Generally, a service providing system executed in a network environment comprises a service user (hereinafter referred to as a user) constituting a client and a service provider (hereinafter referred to as a provider) constituting a server. The provider installs server applications on the server, and the user installs client applications, which are application programs distributed by the provider, on its own system in order to use the provider's services. The server applications interact with the client applications to provide the services. However, in many cases the user cannot trust the provider, and conversely the provider cannot trust the user. Such a lack of trust hampers the development of the information technology (IT) based service industry and is at times exploited as a means for crime.
Since an application program distributed by the provider may be a malicious program, such as spyware or adware, or some of its configuration files may be infected with computer viruses, the user cannot trust the provider. If such a malicious program or virus-infected file is installed, the user system will also be infected with the malicious program or virus.
Conversely, since the user system generally has security vulnerabilities, the provider cannot trust the user. The provider system becomes vulnerable because of the vulnerability of the user system. Occasionally, a user can analyze the application program distributed by the provider through reverse engineering and tamper with important logic. In a financial transaction service such as Internet banking, internal logic must be protected from hacking, and an enterprise that provides business services to partner enterprises through an extranet must protect its service system from being destabilized by security vulnerabilities in a partner enterprise's system.
A variety of methods for constructing mutual trust between such a client and server have been proposed. In a conventional service provided through a network environment, client side security apparatus for protecting against hacking attacks includes anti-virus products, patch management systems, and the like, and server or network side security apparatus includes a network firewall, a web firewall, a vulnerability scanner, a source code analysis tool, and the like. Hereinafter, the details and limitations of each technique will be described.
The anti-virus product diagnoses each file using a signature list of well-known malicious codes and determines whether the file is infected with a malicious code. However, since the signature list cannot contain a malicious code until that code becomes well known and is reported to a call center, there is a limitation in diagnosing malicious code.
The patch management system applies the latest security patches to an operating system or an application, thereby maintaining a personal computer (PC) in a secure state. However, a vulnerability for which no patch has been released cannot be protected against.
The network firewall blocks an external hacker's attack on a vulnerability existing in the network layer, i.e., layer 3 of the seven-layer open systems interconnection (OSI) model, or in the transport layer, i.e., layer 4 of the OSI model.
FIG. 1 is a view conceptually showing the functions of the network firewall 150, in which a user establishes an access control rule 151 on the network firewall based on Internet protocol (IP) addresses and port numbers and blocks the network packets of an unauthorized attacker.
For example, if a user 100 authorized to use file transfer protocol (FTP) services tries to connect to an FTP service 160, the network firewall 150 permits the corresponding connection, and if a person 110 who is not authorized to use FTP services tries to connect to the FTP service 160, the network firewall 150 blocks the corresponding connection. However, since the network firewall permits or rejects a connection based only on an IP address and a port number, if an attacker compromises an authorized person's machine and attacks by way of that machine, or if an authorized person attacks with malicious intent, there is no way to protect against such an attack.
On the other hand, since all users 120 are permitted to access a web service 170, the network firewall 150 permits all packets headed for the web service 170. However, if a web application of a server that is open to the outside, such as a web service, is vulnerable, anyone can attack the corresponding vulnerability, and thus the network firewall 150 cannot protect the vulnerability from an external hacker's attack. That is, the network firewall 150 can control which services are permitted and which are not, but cannot protect against an attack on a vulnerability in a permitted service.
An application firewall has been introduced to solve the above problems. The application firewall operates in the application layer, i.e., layer 7 of the OSI model, and thus can recognize a variety of protocols, such as hypertext transfer protocol (HTTP), file transfer protocol (FTP), simple mail transfer protocol (SMTP), and the like, and can protect against an attack on a vulnerability existing in the corresponding application.
FIG. 2 shows a web application firewall 220, which is a typical application firewall. The web application firewall 220 is provided with a packet filter system 222 and operates by packet filtering, in which a received packet is compared with predefined patterns 221. If the received packet is a malicious packet 200, the packet is blocked, and if the received packet is a normal packet 210, the packet is forwarded to a web server 230.
However, since the web application firewall 220 creates the patterns 221 based on known attack techniques, an attacker can easily bypass the packet filter system 222 by slightly transforming an existing attack technique, and an unknown attack technique cannot be protected against. Since every incoming packet must be compared with tens of thousands of predefined patterns 221, the speed of the web service is significantly reduced. Furthermore, if a normal packet 210 happens to match a predefined pattern 221, the packet is mistakenly treated as a malicious packet, with the side effect that a normal user is blocked from using the web service.
In addition, since the web application firewall 220 can monitor only general attack patterns, a vulnerability localized to a specific web site is difficult to protect. For example, since an attack that changes a merchandise price from 10,000 Korean Won to 1,000 Korean Won on a home shopping web site is meaningful only to that site, the web application firewall 220 cannot effectively protect against such attacks.
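The layered decisions described for FIG. 1 and FIG. 2, as an added example that is not part of the original specification: a layer 3/4 rule table that sees only the source address and destination port, a layer 7 signature list, and a site-specific price check that only the server itself can perform. The rule set, the signatures, the catalog price and all traffic samples are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

@dataclass
class Packet:
    src_ip: str
    dst_port: int
    payload: str  # application-layer data, decoded to text for the example

# Layer 3/4 rules (FIG. 1, rule 151): only the source address and destination
# port are visible; rules are evaluated top to bottom, first match wins.
ACL_RULES = [
    ("10.0.0.5/32", 21, "permit"),  # the authorized FTP user (element 100)
    ("0.0.0.0/0", 21, "deny"),      # every other FTP connection (element 110)
    ("0.0.0.0/0", 80, "permit"),    # the web service is open to all users (120)
]
# Layer 7 signatures (FIG. 2, pattern 221): generic, publicly known attack
# shapes; the list knows nothing about this particular site's business rules.
WAF_PATTERNS = [re.compile(r"<script", re.I), re.compile(r"union\s+select", re.I)]
# Constructed catalog for the home shopping site; only the server knows what a
# legitimate price is, so only the server can detect the 10,000 -> 1,000 change.
CATALOG_KRW = {"tv": 10000}

def acl_decision(pkt: Packet) -> str:
    addr = ipaddress.ip_address(pkt.src_ip)
    for cidr, port, action in ACL_RULES:
        if port == pkt.dst_port and addr in ipaddress.ip_network(cidr):
            return action
    return "deny"  # implicit default deny

def waf_decision(pkt: Packet) -> str:
    return "block" if any(p.search(pkt.payload) for p in WAF_PATTERNS) else "pass"

def price_check(pkt: Packet) -> str:
    # Site-specific control: reject an order whose client-supplied price differs
    # from the catalog price, regardless of what the packet looks like.
    if not pkt.payload.startswith("POST /buy "):
        return "n/a"
    params = parse_qs(pkt.payload.split(" ", 2)[2])
    item = params.get("item", [""])[0]
    price = params.get("price", [""])[0]
    return "ok" if price.isdigit() and CATALOG_KRW.get(item) == int(price) else "tampered"

def inspect(pkt: Packet) -> dict:
    # Firewall layers in order, then the server's own check on what got through.
    result = {"acl": acl_decision(pkt), "waf": "n/a", "price": "n/a"}
    if result["acl"] == "permit" and pkt.dst_port == 80:
        result["waf"] = waf_decision(pkt)
        if result["waf"] == "pass":
            result["price"] = price_check(pkt)
    return result

# Constructed traffic samples, one per case discussed in the text.
SAMPLES = {
    "authorized_ftp": Packet("10.0.0.5", 21, "USER alice"),
    "unauthorized_ftp": Packet("203.0.113.9", 21, "USER alice"),
    "via_authorized_host": Packet("10.0.0.5", 21, "USER mallory"),  # passes the ACL
    "normal_web": Packet("203.0.113.9", 80, "GET /item?id=42"),
    "known_attack": Packet("203.0.113.9", 80, "GET /q?s=1 UNION SELECT 1"),
    "price_tamper": Packet("203.0.113.9", 80, "POST /buy item=tv&price=1000"),
    "benign_forum_post": Packet("198.51.100.4", 80, "POST /forum body=UNION SELECT tips"),
}
```

Calling `inspect(SAMPLES[name])` for each sample shows the price-tampering order passing both firewall layers and being caught only by the server-side check, while the benign forum post is blocked by the signature list.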
The web application firewall 220 is a method of blocking attacks on a vulnerability of an application while leaving the vulnerability itself as it is. By contrast, a vulnerability scanner or a source code analysis tool uses a method of removing the vulnerability itself.
The vulnerability scanner is a tool that checks for the existence of vulnerabilities by transmitting diagnostic packets to an application server from outside and examining the responses, and the source code analysis tool is a tool that directly examines source code and determines whether vulnerabilities exist.
FIG. 3 is a view showing the process of using the vulnerability scanner and the source code analysis tool. When development of an application is started 300, a design and coding step 310 is generally performed. When a certain part of the application is completed, a vulnerability analysis step 320 is performed, in which the vulnerability scanner or the source code analysis tool is executed in order to confirm whether vulnerabilities exist in the code created so far. If vulnerabilities are found, a modification step 330 is performed, and this cycle is repeated until all the vulnerabilities are removed, after which the development is finished 340.
Generally, a vulnerability scanner or a source code analysis tool only shows the existence of security vulnerabilities, and removing them is the work of the developers. Accordingly, the developers need expertise in vulnerabilities comparable to that of highly skilled hackers in order to remove the security vulnerabilities, and a considerable amount of cost and time is required. In addition, as with the application firewall, the vulnerability scanner or the source code analysis tool has the weak point that it cannot find a vulnerability localized to a specific web site, such as the possibility of changing a merchandise price from 10,000 Korean Won to 1,000 Korean Won.
For these reasons, with conventional techniques it is difficult to construct a fundamental security system for enhancing the reliability of a network-based client/server system. Hereinafter, a new method for overcoming the technical limitations of the conventional security systems mentioned above will be described in detail.
On the other hand, in a client/server service providing system, it is common for a provider to distribute to users a client application needed for providing services and to guide the users in using it. However, although distribution of the client application is indispensable for providing services, the security measures applied to it are inadequate, and thus the current method of distributing the client application is unsafe. Therefore, the current distribution method becomes another important factor degrading the mutual reliability of the service providing system.
Typical conventional methods of distributing to service users an application program needed for providing services include the ActiveX control method, the program direct installation method, and the streaming method. Hereinafter, the details and limitations of each technique will be described.
The ActiveX control method is frequently used for web services. The service provider creates the software needed for providing services in the form of an ActiveX control and embeds it in a web page. When a user visits the corresponding web page, the user's web browser asks the user whether to install the ActiveX control on the PC, and if the user agrees, the ActiveX control is installed.
The ActiveX control method is advantageous in that a program can be conveniently installed. However, an ActiveX control to be installed occasionally turns out to be malicious code, such as adware or spyware. On this account, there is a problem in that a PC may be infected with malicious code unknowingly while web surfing. In order to solve this problem, a system for judging the safety of a control based on whether its certificate was issued by a trusted certification authority has been adopted nationwide. However, such a system always has a loophole in that even an adware manufacturer can acquire a certificate by paying a certain fee, and if the option of verifying the digital signature is turned off in the web browser, the system is of no use at all. In addition, if a security vulnerability exists in a legitimate ActiveX control, it is possible to hack a user's PC through that vulnerability.
The program direct installation method is a method in which a user downloads an installation program such as Setup.exe and installs the software by executing it. The installation program method fundamentally has the same problems as the ActiveX method.
Since the ActiveX control method and the installation program method install software directly in the client system, problems of version collision, complexity of installation, system capacity, and the like occur. To solve these problems, a streaming type software distribution method has been introduced.
Version collision is a problem that arises when a shared library, for example ab.dll, is used simultaneously by software A and software B: if software that is incompatible with the currently used version is installed, or another piece of software updates the corresponding file, the file operates abnormally.
In the streaming method, software for a client/server environment is not installed directly in the client operating system; instead, a streaming image in which the software is installed is used. If a process requests ab.dll, a streaming client searches for ab.dll in the streaming image and returns the found file to the process, thereby emulating the presence of ab.dll although ab.dll does not actually exist in the operating system. In this case, since the file is not installed directly in the operating system, the problems of version collision, complexity of installation, and the like can be solved. In addition, since the entire software is not installed but a streaming server supplies only the file or registry entry currently needed, the problem of system capacity can also be solved.
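The version collision and the streaming client's file resolution described above, as an added example that is not part of the original specification. The library names, version strings and the two sample packages are constructed; the streaming server is represented by an in-memory dictionary of images.

```python
from copy import deepcopy

# Constructed sample data (not from the original): the OS's shared library
# directory and two programs that both ship a shared library ab.dll, each
# built against a different version of it.
OS_SYSTEM_DIR = {"kernel32.dll": "os-1.0"}
PACKAGES = {
    "A": {"a.exe": "A-1.0", "ab.dll": "ab-1.0"},
    "B": {"b.exe": "B-2.0", "ab.dll": "ab-2.0"},
}
REQUIRED_AB = {"A": "ab-1.0", "B": "ab-2.0"}  # version each program was built against

def direct_install(system_dir: dict, package: dict) -> None:
    # Conventional Setup.exe behaviour: copy every file into the shared directory,
    # silently overwriting whatever version was already there.
    system_dir.update(package)

def load_check(program: str, resolved_version: str) -> str:
    # A program that loads a different ab.dll than it was built against misbehaves.
    return "ok" if resolved_version == REQUIRED_AB[program] else "version collision"

class StreamingClient:
    """Resolves file requests against a per-program streaming image first and
    only then against the real operating system, fetching image files lazily
    from the streaming server the first time a process asks for them."""

    def __init__(self, server_images: dict, os_dir: dict):
        self.server = server_images
        self.os_dir = os_dir
        self.local_cache = {name: {} for name in server_images}
        self.fetches = 0

    def resolve(self, program: str, filename: str) -> str:
        cached = self.local_cache[program]
        if filename not in cached and filename in self.server[program]:
            self.fetches += 1                    # one round trip per file, on demand
            cached[filename] = self.server[program][filename]
        if filename in cached:
            return cached[filename]              # emulated: not present in the OS
        if filename in self.os_dir:
            return self.os_dir[filename]         # genuine OS file, shared by all
        raise FileNotFoundError(filename)

def direct_install_scenario() -> dict:
    os_dir = deepcopy(OS_SYSTEM_DIR)
    direct_install(os_dir, PACKAGES["A"])
    direct_install(os_dir, PACKAGES["B"])        # B's installer replaces ab.dll
    return {"ab.dll": os_dir["ab.dll"],
            "A": load_check("A", os_dir["ab.dll"]),
            "B": load_check("B", os_dir["ab.dll"])}

def streaming_scenario() -> dict:
    os_dir = deepcopy(OS_SYSTEM_DIR)
    client = StreamingClient(PACKAGES, os_dir)
    result = {p: load_check(p, client.resolve(p, "ab.dll")) for p in ("A", "B")}
    result["kernel32"] = client.resolve("A", "kernel32.dll")  # falls through to the OS
    result["os_dir_touched"] = os_dir != OS_SYSTEM_DIR
    result["files_fetched"] = client.fetches     # only ab.dll twice, never a.exe/b.exe
    return result
```

Note that both programs still execute directly on the shared operating system; the client only redirects file lookups, which is the limitation the next paragraph describes.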
However, the streaming method only emulates, at the application level, files, registry entries, and the like that do not exist in the operating system as if they existed; virtualization at the operating system level is not provided. Therefore, an application program is executed directly in the operating system, and the system processes, service processes, and operating system kernel are shared between a process executed from the streaming server and an ordinary process. Accordingly, if the streaming method is used, modifications of the operating system caused by the installation of an application program can be prevented. However, from the security aspect, the service provider's or the service user's system cannot be efficiently protected from problems that occur while the application program is executing.
As a result, the conventional methods by which a provider distributes a needed application to users in a client/server-based service providing system have the problem that mutual reliability cannot be constructed. Hereinafter, the present invention proposes a new method that overcomes the technical limitations of the conventional client application distribution methods described above, which will be described in detail.
On the other hand, research on virtual machines has recently been actively in progress. The virtual machine is a concept introduced in the 1960s to share a mainframe in the form of a plurality of virtual machines. However, as the price of microcomputers and PCs fell, purchasing a plurality of PCs became more advantageous in cost than sharing a mainframe, and thus the virtual machine technique was scarcely used in the 1980s. In the 1990s, however, using a plurality of small-capacity computers instead increased management and maintenance costs. Further, the efficient use of computing resources became an issue (for example, server A may use 10% of its CPU while server B uses as much as 99%), and thus the virtualization technique attracted attention again. However, virtualization techniques for efficiently managing the resources of large-scale servers are the mainstream, and research on virtualization techniques for client systems is still insufficient.
It is noted in advance that, in the present invention, a virtual machine is operated in the client system in order to install and execute the client application.
There are diverse methods of implementing a virtual machine. The virtualization methods known to date include command set level virtualization, para-virtualization, library level virtualization, application level virtualization, operating system level virtualization, and the like.
In the command set level virtualization method, the central processing unit, memory, chipset, bus, and a variety of peripherals (network card, hard disk, floppy disk, and CD-ROM) are emulated in software to create a virtual machine. Since all commands issued in the virtual machine are processed by software, this method has many performance problems, such as degraded processing speed.
In the para-virtualization method, unlike the command set level virtualization method, commands are not emulated; instead, the source code or binary code of an operating system is modified so that a plurality of operating systems can be executed on one hardware machine. Recently, CPUs have been developed that allow a plurality of operating systems to be executed on a single hardware machine without modifying the operating systems. In para-virtualization, since the command set is not reinterpreted in software, processing speed is improved.
Since a completely independent operating system can be installed in each virtual machine, the command set level virtualization method and the para-virtualization method are appropriate for server virtualization, such as a virtual private server (VPS), server consolidation, and the like, and they are also utilized in the fields of software development, testing, and the like. However, these methods have some problems when used for the virtualization of a client system pursued by the present invention. They are inconvenient in that a new operating system must be installed in each virtual machine, and as many operating system licenses as the number of virtual machines must be purchased.
The library level virtualization method is a method of virtualizing libraries within an operating system; specifically, it virtualizes application programming interfaces (APIs). For example, Windows Emulator (WINE) implements the Win32 API on a UNIX/X system to execute Windows applications on UNIX, and conversely, Windows provides POSIX or OS/2 subsystems.
The application level virtualization method creates an application in the form of bytecode, as in the Java Virtual Machine developed by Sun Microsystems, which allows the application to be executed in a variety of heterogeneous hardware and software environments.
Finally, the operating system level virtualization method is a method of virtualizing each constituent element of an operating system (processors, file system, network resources, system call interface, namespaces, and the like). Conventional operating system level virtualization methods have been developed mainly for the purpose of server virtualization, such as a Virtual Private Server (VPS).
When a VPS is implemented using a full virtualization or para-virtualization method, the memory and hard disk resources required by a virtual machine are the same as those of a real machine, and thus it is difficult to create a plurality of virtual machines on one physical machine. However, if operating system level virtualization is used, all the virtual servers can be run by a single operating system, so the resources needed to run an operating system in each individual virtual machine are not required, and a plurality of virtual machines can be run with a small amount of resources compared with the full virtualization or para-virtualization methods. Alternatively, the operating system level virtualization method has been used as a method of efficiently providing an independent operating system space to a user who needs a plurality of operating system environments for software development and testing.
Virtualization techniques are currently widely used in the fields of server consolidation, software development and testing, and hosting. In the field of security, research has mainly proceeded by executing an untrusted application in a virtual machine, i.e., untrusted programs are executed in a virtual machine in order to protect the host operating system or to test whether a malicious program is concealed in them. However, for a client/server-based service providing system, research on a security technique for client applications and server applications using a virtual machine has not yet been conducted. In addition, as described below, no conventional virtualization method is adequate for a client/server-based service providing system. In the present specification, a new virtualization method that is different from conventional virtualization is proposed.
On the other hand, conventionally, using a personal computer requires knowledge that is somewhat difficult for an ordinary person unfamiliar with computers to acquire, such as knowledge of operating systems, program installation, and program settings. Personal computers have been exclusive possessions that only a few experts can use freely. If the personal computer is to become a popular home appliance like a television set or a refrigerator, it must become much easier to use than it is now. In the case of a television set, a user can easily and rapidly watch a desired program merely by switching channels with a remote controller. Computing environments should be changed so that a computer can be used as easily as a television set.
In order to make computing environments more accessible, a variety of techniques, including the graphical user interface (GUI), have been provided. However, even today, installing and setting up programs is still not easy for an ordinary person, and a variety of viruses and malicious programs make it even more difficult for ordinary people to use a computer.