1. Field
The present disclosure relates to attempting to monitor and control memory access and, more specifically, to attempting to limit memory access to a specific registered software agent.
2. Background Information
A typical computer or processing system is controlled by an operating system that allows the execution of various programs. A kernel or kernel mode program is often referred to as the core of an operating system: the portion of the system that manages memory, files, and peripheral devices; maintains the time and date; launches applications; and allocates system resources. In this context, a “computer” refers to any device with a processing unit; the term is not limited to the traditional PC or laptop.
It is typically desirable that kernel level software, the state of the software, and the software's configuration information be protected from unintended alteration or access. With the increase in sophistication of computer worms, viruses, and other malware, and the complexity of monolithic operating systems (e.g. Windows and Linux), this protection has become increasingly difficult.
Typically used memory protection schemes enforce coarse-grained access control. These schemes often control memory access based upon a privilege level assigned to the accessing software. Typically, programs are assigned one of only two possible privilege levels. These two privilege levels may often be referred to as kernel mode and application/user mode. These schemes do not offer any protection against memory access from other software running within the same privilege level in the monolithic operating system.
This implies that on a typical system, a kernel mode program is typically allowed unbounded access to all memory pages on the system. The kernel mode program may intentionally or accidentally corrupt data or reconfigure other programs, possibly to execute malicious code.
Furthermore, standard processor protection mechanisms are often operating system enforced. As such, these protection mechanisms may be overridden by malicious code that has kernel level privileges. For example, a malicious kernel level program can change the memory page table protection bits corresponding to a valid driver to allow tampering. A need therefore exists to detect and control access to memory.