1. Field of the Invention
The present invention relates generally to systems and methods for maintaining security of computer systems connected to one or more networks (Local Area Networks or Wide Area Networks) and, more particularly, to a security system with methodology for computing a unique security signature for an executable file employed across different machines.
2. Description of the Background Art
The first computers were largely stand-alone units with no direct connection to other computers or computer networks. Data exchanges between computers were mainly accomplished by exchanging magnetic or optical media such as floppy disks. Over time, more and more computers were connected to each other using Local Area Networks or “LANs”. In both cases, maintaining security and controlling what information a computer user could access was relatively simple because the overall computing environment was limited and clearly defined.
In traditional computing networks, a desktop computer largely remained in a fixed location and was physically connected to a single local network (e.g., via Ethernet). More recently, however, an increasingly large number of business and individual users are using portable computing devices, such as laptop computers, that are moved frequently and that connect into more than one network. For example, many users now have laptop computers that can be connected to networks at home, at work, and in numerous other locations. Many users also have home computers that are remotely connected to various organizations from time to time through the Internet. The number of computing devices, and the number of networks that these devices connect to, has increased dramatically in recent years.
In addition, various different types of connections may be utilized to connect to these different networks. A dial-up modem may be used for remote access to an office network. Various types of wireless connectivity, including IEEE (Institute of Electrical and Electronics Engineers) 802.11 and Bluetooth, are also increasingly popular. Wireless networks often have a large number of different users that are occasionally connected from time to time. Moreover, connection to these networks is often very easy, as connection does not require a physical link. Wireless and other types of networks are frequently provided in cafes, airports, convention centers, and other public locations to enable mobile computer users to connect to the Internet. Increasingly, users are also using the Internet to remotely connect to a number of different systems and networks. Thus, it is becoming more common for users to connect to a number of different systems and networks from time to time through a number of different means.
As more and more computers are connecting to a number of different systems and networks (including the Internet), a whole new set of security challenges faces network administrators and individual users alike. Security is of growing importance, and users and administrators have taken a variety of steps to secure systems and networks, including the use of firewalls, endpoint security modules, network intrusion detection routines, and the like. Among the steps that have been taken to improve security is file integrity checking. File integrity checking is a way to determine if files have been created, removed or, perhaps most importantly, altered on a system. A similar integrity checking process is also typically used when messages, files, or other data are exchanged between systems.
File integrity checking generally involves passing the file contents through a hashing function, and generating a unique value, referred to as a “checksum”, that represents the hashed value of the contents. A checksum is a mathematical value that is assigned to a file and can be used to “test” the file at a later date to verify that the data contained in the file has not been changed (e.g., maliciously altered or damaged during transmission). A checksum is created by performing a complicated series of mathematical operations (e.g., by using a hashing technique such as MD5 or CRC32) that translate the data in the file into a fixed string of digits. This hashed value or checksum is then used for comparison purposes. Checksums are used in data transmission and data storage and are also known as message authentication codes, message digests, integrity check-values, modification detection codes, or message integrity codes. Another feature of checksums is that they are typically of a fixed length irrespective of the size of a source file. For example, a CRC32 checksum is 32 bits.
These features of the checksums may be used for revealing that files have been damaged or compromised (e.g., in data transmission), for comparing files for identity, and for detecting unauthorized modifications to a file. For example, a file integrity checker typically computes a checksum for every guarded file and stores this checksum. At a later time a checksum for the file can again be computed and the current value tested against the stored value to determine if the file has been modified.
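The integrity-checker workflow just described (compute a fixed-length checksum for every guarded file, store it, recompute later and compare) as an added worked example; this is illustrative code, not part of the patent text, and the file paths and contents are constructed in memory so it runs offline.

```python
import hashlib
import zlib

# Constructed sample "file system" (path -> contents); not taken from the original text.
BASELINE_FILES = {
    "/opt/app/bin/agent": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"A" * 2000,
    "/opt/app/lib/helper.dll": b"MZ\x90\x00" + b"B" * 512,
    "/opt/app/etc/policy.conf": b"allow=all\n",
}

def checksum(data: bytes, algorithm: str = "md5") -> str:
    """Return a fixed-length checksum: MD5 (128 bits) or CRC32 (32 bits), as in the text."""
    if algorithm == "md5":
        return hashlib.md5(data).hexdigest()           # always 32 hex digits
    if algorithm == "crc32":
        return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"  # always 8 hex digits
    raise ValueError(f"unsupported algorithm: {algorithm}")

def build_baseline(files: dict, algorithm: str = "md5") -> dict:
    """Compute and store a checksum for every guarded file."""
    return {path: checksum(data, algorithm) for path, data in files.items()}

def verify(baseline: dict, files: dict, algorithm: str = "md5") -> dict:
    """Recompute checksums and report files that were created, removed or altered."""
    current = build_baseline(files, algorithm)
    return {
        "created": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "altered": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }

def demo() -> dict:
    """Baseline the sample files, then simulate one altered, one removed and one new file."""
    baseline = build_baseline(BASELINE_FILES)
    later = dict(BASELINE_FILES)
    later["/opt/app/bin/agent"] = later["/opt/app/bin/agent"][:-1] + b"Z"  # single-byte change
    del later["/opt/app/etc/policy.conf"]
    later["/opt/app/bin/dropped.exe"] = b"MZ" + b"C" * 100
    return verify(baseline, later)

if __name__ == "__main__":
    print(demo())
```

A one-byte change in the agent is enough to flip its checksum, which is exactly why environment-dependent bytes (such as differing binding data) defeat naive cross-machine comparison.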
Although computing a checksum is a useful technique, there are a number of challenges in computing and using a checksum, particularly in situations in which a given file (e.g., an executable file such as an application program) may be installed on a number of different machines which may utilize different operating systems. One issue is that for a given executable file (e.g., program, driver, data file, or the like), a checksum calculated on two different machines may be dramatically different because of differences in the machine environment rather than any substantive difference in the executable file itself. For example, a checksum calculated for Microsoft Outlook on a machine running Windows 95 will usually be drastically different from a checksum calculated for the same version of Microsoft Outlook on a machine running Windows 2000. On both machines, the size of a particular version of Microsoft Outlook will be the same (e.g., 700 kilobytes). However, the checksum will be different, primarily because the binding of the file on the two machines will differ because of the different operating systems employed.
The Microsoft Windows operating system provides a function called “ImageGetDigestStream”, which provides a partial filter for the purpose of file integrity checking. However, this filter does not provide sufficient accuracy for the purpose of clearly determining file identity, because the filter frequently generates different data streams (and hence, different checksums) for executable files on different installations.
What is required is a solution which enables the computation of a checksum on an executable file (e.g., program, driver, data file, loadable library, or the like) in order to uniquely identify that file across different machines. The present invention provides a solution for these and other needs.