Computer systems, networks and data centers are exposed to a constant and differing variety of attacks that may compromise the security and/or operation of the system. Examples include various forms of malicious software program attacks such as viruses, worms, Trojan horses and the like that computer systems can obtain over a network such as the Internet. Quite often, users of such computer systems are not even aware that such malicious programs have been obtained within the computer system. Once resident within a computer, a malicious program that executes might disrupt operation of the computer to a point of inoperability and/or might spread itself to other computers within a network or data center by exploiting vulnerabilities of the computer's operating system or resident application programs. Virus attacks, worm attacks, and Trojan horse attacks are variants of each other that generally involve the execution of a program, for which a user often is unaware of its existence, that performs some undesired processing operations to comprise a computer's proper operation.
Other malicious programs operate within a computer to secretly extract and transmit information within the computer to remote computer systems for various suspect purposes. As an example, spyware is a form of software that can execute in the background (e.g., unbeknownst to users) of a computer system and can perform undesirable processing operations such as tracking, recording and transmitting user input from the spyware-resident computer system to a remote computer system. Spyware can allow remote computers to silently obtain otherwise confidential information such as usernames and passwords required to access protected data, lists, contents of files or even a remote web site's user account information.
Computer system developers, software developers and security experts have produced many types of conventional preventive measures that operate within conventional computer systems in an attempt to prevent operation of malicious programs from stealing information or from compromising proper operation of the computer systems. As an example, conventional virus detection software operates to periodically download a set of virus definitions from a remotely located server. Once the virus detection software obtains the definitions, the security software can monitor incoming data received by the computer system, such as email messages containing attachments, to identify viruses defined within the virus definitions that might be present within the data accessed by the computer. Such data might be obtained over a network or might be unknowingly resident on a computer readable medium, such as a disk or CD-ROM, which a user inserts into the computer. Upon detection of inbound data containing a virus or other malicious program, the virus detection software can quarantine the inbound data so that a user of the computer system will not execute code or access the data containing the detected virus that might result in compromising the computer's operation.
Other examples of conventional malicious attacks, intrusions, or undesirable processing that can cause problems within computer systems or even entire computer networks include denial-of-service attacks, buffer overflow operations, execution of malformed application data, and execution of malicious mobile code. A denial-of-service attack operates to provide an intentional simultaneous barrage of packets (e.g., many connection attempts) emanating from many different computer systems to one or more target computer systems, such as a web site, in order to intentionally cause an overload in processing capabilities of the target computer resulting in disruption of service or a business function provided by the target computer. Denial of service attacks may also seek to crash the targeted machine, rather than simply consume resources. Buffer overflow attacks occur when programs do not provide appropriate checks of data stored in internal data structures within the software that result in overwriting of surrounding areas of memory. Attacks based on buffer overflows might allow an attacker to execute arbitrary code on the target system to invoke privileged access, destroy data, or perform other undesirable functions. Malformed application data attacks might result in an application containing a code section that, if executed, provides access to resources that would otherwise be private to the application. Such attacks can expose vulnerabilities due to an incorrect implementation of the application, for example by failing to provide appropriate data validity checks or allowing data stream parsing errors.
Many of the conventional malicious programs and mechanisms for attack of computer systems, such as viruses and worms, include the ability to redistribute themselves to other computer systems or devices within a computer network, such that several computers become infected and experience the malicious processing activities discussed above. Some conventional attempts to prevent redistribution of malicious programs include implementing malicious program detection mechanisms such as virus detection software within firewalls or gateways between different portions of networked computer systems in order to halt propagation of malicious programs to sub-networks.
Another type of computer attack (known as rootkits) employs kernel-level components to compromise systems, then hide their tracks. This is often done by loading rootkit kernel modules into the host Operating System (OS), e.g., “/sbin/insmod/tmp/haxor” on Linux. Thus, Host Intrusion Prevention Systems (HIPS) attempt to ensure that a protected host loads only those kernel modules allowed by security policies. The general idea is to hook a kernel routine in the module-loading path; when a user action invokes this path; the hook takes control to verify that the about-to-be-loaded module conforms to the security policy.
Some operating systems try to authenticate kernel modules. Examples included Driver Signing in Microsoft Windows, whose purpose is stability as much as security. HIPS on Windows and Solaris has been using kernel-level hooking, Rule Engine and Management Console (MC) policy-based mechanisms to control and verify file paths of module executables.
A shim, as known in the art, is a relatively small ancillary piece of software that can be added to an operating system. The shim intercepts specified actions or data at one interface, replicate these at a second interface, and also forward the intercepted items to an interface to a monitoring application. One well-known application programming interface (API) used in network communications is the Transport Data Interface or TDI, and thus one example of a shim is a TDI shim. Certain systems may employ a file server (FS) shim.
In certain operating systems (e.g., Linux) a loader (e.g., Insmod) is used to install loadable kernel module in the running kernel. The loader tries to link a module into the running kernel by resolving all symbols from the kernel's exported symbol table. If the module file name is given without directories or extension, the loader will search for the module in some common default directories.