RU2460133C1 - System and method of protecting computer applications - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: system and method enable to intercept program requests to secure application projects, analysis thereof for malicious nature and in case of danger, block the request, virtualise application objects and the host system and, depending on the request analysis results, provide a link to the object or virtual copy thereof.

EFFECT: preventing unauthorised access to secure application objects.

16 cl, 10 dwg

Description

Technical field

The present invention relates to systems and methods for protecting information and, more specifically, to systems and methods for virtualizing applications to ensure the security of information processed by this application.

State of the art

The accelerated growth of malware and attacks on information resources leads to the fact that information security specialists are not able to process all new files for their subsequent detection, even using automated tools.

When working with confidential information, security becomes even more relevant. The effectiveness of a threat detection tool varies depending on the novelty and complexity of the malicious code and is not absolute. There is a need for a new frontier of protection, which should protect critical objects of the system or application from unauthorized access. A similar tool can be a “sandbox” - a tool for executing application instructions in a virtual environment with specified rules. Program execution may be limited, which excludes access to critical memory areas and processes. The main purpose of using such tools is to protect the system from unverified program code, including malware.

The likelihood that a computer system is infected and contains a virus (hereinafter, the virus refers to any type of malware) always exists. This case indicates a new direction in the development of security tools when it is necessary to perform actions with confidential or secret information in a safe mode on an infected computer system, i.e. limit processes, memory, files and other objects of the protected application from other programs, while maintaining the functionality of this application. A similar solution is disclosed in this invention.

There are technologies defining the prior art. The systems and methods of application virtualization described in applications US 20100024936 and US20100192224, and in more detail web browsers, are aimed at protecting the host system from threats coming from the Internet, but do not allow safe operation of the application when the host system is already infected with malware . In the application US 20090300307 a more detailed description of the virtualization method on the fly by introducing a virtualization level between the operating system and the memory module, which controls the read / write commands in the memory area. This technology does not allow you to filter requests by types of operations other than read / write, analyze requests by anti-virus scanning algorithms and dynamically change the rules for filtering requests.

This invention eliminates the described disadvantages of the prior art and improves the level of security of applications and its objects.

SUMMARY OF THE INVENTION

The present invention is intended to protect applications from other processes running on a computer. The technical result of the present invention is the prevention of unauthorized access to the objects of the protected application. The invention described below allows you to intercept software requests to the objects of the protected application, analyze them for malicious character and, in case of danger, block the request, virtualize the application and host system objects and, depending on the results of the request analysis, provide a link to the object or its virtual copy. The security system for computer applications consists of: (a) a security driver that is designed to intercept software requests; (b) a safe runtime processor that is designed to isolate program requests to the objects of the protected application from the host system processes, process selected requests in accordance with the established restrictions, and send a response to the intercepted request, including the requested object, error, or virtual object, depending on the installed restrictions; (c) a secure execution environment designed to create virtual copies of objects to which intercepted requests are addressed.

The computer application security system can also be configured to process requests from applications to the host system.

An embodiment of the invention involves intercepting requests including a process open operation, or a thread open operation, or a process memory read operation, or a direct memory access operation, or a file system access operation, or a registry access operation, or an access operation to OS kernel objects , or operation to obtain privileges, the name of the object as an operand.

In one embodiment, the application protection system comprises a threat detection means for determining the malicious nature of the intercepted request and blocking the request if the malicious nature of the intercepted request is established.

In another embodiment, the secure runtime monitors changes to virtual objects and allows you to apply changes by transferring virtual objects to the host system or discard changes by deleting edited virtual objects.

In one example of an application security system, host system objects or application objects are registry entries, file system directories, the kernel of the operating system, and user services.

Brief description of the attached drawings

The accompanying drawings, which are included to provide an additional understanding of the invention and form part of this description, show embodiments of the invention and together with the description serve to explain the principles of the invention.

The claimed invention is illustrated by the following drawings, in which:

Figure 1 shows an example architecture of a computer system with an installed operating system and applications running in it.

Figure 2 shows an example architecture of a computer system with an installed operating system, applications running in it, and an application security system.

Figure 3 shows an example of virtualization of the COM subsystem.

Figure 4 shows one embodiment of an interception scheme and processing application requests.

Figure 5 shows the composition of virtual objects in a secure runtime.

6 shows a method of forwarding requests by changing port names.

7 shows a functional diagram of an application security system.

FIG. 8 shows a flowchart of an application security method.

9 shows a diagram of an application security system.

10 shows an example of a general purpose computer system.

