IE20080383A1 - Method for preventing malicious software from execution within a computer system - Google Patents

Method for preventing malicious software from execution within a computer system

Info

Publication number
IE20080383A1
IE20080383A1 IE20080383A IE20080383A IE20080383A1 IE 20080383 A1 IE20080383 A1 IE 20080383A1 IE 20080383 A IE20080383 A IE 20080383A IE 20080383 A IE20080383 A IE 20080383A IE 20080383 A1 IE20080383 A1 IE 20080383A1
Authority
IE
Ireland
Prior art keywords
computer system
application program
cross
code
execution
Prior art date
Application number
IE20080383A
Other versions
IE85287B1 (en
Inventor
Peter Dirk Hortensius
Rod D Waltermann
David Carroll Challener
Mark C Davis
Original Assignee
Lenovo Singapore Pte Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US11/353,893 external-priority patent/US8694797B2/en
Priority claimed from US11/353,896 external-priority patent/US8041958B2/en
Application filed by Lenovo Singapore Pte Ltd filed Critical Lenovo Singapore Pte Ltd
Publication of IE20080383A1 publication Critical patent/IE20080383A1/en
Publication of IE85287B1 publication Critical patent/IE85287B1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561Virus type analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Devices For Executing Special Programs (AREA)
  • Storage Device Security (AREA)
  • Retry When Errors Occur (AREA)

Abstract

A method for preventing malicious software from execution within a computer system is disclosed. Before any actual execution of an application program on a computer system, the application program is cross-compiled to yield a set of cross-compiled code of the application program. The set of cross-compiled code of the application program can then be executed in an execution module that is capable of recognizing and translating the set of cross-compiled code of the application program to the actual machine code of the processor.

