This invention generally relates to computer programs that are executed in computer systems, and more specifically to techniques for encoding information in computer programs that are executed in computer systems.
Generally, a computer or software virus is a special piece of software code existing within other software. The computer virus may perform actions, for example, producing harmful results to existing information systems that include the software having the computer virus. Generally, computer viruses are recognized today as a serious threat to the integrity of an information processing system due to the devastating effects a computer virus may have, for example, such as interfering with system operations or the destruction of valuable data.
As a result, techniques have been developed for protecting information processing systems from computer viruses. These techniques include both the detection and the removal of computer viruses. Most current techniques for detecting computer viruses do so only after computer code which includes a computer virus has been loaded into an information system and executed. Thus, existing virus technology requires that an information system be exposed and contaminated before a computer virus can be detected.
Code may be reused in that a section of common code may appear in multiple computer programs. Programming trends such as this make it easier for a computer virus to infect multiple pieces of code, since newly developed software, by reusing existing code, often has a structure similar to that of prior code. Thus, an existing virus may use the same technique to infect new computer software through the same paths by which it infected prior software.
A particular computer virus may also mutate. By mutating, a computer virus slightly modifies itself, quite similar to the concept of a biological virus mutation. Generally, as a result of mutation, several different versions of the same computer virus exist. This poses a problem for existing computer virus detection techniques in that the numerous versions of the same computer virus must all be detectable. This is one area where existing computer virus detection techniques may fail if they are only able to detect known viruses. Therefore, as a computer virus mutates and produces several versions of itself, a given version of anti-virus software may be unable to detect the different mutated viruses.
Thus, there is required a technique for computer virus detection which does not require an information processing system to be contaminated prior to detection, and which provides increased security in information processing systems.
In accordance with principles of the invention, a method executed in a computer system for encoding machine executable programs includes generating a machine executable program. A unique key is used to encode the machine executable program. A cipher table is produced in accordance with elements of the unique key and the machine executable program. Portions of the machine executable program to be encoded are determined. These portions of the machine executable program are encoded. The encoded machine executable program is decoded prior to execution.
In accordance with another aspect of the invention, disclosed is an apparatus for encoding machine executable programs. The apparatus includes machine instructions for choosing a unique key to encode the machine executable program. Machine instructions produce a cipher table in accordance with elements of the unique key and the machine executable program. Machine instructions determine portions of the machine executable program to be encoded, and machine instructions encode those portions. Machine instructions included in the apparatus also decode the machine executable program prior to execution.
Thus, there is provided a technique for computer virus detection which does not require an information processing system to be contaminated prior to detection, and which provides increased security in information processing systems.
Encoding information into the structure of a computer program constitutes a covert channel of communication between a source of communication and an execution platform. It is a general technique used to enable the execution platform to determine whether machine executable code is intended for execution on the execution platform. This technique is a form of recognition of "selfness" similar to a biological immune system.
Using the techniques described herein, code is recognized as either intended for execution on the execution platform ("self"), or not intended for execution on the execution platform ("non-self"). This is a binary condition such that code "failing" the recognition test is recognized as "non-self". Generally, this recognition of selfness is not dependent upon the purpose of the code. The foregoing is important when comparing previous techniques to the covert channel approach, since prior art approaches are generally designed with the purpose of the code in mind.
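As an added illustration, and not code from the patent itself (whose implementation details are not given on this page), the following Python models the method of the summary section and the self/non-self recognition test described above: a cipher table is produced from a unique key and the program, selected portions are encoded, and the program is decoded prior to execution. The 16-byte cleartext header, the derivation of the table as a keyed byte-substitution permutation, the choice of "everything after the header" as the encoded portion, and the use of a keyed tag as the recognition test are all assumptions made for this example.

```python
# Added illustrative example, not code from the patent: a toy realisation of the
# key-derived cipher-table scheme and the self/non-self recognition test.
# Assumptions (none of these details are on the page): a program has a 16-byte
# cleartext header, the cipher table is a byte-substitution permutation derived
# from the key and that header, everything after the header is the portion
# selected for encoding, and recognition is decided by a keyed tag.
import hashlib
import hmac
from typing import List, Optional, Tuple

HEADER_LEN = 16   # assumed cleartext header length
TAG_LEN = 16      # assumed recognition-tag length (truncated HMAC-SHA256)


def make_cipher_table(key: bytes, header: bytes) -> bytes:
    """Derive a 256-entry substitution table from the platform key and the
    program's cleartext header.  A Fisher-Yates shuffle of 0..255 driven by
    keyed pseudo-random bytes always yields a permutation, so it is invertible."""
    seed = hmac.new(key, header, hashlib.sha256).digest()
    stream = b"".join(
        hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(16)
    )  # 16 * 32 = 512 bytes: two bytes of randomness per swap
    table = list(range(256))
    for i in range(255, 0, -1):
        j = int.from_bytes(stream[2 * i: 2 * i + 2], "big") % (i + 1)
        table[i], table[j] = table[j], table[i]
    return bytes(table)


def invert_table(table: bytes) -> bytes:
    inverse = bytearray(256)
    for plain, enc in enumerate(table):
        inverse[enc] = plain
    return bytes(inverse)


def select_portions(program: bytes) -> List[Tuple[int, int]]:
    """Determine which byte ranges are encoded: here, all bytes after the header."""
    return [(HEADER_LEN, len(program))]


def substitute(data: bytes, table: bytes, portions: List[Tuple[int, int]]) -> bytes:
    out = bytearray(data)
    for start, end in portions:
        for i in range(start, end):
            out[i] = table[out[i]]
    return bytes(out)


def encode_program(key: bytes, program: bytes) -> bytes:
    """Encode the selected portions and append a keyed recognition tag over the
    cleartext program, so that only a platform holding the key can both decode
    the result and recognise it as 'self'."""
    table = make_cipher_table(key, program[:HEADER_LEN])
    encoded = substitute(program, table, select_portions(program))
    tag = hmac.new(key, program, hashlib.sha256).digest()[:TAG_LEN]
    return encoded + tag


def decode_program(key: bytes, encoded: bytes) -> Optional[bytes]:
    """Decode prior to execution.  Returns the cleartext program if it is
    recognised as 'self', or None for 'non-self' (wrong key, a modified body,
    or code that was never encoded for this platform)."""
    if len(encoded) < HEADER_LEN + TAG_LEN:
        return None
    body, tag = encoded[:-TAG_LEN], encoded[-TAG_LEN:]
    inverse = invert_table(make_cipher_table(key, body[:HEADER_LEN]))
    program = substitute(body, inverse, select_portions(body))
    expected = hmac.new(key, program, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    return program


def recognise(key: bytes, candidate: bytes) -> str:
    """The binary recognition test: 'self' or 'non-self'."""
    return "self" if decode_program(key, candidate) is not None else "non-self"


# Constructed sample data (not from the page).
PLATFORM_KEY = b"constructed-platform-key-0001"
OTHER_KEY = b"constructed-other-platform-key"
SAMPLE_PROGRAM = b"TOYHDR-v1-00000\x00" + bytes(range(40))  # 16-byte header + 40-byte body

if __name__ == "__main__":
    encoded = encode_program(PLATFORM_KEY, SAMPLE_PROGRAM)
    print("own platform key:     ", recognise(PLATFORM_KEY, encoded))
    print("other platform's key: ", recognise(OTHER_KEY, encoded))
    tampered = bytearray(encoded)
    tampered[HEADER_LEN + 4] ^= 0x01  # one byte of the encoded body altered
    print("modified body:        ", recognise(PLATFORM_KEY, bytes(tampered)))
    print("never encoded:        ", recognise(PLATFORM_KEY, SAMPLE_PROGRAM))
```

The point of the example is the shape of the check rather than the particular cipher: nothing in it needs prior knowledge of a virus's code sequence or behaviour. Code encoded under another platform's key, a body that was altered after encoding, and code that was never encoded at all are each rejected by the same test, because a substitution table derived from the wrong key or applied to altered bytes cannot reproduce the cleartext over which the tag was computed.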
Existing virus detection techniques detect known code sequences based on previous exposure. Also, suspect behavior is detected based on, for example, unusual memory reference patterns, instruction execution sequences, and I/O accesses. Using the foregoing prior art techniques, one needs to know about code sequences, or how "suspect" code and other code each execute, for comparison purposes to enable detection. The techniques of the invention do not require such prior exposure or prior information as in the previously described prior art techniques.
Another approach to preventing inappropriate execution of code is to verify that the code has not been modified since construction by a "trusted source", for example by checking the constructed code with an electronic signature technique. Examples include the use of checksums, and Tripwire, which is a hash coded signature generated from a source file that may be used to check whether a file has been modified, as described in "Secure Computing: Threats and Safeguards", McGraw-Hill Computing Series, 1997, by Rita C. Simmons. However, techniques such as Tripwire verify a source. This prior art technique is unable to detect, for example, self-modifying code viruses. Using techniques of the invention, self-modifying code viruses may also be detected, for example, without requiring knowledge of variations of a virus. The techniques of the invention also prevent a virus from constructing copies of itself, and from propagating itself and copies of itself.
Existing approaches use the previously described techniques, firewalls, and the like to prevent propagation. Employing the self-recognition techniques of the invention does not require these other mechanisms.