1. Field of Invention
This invention relates to preventing the emulation of keyboard operation by a program executing within a computing system without the knowledge or consent of the user of the computing system, and, more particularly, to determining whether a character code stored within the output buffer of a keyboard/auxiliary device controller is a result of a keyboard keystroke or of an attempt at such an emulation.
2. Background Art
A conventional computing system includes a keyboard/auxiliary device controller having a keyboard output buffer in which a scan code is placed as a result of a keystroke (i.e., as a result of the depression or release of a keyboard key). The data stored in this output buffer is accessed by various application programs executing within the computing system to determine the input provided by the person using the computing system. Data can also be written to the keyboard output buffer from the processor within the computing system for subsequent transmission to the keyboard. The data and clock lines connecting the keyboard with the keyboard/auxiliary device controller are driven by tri-state logic allowing both ends of the lines to vary the level of the signal so that data can be sent in either direction. For example, commands are sent to the keyboard to control the illumination of the keyboard indicators for Num Lock, Caps Lock, and Scroll Lock, and to control keyboard functions, such as typematic keys.
Since the processor within the computing system has a capability of writing data to the keyboard output buffer, codes representing characters available on the keyboard may also be sent to the keyboard output buffer from the processor within the computing system. These codes are then read by the processor within the computing system and acted upon as if they were supplied by the system user through the keyboard. This capability has been used by routines testing certain system functions, and may be used for other legitimate purposes such as the implementation of application macro programs emulating keystrokes. However, this capability has also been used surreptitiously to obtain control of a computing system in a manner allowing a remote user to gather information, reconfigure the system, and operate the system according to commands typed by the remote user. A routine for gaining control of a computer in this way is typically a part of a "Trojan horse" program, which is disguised as a game, utility, or other application to be downloaded or otherwise installed by an unknowing user. Alternately, such a routine may be part of a "back door" program surreptitiously installed by an intruder on a computer left unattended or left behind by a disgruntled employee to gain future access to the computing system.
Back Orifice is a notorious example of a client/server application which has been surreptitiously installed on a computing system to gain control of the system from a remote location. This application is generally distributed in the form of a Trojan horse program, which provides the remote user with over seventy commands for gathering information and sending instructions to the computing system, which acts as a server. These commands include "List Passwords," which retrieves a list of users and passwords, and "Log Keystrokes," which logs keystrokes to a file entered with the command as a parameter.
While a Trojan horse or back door program gaining access to a computing system and operating the system under the control of a remote user can do damage in a number of ways, particularly serious consequences can be expected to result from the use of the system to transmit messages and make transactions in a manner indicating that the transmissions and transactions are being made with the consent of the user of the computing system.
A number of computing system applications rely upon passwords and personal identification numbers (PINs) to establish whether the person using the computing system has the authority to access certain information or to perform certain actions through the computing system. Various types of stored information, from trade secrets of various businesses to top secret defense information, are protected, at least in part, through the use of passwords. PINs are typically used to provide access to bank account information and to provide for the electronic transfer of funds from one account to another. Furthermore, PINs and passwords are used with personal certificates to identify the individual sending a message. In a number of types of communication, the proper identification of the person sending a message is crucial to prevent message forgery. For example, a slanderous message may be sent by one person and attributed to someone else. Also, the most common types of credit card fraud do not involve stealing credit card numbers over the Internet, but rather stealing the cards themselves or otherwise copying the numbers for misuse. While such stolen credit card numbers may then be used to make purchases over the Internet, such use can be thwarted by requiring the use of a personal certificate to identify the purchaser. To obtain a personal certificate, an individual contacts a certificate authority, such as VeriSign, Inc., providing information including a password chosen by the individual for use with the certificate. A message is then returned by e-mail, including a PIN, which is subsequently used by a web browser, such as Microsoft INTERNET EXPLORER, to install data representing the certificate on the individual's system.
Thus, it is understood that a Trojan horse or back door program obtaining control of a computing system can be expected to obtain passwords and PINs from the computing system and, when possible, to use these passwords and PINs, together with other information such as the numbers of stolen credit cards, to make fraudulent financial transactions and to transmit fraudulent personal certificates. Since this can be accomplished by writing codes to the keyboard output buffer so that the computing system acts as if the codes had been provided as inputs from the computing system user through the keyboard, what is needed is a way for an application program executing within the computing system to differentiate between codes placed in the keyboard output buffer through use of the keyboard and codes placed in this buffer from any other source.
A first objective of the present invention is to provide a method for detecting, within a computing system, whether a code stored in the keyboard register has been generated in response to a user keystroke or in response to other means, such as an attempted emulation of a keyboard keystroke.
A second objective of the present invention is to provide an interface to an application program executing within a computing system, with the interface indicating whether a character placed in the keyboard register has been generated in response to a user keystroke or in response to other means.
In accordance with a first aspect of the present invention, a method is provided for supplying a code resulting from a depression of a keybutton in a keyboard of a computing system and for providing data indicating that the code has resulted from the depression of a keybutton to a program executing within the computing system, wherein the method includes operating a switch within a switch matrix in response to depression of the keybutton; generating a first code in response to operating the switch; transmitting the first code and a clock pulse; receiving the first code and the clock pulse; storing a second code in an output buffer and a flag bit in a security register in response to receiving the clock pulse and the first code; reading the security register; reading the second code from the output buffer; and resetting the security register.
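The following is an added illustration, not code from the patent, modelling the controller and application-side sequence just described: a code arriving with a keyboard clock pulse sets the flag bit, a code written by the processor does not, and the application reads the security register, then the output buffer, then resets the flag. The register layout, the first-to-second code translation table and the clearing of the flag on a processor write are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the keyboard/auxiliary device controller with a
 * security register (layout is an assumption, not the patent's). */
typedef struct {
    uint8_t output_buffer;  /* second code, read by the processor */
    bool    output_full;    /* a code is waiting in the output buffer */
    bool    security_flag;  /* set only for a code received with a keyboard clock pulse */
} kbd_controller;

/* Assumed translation of the first code (from the keyboard) into the
 * second code stored in the output buffer; constructed entries only. */
static uint8_t translate_first_code(uint8_t first_code) {
    switch (first_code) {
    case 0x1C: return 0x1E;   /* 'A' make code */
    case 0x5A: return 0x1C;   /* Enter make code */
    default:   return first_code;
    }
}

/* Keyboard side: the switch matrix produced a first code and the controller
 * received it together with a clock pulse on the keyboard clock line. */
void keyboard_keystroke(kbd_controller *c, uint8_t first_code) {
    c->output_buffer = translate_first_code(first_code);
    c->output_full = true;
    c->security_flag = true;   /* provenance: the keyboard itself */
}

/* Processor side: software writes a code into the output buffer (the path
 * used by macro programs and by keystroke emulation). No keyboard clock
 * pulse accompanied it, so the flag is cleared (assumed behaviour, so a
 * stale flag from an earlier keystroke cannot vouch for this code). */
void processor_write_output_buffer(kbd_controller *c, uint8_t code) {
    c->output_buffer = code;
    c->output_full = true;
    c->security_flag = false;
}

/* Application interface: read the security register, then the output
 * buffer, then reset the security register. Returns false if nothing waits. */
bool read_keyboard_code(kbd_controller *c, uint8_t *code, bool *from_keyboard) {
    if (!c->output_full) return false;
    *from_keyboard = c->security_flag;   /* step 1: read security register */
    *code = c->output_buffer;            /* step 2: read the second code */
    c->output_full = false;
    c->security_flag = false;            /* step 3: reset security register */
    return true;
}
```

An application that checks `from_keyboard` before accepting a password or PIN character can thus reject input that was merely emulated, which is the differentiation the background section calls for.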