Description

METHOD FOR PREVENTING MALICIOUS SOFTWARE FROM EXECUTION WITHIN A COMPUTER SYSTEM Iwrra (zox> aotf κ/oo The present invention relates to avoiding malicious software in general, and, in particular, to a method for preventing malicious software from execution within a computer system.
Malicious software, such as computer viruses, can enter a computer system in many ways. For example, they can enter a computer system via a disk that is to be inserted into the computer system or they can enter the computer system via an email that is to be opened by a user of the computer system. Malicious software can cause problems to the computer system if they are executed within the computer system. For example, computer security may be compromised or files within the computer system may be destroyed.
Certain types of malicious software can easily be detected using simple detection techniques, such as scanning for a search string. However, this type of detection process can also easily be subverted by converting malicious code via compression or encryption, thus bypassing scanning filters. Another approach to detecting malicious software is to run a program while attempting to intercept malicious actions during program execution. This technique, which is known as behavior blocking, has a number of disadvantages. Despite of the attempt to intercept malicious actions, the program may nevertheless cause harm to the computer system. Furthermore, the behavior blocking mechanism typically cannot view an entire log of actions in making a blocking determination. Hence, the behavior blocking mechanism may make sub-optimal blocking JS® 8 Ο 3 8 3 decisions, which means harmless programs may be blocked while harmful programs may be allowed to execute.
Yet another approach to detecting malicious software is to emulate suspect code within an insulated environment of a computer system so that the computer system is protected from malicious actions of the suspect code. One drawback of emulation is that while it may protect parts of the computer system from virus attacks, it is not itself protected. Additionally, data can be infected, which leads to a break in the isolation environment.
Consequently, it would be desirable to provide an improved method for preventing malicious software from execution within a computer system.
In accordance with a first embodiment of the present invention, a permutation is performed on a subset of instructions within an application program to yield a permuted sequence of instructions before any actual execution of the application program on a computer system. A permutation sequence number of the permuted sequence of instructions is stored in a permuted instruction pointer table. The permuted sequence of instructions is executed in an execution module that is capable of translating the permuted sequence of instructions to an actual machine code of a processor within the computer system according to the permutation sequence number of the permuted sequence of instructions stored in the permuted instruction pointer table.
In accordance with a second embodiment of the present invention, before any actual execution of an application ΙΕΟ 80 3 @3 program on a computer system, the application program needs to be cross-compiled to yield a set of cross-compiled code of the application program. The set of cross-compiled code of the application program can then be executed in an execution module that is capable of recognizing and translating the set of cross-compiled code of the application program to the actual machine code of the processor.
All features and advantages of the present invention will become apparent in the following detailed written description.
The invention itself, as well as a preferred mode of use, further objects, and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein: Figure 1 is a conceptual view of a method for preventing malicious software from execution within a computer system, in accordance with a preferred embodiment of the present invention; Figure 2 is a block diagram of a computing environment in which a preferred embodiment of the present invention is incorporated; and Figures 3a-3e depict a sequence in which instructions is being permuted, in accordance with a preferred embodiment of the present invention. ΙΕο 80 3 83 Typically, there are several levels of instruction sets within a computer system. The first (lowest) level is the machine level instructions, and the second level is the operating system application binary interface instructions. At the second level, the operating system has abstracted some of the machine level instructions to make them easier to be understood.. The third level is the macro level instructions, at which an application has further abstracted control of the computer system to allow for ease of programming.
Since many techniques have been dedicated to the protection of the second and third levels of instructions, the present invention is solely directed to the protection of the first level of instruction, especially when this is the level that is used by many computer viruses.
Generally speaking, it is improbable, if not impossible, to write a machine level program that can be executed within a computer system without knowing the machine level instruction set of a processor within the computer system. In addition, an installation of software on a computer system requires the software to first understand the instruction set of the computer system on which it is being installed. Thus, in accordance with a preferred embodiment of the present invention, an application program is initially transformed to a set of cross-compiled code of the application program, and the set of cross-compiled code of the application program is then executed within an execution module that is capable of recognizing the set of cross-compiled code of the application program.
IIλ »0 3 8 3 Referring now to the drawings and in particular to Figure 1, there is depicted is a conceptual view of a method for preventing malicious software from execution within a computer system, in accordance with a preferred embodiment of the present invention. As shown, a computer system 10 includes a transformation module 11 and an execution module 12. Any application program that is to be executed within computer system 10 needs to undergo an installation process. During the installation process, a user of computer system 10 can decide whether or not an application program should be installed within computer system 10. If the user decide the application program should be installed within computer system 10, the application program is then sent to transformation module 11 in which the application program will be transformed to a set of cross-compiled code of the application program. The set of crosscompiled code of the application program can subsequently be executed within execution module 12 that is capable of recognizing and translating the set of cross-compiled code of the application program to the actual machine code of the processor.
Without going through the installation process, an application program will not be able to be executed by execution module 12. For example, as shown in an illicit path 15, even if a virus program has sneaked under the detection of a user and was placed within computer system 10 without the user’s knowledge, the virus program still cannot be executed by execution module 12 because the virus program has not undergone the installation process. As such, computer system 10 Λ * is safe from the potential harm that could have been brought on by the virus program.
In practice, transformation module 11 and execution module 12 should be isolated from each other. In fact, execution module 12 should be prevented from accepting code from any source other than transformation module 11.
With reference now to Figure 2, there is depicted a block diagram of a computing environment in which a preferred embodiment of the present invention is incorporated. As shown, a computer system 20 includes a hardware structure 21, a virtual machine manager (VMM) or hypervisor 22 and virtual machines 23a-23b. Virtual machines 23a and 23b are preferably located in separate partitions such that any execution within virtual machine 23a is isolated from virtual machine 23b, or vice versa. VMM 22 controls all communications between virtual machines 23a and 23b. In addition, VMM 22 can directly communicate with hardware structure 21. Hardware structure 21 includes such known structures as processors, registers, memory management units, memory devices, input/output devices, etc.
An operating system and multiple application programs can be executed concurrently within each of virtual machines 23a-23b. For example, an operating system 24 and an application program 25 are executed within virtual machine 23a, while an operating system 26 and an application program 27 are executed within virtual machine 23b.
JSeeO 3β3 Although it is not required, operating system 24 can be 26. For example, open source Linux system 25 can be virtual machine 23a manufactured by the different from operating system operating system 24 can be an operating system, while operating Windows® operating system manufactured by the Microsoft Corporation. Similarly, the underlying processor emulated by virtual machine 23a can also be different from the underlying processor emulated by virtual machine 23b. For example, the underlying processor emulated by can be a Pentium® processor Intel Corporation, while the underlying processor emulated by virtual machine 23b can be a PowerPC* processor manufactured by the International Business Machines Corporation.
