Determining the identity of a software program is a prerequisite to performing operations in many computer or other electronic systems. The identity of a software program has traditionally been tied with the possession or association of secret credentials or keys that only the identified program is supposed to have. Thus, a software program is traditionally presumed to be identified if the credentials are received in response to an identity request. However, most traditional credentials are completely transferable, meaning that if another software program “steals” and presents the credentials, it is presumed to be the software program associated with the credentials. Thus, if a malware attack takes control of a system, the attacker may obtain access to secret credentials by virtue of having access to all the resources on the compromised host. For example if a program stored its secret key (or the algorithm for retrieving or generating the secret key) in main memory or on a hard disk, an attacking program that gained unrestricted access to main memory or the hard disk could subsequently obtain the secret keys. The successful attacker could then masquerade as the real software program whose identity was associated with the secret key.
Attacks that compromise the ability to determine with certainty the identity of a software program may be classified as different types for purposes of discussion herein. Other classifications are possible. For purposes of description, the true software program to which the identity belongs may be referred to as the program of interest. One type of attack is one in which an attacker attempts to stop the program of interest from executing. Stopping execution of the program of interest may be accomplished by crashing the program or an operating system on which the program is running by modifying the machine code to result in an invalid machine instruction or other fatal fault. Alternatively, data associated with the program of interest could be modified, for example, to cause a segmentation fault by changing an array bound. As another alternative, the program could be unloaded from the process table of a task manager to prevent the program from being scheduled for execution.
Another type of attack involves the attacker modifying the program of interest to cause it to perform an operation other than what was originally intended for the program. For example, an attacker may use the compromised host system to execute code to propagate a worm, or code to perform a denial of service attack against a remote target. One way to cause the program of interest to perform an unintended operation is exploitation of an input buffer or stack overflow vulnerability.
Another type of attack involves tampering with the program of interest. Program tampering is demonstrated when an attack successfully modifies the program of interest and attempts to hide its modifications. Hiding its modifications may be considered to be a form of covering the attacker's tracks. An example of program tampering is an attack that modifies the program of interest, executes the modifications, and then reverts the modifications to restore the program of interest to its original state.
Each of these types of attacks may be successfully executed on traditional systems because of their lack of ability to securely identify the software program of interest.