1.1. Field of the Invention
The present invention relates to the field of computer technology, and in particular to a method, system and device for preventing computer programs and data of any kind stored in a computer system from being manipulated, and in particular for preventing hacker attacks and virus infections in computer systems.
1.2. Description and Disadvantages of Prior Art
Computer programs, referred to herein as computer applications, often include security-critical use cases, where failure may cause significant financial losses, pollution of the environment, or even endanger human lives. Frequently cited examples include computer systems controlling military equipment or nuclear power plants. However, emerging areas such as internet-based business, for example online banking, also depend essentially on the integrity of data stored in and exchanged between computer systems. Likewise, the operation of most of today's companies depends on the availability of computer systems and on the integrity of the data stored therein.
Disadvantageously, prior art computer systems are prone to many kinds of so-called hacker attacks. These attacks seek to modify computer programs, to modify data stored in a computer system, or to obtain copies of the programs or data. Two major kinds of such attacks are virus infections and manipulations of programs or data performed by a human attacker, i.e. a hacker.
A computer hacker tries to get access in some way to the computer system under attack. These attacks include stealing or guessing passwords, or the exploitation of some bugs within the computer system's security mechanism. A typical example of the latter hacking technique is to exploit buffer overflows which, under certain circumstances, may cause the computer system to execute a computer program provided by the hacker.
However, this process of getting unauthorized access to a computer system usually takes a lot of time and may simply depend on luck. Also, it is often the case that the hacker only achieves somewhat limited access rights during the first phase of the attack. After having entered a computer system for the first time, hackers therefore often try to modify the system software controlling the computer system in a way that provides easy access for the hacker in future, grants additional rights to the hacker, and hides the hacker's modifications and activities from discovery by the system administrator. Such a modification is commonly referred to as a “backdoor” for re-entering the system later.
For the Linux operating system, such techniques are discussed in certain magazines, and software packages that support the hacker are freely available from certain web sites.
The modifications described above usually require storing some additional files in the computer system under attack. Part of the hacker's activities is to prevent these files from being discovered.
FIGS. 1 and 2 show a typical example of how a hacker would modify a computer system running Linux as operating system in order to hide files he needs. The Linux command for getting a list of all files stored in the current directory is “ls”, usually with some options, say, “-alh”.
FIG. 1 illustrates how this command, after being entered by a user in a step 10, is executed by a Linux system. Once the operator has typed the command, the execution 12 of the ls program issues a so-called system call 13, the Linux term for a service provided by the Linux kernel. In this case the system call 14 named “getdents64” (an abbreviation for “get directory entries”) is invoked: the kernel locates it by its number in a data structure held in memory, the system call table 15 (named “sys_call_table” in the Linux kernel), executes it, and the system call returns a list 16 of all files found in the current directory to its caller, the ls program. The ls program then performs some formatting of the list in a step 17, as requested by the operator by means of the options “-alh”. Finally, the formatted list 18 of files appears on the display.
It is assumed now that the directory contains one of the files, say HACKER.TXT, that the hacker wants to hide. This is done by a modification to the Linux system, as shown in FIG. 2. Here, the original system call named “getdents64” is replaced by the hacker's version 21, named “hackers_getdents64”. In the case of Linux, replacing system calls is done by modifying an entry in the system call table 15.
The system call issued by the ls program now reaches “hackers_getdents64”. When executed in step 21, this program first calls the original system call 14, getdents64, in order to obtain the list 16 of files. The original system call returns this list to its caller, hackers_getdents64, which then searches the list for the names of files that the hacker wants to suppress, i.e. not to be displayed. In this example, hackers_getdents64 removes the name HACKER.TXT from the list and returns the list of the remaining files to the ls program, which then formats and finally displays the result, as described before with reference to FIG. 1. Since the replacement is made in the system call table rather than in the ls program itself, every program that lists directories by means of getdents64 is deceived in the same way, while the hidden file can still be opened under its name by the hacker.
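The mechanism of FIGS. 1 and 2 can be made concrete in user space. The following C program is an added illustration written for this page, not code from the patent or from any real rootkit: it simulates the system call table as an array of function pointers, provides an original getdents64 that serialises a constructed directory (containing HACKER.TXT) into the buffer layout the real Linux system call uses, and installs a hackers_getdents64 that calls the original and then compacts the buffer to drop the hidden name. The helper list_dir plays the role of the ls program, and table_modified is the simplest possible check against the manipulation: comparing the live table entry with a copy saved before any attack. The syscall number, the directory contents and all function names are assumptions of this example; on a current Linux kernel sys_call_table is neither exported nor writable, which is exactly why a real attacker needs kernel-level access before performing step 21.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record layout getdents64 writes into the caller's buffer (Linux ABI). */
struct linux_dirent64 {
    uint64_t d_ino;
    int64_t  d_off;
    uint16_t d_reclen;
    uint8_t  d_type;
    char     d_name[];
};

typedef long (*getdents64_fn)(unsigned int fd, void *buf, unsigned int count);

#define NR_GETDENTS64 217                 /* x86-64 number; here only an index */
#define NR_SYSCALLS   512
static getdents64_fn sys_call_table[NR_SYSCALLS];  /* simulated kernel table */
static getdents64_fn baseline_getdents64;          /* copy saved at "boot" for the check */

/* Constructed directory contents standing in for the file system (example data). */
static const char *fake_dir[] = { ".", "..", "notes.txt", "HACKER.TXT", "a.out" };

static unsigned int align8(unsigned int n) { return (n + 7u) & ~7u; }

/* Simulated original sys_getdents64: serialises fake_dir into buf. */
static long orig_getdents64(unsigned int fd, void *buf, unsigned int count) {
    char *p = buf;
    unsigned int used = 0;
    (void)fd;
    for (size_t i = 0; i < sizeof fake_dir / sizeof fake_dir[0]; i++) {
        unsigned int reclen = align8(offsetof(struct linux_dirent64, d_name) + strlen(fake_dir[i]) + 1);
        struct linux_dirent64 *d;
        if (used + reclen > count) break;
        d = (struct linux_dirent64 *)(p + used);
        d->d_ino = 1000 + (uint64_t)i;
        d->d_off = (int64_t)(used + reclen);
        d->d_reclen = (uint16_t)reclen;
        d->d_type = 8;                    /* DT_REG */
        strcpy(d->d_name, fake_dir[i]);
        used += reclen;
    }
    return (long)used;
}

/* The hacker's replacement (step 21): call the real service, then remove every
 * record whose d_name matches the name to hide, compacting the buffer in place. */
static const char *hidden_name = "HACKER.TXT";
static getdents64_fn real_getdents64;     /* original entry saved by install_hook */

static long hackers_getdents64(unsigned int fd, void *buf, unsigned int count) {
    long nread = real_getdents64(fd, buf, count);
    char *p = buf;
    long pos = 0;
    while (pos < nread) {
        struct linux_dirent64 *d = (struct linux_dirent64 *)(p + pos);
        unsigned int reclen = d->d_reclen;
        if (strcmp(d->d_name, hidden_name) == 0) {
            memmove(p + pos, p + pos + reclen, (size_t)(nread - pos - reclen));
            nread -= reclen;              /* stay at pos: a new record moved here */
        } else {
            pos += reclen;
        }
    }
    return nread;
}

void init_table(void) {                   /* what the kernel does at boot */
    sys_call_table[NR_GETDENTS64] = orig_getdents64;
    baseline_getdents64 = orig_getdents64;
}

void install_hook(void) {                 /* the manipulation shown in FIG. 2 */
    real_getdents64 = sys_call_table[NR_GETDENTS64];
    sys_call_table[NR_GETDENTS64] = hackers_getdents64;
}

/* What ls does: issue the system call and walk the returned records.
 * Returns the number of names; names[] points into a static buffer. */
int list_dir(const char *names[], int max) {
    static uint64_t buf[512];             /* 4 KiB, 8-byte aligned */
    long nread = sys_call_table[NR_GETDENTS64](3, buf, sizeof buf);
    int n = 0;
    for (long pos = 0; pos < nread && n < max; ) {
        struct linux_dirent64 *d = (struct linux_dirent64 *)((char *)buf + pos);
        names[n++] = d->d_name;
        pos += d->d_reclen;
    }
    return n;
}

int visible_count(void) { const char *names[16]; return list_dir(names, 16); }

int name_is_listed(const char *name) {
    const char *names[16];
    int n = list_dir(names, 16), i;
    for (i = 0; i < n; i++) if (strcmp(names[i], name) == 0) return 1;
    return 0;
}

/* Integrity check: the live table entry must equal the boot-time copy. */
int table_modified(void) { return sys_call_table[NR_GETDENTS64] != baseline_getdents64; }

int main(void) {
    const char *names[16];
    int n, i;
    init_table();
    n = list_dir(names, 16);
    printf("before hook (%d entries):", n);
    for (i = 0; i < n; i++) printf(" %s", names[i]);
    install_hook();
    n = list_dir(names, 16);
    printf("\nafter hook  (%d entries):", n);
    for (i = 0; i < n; i++) printf(" %s", names[i]);
    printf("\ntable modified: %d\n", table_modified());
    return 0;
}
```

The pointer comparison in table_modified is the same principle as the hash and duplicate-storage checks discussed further below: a trusted reference copy taken before the attack is compared with the live state. It detects the replaced entry but, like those methods, does nothing to prevent the replacement, and a hook that patches the code of getdents64 in place rather than the table entry would pass this particular check.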
Virus infection also involves modifications to programs stored in a computer system. A major difference from hacker attacks is that the operation of a virus occurs automatically. Also, computer viruses and similar programs are able to spread automatically via networks. They infect computer systems by manipulating some executable code in such a way that the code sequence belonging to the virus is executed.
Viruses and hacker attacks have in common that the contents of some storage get changed.
The state of the art for preventing virus infection is to apply so-called virus scanning programs. These search for a certain byte pattern that is believed to identify a virus. Virus scanners can check both non-volatile storage, such as hard discs, and volatile storage, such as the computer system's RAM.
Unfortunately, the degree of protection achieved this way is limited. Virus scanners can detect virus infections but, in general, do not prevent them. Signature updates are needed for every new virus, which costs money and time. Virus scanners can only detect known viruses which have already been analyzed by some experts, i.e. protection is limited in that even a computer system equipped with the latest virus scanning software is still prone to attacks by newly developed viruses. This is in particular true for “high-tech” viruses that are programmed to fool detection programs, in particular self-modifying, polymorphic viruses and encrypted viruses.
Other disadvantages related to the usage of virus scanners are that they may report false positives when a byte sequence attributed to a virus occurs as part of a non-infected file. Also, removing a virus from a computer system is tricky and error-prone because the removal tool must manipulate binary executables.
Yet another way to prevent virus infection is the so-called “trusted computing” approach. Here, services provided by additional hardware calculate a hash value for all files or memory areas that need to be protected. These values are stored by the additional hardware. At some later time, the hash value can be calculated again and compared with the value stored in the additional hardware. If the file or the memory location being protected yields a different hash value during the later scan, it must have been modified.
One disadvantage of this method is that calculating a hash value is a many-to-one mapping, i.e. in principle many different files yield the same hash value. For a cryptographic hash function an accidental collision is negligibly unlikely, but if a weak hash function is used, or if the developer of the virus gains sufficient knowledge of how the hash value is calculated to construct a colliding file, a virus infection or hacker attack may go undetected. Another disadvantage is that a virus infection may be detected but the method does not prevent the infection. A further disadvantage is the need for additional hardware, which increases cost.
Yet another way to detect virus infection is duplicate storage. Using this approach, any file that needs to be protected is actually stored twice, once in the normal way and a second time on a storage device which is write-protected during normal operation of the computer system. Upon initialization, the file is written to both destinations. The two copies of the file may be compared whenever a check for virus infections needs to be performed. Any difference between the two copies indicates a modification of the working copy. Removing the virus is simple: the infected copy is replaced by the protected copy. A disadvantage of this method is the additional effort for duplicate file storage. Also, the comparison may be time-consuming. The method cannot prevent a virus infection.
One variant of the duplicate storage approach is to save the contents to be protected in a write-protected partition of the hard disk. This is, however, not secure, as the write protection can be disabled by anyone having administrator privileges.
Known techniques to prevent hacker attacks include using a firewall to protect computer systems from attacks via the network. However, this approach does not prevent attacks from people behind the firewall, i.e. the computer system of a certain organization might be attacked by employees of that organization. Also, the firewall is itself a computer system and may not work as intended.