Description of Preferred Embodiments

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, it can be embodied in various forms. The essence described in the description is nothing more than specific details to assist the specialist in the field of technology in a comprehensive understanding of the invention, and the present invention is defined only in the scope of the attached claims.

The computer program protection system is a device designed for safe operation of the application in a software environment that is prone to threats of virus infection and unauthorized access.

The computer program protection system protects files, application processes from other applications and services due to application virtualization and due to a set of rules by which the application interacts with the computer system.

In the absence of a security system in the computer, the program executed in user mode remains vulnerable, for example, to Trojan malware that intercepts I / O information, data from program files that may contain confidential information and sends it to an attacker.

Figure 1 shows an example architecture of a computer system with an installed operating system and applications 100 running in it, which together constitute a host system. Hardware management 120, including the processor, memory, is carried out programmatically. Processors and operating systems support several levels of privileges for executing programs. In particular, the Windows operating system (OS) supports two modes of program execution: kernel mode 110 and user mode 115. Applications run in user mode. This increases the degree of security of the entire system from critical errors and protects system services 130, drivers 140, and other processes necessary for the computer to function correctly. The user’s system also runs services 150, for example, security services, such as anti-virus, which monitor the operation of applications and the state of the system as a whole.

Figure 2 shows an example implementation of an application security system in a host system. The host system in this application should be understood as the main operating system, the applications running in it, and the files processed by it. A security driver 230 is built into the operating system, which intercepts all program requests to and from the application 100, and also forwards them to the secure execution environment 220, which operates in user mode. Safe Execution Environment (BSI) 220 processes the request in a virtual system, after which a response to the request is sent without affecting the host system. Host system is understood as an operating system, applications and their objects working in a given operating system. The objects of the host system and, in particular, the objects of the application are directories and files, processes, registry keys, libraries, memory, etc.

BSI 220 is an operating system service 150 operating at the user level. An example of virtualization of the COM subsystem is shown in Figure 3. The COM model provides the ability to create reusable components. Such components are executable files or dynamic libraries that are created with the ability to call them from any program that supports the COM model. An example of such a program is Internet Explorer or another browser. Through COM, it is possible to access and manage a running copy of the application. When accessing the COM 300 service, the request is redirected to a virtual copy of COM 301 created by the secure runtime. Due to this, access to the COM objects of the operating system and individual applications is not carried out directly. The virtual COM service is no different from the original service. Upon request from the application, it starts the COM server 310, which returns the required object to the application 100. The virtual service accordingly creates a virtual server 311 and returns a virtual object.

Figure 4 shows the general operation scheme of a secure runtime environment to protect the host system from infection. At runtime, application 100 intercepts the following requests:

- opening a process / thread;

- reading process memory;

- direct access to memory / disk;

- access to the file system, registry and kernel objects of the OS 400;

- request for privileges.

The application sends an OS 400 request, where the OS handler 405 should process it. The above requests are intercepted and do not fall into the handler 405. The interception is carried out by the protection driver 230, after which the request is redirected to the secure execution environment 220, where the necessary system objects are virtualized. The request goes to the processor 410 safe runtime environment, where the process is executed.

The progress of the program depends on the level of detail of the host virtualization. To work effectively without errors, you must create a virtual copy of the file system, registry and some OS services. Figure 5 shows the composition of virtual objects included in the secure runtime environment 220. It includes virtualization of user services 500 and COM subsystem 505, virtualization of kernel objects 510 (port, pipe, event, mutex, section, smaphore), registry virtualization 520, and file system 530 virtualization. Virtualization occurs without the installation process, system reboot, because does not require changes in the kernel of the OS.

Virtualization implies that the changes that the application makes in the system are not really made in the system. The original information in the host system (file or registry key) does not change. Virtualization of a process refers to virtualization of its access to OS objects (including files and registry). Virtualizing an object involves creating a virtual copy of it if necessary (access to the real object can also be provided). Creating a copy is performed by the decision of the processor of the safe execution environment. The real object is returned, as a rule, with read-only access. Virtual files are stored in a special directory, and registry keys in a special registry branch. Other OS objects are stored in RAM.

Security driver 230 also intercepts local procedure calls (LPCs). This allows the application security system to isolate applications by spoofing port names. An example of such an interception is shown in Fig.6. The application sends a request to create an object to the OLE32.dll 600 object injection library (on Windows). This library calls the function of establishing a connection to the NtConnectPort port ("\\ RPC_Control \ epmapper"), where "\\ RPC_Control \ epmapper" is the port name. The request is intercepted and replaced by the port name. After changing the port name, the request does not arrive at the RPCSS 610 remote procedure call service (on Windows), but at the Virtual RPCSS 615 remote procedure call service. The 615 virtual service returns the epmapper interface to the application for further interaction with the virtual system.