Each of virtual machines 23a-23b, which includes its operating system and associated application programs, operates at a user-level. When VMM 22 uses direct execution, VMM 22 is set to a so-called user-mode (i.e., with reduced privileges) so that none of virtual machines 23a-23b can directly access the various privileged registers that control the operation of hardware structure 21. Rather, all privileged instructions will be trapped into VMM 22.
In Figure 2, virtual machine 23a is shown to include a cross compiler 28 for performing initial crosscompilations of application programs. In addition, virtual machine 23b is shown to include an execution module 29 for executing the cross-compiled code of the application programs. The cross-compilations are preferably performed via a permutation algorithm, and the results are stored in a permuted instruction pointer fl 3 8 3 table 30. Permuted instruction pointer table 30 includes multiple entries of permutation sequences. Each of the permutation sequences is associated with a set of crosscompiled code of an application program. All the permutation sequences within permuted instruction pointer table 30 are likely to be different from each other, although they are not required to be different from each other. In Figure 2, permuted instruction pointer table 30 is shown to be placed within VMM 22; however, permuted instruction pointer table 30 can also be placed within virtual machine 23a provided that it can also be accessed by virtual machine 23b.
An exemplary method for performing permutations is as follows. First, a subset of instructions n is selected from a group of instructions for the purpose of permutation. Not all instruction permutations would be equally useful. For example, permutations of identity instructions would be of no use at all. So certain machine instructions (such as a JUMP instruction) should be identified as critical instructions in order to ensure all critical instructions will get permuted.
There are several ways to generate permutations. One method is to utilize a hash or encryption based function such that each instruction in a data segment has a different mapping, i.e., Η(Αχ), H(A2),..., H(Ai), where H is the hash based function, and A is an instruction. The problem with using a hash or encryption based function is that, from a general compilation standpoint, same instructions may have different hashed results. For example, instruction A5 and instruction A9 may be the same instruction, but H(A5) does not necessarily equal to Η (Α9) . β·βθ383 Another method is to utilize a different mapping function P (A), where P is the permutation, and A is an instruction, which generates: Pi (A), P2(A), ..., Pn(A) . This method yields a more predictable cross-compilation result, since Pi (J), where J is the given instruction, should be the same no matter where it appears in code segments.
A permutation sequence dictates the way the subset of instructions n is to be permuted or transformed. Each permutation sequence can be viewed as an entry having multiple slots, and each slot is to be filled with an instruction number. In order to generate an rth permutation sequence, a random number between 0 and n!-l is initially chosen. For example, if the subset of instructions n needed to be permuted is 5 (which means there are 5! = 120 permutation sequences), a random number 101 can be chosen between 0 and 5!—1 as the 101th permutation sequence.
The slot position Pos of the first instruction number is indicated by the dividend of the chosen random number r divided by (n-1)!, as follows: The remainder of the division replaces the chosen random number r for the determination of the slot position Pos of the subsequent instruction number until all the slots are filled with instruction numbers. For each determination, n in the denominator (n-1) ! is decremented by one. 1Εθ 80 383 Thus, for the chosen random number 101, the slot position of the first instruction number is 101/(5-1)! = 4, as shown in Figure 3a. The remainder of 101/(5-1)! is 5, and the slot position of the second instruction number is 5/(4—1) ! - 0, as shown in Figure 3b. The remainder of 5/(4-1) ! is 5, and the slot position of the third instruction number is 5/(3-1)! = 2, as shown in Figure 3c. The remainder of 5/(3-1)· is 1, and the slot position of the fourth instruction number is 1/ (2-1)! = 1, as shown in Figure 3d. The fifth instruction number goes to the remaining open slot position, as depicted in Figure 3e.
The permutation sequence 25431 (from Figure 3e) is then entered into permuted instruction pointer table 30 (from Figure 2) as an entry for the 101th permutation sequence. An application program can be permuted according to the 101th permutation sequence into a set of cross-compiled code via cross compiler 28 (from Figure 2) . During execution, the set of cross-compiled code can be executed via execution module 29 (from Figure 2) according to the 101th permutation sequence stored in permuted instruction pointer table 30.
For example, if the five instructions chosen to be permuted are ADD, SUBTRACT, JUMP, BRANCH and STORE, then each of these instructions is assigned an instruction number accordingly, i.e., instruction number 1 = ADD, instruction number 2 = SUBTRACT, instruction number 3 = JUMP, instruction number 4 = BRANCH and instruction number 5 = STORE. When the 101th permutation sequence is utilized for performing cross-compilation of an application program within cross compiler 28 of Figure 2, each occurrence of the above-mentioned five instructions within the application program will be transformed according to the permutation sequence ''25431. In other words, each ADD instruction within the application program will be transformed into a SUBTRACT instruction, each SUBTRACT instruction within the application program will be transformed into a STORE instruction, each JUMP instruction within the application program will be transformed into a BRANCH instruction, each BRANCH instruction within the application program will be transformed into a JUMP instruction, and each STORE instruction within the application program will be transformed into an ADD instruction. A reversal of the above-mentioned transformation is performed within execution module 29 of Figure 2 during the execution of the cross-compiled code of the application program.
The permutation can be performed in either a static or a dynamic manner. If the permutation is performed in a static manner, then a group of computer systems can be set to use the same permutation sequence. Such practice would be easier for an information technology manager because cross compilation of each application program would be required to be performed only once during installation.
If the permutation is performed in a dynamic manner, there are several choices. A set of permutation sequences can be changed periodically. Cross compilation for those permutations can be performed once, and then each time a computer system boots, it can run a different set of cross compiled programs, based on the permutation sequence actually in use. Further, the permutation sequence can randomly change each time the computer system boots. In such a case, cross compilation would have to be done on the fly by a cross compiler running on the computer system.
In addition, the permutation sequence can also be changed for each application program, and it can be accomplished by different methods. The simplest implementation is to have the VMM use the signature hash of an application as a key for a streaming encryption algorithm, thereby generating a unique instruction set for that application program. Any altered application program (such as being altered in a main memory due to a virus that causes a buffer overflow) will start generating a different instruction set.
Alternatively, the VMM can generate a random number each time an application program is being loaded, and the code segments of the application program are run through an streaming encryption, or hash (since it does not need to be reversible) engine to change the cross compilation. This method provides an additional level of security in that the Pn(A) function becomes P(A) a constant function and remains unpredictable.
As has been described, the present invention provides a method for preventing malicious software from execution within a computer system. If the VMM keeps a permutation associated with the hash of each permuted application that is to be run, then even a sampling attack (where a sample permuted application is somehow obtained by an attacker, and the permutation determined, applied to a virus, and then sent to perform an 383 infection) fails.
It is also important to note that although the present invention has been described in the context of a fully functional computer system, those skilled in the art will appreciate that the mechanisms of the present invention are capable of being distributed as a program product in a variety of forms, and that the present invention applies equally regardless of the particular type of signal bearing media utilized to actually carry out the distribution. Examples of signal bearing media include, without limitation, recordable type media such as floppy disks or compact discs and transmission type media such as analog or digital communications links.
While the invention has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention.

