The present invention relates to computer system security and virtual machine emulators.
Anti-virus systems and methods typically protect a computer system from viruses, also referred to herein as malevolent applications or malevolent code, by examining the computer's memory and file system for signs of virus infestation. This examination process is called scanning. Anti-virus programmers use two main scanning strategies, on-demand and on-access scanning. Using on-demand scanning, end-users activate a virus-scanning program each time they want to examine the computer for viruses. Using on-access virus scanning, the virus scanner continually examines the computer's memory and file system and automatically activates each time one of these resources is accessed by an application.
While on-access and on-demand scanners may have some similarities, including some of the same programming code, the on-access scanner is typically tasked with more than just examining files and therefore often shoulders the responsibility for most of the active anti-virus protection provided to the computer system and end-user. On-access scanners are typically responsible for halting the execution of viruses, Trojan horses, and other malevolent applications.
In many cases, in order to scan a given computer system's memory and file system, a suspect, or unknown, application, also referred to herein as simply an application, must be allowed to execute so it has the opportunity to decrypt, and open, its code, including any malevolent code, i.e., virus code. Once the suspect application decrypts its code, the code can be checked for known virus code. However, ideally, anti-virus systems and methods should examine a suspect application's behavior, i.e., execute the application, before the suspect application is passed onto the native computer system and then halt any application containing virus code before the application executes in the native computer system. Consequently, the issue becomes how to execute a suspect application, and prompt/convince the suspect application to decrypt its code, so that code can be examined, without executing the suspect application on the native computer system. A method commonly used by prior art anti-virus systems and methods to resolve this issue was to simulate running all, or part, of a suspect application's code in a virtual machine emulator before allowing the application access to the native computer system.
A virtual machine emulator is typically interposed between any suspect applications and the operating system of the native computer system. The virtual machine emulator then provides an environment, typically implemented in software, which tricks suspect applications into decrypting their code by simulating running conditions on the native computer system, typically by appearing to provide all the hardware services that a real computer would provide. The anti-virus system employing the virtual machine emulator then examines the suspect applications (typically all unknown applications are considered suspect applications), checks for known virus code, and observes how the application would interact with processors, files, memory areas and network functions if the suspect application were allowed access to the native computer system.
Since a virtual machine emulator works as an interposed process, effectively performing a gating function to the native computer system, there are several critical design issues associated with virtual machine emulators. First and foremost, the virtual machine emulator must perform its task in a reasonable amount of time so that there is only minor degradation to the native computer system's performance. This is particularly important because experience has shown that if the scanning process significantly slows computer system performance, the end-user will simply disable the scanning function, typically forfeiting all protection, and thereby completely defeat the purpose of having the virtual machine emulator, or any anti-virus system, in the first place.
In addition, the virtual machine emulator must be complex enough to include sufficient aspects of the environment the virtual machine emulator is tasked to simulate so that the virtual machine emulator can be employed in different native computer system configurations, including various versions, variations and generations of components making up the native computer systems, such as processors, operating systems, patches, and memory size. In addition, the virtual machine emulator must be complex enough to perform well in the presence of anti-emulation and emulation detection techniques employed in some newer virus code. In short, the virtual machine emulator must work on multiple possible native computer system configurations and work even in the presence of protected viruses.
In the prior art, these two design issues for virtual machine emulators had to be constantly balanced by the prior art anti-virus system and/or method employing the virtual machine emulator and, at times, were almost mutually exclusive. That is to say, in the prior art, in order for a virtual machine emulator to work well, even in the presence of multiple possible native computer system component versions and anti-emulation and emulation detection protected viruses, the virtual machine emulator typically ran for far too long and significantly hindered the native computer system performance. On the other hand, in the prior art, if the virtual machine emulator were designed such that it did not significantly hinder the native computer system performance, all too often, the virtual machine could itself be tricked by a virus employing anti-emulation and/or emulation detection or the presence of virus code that was adapted to a specific variation or version of a computer system component. Consequently, in the prior art, there was a constant trade-off between system performance and effective emulation that resulted in less than ideal performance and protection.
As one example, in the prior art, when a prior art anti-virus system or method employing a virtual machine emulator encountered a situation where the computer system being emulated included one of multiple variations, or versions, of various computer system components, such as: different generations of processors; different generations of operating systems; different versions of patches and/or updates; or different memory sizes, i.e., an ambiguous state was encountered, the prior art anti-virus system or method employing the virtual machine emulator would typically emulate only one of the variations or versions. The result was that if the wrong variation or version were chosen, the behavior of the suspect application being executed, and thereby tested, could be misrepresented.
In particular, in one example, a prior art anti-virus system or method employing a virtual machine emulator might readily emulate a given generation of a processor, for example a Pentium® 1 processor, in a given emulation iteration. Consequently, when the virtual machine emulator encountered a suspect application that decrypted its code using an instruction, or code, that was associated with, and supported by, only a Pentium® 2, or newer, generation processor, the suspect application would not be decrypted so the virus would not be detected. The result was that the virus was potentially passed onto the native computer system. Likewise, if the prior art anti-virus system or method employing a virtual machine emulator were set up such that it could readily emulate a Pentium® 2, or newer, generation processor, and the suspect application decrypted itself using an instruction, or code, that was associated with, and supported by, only Pentium® 1 processors, then, once again, the suspect application would not be decrypted, the virus would not be detected, and the virus could be passed onto the native computer system.
To make matters worse, as discussed above, the creators of viruses, and other malevolent code, have begun to include anti-emulation code in the viruses that is specifically designed to trick virtual machine emulators by making the application appear to be directed to one version, or variation, of a computer system component, when, in fact, the virus code actually decrypts in another version or variation.
Using the Pentium® processor example above, some new virus code containing applications include anti-emulation code, such as a processor specific instruction or flag, that would lead a prior art anti-virus system or method employing a virtual machine emulator to believe that the application is associated with, i.e., decrypted by, a Pentium® 1 processor. Consequently, the prior art anti-virus system or method employing a virtual machine emulator would run a Pentium® 1 processor emulation. However, in some cases, the virus is actually decrypted only by Pentium® 4, or later, processors. Consequently, the prior art anti-virus system or method employing a virtual machine emulator would run the wrong emulation, the virus would not be decrypted, and the virus could be passed onto the native computer system.
One possible solution to this deficiency of prior art anti-virus systems or methods employing virtual machine emulators was to either provide multiple virtual machine emulators, or emulation models capable of emulating each of the multiple possible versions or variations of the various computer system components. However, using this “solution” entailed allowing each virtual machine emulator, or emulation iteration, to run to completion and then running another emulation, or virtual machine emulator, to completion, and so on, until every version or variation was emulated to completion.
Continuing with the Pentium® processor example introduced above, if a prior art anti-virus system or method employing a virtual machine emulator were to run a Pentium® emulation to completion, a separate emulation would have to be run, to completion, for at least each of the Pentium® processor generations, six to date, and arguably, an emulation might also be needed for all legacy x86 processors including the 8086, 286, 386 and 486 series.
Likewise, for operating systems, using a prior art anti-virus system or method employing a virtual machine emulator, a complete emulation would arguably be required for every version of Microsoft Windows®, or MacOS®, or Solaris®. Likewise, a complete emulation might be required for every patch version to the operating system or BIOS, or for various computer system memory capacities and configurations.
Unfortunately, in many cases, running a single emulation to completion requires tens or even hundreds of millions of iterations to execute. Consequently, even a single emulation, run to completion, takes a noticeable amount of time and has a negative effect on overall computer system performance. Therefore, the running of two or more emulations to completion results in unacceptable degradation of overall system performance, and can take in the range of multiple minutes or more to complete. In addition, if, as is often the case, there were more than one computer system component that had multiple possible versions, variations, or generations, such as, multiple processor generation possibilities and multiple operating system version possibilities, there is a potential explosion, and literally exponential expansion, of combinations and potential emulations that would need to be run to completion to adequately test, and protect, a given computer system using prior art anti-virus methods and systems that employed virtual machine emulators. Clearly this is an unacceptable drain on computer system performance and an unworkable situation. Consequently, in the prior art, significant gaps in protection were created, and allowed, as compromises were made to keep native computer system performance at reasonable levels.
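The processor-generation problem described above (a single emulation run under the wrong generation, a decoy instruction that steers the choice of generation, and the cost of running every generation to completion) as an added, constructed Python model. This is not code from the patent or from any anti-virus product: the toy instruction set, the SAMPLE program, the SIGNATURE bytes and the GENERATIONS list are all assumptions chosen to make the failure modes visible.

```python
"""Toy model of the prior-art emulation trade-off (constructed example, not the patent's code)."""
from typing import List, Optional, Tuple

SIGNATURE = b"VIRUS"          # constructed stand-in for "known virus code"
GENERATIONS = [1, 2, 3, 4]    # constructed set of processor generations the scanner can emulate

# Toy instruction set (constructed, deliberately not x86):
#   ("hint", g)          looks like a generation-g-specific flag; has no semantic effect
#   ("mov_cx", n)        load the single loop counter
#   ("dec_jnz", target)  decrement the counter, jump to target while it is non-zero
#   ("jge", g, target)   jump to target if the emulated generation is >= g
#   ("xor", key, g)      decrypt the payload; the instruction exists only on generation >= g
#   ("halt",)            stop


def emulate(program, payload: bytes, generation: int,
            max_steps: int = 100_000) -> Tuple[Optional[bytes], int, bool]:
    """Run `program` under an emulated CPU of `generation`.

    Returns (decrypted payload or None, instructions executed, faulted)."""
    pc, cx, steps = 0, 0, 0
    buf = bytearray(payload)
    decrypted = False
    while steps < max_steps:
        op = program[pc]
        steps += 1
        kind = op[0]
        if kind == "halt":
            break
        if kind == "hint":
            pc += 1
        elif kind == "mov_cx":
            cx = op[1]
            pc += 1
        elif kind == "dec_jnz":
            cx -= 1
            pc = op[1] if cx != 0 else pc + 1
        elif kind == "jge":
            pc = op[2] if generation >= op[1] else pc + 1
        elif kind == "xor":
            if generation < op[2]:
                return None, steps, True      # unsupported instruction: emulation aborts
            buf = bytearray(b ^ op[1] for b in buf)
            decrypted = True
            pc += 1
        else:
            raise ValueError(f"unknown opcode {kind!r}")
    return (bytes(buf) if decrypted else None), steps, False


# Constructed sample: a decoy generation-1 hint, a busy loop standing in for the
# millions of iterations a real emulation needs, and a decryptor that only
# generation 4 can execute.
SAMPLE = [
    ("hint", 1),          # 0: decoy flag that looks generation-1 specific
    ("mov_cx", 200),      # 1
    ("dec_jnz", 2),       # 2: busy loop, 200 iterations
    ("jge", 2, 5),        # 3: generation 2 or newer goes to the decryptor
    ("halt",),            # 4: generation 1 does nothing suspicious
    ("xor", 0x5A, 4),     # 5: decrypt with an instruction only generation >= 4 has
    ("halt",),            # 6
]
ENCRYPTED = bytes(b ^ 0x5A for b in SIGNATURE)


def prior_art_pick_generation(program) -> int:
    """Prior-art style heuristic: trust the first processor-specific hint in the code."""
    for op in program:
        if op[0] == "hint":
            return op[1]
    return GENERATIONS[0]


def scan_with_heuristic(program, payload: bytes) -> Tuple[bool, int]:
    """One emulation under the generation the heuristic picks. Returns (found, steps)."""
    out, steps, _ = emulate(program, payload, prior_art_pick_generation(program))
    return (out is not None and SIGNATURE in out), steps


def scan_all_to_completion(program, payload: bytes,
                           generations: List[int]) -> Tuple[List[int], int]:
    """Run every generation to completion. Returns (generations that found it, total steps)."""
    found, total = [], 0
    for g in generations:
        out, steps, _ = emulate(program, payload, g)
        total += steps
        if out is not None and SIGNATURE in out:
            found.append(g)
    return found, total


if __name__ == "__main__":
    print("heuristic (one run):", scan_with_heuristic(SAMPLE, ENCRYPTED))
    print("exhaustive (all runs):", scan_all_to_completion(SAMPLE, ENCRYPTED, GENERATIONS))
```

The heuristic run trusts the decoy hint, emulates generation 1 and sees nothing; generations 2 and 3 reach the decryptor but fault on the unsupported instruction; only generation 4 exposes the signature. Running all four generations to completion does find it, but costs roughly four times the instructions of a single run, and a second ambiguous component (for example several operating-system versions) would multiply that count again.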