Networked computers are vulnerable to malicious computer code attacks, such as worms, viruses and Trojan horses. As used herein, “malicious computer code” is any code that enters a computer without an authorized user's knowledge and/or without an authorized user's consent.
A majority of malicious code today is targeted at computers running the Microsoft Windows® operating system, because of its market prevalence. Therefore, it is important to identify and patch security vulnerabilities in Windows®. One important security vulnerability today is the vulnerability of the registry database. The information stored in the registry database is of two primary classes: the parameter field class, which defines certain data values, and the executable entity path class, the entries of which refer to names of executable entities.
Malicious code such as computer viruses and computer worms uses executable path entities to inject itself into the Windows® system environment. For example, malicious code can append a value to the registry database “Run” entity, such that a malicious executable will be loaded by Windows® on start-up. Malicious code can also replace the name of one of the well-known COM objects or system DLLs with its own name or the name of another malicious program. In such cases, the malicious code would then receive all traffic that was meant to go directly to the original COM object or system DLL. There are many other examples of executable path entities that can be used by malicious code to sabotage a Windows® system. Malicious code can even infect Windows® by reading an executable path entry from the registry, for example by reading the full path name of one of the standard system DLLs and copying itself to that location under the same name.
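The distinction drawn above between parameter-class and executable-entity-path-class registry values is the basis of any policy that does not enumerate individual sensitive keys. The following Python example is added here and is not part of this patent text; it classifies constructed sample registry values by parsing the value data for references to executable files, and applies a constructed write policy in which only listed trusted requesters may alter executable-class values.

```python
import re

# Constructed sample registry values (not taken from any real system):
# (key path, value name, value data).
SAMPLE_VALUES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Program Files\Vendor\updater.exe" /background'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Loader",
     r"rundll32.exe C:\Users\Public\payload.dll,Entry"),
    (r"HKCR\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32",
     "(Default)", r"%SystemRoot%\System32\shell32.dll"),
    (r"HKCU\Control Panel\Desktop", "ScreenSaveTimeOut", "600"),
    (r"HKLM\Software\Vendor\App", "InstallDir", r"C:\Program Files\Vendor"),
]

# File extensions that denote an executable entity (program, library, script).
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".com", ".scr", ".ocx", ".cpl",
                         ".sys", ".bat", ".cmd", ".vbs", ".js")


def extract_executables(data):
    """Return the tokens of a string value that name an executable entity.
    Handles a quoted path followed by arguments, unquoted paths, environment
    variables such as %SystemRoot%, and a rundll32-style 'path.dll,Entry' suffix."""
    if not isinstance(data, str):          # REG_DWORD and binary data carry no path
        return []
    found = []
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', data):
        token = (quoted or bare).split(",")[0]   # drop the rundll32 entry-point suffix
        if token.lower().endswith(EXECUTABLE_EXTENSIONS):
            found.append(token)
    return found


def classify(data):
    """'executable' for the executable-entity path class, 'parameter' otherwise.
    A bare directory such as an install folder is a parameter, not an executable."""
    return "executable" if extract_executables(data) else "parameter"


def audit(entries):
    """Return the entries in the executable class, i.e. those a write policy would protect."""
    return [(key, name, data) for key, name, data in entries if classify(data) == "executable"]


def decide_write(requester, data, trusted_writers):
    """Constructed policy: parameter-class writes are allowed; executable-class writes
    are allowed only when the requesting program is on the trusted list."""
    if classify(data) == "parameter":
        return "allow"
    return "allow" if requester.lower() in trusted_writers else "deny"
```

Running `audit(SAMPLE_VALUES)` returns the three Run and InprocServer32 entries and leaves the time-out and install-directory values untouched, without any per-key configuration.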
There are two existing mechanisms to apply an access rights policy to the registry. Under Windows NT® (and 2000, XP and 2003), all the registry database entries are Windows® securable objects. Using the normal Windows® system services for modifying object security, an application can grant or block specific users' access to individual registry database entries. However, this access rights system is based only on user identity. Therefore, any malicious application running with the right user privilege can gain write access to sensitive registry database entries. Furthermore, this approach also requires enumeration of all the sensitive registry database entries, each of which needs to be individually assigned a valid security descriptor. Due to the huge number of such entries, it is not practicable for system administrators to manage access rights this way.
Some third party systems such as Entercept Security Framework Solution provide a registry database security access policy by allowing the setting of access control for individual registry entries based on the requesting application, the user, or the time at which the access is requested. Although better than the security provided within Windows®, these systems still require manual enumeration of all sensitive registry database entries for which a security policy is desired. Furthermore, the security policy is still based only on a small number of factors.
What is needed are methods, systems and computer readable media for regulating access to executable class registry entities according to a flexible security policy, without requiring the enumeration of access rights for each individual registry entry.