Field
The present invention relates generally to the field of computers and computer devices. More particularly, the present invention relates to a computer device and a method for isolating untrusted or malicious content on a clipboard.
Description of Related Art
There is an on-going need to protect computer devices from malicious content, as is well recognised in the field of computer security. In particular, it is desired to protect computer devices from malicious content which may be introduced by actions of a user, such as by using a clipboard.
Generally, a clipboard is a facility within the computer device which is used for short-term data storage and/or data transfer between documents or applications, via ‘cut’, ‘copy’ and ‘paste’ type clipboard operations. The clipboard is usually implemented as an anonymous temporary data buffer that can be accessed from most or all programs or applications via defined application programming interfaces (APIs). Typically, applications will access the clipboard facility by mapping user inputs or commands (e.g. mouse, keybindings or menu selections) to these interfaces.
As one example, the Apple ‘OS X’ family of operating systems provide a ‘Pasteboard’. Using a Pasteboard Server, content may be transferred by accessing a shared repository where a data writer and a data reader exchange data. For example, the key binding ‘Cmd-C’ or ‘Cmd-X’ instructs a copy or cut of selected data from a source, such as a web page in a Safari Internet browser. The writer or pasteboard owner (for example, a Safari writer) deposits that data from a writer address space onto a pasteboard instance in a pasteboard address space. The key binding ‘Cmd-V’ then pastes content from the clipboard into a nominated destination, e.g. an Apple Pages document. The relevant reader accesses the pasteboard and retrieves the relevant clipboard content to a reader address space.
In the Microsoft Windows family of operating systems, a ‘Windows Clipboard’ (‘WC’) provides a set of API calls, messages and notifications, to enable data transfer and sharing within or between applications. For example, the key bindings ‘Ctrl+C’ and ‘Ctrl+X’ allow the user to copy or cut data from a source—such as an image from a web page in Internet Explorer or an attachment from email. In response, this data is copied by the operating system from an application memory which is associated with the source, to a globally allocated memory associated with the clipboard. Conversely, the key binding ‘Ctrl+V’ instructs the operating system to paste a current item of clipboard content into an identified destination—e.g. paste the image from the web page into a Microsoft Word document or insert the attachment from the email into a database. In response, the relevant clipboard content is copied by the operating system from the globally allocated memory associated with the clipboard into an appropriate application memory associated with the destination.
In more detail, when the user copies or cuts data from a user application, the following events may take place on the computing device: the clipboard is opened by initialisation, e.g. by calling a clipboard API function OpenClipboard; memory is allocated for the clipboard from a global store, e.g. by calling a memory management function GlobalAlloc; the clipboard is emptied of any previous content, e.g. by calling another clipboard API function EmptyClipboard; user-copied or user-cut data are copied from the memory associated with the user application to the globally allocated memory, e.g. by invoking a clipboard API function SetClipboardData; a handle returned by the memory allocation function and a data format of the user-copied or user-cut data are passed to the clipboard; and the clipboard is closed, e.g. by a clipboard API function CloseClipboard.
Similarly, when the user pastes data into a user application, the following events associated with the paste operation may take place on the computing device: the clipboard is opened by initialisation by the user application (e.g. by calling the function OpenClipboard); available data formats (e.g. text, bitmap) of the clipboard content are retrieved by the user application; a handle to the clipboard data is obtained by the user application (e.g. using a clipboard API function GetClipboardData); a copy of the clipboard data is inserted into the user application; and the clipboard is closed by the user application (by invoking the function CloseClipboard).
In addition, each of the applications on the computer device may query the clipboard regarding a format of the data contained in the clipboard and/or may set up notification mechanisms to determine whenever the clipboard content has changed, via the clipboard API. That is, the applications may place one or more clipboard content objects on the clipboard, in which a clipboard content object represents the clipboard content in a specific data format (for example, the specific data format may be represented by a number of UINT type). For example, Microsoft Windows provides further clipboard API calls that may be invoked to obtain information regarding data formats managed by the clipboard, such as a count and a type of the data formats. Thus, the clipboard API function CountClipboardFormats may be used to retrieve a number of the data formats (for example, different data formats) currently on the clipboard; clipboard API function IsClipboardFormatAvailable may be called to determine whether the clipboard contains the clipboard content in the specific data format; clipboard API function EnumClipboardFormats enumerates the data formats currently available on the clipboard; clipboard API function GetPriorityClipboardFormat may be called to retrieve a first available data format in a specified list; clipboard API function GetClipboardFormatName may be used to retrieve from the clipboard a name of the specific data format; clipboard API function GetUpdatedClipboardFormats may be similarly used to retrieve currently supported data formats; and clipboard API function RegisterClipboardFormat may be invoked to register a new data format.
Furthermore, the operating system may allow an application to register to be notified when the clipboard content has changed. In this way, applications may monitor the clipboard. The operating system may send messages to applications that have registered to be notified when the clipboard content has changed. For example, Microsoft Windows allows an application to add itself to a clipboard viewer chain by calling another clipboard API function SetClipboardViewer. A clipboard viewer thus will receive a clipboard content change message (WM_DRAWCLIPBOARD) whenever the clipboard content changes. The application may invoke related clipboard API function GetClipboardViewer to retrieve a handle to a first clipboard viewer in the clipboard viewer chain. Further, the application may register as a clipboard data format listener by simply calling clipboard API function AddClipboardFormatListener. When the clipboard content changes, the application is posted another clipboard content change message (WM_CLIPBOARDUPDATE). The registration remains valid until the application unregisters by calling related clipboard API function RemoveClipboardFormatListener. In addition, the application may query a clipboard sequence number of the clipboard. When the clipboard content changes, the clipboard sequence number is incremented. The application may also retrieve a current clipboard sequence number by calling clipboard API function GetClipboardSequenceNumber. Hence, by comparing the current clipboard sequence number with a previous clipboard sequence number, the application may determine whether the clipboard content has changed. Further, the application may also retrieve a window handle of a current owner of the clipboard by calling clipboard API function GetClipboardOwner. Additionally, the application may obtain a handle to another application that currently has the clipboard open by calling clipboard API function GetOpenClipboardWindow.
A challenge arises in that malicious code (malware) may attempt to access a clipboard on the computer device for malicious purposes, such as to obtain sensitive information or to corrupt the content stored therein. The clipboard is normally user-driven, such that the application should transfer data to or from the clipboard only in response to interaction from the user. However, malicious software may access the clipboard without requiring any user interaction. In practice, malware may access the clipboard through relevant calling functions (e.g. through the clipboard API as described above) without requiring any user interaction. Further, malicious software may access the clipboard through deliberate or non-deliberate user interaction. For example, untrusted content may be copied by the user from an untrusted source (e.g. untrusted content, untrusted application) and pasted into a trusted destination (e.g. trusted content, trusted application) thus introducing a vector of attack into the previously trustworthy destination.
Considering these example arrangements for providing the clipboard, it will be appreciated that malware may relatively easily register to be notified when contents of the clipboard have changed, may query the clipboard sequence number, may retrieve a window handle of a current owner of the clipboard, may obtain a handle to a window that currently has the clipboard, may obtain a handle to the clipboard data, or may copy data to or from the clipboard. Any one of these actions may provide an opportunity to perform malicious acts on the computer device.
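As an added illustration of the user-driven principle described above (this example is not part of the original specification), the following Python code audits a trace of clipboard events and reports data-transfer calls made without a preceding user key binding, together with sequence-number changes that no copy or cut explains. The event format, the process ids, the 500 ms window and the trace itself are constructed assumptions; only the API function names and key bindings come from the text.

```python
from collections import namedtuple

# kind: "input" (user key binding), "api" (clipboard API call),
#       "poll" (a monitor's sample of GetClipboardSequenceNumber)
Event = namedtuple("Event", "t_ms pid kind value")

DATA_CALLS = {"GetClipboardData", "SetClipboardData", "EmptyClipboard"}
COPY_BINDINGS = {"Ctrl+C", "Ctrl+X"}

def audit(events, window_ms=500):
    """Return (t_ms, pid, reason) for clipboard activity not tied to user interaction."""
    findings = []
    last_input = {}          # pid -> time of that process's last clipboard key binding
    prev_seq = None          # sequence number seen at the previous poll
    copy_since_poll = False  # was a copy/cut binding seen since the previous poll?
    for ev in sorted(events, key=lambda e: e.t_ms):
        if ev.kind == "input":
            last_input[ev.pid] = ev.t_ms
            copy_since_poll |= ev.value in COPY_BINDINGS
        elif ev.kind == "api" and ev.value in DATA_CALLS:
            seen = last_input.get(ev.pid)
            if seen is None or ev.t_ms - seen > window_ms:
                findings.append((ev.t_ms, ev.pid, f"{ev.value} without user input"))
        elif ev.kind == "poll":
            # Comparing the current and previous sequence numbers reveals a change.
            if prev_seq is not None and ev.value != prev_seq and not copy_since_poll:
                findings.append((ev.t_ms, ev.pid, "sequence number changed without copy/cut"))
            prev_seq, copy_since_poll = ev.value, False
    return findings

# Constructed trace: pid 100 is a user application, pid 200 a background process,
# pid 1 the monitor that samples the clipboard sequence number.
TRACE = [
    Event(0,    1,   "poll",  41),
    Event(1000, 100, "input", "Ctrl+C"),
    Event(1010, 100, "api",   "OpenClipboard"),
    Event(1015, 100, "api",   "EmptyClipboard"),
    Event(1020, 100, "api",   "SetClipboardData"),
    Event(1025, 100, "api",   "CloseClipboard"),
    Event(2000, 1,   "poll",  42),
    Event(3000, 200, "api",   "GetClipboardData"),
    Event(4000, 200, "api",   "SetClipboardData"),
    Event(5000, 1,   "poll",  43),
]

if __name__ == "__main__":
    for finding in audit(TRACE):
        print(finding)
```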
In the related art, it is known to isolate untrusted content by limiting the resources of the computer device which are accessible by the untrusted content. A difficulty arises in that many of the current mechanisms for content isolation are relatively insecure, in that they still allow malicious content to reach important resources of the computer device. Also, many known implementations of content isolation are relatively resource intensive, such as by needing a relatively large amount of memory, disc space or computer processing power.
As a further difficulty, content isolation often requires a relatively skilled and knowledgeable user of the computer device. Therefore, it is quite difficult for an ordinary user to implement content isolation in a way which is safe, effective and reliable, yet also simple and intuitive. In some cases, content may need to be adapted in advance for the purposes of isolation, by being specifically prepared in a manner capable of being isolated, which increases costs and makes content isolation less likely to be implemented in practice.
The example embodiments have been provided with a view to addressing at least some of the difficulties that are encountered in current computer devices and computer networks, whether those difficulties have been specifically mentioned above or will otherwise be appreciated from the discussion herein.