Claims (21)

1. A method for preventing malicious software from execution within a computer system, said method comprising: cross-compiling an application program to yield a set of cross-compiled code of said application program before any actual execution of said application program on said computer system; and executing said set of cross-compiled code of said application program in an execution module that is capable of recognizing and translating said set of crosscompiled code of said application program to an actual machine code of a processor within said computer system.
2. The method of Claim 1, wherein said application program can be executed in a computer system without being cross-compiled.
3. The method of Claim 1, wherein said method further includes providing a first virtual machine to perform said crosscompiling; and providing a second virtual machine to perform said executing.
4. The method of Claim 3, wherein said method further includes providing a virtual memory manager within said computer system for controlling said first and second virtual machines.
5. The method of Claim 3, wherein said method further includes placing said first and second virtual machines Ho »0 J S3 in separate partitions.
6. The method of Claim 3, wherein said method further includes providing different operating systems in said first and second virtual machines.
7. A computer usable medium having a computer program product for preventing malicious software from execution within a computer system, said computer usable medium comprising: program code means for cross-compiling an application program to yield a set of cross-compiled code of said application program before any actual execution of said application program on said computer system; and program code means for executing said set of crosscompiled code of said application program in an execution module that is capable of recognizing and translating said set of cross-compiled code of said application program to an actual machine code of a processor within said computer system.
8. The computer usable medium of Claim 7, wherein said application program can be executed in a computer system without being cross-compiled.
9. The computer usable medium of Claim 7, wherein said computer usable medium further includes program code means for providing a first virtual machine to contain said program code means for crosscompiling; and program code means for providing a second virtual machine to contain said program code means for executing. <80385
10. The computer usable medium of Claim 9, wherein said computer usable medium further includes program code means for providing a virtual memory manager within said computer system for controlling said first and second virtual machines.
11. The computer usable medium of Claim 9, wherein said computer usable medium further includes program code means for placing said first and second virtual machines in separate partitions.
12. The computer usable medium of Claim 9, wherein said computer usable medium further includes program code means for providing different operating systems in said first and second virtual machines.
13. A computer system capable of preventing malicious software from being executed, said computer system comprising: means for cross-compiling an application program to yield a set of cross-compiled code of said application program before any actual execution of said application program on said computer system; and means for executing said set of cross-compiled code of said application program in an execution module that is capable of recognising and translating said set of cross-compiled code of said application program to an actual machine code of a processor within said computer system.
14. The computer system of Claim 13, wherein said application program can be executed in a computer system without being cross-compiled.
15. The computer system of Claim 13, wherein said computer system further includes a first virtual machine to contain said means for cross-compiling; and a second virtual machine to contain said means for executing.
16. The computer system of Claim 15, wherein said computer system further includes a virtual memory manager for controlling said first and second virtual machines.
17. The computer system of Claim 15, wherein said first and second virtual machines are located in separate partitions.
18. The computer system of Claim 15, wherein an operating system within said first virtual machine is different an operating system within said second virtual machine.
19. A method for preventing malicious software from execution within a computer system, as claimed in claim 1 and substantially as described herein with reference to the accompanying drawings.
20. A computer usable medium having a computer program product for preventing malicious software from execution within a computer system, as claimed in claim 7 and substantially as described herein with reference to the accompanying drawings.
21. A computer system adapted to prevent malicious software from being executed, as claimed in claim 13 and substantially as described herein with reference to the accompanying drawings.
IE2008/0383A 2007-02-13 Method for preventing malicious software from execution within a computer system IE85287B1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
USUNITEDSTATESOFAMERICA14/02/20061
US11/353,893 US8694797B2 (en) 2006-02-14 2006-02-14 Method for preventing malicious software from execution within a computer system
US11/353,896 US8041958B2 (en) 2006-02-14 2006-02-14 Method for preventing malicious software from execution within a computer system

