One aspect of an Information Assurance "Defense in Depth" strategy is robust configuration management. Applications such as Tripwire can assist in such management, but these tools are usually difficult to operate and may provide incorrect results, i.e. a false negative, as happened to the authors of the Internet Auditing Project. The problem with integrity applications is that they depend on the integrity and proper operation of the operating system, i.e. these applications assume that the operating system always operates correctly. When this assumption is not valid the integrity applications cannot provide a reliable result, and so they produce a false negative. Tools such as those that can be found at RootShell.com provide novice attackers with the capability to defeat integrity tools that rely on the operating system. Additionally, most integrity applications require a database of pre-computed values. The maintenance and protection of this database presents several challenges to effective and secure management on a wide scale.

Komoku provides a solution to the traditional problems with integrity and configuration management described above, using what we call Out-of-Band Cryptographic Configuration Management. The solution leverages digital signature technology to provide integrity protection for file systems with an out-of-band verification process that does not depend on the underlying operating system. The resultant system provides extremely strong integrity guarantees and configuration management: it detects modifications to approved, signed objects as well as the existence of unapproved and thus unsigned objects. This is accomplished without ANY modifications to the host operating system. As a result, the system is equivalent to an independent auditor, detecting problems in near real-time.
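The verification model described above, as an added illustration (this is not Komoku's code and says nothing about its actual implementation): a set of approved objects is hashed, the hashes are gathered into a manifest, and the manifest is signed with an Ed25519 key held off the host. An auditor that has only the public key then checks the manifest signature and compares every object it sees against it, reporting three things: approved objects whose content changed, objects present that were never signed, and approved objects that have gone missing. The out-of-band read is modelled here by a plain map of path to content that the auditor consumes directly, standing in for a read of the raw medium that bypasses the host kernel; the paths, contents and key are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest is the signed list of approved objects: path -> hex SHA-256 of content.
type Manifest struct {
	Digests map[string]string
	Sig     []byte // Ed25519 signature over the canonical encoding of Digests
}

// canonical serialises the digests in sorted path order so that the same
// set of objects always yields the same bytes to sign and verify.
func canonical(d map[string]string) []byte {
	paths := make([]string, 0, len(d))
	for p := range d {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&b, "%s\x00%s\n", p, d[p])
	}
	return []byte(b.String())
}

func digest(content []byte) string {
	s := sha256.Sum256(content)
	return hex.EncodeToString(s[:])
}

// Sign hashes every approved object and signs the resulting manifest.
// This step runs where the private key lives, not on the audited host.
func Sign(priv ed25519.PrivateKey, objects map[string][]byte) Manifest {
	d := make(map[string]string, len(objects))
	for p, c := range objects {
		d[p] = digest(c)
	}
	return Manifest{Digests: d, Sig: ed25519.Sign(priv, canonical(d))}
}

// Report is what the auditor found on one pass.
type Report struct {
	Modified []string // approved object whose content no longer matches
	Unsigned []string // object present on the medium but absent from the manifest
	Missing  []string // approved object no longer present
}

// Verify checks the manifest signature first, so a tampered manifest is
// rejected outright, then compares the observed objects against it.
func Verify(pub ed25519.PublicKey, m Manifest, observed map[string][]byte) (Report, error) {
	if !ed25519.Verify(pub, canonical(m.Digests), m.Sig) {
		return Report{}, fmt.Errorf("manifest signature invalid")
	}
	var r Report
	for p, want := range m.Digests {
		c, ok := observed[p]
		switch {
		case !ok:
			r.Missing = append(r.Missing, p)
		case digest(c) != want:
			r.Modified = append(r.Modified, p)
		}
	}
	for p := range observed {
		if _, ok := m.Digests[p]; !ok {
			r.Unsigned = append(r.Unsigned, p)
		}
	}
	sort.Strings(r.Modified)
	sort.Strings(r.Unsigned)
	sort.Strings(r.Missing)
	return r, nil
}

// Audit runs one constructed scenario: three objects are approved and signed,
// then the medium is observed with one object altered, one removed and one
// new, unsigned object added. Paths and contents are made up for the example.
func Audit() (Report, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		return Report{}, err
	}
	approved := map[string][]byte{
		"/bin/ls":              []byte("ls binary, approved build"),
		"/etc/passwd":          []byte("root:x:0:0:root:/root:/bin/sh\n"),
		"/etc/ssh/sshd_config": []byte("PermitRootLogin no\n"),
	}
	m := Sign(priv, approved)
	observed := map[string][]byte{
		"/bin/ls":                []byte("ls binary, altered after signing"),
		"/etc/passwd":            approved["/etc/passwd"],
		"/usr/local/bin/unknown": []byte("never submitted for signing"),
	}
	return Verify(pub, m, observed)
}

func main() {
	r, err := Audit()
	if err != nil {
		fmt.Println("audit failed:", err)
		return
	}
	fmt.Printf("modified: %v\nunsigned: %v\nmissing: %v\n", r.Modified, r.Unsigned, r.Missing)
}
```

Two design points carry the argument of the paragraph: the auditor needs only the public key, so nothing on the host can forge an approved manifest, and the signature is checked before any per-object comparison, so the pre-computed value database the text describes as hard to protect cannot be silently edited to hide a change.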

A "defense in depth" strategy presumes that an adversary will successfully penetrate some defenses, but not ALL of the layered defenses before detection. A key element in such a strategy is to detect as quickly as possible when an adversary has breached a layer in the defense and take the appropriate action to counter the attack. Intrusion detection systems (IDS) for the host and the network are one detection means. Unfortunately, an intrusion detection approach is not one hundred percent reliable, as such systems can only detect known anomalies. Furthermore, intrusion detection systems in practice usually suffer from a high rate of false positive and false negative reports. Integrity detection systems, on the other hand, can reliably detect the unauthorized changes made by an intruder provided that the host operating system has not been modified to return misleading information. The fact that current integrity detection systems can be misled is the fundamental problem with an otherwise sound approach. Komoku's goal is to eliminate that fundamental problem.

1. Komoku is currently funded by DARPA.


Komoku, in Japanese myth, is one of the four guards of the cardinal directions. Komoku is the guard for the west.


Interesting Links

IBM's embedded cryptographic co-processor: IBM 4758

Intel's StrongARM development board: EBSA-285

An open-source embedded OS: eCos

Linux running on ARM processors: ArmLinux