Previous examples have been considered in relation to the interaction of the application with the OS. Such examples reveal the possibility of protecting the OS from malicious exposure on the part of applications. However, virtualizing all applications on a computer is an extremely resource-intensive task and it is not practical to solve the problem of safe work with confidential information. There is a limited set of applications on the computer that store, transmit and receive information containing personal data that the user would like to hide. Such information includes personal correspondence, personal data, secret codes, passwords, credit card numbers and other data. Application virtualization and their interaction with other applications and operating systems according to certain rules is a necessary layer of protection in the face of a constant increase in information security risk. The described invention allows you to limit the application from potentially malicious software without loss of functionality, does not require an additional installation process and reboots.

The application protection system, as a means of application virtualization, primarily organizes the protection of the host system from infection through vulnerabilities and errors in the running application according to the following principles:

- restriction of access to protected objects - objects containing confidential user data;

- protection of the host system from changes: creating and providing a copy of the object to an application running in a safe runtime environment when trying to modify the object in the host system;

- protection of critical processes and services running on the host system from access by an application running in a safe runtime to prevent malicious processes from leaking to the host system.

In this case, the application protection system is a filter of requests from an application running in a safe runtime to the objects of the host system.

On the other hand, due to additional restrictions and integration with the threat detection tool, the application protection system allows you to get a new technical result, which consists in filtering requests received by the application running in a safe execution environment from processes running in the host system.

The implementation of a new approach to application security is additionally characterized by the following positive factors:

- protection against malware penetration during the operation of the application on the Internet in the host system;

- cleaning of temporary files, visit logs and other data storing the history of the application;

- protection of user data processed by the protected application from unauthorized access of processes from the host system;

- safe launch of programs from the protected application, which will be automatically launched in a safe execution environment.

Figure 7 shows the operation of the sandbox to protect the application from a malicious program that was not detected by anti-virus means of protecting the host system. As an example, the browser application 700 is selected as the most common. Similarly, protection is provided for banking applications, means of quick messaging, web agents and other programs. The algorithm for stealing confidential information processed by the program may include reading the process memory and transmitting information to the network 711 with a malicious program 710 installed in the host system. When a certain program accesses the browser, for example, to read the memory of one of the processes, this request is intercepted by the security driver 230. Safe execution environment 220 redirects the request and the name of the calling program to the verification tool 210, which should determine the nature of the request and establish a verdict - allow the request, block the request or redirect the request to the virtual system. The verification tool is an expert system of rules 720 that takes into account the request (action), the request object, request statistics, attributes, and behavior of the program accessing the application. A simple example of such rules is the exclusion of access depending on the object marked in angle brackets in the example:

If {access to <OS kernel object>}, then {access block}

Depending on the verdict, the request is either sent to the OS handler without modification, or it is blocked, or the request is sent to a virtual system created in a secure execution environment. Accesses to processes, data and application memory are filtered in accordance with the rules, which enhances the protection of access to sensitive data 730 of the application.

The application security algorithm in the form of a block diagram is shown in Fig. 8. Request 800 is intercepted to or from the application (application memory, its processes, application files). The request is checked for compliance with safety rules 810 and the decision is made as a result of the verification 815 - the request is blocked 825 if it does not meet the security conditions, the request is allowed 820 (sent to the OS handler) if it does not pose a threat, the request is virtualized if the request does not meet the first two conditions . The secure runtime creates a virtual system 830, the composition of which is shown in FIG. 5. In a virtual system, the request is processed by virtual processor 835 and replaces memory, processes, files, and other objects with virtual copies that are returned to the calling program. The actions performed with the virtual system are stored 840 and then, if desired, 845 can be applied to the host system. In the case of applying the changes, the objects of the virtual system are transferred 850 to the host. This completes the operation cycle 855 until the next request, after which the cycle repeats.

