Software systems may typically include individual binary files, each representing a portion of executable code, data, and the like. Such systems may face the malicious tampering of individual files and their respective functionality. Malicious code may be injected into one or more individual files to change, disable, or add functionality to the software. Generally known as malware, malicious code may implement spyware or computer viruses, defeat software authentication, and the like.
For example, a software system implementing an Internet browser may include a number of files. Malware may alter functions within those files, so when a user operates the now-altered Internet browser, the user inadvertently also operates the malicious functions.
To detect malware generally, one of two options is typically used. First, individual files may be compared with known malware signatures. Second, the integrity of the system may be checked. For example, data integrity systems that use hash functions may be able to compare files against previous versions or trusted versions of the files to detect changes.
To remove malware generally, files may be upgraded or replaced with new code not affected by the malware. After the individual compromised files have been identified, the files may be replaced or the malicious code may be removed. Also, where malicious code has not been identified, regularly replacing files with new code may reduce the impact of undetected malware.
When the malware impacts the system that is used to detect and remove the malware, the malware itself may prevent the compromised components from being replaced. For example, the malware may infect a software system and may monitor the infected file. Any attempts by the user to replace the infected file may be detected and defeated by the malware. For example, the malware may overwrite any changes or replacements the user may make, thereby preventing removal of the malicious code. As a consequence, even after the new version of the software is available to the user, the malicious code may prevent the new version from being installed. For example, while new versions of other files may be incorporated into the system, the infected file may never be updated. Furthermore, the user may go forward with the belief that the malware has been removed, while unwittingly continuing to operate the infected software.
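The hash-based integrity check and the failed-replacement scenario described above can be combined into a post-update audit. The following is an added example, not part of the original text: the manifest format (relative path mapped to a SHA-256 digest), the function names, and the sample file names and contents are all assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_update(root, old_manifest, new_manifest):
    """Classify every file the new release expects to find under root.

    Both manifests map relative path -> SHA-256 hex digest (hypothetical format)
    and are assumed to come from a trusted source.
    """
    report = {}
    for rel, want in new_manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report[rel] = "missing"
            continue
        got = sha256_file(path)
        if got == want:
            report[rel] = "updated"
        elif got == old_manifest.get(rel):
            report[rel] = "stale"     # trusted old version: the replacement never took effect
        else:
            report[rel] = "tampered"  # matches neither trusted version
    return report

def _digest(data):
    return hashlib.sha256(data).hexdigest()

def demo():
    """Constructed sample: a three-file 'browser' after an attempted v1 -> v2 update."""
    names = ("browser.bin", "net.dll", "ui.dll")
    old = {n: _digest(f"{n} v1".encode()) for n in names}
    new = {n: _digest(f"{n} v2".encode()) for n in names}
    on_disk = {"browser.bin": b"browser.bin v2",   # update applied
               "net.dll": b"net.dll v1",           # update silently reverted
               "ui.dll": b"ui.dll v1 + injected"}  # modified content kept in place
    with tempfile.TemporaryDirectory() as root:
        for name, data in on_disk.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return audit_update(root, old, new)

if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name}: {status}")
```

Because the paragraph above notes that malware may affect the very system used for detection, an audit like this only means something when it runs from an environment the audited software cannot modify.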
Thus, there is a need for a software system that provides anti-tampering functionality that better detects malware and that promotes renewability of components, such that otherwise undetected malware may be identified.