Computer systems today are subject to a variety of attacks that can disrupt or disable expected operation of a computer system and cause the system to behave in damaging or undesirable ways. Computer viruses, worms, and trojan horse programs are examples of different forms of attack. Attacks can also come from unscrupulous users of a computer system or remote hackers. Often these attacks take the form of attempts to modify existing program code executed by the computer system or attempts to inject new unauthorized program code at various stages of normal program execution within the computer system. Systems and methods for preventing such malicious attacks are becoming increasingly important.
Generally speaking, such attacks are implemented by causing the computer to execute foreign code. “Foreign” code, in this case, refers to code that is not intended or expected to execute in the process space of a particular program. It is typically written by a hacker to get into the process space of a program to accomplish some end, such as to delete, corrupt, or manipulate code or data for some other purpose, like unlawfully making unauthorized copies of music.
Preventing such attacks by foreign code assists in assuring the behavioral integrity of a computer system (or, at least, a particular program). One way to maintain integrity is to perform module authentication, in which the security of one or more software modules is protected against tampering. This provides a level of protection against malicious changes to the software such as code patching, redirection, and software breakpoints.
One form of module authentication is to ensure that content contained in the software module is unchanged (or, at least, that the portions of the module that are not expected to change, such as the code portions, actually remain unchanged). This may be done via static module authentication. Static module authentication is the process of verifying the persistently stored image of the module, which in some cases can be thought of as the “on-disk” module. For example, one mechanism to check the module on-disk may be accomplished by hashing the file and comparing the resulting hash value with a pre-computed hash value of the file that has been signed by a trusted signatory.
The process of hashing, is a well-known cryptographic technique for identifying data with a relatively unique, but substantially smaller representation than the original data. A good hashing algorithm, like SHA-1, will produce significantly different hash values even for minute changes in the source data, or binary file in this case. Thus, when the expected attack is modification of the stored code, hashing is very effective at allowing the modification to be detected.
There is, however, a fundamental limitation on checking the integrity and security of code and data. Simply put, all the code and data cannot be checked all the time. From a performance point of view, users may not want a computer system to dedicate an inordinate amount of its resources to constantly search for code or data tampering. For example, a big software program like Microsoft Suite is dozens of megabytes in size and would take substantial resources to repeatedly check the entire program for evidence of code or data tampering.
One way to address this performance issue is to check for foreign code by selecting some number of random pages in memory and then scan them. These pages can be scanned at some set intervals of time or occurrence of events. By checking a limited amount of code and data randomly, more resources are freed up for the user to use while at the same time providing reasonable checks against breach of computer system integrity by foreign code.
However, an improved way to check for attacks on a computer system is to carefully select what portions of the program to audit for possible tampering. For instance, if code is not referred to, then it cannot be executed, which means that it does not pose a risk to computer system integrity. Thus, it would be advantageous to provide for smart techniques to detect foreign code, where code that is about to be executed, or that has a significant possibility of being executed, is examined and verified. Specifically, it would be advantageous to determine the presence of foreign code by examining the thread stacks in a process space that may refer to any foreign code. Additionally, it would be advantageous to check the code the instruction pointer is pointing to, the page fault history, and any pointers and their associated functions that might execute, such as pointers and functions throughout the dynamic link libraries (DDLs), pointers and functions of event handlers, etc.