1. Field of the Invention
The present invention relates to computer security, and more particularly, to identifying unauthorized and potentially malicious code running in the operating system's kernel.
2. Description of the Related Art
Computer security is a top priority for an enterprise. With the ubiquitous nature of computing systems and the ever increasing number of computer applications, computer users are constantly confronted with the need to protect their computers from malicious code and/or malfunctioning existing code. Malicious code has plagued common computer users and large enterprises alike. The damages incurred by users and enterprises include system downtime, identity theft and loss of other sensitive information. The most common way malicious code makes its way into a computer system is by taking advantage of weaknesses in software running on the system. In addition to malicious code, some of the software loaded on the computer system may become corrupt and might no longer provide the functionality it was originally designed for. The corrupted software code resides in the system and executes whenever the system boots up or whenever an application associated with the corrupted code executes.
In order to prevent malicious code from making its way into the computer system, enterprises have developed their own anti-virus solutions or installed anti-virus solutions developed by others to ensure that malfunctioning or malicious code does not execute on the computer system and compromise the secure and sensitive information contained therein. Some of these solutions detect and remove the problem code, while others detect and repair the malfunctioning code. Solutions that detect and remove problem code are typically reactive in nature: they are designed and executed after the malicious or malfunctioning code has already executed on the computer. Such security solutions have to be updated constantly to address newly developed malicious code so that adequate protection is provided for the computer system.
Preventing malicious code from running in a computer system may involve a hardware solution wherein access control bits are set for pages in memory in order to prevent the code on a given page of memory from executing. The problem with the hardware solution is that there is no guarantee that the data within the page itself is not corrupted. Further, if the code within the operating system components is itself corrupted by malicious code, the setting of the access control bits will be affected, which in turn affects the security of those pages.
Additionally, most of these solutions are reactive and do not guarantee the validity of currently executing code, or of code that bypasses a segment, jumps to a new memory region and begins executing. Bypassing a segment essentially allows circumventing any protection provided for specific pages in memory, making these solutions ineffective. Further, these solutions are operating system dependent and reside and execute on each guest virtual machine (GVM or guest). This means that the solutions are distributed. The solution running on each guest tries to intercept viruses at that guest as files are accessed on the guest. However, in-guest viruses may compromise the security within the guest, allowing malicious code access to the sensitive data. Also, every time a specific guest's operating system (OS) is updated or a service pack or software patch is installed, the solution running on that guest may have to be updated so that it supports the guest's OS updates, leading to non-centralized solution updates.
It is in this context that embodiments of the invention arise.