The present invention relates to computer security.
Conventional computer systems include an operating system. The operating system is loaded at startup during a boot process. At startup, the first program run is typically a set of instructions stored in the computer's read-only memory (“ROM”). This first program can examine the system hardware as part of a power-on self test (“POST”) to make sure that the hardware components are functioning properly. The POST typically checks one or more of the processor, the memory, and the basic input/output system (“BIOS”) for errors. After completing the POST, other software programs stored in ROM (collectively called the BIOS or firmware) can be run to activate one or more of the computer's disk drives. In a conventional computer system, when the computer activates a hard disk drive, a first piece of the operating system is read from it (conventionally referred to as a bootstrap loader).
Typically, the bootstrap loader is a program that can be run to load the operating system. In general, the bootstrap loader loads one or more driver programs that interface with and control one or more of the computer hardware subsystems. The bootstrap loader can also set up divisions of memory for holding the operating system, user information, and applications. Additionally, the bootstrap loader can establish data structures for holding one or more signals, flags, and semaphores that can be used by the operating system to communicate within and between subsystems and applications. Finally, the bootstrap loader can turn over control of the computer to the operating system.
A typical operating system can function to provide an interface to one or more hardware devices (e.g., disks and other I/O devices) so that an application programmer is given an abstract model for programming without knowledge of the technical details of each hardware device. The operating system can load and run multiple programs simultaneously and independently of each other. The core component of a conventional operating system is a kernel. The kernel is a piece of software that allows computer programs access to computer system hardware. The kernel typically provides hardware access through a set of hardware abstractions. The hardware abstractions can be used to hide the complexity of the particular hardware components, and therefore provide a clean and uniform interface for accessing the underlying hardware. Since there can be many programs, and access to the hardware (e.g., a processor) is limited, the kernel can schedule when and for how long a program is able to make use of a piece of hardware. Typically, the operating system runs a program by creating one or more processes. Each process can be controlled and managed by the kernel. The operating system loader creates a new process, for example, in response to a user action (e.g., user selection of an executable file). The loader can then generate a list of files associated with the program (e.g., the executable file and the libraries it depends on). The files on the list can be retrieved from a memory store (e.g., a hard disk drive) and copied or mapped into an address space in a main memory (e.g., random access memory (“RAM”)). Once gathered, the files on the list are linked together in that address space so that the process can be executed and the program thereby run.
In some instances, a program can be used to monitor or alter the behavior of other programs or processes. For example, programs such as security software, spyware, viruses, and worms can each act to monitor or affect one or more programs or processes. Viruses and worms, for example, can take over other processes in order to obtain unauthorized privileges. Some programs (e.g., a virus) can be injected into another program without a user's knowledge, such that the virus is executed whenever the process containing the virus is run. For example, a virus can arrange for a target process to load one or more files or libraries (e.g., dynamic link libraries (“DLLs”)) that carry the virus's code, so that the injected code runs with the privileges of the target process and can use them to obtain unauthorized access to other processes. Therefore, some processes, when executed, can be damaging to a computer system.
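As an added example, not part of the original text, the following script shows one way a monitoring program can look for the kind of injection described above: it treats a process's memory map as the inventory of code that process can run and reports mappings that do not look like a normally loaded library. It uses the Linux `/proc/<pid>/maps` format as a stand-in for the Windows DLL case in the text; the sample listing, the paths in it, and the list of untrusted directories are all constructed for illustration.

```python
"""Flag suspicious executable mappings in a Linux /proc/<pid>/maps listing.

Added example (not from the original text). Three conditions are reported:
executable memory that is not backed by any file, memory that is writable
and executable at once, and executable images loaded from locations that
any local user can write to or whose backing file has been deleted.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$"
)

# Assumption: directories from which a legitimate library should never be loaded.
UNTRUSTED_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Kernel-provided executable pages that are expected to have no backing file.
PSEUDO_MAPPINGS = ("[vdso]", "[vsyscall]")


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    offset: int
    inode: int
    path: str

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def writable(self) -> bool:
        return "w" in self.perms

    @property
    def file_backed(self) -> bool:
        # Anonymous mappings report inode 0.
        return self.inode != 0


def parse_maps(text: str) -> list[Mapping]:
    """Parse the text of a maps file into Mapping records."""
    mappings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        start, end, perms, offset, _dev, inode, path = m.groups()
        mappings.append(
            Mapping(int(start, 16), int(end, 16), perms, int(offset, 16), int(inode), path.strip())
        )
    return mappings


def suspicious_mappings(mappings: list[Mapping]) -> list[tuple[Mapping, str]]:
    """Return (mapping, reason) pairs for executable regions that look injected."""
    findings = []
    for m in mappings:
        if not m.executable or m.path in PSEUDO_MAPPINGS:
            continue
        if m.writable:
            findings.append((m, "writable+executable"))
        elif not m.file_backed:
            findings.append((m, "executable but not file-backed"))
        elif m.path.startswith(UNTRUSTED_PREFIXES):
            findings.append((m, "executable image from untrusted path"))
        elif m.path.endswith(" (deleted)"):
            findings.append((m, "executable image whose file was deleted"))
    return findings


# Constructed sample listing: a normal binary and libc, plus three injected regions.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 131127     /usr/bin/example
00651000-00652000 rw-p 00051000 08:01 131127     /usr/bin/example
01a3c000-01a5d000 rw-p 00000000 00:00 0          [heap]
7f3b2c000000-7f3b2c1b5000 r-xp 00000000 08:01 1234567    /usr/lib/x86_64-linux-gnu/libc.so.6
7f3b2c1b5000-7f3b2c3b4000 ---p 001b5000 08:01 1234567    /usr/lib/x86_64-linux-gnu/libc.so.6
7f3b2d000000-7f3b2d021000 rwxp 00000000 00:00 0
7f3b2d100000-7f3b2d105000 r-xp 00000000 08:01 98765      /tmp/.x/libhook.so
7f3b2d200000-7f3b2d203000 r-xp 00000000 08:01 55555      /memfd:payload (deleted)
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0          [stack]
7ffd1c1f0000-7ffd1c1f2000 r-xp 00000000 00:00 0          [vdso]
"""

if __name__ == "__main__":
    # With a pid argument, inspect a live process; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/maps") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MAPS
    for mapping, reason in suspicious_mappings(parse_maps(text)):
        print(f"{mapping.start:012x}-{mapping.end:012x} {mapping.perms} "
              f"{mapping.path or '<anonymous>'}: {reason}")
```

Run against the sample, the script reports the anonymous read-write-execute region, the library loaded from `/tmp`, and the deleted in-memory file, while leaving the program, libc, the heap, the stack and the vDSO alone. The result is a triage signal, not proof: runtimes that generate code at run time (browsers, JVMs, scripting engines with JIT compilers) legitimately create anonymous executable pages, so a deployment would whitelist those process names or compare against a baseline taken from a known-clean run.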