Publications (2)

Publication Number Publication Date
IE20080383A1 true IE20080383A1 (en) 2008-08-20
IE85287B1 IE85287B1 (en) 2009-07-22

Family

ID=

Also Published As

Publication number Publication date
GB0702890D0 (en) 2007-03-28
GB2436442B (en) 2008-04-16
JP2007220091A (en) 2007-08-30
SG135173A1 (en) 2007-09-28
FR2897452B1 (en) 2016-12-09
IE20070090A1 (en) 2007-09-19
DE102007005887A1 (en) 2007-08-30
FR2897452A1 (en) 2007-08-17
DE102007005887B4 (en) 2019-06-13
JP4575350B2 (en) 2010-11-04
GB2436442A (en) 2007-09-26

Similar Documents

Publication Publication Date Title
US8041958B2 (en) Method for preventing malicious software from execution within a computer system
US8694797B2 (en) Method for preventing malicious software from execution within a computer system
JP6142027B2 (en) System and method for performing protection against kernel rootkits in a hypervisor environment
US7603704B2 (en) Secure execution of a computer program using a code cache
US10311227B2 (en) Obfuscation of an address space layout randomization mapping in a data processing system
US7594111B2 (en) Secure execution of a computer program
US7845009B2 (en) Method and apparatus to detect kernel mode rootkit events through virtualization traps
RU2679175C1 (en) Method of behavioral detection of malicious programs using a virtual interpreter machine
US10311228B2 (en) Using a fine-grained address space layout randomization to mitigate potential security exploits
US7251735B2 (en) Buffer overflow protection and prevention
Li et al. Zipper stack: Shadow stacks without shadow
US20200342100A1 (en) System and method for runtime detection, analysis and signature determination of obfuscated malicious code
Xiao et al. Kernel data attack is a realistic security threat
Toffalini et al. SnakeGX: a sneaky attack against SGX Enclaves
Yamiun et al. Detecting windows based exploit chains by means of event correlation and process monitoring
Sato et al. Design and implementation of hiding method for file manipulation of essential services by system call proxy using virtual machine monitor
GB2436442A (en) Preventing malicious software from execution within a computer system
Kumar et al. Protection against buffer overflow attacks through runtime memory layout randomization
Kuzuno et al. KDPM: Kernel Data Protection Mechanism Using a Memory Protection Key
Harini et al. A study on the prevention mechanisms for kernel attacks
GB2443764A (en) Preventing malicious software from execution within a computer system
Hossain et al. Software security with hardware in mind
Kisore et al. FFRR: a software diversity technique for defending against buffer overflow attacks
US11361070B1 (en) Protecting devices from remote code execution attacks
IE85016B1 (en) Method for preventing malicious software from execution within a computer system

Legal Events

Date Code Title Description
MM4A Patent lapsed