
MID-009: Operating System-based Runtime Integrity Check

Mitigation Tier: Intermediate

Description

Runtime integrity checks can be performed by the operating system kernel to verify the integrity of files, data, and executables read from storage before they are used or executed. Checks may be performed at different levels of granularity depending on the implementation, for example at the file level [1], or as filesystem blocks are read from a storage device [2]. Signatures and hashes of the data are stored as metadata and used by the mechanism to check the integrity of the data as it is accessed by the kernel and prepared for reading or execution. If an integrity check fails, an error condition is raised; depending on the configured policy, this may range from triggering an audit event, to producing a read error for the data, to halting the system.

Limitations: This is an OS-enforced control; therefore, an attacker may bypass it by exploiting a privilege escalation vulnerability to obtain access to the kernel at runtime or by undermining the integrity of the OS kernel early in the boot process.
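The following is an added, self-contained model of the two granularities named in the description and of the three failure outcomes. It is example code written for this page, not code from IMA, dm-verity, or the mitigation entry itself: a file-level check keeps one digest per file and appraises it before use (the IMA-style case), and a block-level check keeps a hash tree over fixed-size blocks and re-verifies the leaf-to-root path on every block read, with trust anchored in a single root hash (the dm-verity-style case). The `Policy` values, block size, sample file and sample device contents are all constructed for the example.

```python
"""Illustrative model of OS runtime integrity checks (added example).

Not code from the MID-009 page, IMA, or dm-verity. It models the two
granularities the description names (file level, block level) and the
three failure outcomes (audit event, read error, system halt).
"""
import hashlib
from enum import Enum

BLOCK_SIZE = 16  # constructed: tiny block size so the example stays readable


class Policy(Enum):
    AUDIT = "audit"      # record the violation but allow the access
    ENFORCE = "enforce"  # refuse the read or execution
    PANIC = "panic"      # halt the system


class IntegrityViolation(Exception):
    """Stands in for a read/exec error returned to the caller."""


class SystemHalt(Exception):
    """Stands in for a kernel halt."""


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def on_failure(what: str, policy: Policy, audit_log: list) -> bool:
    """Apply the configured outcome; True means the access is still allowed."""
    audit_log.append(f"integrity failure: {what}")
    if policy is Policy.AUDIT:
        return True
    if policy is Policy.ENFORCE:
        raise IntegrityViolation(what)
    raise SystemHalt(what)


# ---- file-level check: one digest per file, checked before use ----

def measure_file(content: bytes) -> bytes:
    """Digest recorded as trusted metadata when the file is provisioned."""
    return _h(content)


def appraise_file(name, content, expected, policy, audit_log) -> bool:
    """Compare the file's current digest with the stored one before use."""
    if _h(content) == expected:
        return True
    return on_failure(f"file {name} digest mismatch", policy, audit_log)


# ---- block-level check: hash tree over blocks, checked on each read ----

def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def _pad_even(level: list) -> list:
    return level + [level[-1]] if len(level) % 2 else level


def build_hash_tree(blocks: list) -> list:
    """levels[0] holds leaf hashes, levels[-1] is [root]; stored as metadata."""
    level = [_h(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        level = _pad_even(level)
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def verify_block(block: bytes, index: int, levels: list, root: bytes) -> bool:
    """Recompute the leaf-to-root path for one block against the trusted root."""
    node = _h(block)
    for level in levels[:-1]:
        sibling = _pad_even(level)[index ^ 1]
        node = _h(node + sibling) if index % 2 == 0 else _h(sibling + node)
        index //= 2
    return node == root


def read_block(storage, index, levels, root, policy, audit_log) -> bytes:
    """Return the block if it verifies; otherwise apply the failure policy."""
    block = storage[index]
    if not verify_block(block, index, levels, root):
        on_failure(f"block {index} failed hash-tree check", policy, audit_log)
    return block  # reached on success, or under AUDIT policy


def demo() -> dict:
    """Provision a file and a block device, then tamper with each (constructed data)."""
    audit_log = []
    exe = b"#!/bin/sh\necho hello\n"
    exe_digest = measure_file(exe)
    device = b"block0-payload--block1-payload--block2-payload--"
    blocks = split_blocks(device)
    levels = build_hash_tree(blocks)
    root = levels[-1][0]  # in a real system this root is signed or passed by verified boot
    r = {}
    r["clean_file"] = appraise_file("hello.sh", exe, exe_digest, Policy.ENFORCE, audit_log)
    r["clean_block"] = read_block(blocks, 2, levels, root, Policy.ENFORCE, audit_log) == blocks[2]
    modified = exe.replace(b"hello", b"bye")
    r["audit_only_allows"] = appraise_file("hello.sh", modified, exe_digest, Policy.AUDIT, audit_log)
    try:
        appraise_file("hello.sh", modified, exe_digest, Policy.ENFORCE, audit_log)
        r["enforce_denies"] = False
    except IntegrityViolation:
        r["enforce_denies"] = True
    bad = list(blocks)
    bad[1] = blocks[1].replace(b"1", b"X")
    try:
        read_block(bad, 1, levels, root, Policy.PANIC, audit_log)
        r["panic_halts"] = False
    except SystemHalt:
        r["panic_halts"] = True
    r["audit_entries"] = len(audit_log)
    return r
```

The point the model makes explicit is where the trust lives: the per-file digests and the hash-tree levels are metadata that must themselves be protected (signed, or derived from a root hash established by verified boot), which is exactly why the Limitations paragraph matters. An attacker who can alter both the data and its metadata, or who controls the kernel performing the check, is outside what this control can detect.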

IEC 62443 4-2 Mappings

  • CR 3.4 – Software and information integrity

References

[1] H. Sidhpurwala. “How to use the Linux kernel’s Integrity Measurement Architecture.” redhat.com. Accessed: Aug. 28, 2024. [Online.] Available: https://www.redhat.com/en/blog/how-use-linux-kernels-integrity-measurement-architecture

[2] Android. “Implementing dm-verity.” android.com. Accessed: Aug. 28, 2024. [Online.] Available: https://source.android.com/docs/security/features/verifiedboot/dm-verity

[3] V. Pamnani. “System Guard: How a hardware-based root of trust helps protect Windows.” microsoft.com. Accessed: Aug. 28, 2024. [Online.] Available: https://learn.microsoft.com/en-us/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows#secure-launchthe-dynamic-root-of-trust-for-measurement-drtm