AVATAR


Avatar maintains the system Baseline Configuration. It does so by executing system security policies that act as an intrusion detection and response system. The most important function of Avatar is response: if the system Baseline Configuration is modified, for any reason, Avatar detects the change and returns the system to the correct Baseline Configuration. The value of Avatar's response system is that it enforces discipline through a non-subjective, automated process that can execute many times per day.

Intrusion is defined as any unauthorized modification to the system Baseline Configuration. The reason for this broader than normal definition is that it covers unauthorized modifications by both authorized and unauthorized personnel. When an unauthorized person breaks into a computer, their actions will always be dictated by their goals. If they are a passive reader, then their activity will be captured in the system logs. If they are using the system as a platform for further attacks, then they will download attack programs for execution and they will want to ensure future access. To ensure future access they will have to change the Baseline Configuration. Modification of the system logs (such as changing their permissions), insertion of Trojan back doors into critical system applications, modification of the Baseline in any form, or plain destruction of critical system files can all be detected and corrected by Avatar. The addition of new, inappropriate files to a system can be detected by CIT.

The ability to maintain the Baseline Configuration also provides extensive immunity to new, unknown software attacks within the Baseline. If a binary or script virus infects a file, then the file is overwritten by the Baseline version of the file. This effectively destroys the virus and is far superior to any form of virus disinfection used by any other company. When a virus infects a file, it modifies it, and in the process of infecting the file it is common for the file to be damaged. [ f_v(a) = a' ] The disinfection process used by most antivirus companies may or may not remove the actual virus. Most commonly the virus is not removed; instead, program pointers are changed so that the program executes around the virus without executing it. If necessary, the virus is then modified so that it is no longer detected by the same antivirus program as a live virus. This preserves the damage created by the virus and potentially adds new damage if the pointers are modified incorrectly. [ f_d(a') = a'', a ≠ a'' ] In addition, not all viruses, especially new, unknown viruses, can be disinfected. None of these problems exist with Avatar, since a captured copy of the original file is used to overwrite the infected file. [ f_avatar(a') ≡ a ] This also works for all forms of software attacks on Baseline-configured programs, not just viruses or hacker attacks.

Avatar security policies can be maintained on a file-by-file basis or for an entire system. The security policies that can be maintained are:

(e - EXISTENCE) The existence rule states that the file(s) must exist. It does not imply any other rules. This is extremely valuable for files that must exist but whose contents constantly change. Two examples of files of this type are log files and password shadow files.

(p - PERMISSIONS) The permissions rule states that the permissions of a file must not deviate from the baseline configured permissions. Generally, all system command, log, and configuration files have critical permission settings that must not change. This can be combined with the "e" and "o" rules to provide maximum protection for files whose contents need to change over time.

(o - OWNERSHIP) The ownership rule states that the owner of the file must not deviate from the baseline configured ownership. For example, the ownership of the password shadow file can be used as a back door into a system, while ownership of a log file can be used to stealthily erase evidence of activity on a system.

(s - CRYPTOGRAPHIC SIGNATURE) The cryptographic signature rule, also known as a hash value rule, states that an alarm should be activated if the contents of the file change, but that no further action should take place. This is extremely useful when used within other programs and when attempting to catch hackers. An additional use is to allow a script or program to verify that a critical file conforms to the baseline configured contents without overwriting any deviations from the baseline.

(c - FILE CONTENTS) The contents rule states that the contents of a file must not change. If the contents change for any reason, the file is overwritten with the correct baseline configured contents.

A rule exists (!) to force a pathname not to be baselined. This is most valuable for scratch file areas such as the Unix "/tmp" and "/var/spool" areas. The opposite also exists (R - RECURSIVELY), which forces Avatar to baseline the entire path recursively. Finally, a shorthand rule (E - EVERYTHING) exists which has the same effect as selecting the "eposcR" rules.
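The rule letters above, applied in a small added example written for this page (it is not CyberSoft's Avatar code and does not describe the product's actual database format): `capture` records a baseline from a spec of relative paths and rule letters, `check` reports deviations without touching anything, and `correct` applies the response each rule calls for. The function names, the dictionary-shaped database, SHA-256 as the signature, and the directory tree that `demo()` builds are all assumptions constructed here.

```python
# Added example, not CyberSoft's Avatar code: a toy capture / check / correct loop for the
# rule letters above (e, p, o, s, c, !, R, E); database layout, names and SHA-256 are assumptions.
import hashlib, os, stat, tempfile
from pathlib import Path

FILE_RULES = "eposc"   # per-file rules; the "E" shorthand expands to these plus "R"

def digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def capture_entry(path, rules):
    # Record only what the chosen rules will later need to compare or restore.
    st, entry = os.stat(path), {"rules": rules}
    if "p" in rules:
        entry["mode"] = stat.S_IMODE(st.st_mode)
    if "o" in rules:
        entry["owner"] = (st.st_uid, st.st_gid)
    if "s" in rules or "c" in rules:
        entry["digest"] = digest(path)
    if "c" in rules:        # only "c" keeps a full copy, so only "c" can overwrite
        entry["content"] = Path(path).read_bytes()
    return entry

def capture(root, spec):
    """Baseline from spec = {relative path: rule letters}; "!" excludes a subtree."""
    excluded = {rel for rel, rules in spec.items() if rules == "!"}
    baseline = {}
    for rel, rules in spec.items():
        if rules == "!":
            continue
        rules = rules.replace("E", FILE_RULES + "R")
        file_rules = "".join(r for r in FILE_RULES if r in rules)   # drop R, fix order
        full = Path(root, rel)
        if full.is_file():
            baseline[rel] = capture_entry(full, file_rules)
        elif "R" in rules:                                 # recurse into a directory
            for p in full.rglob("*"):
                frel = str(p.relative_to(root))
                if p.is_file() and not any(Path(frel).is_relative_to(ex) for ex in excluded):
                    baseline[frel] = capture_entry(p, file_rules)
    return baseline

def check(root, baseline):
    """Return deviations as (relative path, rule letter, detail); changes nothing."""
    findings = []
    for rel, entry in baseline.items():
        full, rules = Path(root, rel), entry["rules"]
        if not full.exists():           # every other rule presumes the file is there
            findings.append((rel, "e", "missing"))
            continue
        st = full.stat()
        mode = stat.S_IMODE(st.st_mode)
        if "p" in rules and mode != entry["mode"]:
            findings.append((rel, "p", f"mode {mode:04o} != {entry['mode']:04o}"))
        if "o" in rules and (st.st_uid, st.st_gid) != entry["owner"]:
            findings.append((rel, "o", "owner changed"))
        if ("s" in rules or "c" in rules) and digest(full) != entry["digest"]:
            findings.append((rel, "c" if "c" in rules else "s", "contents changed"))
    return findings

def correct(root, baseline):
    """Restore the baseline; an "s" finding is an alarm and is never overwritten."""
    actions = []
    for rel, rule, detail in check(root, baseline):
        entry, full = baseline[rel], Path(root, rel)
        if rule == "s":
            actions.append((rel, "alarm", detail))
            continue
        if rule in ("e", "c"):          # "e" without a captured copy restores presence only
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_bytes(entry.get("content", b""))
        if "mode" in entry:
            full.chmod(entry["mode"])
        if "owner" in entry and (full.stat().st_uid, full.stat().st_gid) != entry["owner"]:
            os.chown(full, *entry["owner"])
        actions.append((rel, "restored", rule))
    return actions

def demo():
    """Constructed tree: capture, simulate deviations, check, correct, check again."""
    root = tempfile.mkdtemp()
    tree = {"bin/ls": (b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n", 0o755),
            "bin/cp": (b"cp binary\n", 0o755),
            "etc/shadow": (b"root:*:1:0:99999:7:::\n", 0o600),
            "var/log/messages": (b"boot ok\n", 0o644), "tmp/scratch": (b"junk\n", 0o644)}
    for rel, (data, mode) in tree.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_bytes(data)
        Path(root, rel).chmod(mode)
    baseline = capture(root, {"bin": "E", "etc/shadow": "epo",
                              "var/log/messages": "eps", "tmp": "!"})
    with Path(root, "bin/ls").open("ab") as fh:        # command altered
        fh.write(b"# extra\n")
    Path(root, "bin/cp").unlink()                       # command deleted
    Path(root, "etc/shadow").chmod(0o666)               # permissions loosened
    Path(root, "var/log/messages").write_bytes(b"")     # log emptied
    before = check(root, baseline)
    actions = correct(root, baseline)
    return {"root": root, "baseline": baseline, "before": before,
            "actions": actions, "after": check(root, baseline)}
```

Calling `demo()` builds a scratch tree, alters it in four ways (a command's contents, a deleted command, loosened permissions on the shadow file, and an emptied log) and returns the findings before and after `correct`. The log entry carries only `s`, so it is reported as an alarm and left as it is, while the `c`, `e` and `p` deviations are reverted; the `tmp` subtree never enters the baseline because of the `!` rule.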

The Avatar Database was designed so that it can be read-only. This means that the Avatar Check and Avatar Correct programs, along with an Avatar Database, can all exist on a CD-ROM or other read-only medium (NFS, DVD, Zip, etc.). A read-only version of Avatar cannot be hacked. Once invoked by a background process such as Unix cron, or invoked remotely from a Security Server, the Avatar Correct system will automatically detect and correct any problems.

A significant feature is that an alternative Avatar Database can be defined for automatic fail-over if the primary Avatar Database has a failure. For example, if the primary Avatar Database is located on a network disk and the network fails, Avatar can continue processing with a local database. In fact, multiple Avatar Databases can exist and be invoked in any order necessary. This allows Avatar to be used for multiple purposes, including rapid system software update distribution and configuration for thousands of workstations without the need for personnel to visit them. System customization can also be accomplished with a smaller Avatar Database, which can be stored locally or at a central location.

One of the advantages of the Avatar system for Internet-based systems such as web servers is that shortly after a hacker modifies a web page, the Avatar system can be automatically invoked and restore the damaged page. If Avatar is run dozens of times per day, then the hacker would literally have to break in and modify the system dozens of times per day. This is a huge incentive to leave the system alone.
