to change arbitrary files on disk and discuss a prototype that proves out the viability of the approach for designated system-wide file-system objects. Our architecture exposes a control point available for use to enforce policies that prevent one application from modifying another’s file-system objects. In addition, we review in detail the permissions given to current installers, and alternative approaches for secure software installation.