Programs for devices using binary computers (sometimes referred to herein as “computing devices”) are assembled as ordered lists of collections of bytes which we refer to here as frames. Each frame comprises whose content comprises: (1) a binary number identifying a particular computer operation that represents an instruction to the central processing unit (CPU), and (2) address(es) of bytes in random access memory (RAM) specifying data to which that operation is to be applied or the results of the operation are to be stored. Sequences of frames describing computer operations to be executed to implement desired functionality are commonly referred to as machine language, binary, or executable programs. When computer programs are written in a higher level programming language, such programs are created by translation of instructions written in source or assembly code into machine language programs.
Definition of machine language programs varies with the design of the computer's CPU (central processing unit), but the frame structure of a program is always the same, comprising: (1) an ordered list of frames defining the program instructions; (2) conventions that define the structure and format of frames of different types; and (3) an ordered list of relative addresses of bytes naming the position of the first bytes in each instruction frame. When executed, the frames are loaded into RAM, starting at a byte selected by the machine to which the ordered list of relative addresses is added to identify the location of frame starts in RAM. Execution of the program then proceeds by step-by-step retrieval and execution of sequences of instructions which is controlled by pointers that calculate the start address of the next instruction from address of the last executed instruction. For convenience of reference herein, the part of the overall computer operating system that implements the controls that determine how the CPU recognizes, reads, and implements machine language instruction frames will be referred to as the interpreter.
To execute a program, the CPU then steps from instruction frame to instruction frame under the control of the interpreter, which notes the start address of the last instruction executed, calculates the pointer to the next logical instruction in order, locates the start byte, reads the instruction frame, and forwards the encoded instruction to the CPU for execution. To accomplish this, the CPU must execute this process by detection of an initiation sequence which, when loaded, directs the CPU to the first address of the first instruction frame of a program, and a termination sequence, which informs the CPU that the program has been executed, and sets the computer to a state to look for another initiation sequence.
Because of the commonality of this structure, computer programs from external sources can be written into active computer memory, and executed by a call to the associated initiation sequence, or stored for later retrieval by the name of the file that begins with its initiation sequence. This enables users to download executable programs directly from external sources via digital data communications like the Internet. However, this convenience also exposes a computing device to surreptitious transmission of undesirable programs like viruses, Trojan horses, worms, and botnet controllers via data links or other means of covert installation. Such undesirable programs are referred to collectively as computer malware.
Because of the threat of malware, there have been extensive efforts to develop means of detecting and preventing surreptitious attempts to insert such programs into RAM. Most attempts to guard a computing device against malware are designed to prevent download or covert installation of the offending binary programs, or to protect against theft of information when they are successfully installed and activated. The measures that have been developed include, for example: scans for viruses that are effected by prescreening data to be downloaded for evidence of covertly embedded executable programs; encryption of data communications links to prevent remote insertion of such programs; changes in communications software to close possible means of surreptitious insertion of malware; and encryption of data on mass storage media, so that data removed from storage without authorization cannot be interpreted.