Over the last two decades, the functionality and convenience of computers have improved steadily. An ever-growing number of interconnected computers and mobile devices are used to perform important tasks in many areas of society and in the daily lives of a growing number of people. This development, however beneficial, brings with it new vulnerabilities and concerns for security. A central problem is to allow a user to establish trust in the integrity of a computer system, or more particularly, in the integrity of a software application used for an important or sensitive purpose.
The integrity of a computer system depends not only on the integrity of the data in non-volatile memory such as ROM or disks but also on the integrity of the runtime image in volatile memory such as RAM. The integrity of the runtime image can be corrupted by intentional or unintentional modifications of this image even if the static integrity of the executables before loading is guaranteed. Relevant vulnerabilities include loading of unauthorized code, buffer overflow, insufficient input validation, or, on Microsoft Windows platforms, security attacks based on a technique known as “DLL injection”, where a remote process can write to the address space of a running application. Even with genuine code, such as some system tools, the runtime image of an application can be modified in an unauthorized manner. Since modifications can occur at any time, it is impossible to ensure the dynamic integrity of the runtime image of a software application with a single authentication before execution.
One prior art method for “secure software registration and integrity assessment in a computer system” is described in U.S. Pat. No. 5,944,821. A loader compares hash values of software applications before execution to previously prepared hash values in secure storage. Since no integrity checks are performed during execution, dynamic integrity of the runtime image cannot be achieved.
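The limitation described above can be made concrete with a small model. The following Python is an added illustration, not code from the patent or from the prior art it cites: a secure store of previously prepared hash values, a loader that performs the single pre-execution comparison, and a monitor that re-hashes the loaded code region on every tick. The hash function (SHA-256), the tick-based monitor, the sample executable bytes and the in-memory write are all assumptions constructed for the example; the patent names none of them. The pre-execution check passes, and only the repeated runtime check notices the later modification of the image.

```python
import hashlib
from typing import Dict, List, Optional, Tuple


def image_hash(data: bytes) -> str:
    """SHA-256 over a code image (hash algorithm is an assumption; the text names none)."""
    return hashlib.sha256(bytes(data)).hexdigest()


class SecureStore:
    """Stand-in for the secure storage of previously prepared hash values."""

    def __init__(self) -> None:
        self._expected: Dict[str, str] = {}

    def register(self, name: str, executable: bytes) -> None:
        self._expected[name] = image_hash(executable)

    def expected(self, name: str) -> str:
        return self._expected[name]


def verify_before_load(store: SecureStore, name: str, executable: bytes) -> bool:
    """The prior-art check: a single comparison of the executable before execution."""
    return image_hash(executable) == store.expected(name)


class RuntimeImage:
    """A loaded application: a writable copy of the code region, standing in for RAM."""

    def __init__(self, name: str, executable: bytes) -> None:
        self.name = name
        self.code = bytearray(executable)

    def verify(self, store: SecureStore) -> bool:
        """Dynamic check: re-hash the code region as it currently exists in memory."""
        return image_hash(self.code) == store.expected(self.name)


def modify_in_place(image: RuntimeImage, offset: int, patch: bytes) -> None:
    """Models an unauthorized same-length write to the runtime image after loading."""
    image.code[offset:offset + len(patch)] = patch


def monitor(image: RuntimeImage, store: SecureStore,
            writes_per_tick: List[Optional[Tuple[int, bytes]]]) -> Optional[int]:
    """Re-verify the image once per tick.

    writes_per_tick holds, per tick, either None or an (offset, patch) write that
    occurs before that tick's check. Returns the tick at which corruption is first
    detected, or None if the image stays intact.
    """
    for tick, write in enumerate(writes_per_tick):
        if write is not None:
            modify_in_place(image, *write)
        if not image.verify(store):
            return tick
    return None


# Constructed sample "executable": arbitrary bytes, not a real program.
SAMPLE_EXECUTABLE = bytes(range(0x40, 0x60))


def demo() -> Tuple[bool, bool, Optional[int]]:
    """Returns (static check result, check right after load, tick of detection)."""
    store = SecureStore()
    store.register("app.exe", SAMPLE_EXECUTABLE)
    static_ok = verify_before_load(store, "app.exe", SAMPLE_EXECUTABLE)
    image = RuntimeImage("app.exe", SAMPLE_EXECUTABLE)
    loaded_ok = image.verify(store)
    # Nothing changes on ticks 0 and 1; an in-memory write happens on tick 2.
    detected_at = monitor(image, store, [None, None, (4, b"\x00\x00"), None])
    return static_ok, loaded_ok, detected_at


if __name__ == "__main__":
    print(demo())  # (True, True, 2)
```

The point of the model is the gap between `verify_before_load` and `monitor`: the first answers only whether the bytes on disk matched at load time, while the second is what a design for dynamic integrity has to repeat for as long as the application runs. How often to re-check, and how to keep the store and the checker themselves out of reach of the process being checked, are the questions such a design must answer.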
The 2003 Microsoft Professional Developers Conference release of Microsoft Corporation's Next-Generation Secure Computing Base technologies for the Microsoft Windows family of operating systems is described in a white paper available at the Microsoft Developer Network library (http://msdn.microsoft.com/library/en-us/dnsecure/html/nca_considerations.asp). The computing environment is divided into two separate and distinct operating modes. Users can perform routine tasks in Standard mode using their existing applications, services, and devices. For their high-security tasks, those same users can run trusted, authenticated Nexus computing agents that execute in a separate and protected operating environment called Nexus mode. While Nexus mode protects Nexus computing agents from any harmful programs that may be running in Standard mode, within Nexus mode a Nexus security kernel uses standard virtual memory protections to isolate itself from Nexus computing agents and to isolate Nexus computing agents from one another.