1. Technical Field
The present invention relates generally to an apparatus and method for preventing the falsification of a client screen and, more particularly, to an apparatus and method for preventing the falsification of a client screen, which can defend a user screen against attacks by which data received from a server is modified using a web injection attack, a memory hacking attack, or the like to cause the user screen to be forged.
2. Description of the Related Art
An attack of falsifying a client screen is one of the attack methods used to steal user information. It is carried out in such a way that screen-related information provided by a web server is falsified by malicious code installed on the user's computer (that is, the client), an inappropriate screen is displayed on the client, and the user's information is then stolen. In other words, an attack of falsifying a client screen is a kind of attack in which the screen transmitted from the server is falsified using web injection, memory hacking or the like before the relevant web page is displayed, so that a screen not intended by the user is presented. In the case of this attack, the data viewed by the user and the data processed by the service provider differ from each other.
The web injection technique falsifies received data after the server's response to the user's Uniform Resource Locator (URL) request has been received by the user's web browser (this applies equally when the request and response use Hypertext Transfer Protocol Secure, HTTPS, since the modification takes place after decryption on the client). The server's response is composed of pieces of text that make up a screen, such as Hypertext Markup Language (HTML), JavaScript, or Extensible Markup Language (XML). A hacker can perform his or her desired task under the authority of the user by falsifying (inserting, substituting, deleting, or the like) the server's response using a web injection technique or a memory hacking technique. For example, when a homepage receives an ID and a password from the user and allows the password to be entered using a keyboard security solution, a hacker may add an input tag such as a "password confirmation" entry using a screen falsification technique, thereby inducing the user to re-enter his or her password. Since the input tag injected by the hacker is not protected by the keyboard security solution, the hacker can easily obtain the user's password. A memory hacking attack is a method of changing or modifying the values in the memory of a client so that falsified data is displayed or transferred to the server. Since this attack is carried out without the knowledge of the service provider or the user, it is difficult for the web page provider and the user to become aware of it.
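The following Python script is an added illustration of the discrepancy described above, not a method disclosed by this document. It assumes a defender holds both the server's original response and a copy of the HTML actually present on the client (how that copy is obtained is outside the example), and it reports any input fields, such as an injected "password confirmation" entry, that exist in the client copy but not in the server response. The two HTML documents are constructed samples.

```python
"""Compare a server's original HTML response with the copy present on the
client and report input fields that were added on the client side.
Added example; not the apparatus or method of this document.  The sample
HTML documents below are constructed for illustration only."""
import hashlib
from html.parser import HTMLParser


class InputCollector(HTMLParser):
    """Collect (type, name) for every <input> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            self.inputs.append((a.get("type") or "text", a.get("name") or ""))


def collect_inputs(html):
    parser = InputCollector()
    parser.feed(html)
    parser.close()
    return parser.inputs


def screen_digest(html):
    """SHA-256 of the raw document; a quick first check for any change."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def injected_inputs(server_html, client_html):
    """Return input fields present in the client copy but absent from the
    server response.  A non-empty result means the screen shown to the
    user asks for data the service provider never requested."""
    remaining = collect_inputs(server_html)
    extra = []
    for field in collect_inputs(client_html):
        if field in remaining:
            remaining.remove(field)   # matches an expected field once
        else:
            extra.append(field)       # field the server never sent
    return extra


# Constructed sample: the server's genuine login form.
SERVER_HTML = """<html><body>
<form action="/login" method="post">
  <input type="text" name="user_id">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form></body></html>"""

# Constructed sample: the same page as rendered on a client where an
# extra "password confirmation" field has been inserted into the form.
CLIENT_HTML = """<html><body>
<form action="/login" method="post">
  <input type="text" name="user_id">
  <input type="password" name="password">
  <input type="password" name="password_confirm">
  <input type="submit" value="Login">
</form></body></html>"""

if __name__ == "__main__":
    print("digest differs:", screen_digest(SERVER_HTML) != screen_digest(CLIENT_HTML))
    print("injected fields:", injected_inputs(SERVER_HTML, CLIENT_HTML))
```

The digest check only tells a defender that the client copy differs; the field-by-field comparison tells which inputs were added, which is the signal a service provider would act on (for instance, refusing to process a submission that carries fields the page never contained).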
A representative conventional method of coping with these attacks is to install a vaccine (anti-virus) program capable of detecting and eliminating malicious code installed on a client, thereby preventing the attacks from being made. This scheme can cope with well-known malicious code and can fundamentally eliminate such malicious code, so it copes effectively with the attacks. However, this method is disadvantageous in that it cannot defend the client against mutant malicious code which the vaccine cannot detect, and is problematic in that the scheme depends on the user, so that the service provider cannot cope with such attacks on its own.
Another conventional method of coping is to prevent the forgery of the memory data of a computer application program. Such a method hooks a memory data-related Application Programming Interface (API) function during the execution of a specific application program on the computer and then blocks access to the memory data by a hacking program. Accordingly, the forgery of memory data can be prevented early, so that the results of executing the memory data-related API function do not influence the program to be protected. This method has the effect of blocking abnormal access to memory data at the outset, but has the problem of requiring exclusive software, such as a secure browser, to be installed, and makes it difficult to cope with new memory attack methods.
A further conventional method of coping is address space randomization. This causes the memory address space that is used or newly allocated each time a program runs to be changed randomly. Accordingly, even if an overflow occurs when an input value forged by a hacker is transmitted, the memory address space is not laid out in the manner the hacker initially anticipated, making it impossible to freely change program control. This method can efficiently cope with buffer overflow attacks, but is problematic in that it cannot cope with web injection attacks.