1. Field of the Invention
The present invention relates generally to systems and methods for maintaining security of computer systems connected to one or more networks (Local Area Networks or Wide Area Networks) and, more particularly, to a security system with methodology for interprocess communication control.
2. Description of the Background Art
The first computers were largely stand-alone units with no direct connection to other computers or computer networks. Data exchanges between computers were mainly accomplished by exchanging magnetic or optical media such as floppy disks. Over time, more and more computers were connected to each other using Local Area Networks or LANs. In both cases, maintaining security and controlling what information a computer user could access was relatively simple because the overall computing environment was limited and clearly defined.
With the ever-increasing popularity of the Internet, however, more and more computers are connected to larger networks. Providing access to vast stores of information, the Internet is typically accessed by users through Web “browsers” (e.g., Microsoft® Internet Explorer or Netscape Navigator) or other Internet applications. Browsers and other Internet applications include the ability to access a URL (Universal Resource Locator) or “Web” site. In the last several years, the Internet has become pervasive and is used not only by corporations, but also by a large number of small businesses and individual users for a wide range of purposes.
As more and more computers are now connected to the Internet, either directly (e.g., over a dial-up or broadband connection with an Internet Service Provider or ISP) or through a gateway between a LAN and the Internet, a whole new set of challenges faces LAN administrators and individual users alike: these previously closed computing environments are now open to a worldwide network of computer systems. A particular set of challenges involves attacks by perpetrators (hackers) capable of damaging the local computer systems, misusing those systems, and/or stealing proprietary data and programs.
The software industry has, in response, introduced a number of products and technologies to address and minimize these threats, including firewalls, proxy servers, and similar technologies—all designed to keep outside hackers from penetrating a computer system or corporate network. Firewalls are applications that intercept the data traffic at the gateway to a Wide Area Network (WAN) and check the data packets (i.e., Internet Protocol or “IP” packets) being exchanged for suspicious or unwanted activities.
Another security measure that has been utilized by many users is to install an end point security (or personal firewall) product on a computer system to control traffic into and out of the system. An end point security product can regulate all traffic into and out of a particular computer. For example, an end point security product may permit specific “trusted” applications to access the Internet while denying access to other applications on a user's computer. To a large extent, restricting access to “trusted” applications is an effective security method. However, there are cases in which an untrusted or malicious application may cause the trusted application to perform unauthorized actions on its behalf, thereby circumventing current security mechanisms.
In present-day operating systems, such as Microsoft® Windows for example, a lot of interaction occurs between different processes (e.g., applications, drivers, and the like) which are running on a computer system at the same time. Moreover, considerable interaction occurs between different applications and so-called “services.” A service may be thought of as a special case application that exists to serve other applications (e.g., by providing special functionality or performing particular tasks). For example, a DNS service is provided by a special application that performs DNS lookup services on behalf of other applications.
Notwithstanding the fact that a given computer system may be protected by a firewall or an end point security product, these services pose an additional security risk. Stated more generally, interprocess communication provides additional opportunities for breaching security measures employed to protect computer systems. For example, a rogue application can circumvent conventional security measures by using services or interprocess communication to cause another application to perform actions on its behalf. The rogue application uses services or interprocess communication as a proxy to obtain, in effect, an elevation of its security privileges. This elevation of its security privileges enables it to breach security by causing another application or service to perform actions that the rogue application is not able to do itself (according to operating system privilege settings). In addition, the rogue application is able to disguise the fact that it is accessing the Internet by going through another application or service (e.g., an operating system service) in a manner that is not detected by a conventional firewall.
For example, Windows XP includes a DNS (domain name system) service that performs DNS lookup on behalf of other applications. DNS is itself normally a harmless protocol that contacts a DNS server for translating domain names (e.g., cnn.com) into IP addresses. However, a malicious application has the ability to use Windows' built-in DNS service to communicate with a malicious DNS server. For example, the malicious application may use the DNS service for a DNS lookup of “MySecret.Hacker.com”. The DNS server at the hacker site (“Hacker.com”) would then get a query from the local DNS server asking whether it has an IP address for “MySecret”. In fact, what the hacker site DNS server receives is a token (string of “MySecret”). At this point, the malicious application may engage in almost unlimited communication with the malicious DNS server using an awkward, but also very effective, protocol.
This example of a malicious application using the DNS service to communicate with a malicious DNS server is illustrated in the diagram shown in FIG. 1A. As shown, on client machine 10, malicious application (“malware”) 13 communicates with a local DNS service 15 to perform a DNS lookup of “MySecret.Hacker.com” (where, in this example, “Hacker.com” is a malicious DNS server at a remote site). In response to this request, the local DNS service 15 sends a request over the Internet to the malicious DNS server 18 asking whether the Hacker.com DNS server has an IP address for “MySecret”. Upon receipt of this request, the malicious DNS server 18 has the token containing confidential information, “MySecret”, from the client machine 10. A conventional client-side firewall (e.g., application-oriented firewall software 11) would not block this transmission of confidential information, as it only checks whether the malware application 13 is communicating (directly) with the Internet. Since the foregoing security breach does not involve direct communication between a potentially malicious application and the Internet, a conventional firewall would not detect it. In other words, because the malicious application was able to masquerade its Internet access by going through an operating system service, it was able to breach security in a manner that would not be detected by a conventional firewall.
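The FIG. 1A case leaves a trace on the client: the DNS service resolves names under one domain whose leftmost label is the carried token. As an added example (not part of the patent), the following Python detector reads constructed DNS query log lines, attributes each lookup to the requesting process, and flags (process, domain) pairs whose subdomain labels look like carried data; the log format, the process names and the two-label domain rule are assumptions of the example.

```python
import math
from collections import defaultdict

# Constructed DNS query log lines (not from the patent): "<time> <process> <queried name>".
# The second process resolves names under one domain whose leftmost label changes on each
# query, which is how the FIG. 1A token ("MySecret") leaves the machine via the DNS service.
SAMPLE_LOG = [
    "10:00:01 browser.exe cnn.com",
    "10:00:02 browser.exe www.cnn.com",
    "10:00:03 updater.exe MySecret.Hacker.com",
    "10:00:04 updater.exe 4d7953656372657432.Hacker.com",
    "10:00:05 updater.exe 70617373776f7264.Hacker.com",
    "10:00:06 updater.exe 6b65797374726f6b.Hacker.com",
]

def parse_line(line):
    """Split one log line into (time, process, lower-cased name without trailing dot)."""
    time, proc, name = line.split()
    return time, proc, name.lower().rstrip(".")

def registered_domain(name):
    """Assumption for this example: the last two labels are the registered domain
    (a real detector would consult the public suffix list)."""
    labels = name.split(".")
    return ".".join(labels[-2:])

def shannon_entropy(text):
    """Bits per character; encoded tokens score higher than ordinary hostnames."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def suspicious_lookups(lines, min_unique=3, min_entropy=3.5):
    """Return {(process, domain): stats} for pairs whose subdomain labels look like
    carried data: many distinct subdomains under one domain, or a high-entropy label."""
    subs_by_pair = defaultdict(set)
    for line in lines:
        _, proc, name = parse_line(line)
        domain = registered_domain(name)
        sub = name[: -len(domain)].rstrip(".")
        if sub and sub != "www":                 # bare and www lookups carry no token
            subs_by_pair[(proc, domain)].add(sub)
    findings = {}
    for pair, subs in subs_by_pair.items():
        max_entropy = max(shannon_entropy(s) for s in subs)
        if len(subs) >= min_unique or max_entropy >= min_entropy:
            findings[pair] = {"unique_subdomains": len(subs),
                              "max_entropy": round(max_entropy, 2)}
    return findings
```

Because the lookup is attributed to the requesting process rather than to the DNS service that sent the packet, the finding points at the application the end point security product should be asked about, which is exactly the attribution the conventional firewall in FIG. 1A lacks.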
The malicious application may also use some of the same approaches to attack a computer's underlying security application itself. For instance, the malicious application may use interprocess communications with another application to attack the security application, or the malicious application may attack the security application directly by posting user input messages (e.g., keystrokes, mouse input, or the like) to the security application. If the malicious application can disable the security application, it can gain unfettered access to the entire computer system.
Referring again to FIG. 1A, the client machine 10 includes application-oriented firewall (end point security) software 11, which serves to monitor potentially malicious applications (e.g., malware 13) for unauthorized Internet access. For environments which allow one application to send messages to another application (e.g., Microsoft Windows environments), malware 13 may send messages to firewall software 11 in an attempt to disable the firewall. As illustrated by an interprocess communication path 17, malware 13 may send keystroke and/or mouse input messages (e.g., using a Microsoft Windows “SendMessage” API call) that masquerade as user input. For example, when malware 13 attempts to access the Internet, assume that the firewall software 11 displays a dialog box to the user inquiring whether malware 13 should be allowed to access the Internet. At this point, malware 13 could masquerade as the user by sending forged user input (e.g., keystroke and/or mouse input messages) to the firewall software 11, via the interprocess communication path 17, thereby effectively overcoming the security provided by firewall software 11. This is an instance of a malicious application using interprocess communications to either abuse/misuse a service or shut down or interfere with a service that is critical for security.
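The two FIG. 1A paths (malware 13 forging user input to firewall software 11 over path 17, and malware 13 using DNS service 15 as a network proxy) can both be expressed as rules over (source process, target process, channel). The Python below is an added example, not the patent's own design or code: a small policy function that records each interprocess request and blocks those two patterns; the process table, the `Channel` names and the three rules are assumptions of the example.

```python
from dataclasses import dataclass
from enum import Enum, auto

class Channel(Enum):
    INPUT_MESSAGE = auto()     # posted keystroke/mouse messages (SendMessage-style)
    SERVICE_REQUEST = auto()   # asking a service (e.g. DNS) to act on the caller's behalf

@dataclass(frozen=True)
class Process:
    name: str
    trusted: bool                    # allowed direct Internet access by the firewall policy
    security_critical: bool = False  # the end point security product itself
    reaches_network: bool = False    # a service that sends traffic for its callers

# Constructed process table for this example (not from the patent).
FIREWALL = Process("endpoint_security.exe", trusted=True, security_critical=True)
DNS_SERVICE = Process("dns_service", trusted=True, reaches_network=True)
BROWSER = Process("browser.exe", trusted=True)
MALWARE = Process("updater.exe", trusted=False)

AUDIT_LOG = []   # (source, target, channel, allowed, reason) for every decision

def decide(source, target, channel):
    """Return (allowed, reason) for one interprocess request and record it.
    Policy (an assumption of this example, modelled on the two FIG. 1A cases):
      1. no process may post input messages to a security-critical process, so a
         forged click on the firewall's dialog is dropped regardless of sender;
      2. an untrusted process may not use a network-reaching service as a proxy,
         which is the DNS token case; a trusted process may;
      3. everything else is allowed."""
    if channel is Channel.INPUT_MESSAGE and target.security_critical:
        verdict = (False, "posted input to security-critical process")
    elif channel is Channel.SERVICE_REQUEST and target.reaches_network and not source.trusted:
        verdict = (False, "untrusted process using network service as proxy")
    else:
        verdict = (True, "permitted by policy")
    AUDIT_LOG.append((source.name, target.name, channel.name, verdict[0], verdict[1]))
    return verdict

def denied_requests():
    """Blocked entries from the audit log, for review by the user or administrator."""
    return [entry for entry in AUDIT_LOG if not entry[3]]
```

Rule 1 deliberately ignores the sender's trust level: genuine user input reaches the security application from the operating system's input path, not from another process, so a posted input message to it is never legitimate under this policy.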
One current approach for preventing unauthorized communications is to attempt to obfuscate or “hide” application interfaces from other (potentially malicious) applications. For example, random names can be assigned to windows, the appearance of items and title prompts can be changed, and so forth so that these interfaces are more difficult for a malicious application to locate and misuse. However, this approach is only of limited utility and does not fully solve the problem.
Current systems also provide facilities for users to establish access privileges. However, this solution is difficult to implement as considerable expertise is required and the facilities provided by certain operating systems are subject to well-known weaknesses and vulnerabilities. It is very difficult to configure access privileges in a manner which provides security but at the same time does not interfere with the users' ability to perform normal business and/or personal activities. In addition, not all operating systems provide support for establishing access privileges. For example, personal editions of certain operating systems do not include this type of access permission setting feature. In fact, a considerable number of current operating systems (e.g., personal edition operating system versions) broadly permit applications to communicate with each other with few limitations. For these reasons, the permission setting features of current systems do not provide adequate protection against misuse of interprocess communications.
A security solution is required that controls communication channels among processes (including applications, services, and the like) to provide improved security. The solution should not only address the problem of a malicious application misusing another application or service, but should also provide a solution to the more general problem of using interprocess communications to breach security. The present invention provides a solution for these and other needs.