As more and more computers and other computing devices are interconnected through various networks, such as the Internet, computer security has become increasingly more important, particularly from invasions or attacks delivered over a network or over an information stream. As those skilled in the art will recognize, these attacks come in many different forms, including, but certainly not limited to, computer viruses, computer worms, system component replacements, denial of service attacks, even misuse/abuse of legitimate computer system features, all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will realize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all malicious computer programs will be generally referred to hereinafter as computer malware, or more simply, malware.
Those skilled in the art and others will recognize that malware may become resident on a computer using a number of techniques. For example, a computer connected to the Internet may be attacked so that a vulnerability on the computer is exploited and the malware is delivered over the network as an information stream. By way of another example, malware may become resident on a computer using social engineering techniques. For example, a user may access a resource such as a Web site and download a program from the Web site to a local computer. While the program may be described on the Web site as providing a service desirable to the user; in actuality, the program may perform actions that are malicious.
When a computer is attacked or “infected” by computer malware, the adverse results are varied, including disabling system devices; erasing or corrupting firmware, applications, or data files; transmitting potentially sensitive data to another location on the network; shutting down the computer; or causing the computer to crash. Yet another pernicious aspect of many, though not all, computer malware is that an infected computer is used to infect other systems.
A traditional defense against computer malware, and particularly computer viruses and worms, is antivirus software. Generally described, antivirus software scans incoming data, looking for identifiable patterns associated with known computer malware. Also, increasingly, antivirus software is utilizing heuristic techniques that compare incoming data with characteristics of known malware. In any event, upon detecting a computer malware, the antivirus software may respond by removing the computer malware from the infected data, quarantining the data, or deleting the infected incoming data. However, as antivirus software has become more sophisticated and efficient at recognizing thousands of known computer malware, so, too, have the computer malware become more sophisticated.
In one type of attack, a named object that is typically created by a legitimate program or service is created by a malware before the legitimate program or service. Those skilled in the art and others will recognize that legitimate programs frequently create and use objects to implement functionality of the program including, but certainly not limited to, transferring data between principles of differing identities, inter-process communication, process synchronization, and the like. At a minimum, malware that preemptively creates a named object before a legitimate program has the opportunity to create the object, causes a denial of service problem. In this regard, the legitimate program will not be able to implement program functionality in instances when an object with a specified name was previously created by malware. Moreover, the object may be used to communicate sensitive data, such as user passwords, between a user and malware. In this instance, malware that creates the object before the legitimate program may obtain the sensitive data and use the data to elevate privileges for the purpose of implementing other types of attacks.
More generally, operating systems are increasingly configured to serve multiple users; each user having a different user profile that defines a computer configuration with regard to that user. In these types of operating systems, each user has the authority to access a defined set of resources which may be implemented internally as a named object. Unfortunately, users of a computer system may attempt to create the same named object, resulting in a “collision” in the use of the object. For example, two or more users in a multi-user environment may use the same application program to implement desired functionality. As part of normal operations, the application program may attempt to create an object with the same name for each user. In this instance, after the named object has been created by a first user, a second user of the application program may access program functionality that causes the program to attempt to create the same named object. In this instance, an operating system may not allow two objects to be created with the same name thereby resulting in an error condition.
In any event, a number of different scenarios exist, examples of which are provided above, in which “collisions” on a named object may occur. In some instances, a collision on a named object is deliberate and used by malware to implement malicious functionality. In other instances, the collision on a named object is merely an error that is not anticipated by users or developers. In either case, collisions on named objects reduce the usability of a computer system. While specific disadvantages of existing systems have been illustrated and described in this Background Section, those skilled in the art and others will recognize that the subject matter claimed herein is not limited to any specific implementation for solving any or all of the described disadvantages.