Running computer programs on a computer system poses challenges. For example, a rogue computer program could execute on the computer system, could at the very least create an annoyance, and could at the very worst cause irreparable damage to the computer system. In addition, a pirated computer program could be executed on the computer system. Also, a computer program may be used on the computer program illegally, perhaps by accident. It is also difficult to ensure that a “value-add” (or deployed) computer program only executes on an intended, or targeted, computer system. A computer program includes at least one computer program executable, which can be run on a computer system.
Need for Assured Execution Environment
Such problems are more acute, and more useful to solve, for a computer program that is “managed”, typically by an information technology (IT) organization. Such computer program management is de-facto in the Enterprise, where users hardly install and maintain all their own computer programs. In such scenarios, asset management and license tracking for the computer programs are cumbersome, complicated, and bothersome to the user. Moreover, policy compliance verification or enforcement is explicit (e.g., an agent must proactively check for compliance).
Computer program executables (including malware) are generated with respect to an Application Binary Interface (ABI), which provides low-level uniformity across computer systems of that type. Thus, malware (e.g., a computer virus, computer worm, a computer Trojan horse) knows the software/hardware architecture on which it would be executing. An “alien” computer program executable must be in a format, and must conform to the ABI, that is understood by the operating system of the computer system. Thus, malware from one type of computer system (platform) does not typically affect another platform. Malware expects a certain runtime environment. Conversely, in order for the operating system of a computer system to run a computer program executable, the executable must conform to the ABI that the computer system and that the operating system supports. In particular, if the executable is “garbage” (i.e., the executable does not conform to the ABI) from the standpoint of the operating system or the computer system, it will not run on the computer system.
Prior Art Defense Systems
As shown in prior art FIG. 1, a typical prior art defense system attempts to defeat malware on a computer system by (1) detecting the malware and (2) preventing malicious operations that the malware tries to perform. Such a prior art system may detect the malware by (a) recognizing malware signatures, deterministically or heuristically, (b) analyzing the behavior of the malware, or (c) running the malware in a “sandbox”. A “sandbox” is a segregated part of a computer system in which an executable can run with a low probability of the executable damaging the computer system. Unfortunately, such techniques have become overly complex today, and none are sufficient. Therefore, a method and system of creating an assured execution environment for at least one computer program executable on a computer system is needed.