The final diagram of the application security system is presented in Fig.9. The protection driver 230 intercepts program requests, which are the input parameters of the system. The intercepted requests arrive in a secure runtime, in which the protected applications are virtualized and the request is processed by the secure runtime processor 900. Examples of intercepted requests are described above. If the request is directed to a critical object with limited access, a virtualized object is created that is returned to the program from which the request was received. As shown in Fig. 9, the objects of virtualization are the file system 530, the kernel of the operating system 510, the registry 520, and user services 500. In addition to the restrictions imposed by the safe runtime environment on the objects of the protected application, the system also has a threat detection tool 210. It is necessary for determining the suspicious activity of programs accessing the protected application, and analyzing the activity of the protected application, in case it does not take actions that could harm the host system. Detection takes place according to updated rules that make up the hazard rating of a process. Upon receipt of the request, the secure runtime sends it to the threat detection tool, which returns a verdict on whether the request is safe or could constitute a threat to the application and the data being processed. A more detailed description of the operation of the aforementioned threat detection tool is contained in patent number US7530106 "System and method for security rating of computer processes". If the request is addressed from a safe process and does not fall under the restrictions of a safe runtime environment, then it is returned to the processor of the operating system without changes. Another case is the need to block the request when the process that made the request may be malicious. Another situation arises when a request falls within the limits of a safe execution environment, for example, reading process memory. In order to protect application data and preserve functionality, the request is sent to the secure execution environment handler, which interacts with virtual objects.

10 is an example of a general purpose computer system, a personal computer or server 20 comprising a central processor 21, a system memory 22, and a system bus 23 that contains various system components, including memory associated with the central processor 21. The system bus 23 is implemented like any bus structure known in the art, which in turn contains a bus memory or a bus memory controller, a peripheral bus and a local bus that is capable of interacting with any other bus architecture. The system memory contains read-only memory (ROM) 24, random access memory (RAM) 25. The main input / output system (BIOS) 26 contains the basic procedures that ensure the transfer of information between the elements of the personal computer 20, for example, at the time of loading the operating system using ROM 24.

The personal computer 20 in turn contains a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29, and an optical drive 30 for reading and writing to removable optical disks 31, such as a CD-ROM, DVD -ROM and other optical information carriers. The hard disk 27, the magnetic disk drive 28, the optical drive 30 are connected to the system bus 23 through the interface of the hard disk 32, the magnetic disk drive interface 33 and the optical drive interface 34, respectively. Drives and associated computer storage media are non-volatile means of storing computer instructions, data structures, software modules and other data of a personal computer 20.

The present description discloses an implementation of a system that uses a hard disk 27, a removable magnetic disk 29, and a removable optical disk 31, but it should be understood that other types of computer storage media 56 that can store data in a form readable by a computer (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.) that are connected to the system bus 23 through the controller 55.

Computer 20 has a file system 36 where the recorded operating system 35 and additional software applications 37, other program modules 38, and program data 39 are stored. The user is able to enter commands and information into the personal computer 20 via input devices (keyboard 40, mouse) 42). Other input devices (not displayed) can be used: microphone, joystick, game console, scanner, etc. Such input devices are, as usual, connected to the computer system 20 via a serial port 46, which in turn is connected to the system bus, but can be connected in another way, for example, using a parallel port, a game port, or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48. In addition to the monitor 47, the personal computer can be equipped with other peripheral output devices (not displayed), for example, speakers, a printer, etc. .

The personal computer 20 is capable of operating in a networked environment, using a network connection with another or more remote computers 49. The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the creature personal computer 20 shown in Fig.10. Other devices, such as routers, network stations, peer-to-peer devices, or other network nodes may also be present on the computer network.

Network connections can form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks, internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, the personal computer 20 is connected to the local area network 50 via a network adapter or network interface 51. When using the networks, the personal computer 20 may use a modem 54 or other means of providing communication with a global computer network such as the Internet. The modem 54, which is an internal or external device, is connected to the system bus 23 via the serial port 46. It should be clarified that the network connections are only exemplary and are not required to display the exact network configuration, i.e. in reality, there are other ways to establish a technical connection between one computer and another.

In conclusion, it should be noted that the information provided in the description are only examples that do not limit the scope of the present invention described by the claims. One skilled in the art will recognize that there may be other embodiments of the present invention consistent with the spirit and scope of the present invention.

Claims (16)

1. A system for protecting computer applications, consisting of:
(a) a protection driver loaded into memory and executed on the processor of the host system, which is designed to intercept software requests at the kernel level of the host system and is associated with the processor of the safe execution environment;
(b) a processor for a secure execution environment loaded into memory and executed on the processor of the host system, which is intended for:
- allocation of program requests to the objects of the protected application from the processes of the host system and processing of selected requests in accordance with the established restrictions imposed on the object, or on the operation, or on the operation with the object;
- sending a response to an intercepted request, including:
- the requested object, if the request for this object is allowed in accordance with the mentioned restrictions, or
- an error if the request to this object is blocked in accordance with the mentioned restrictions, or
- a virtual object in the event that the request to this object is not blocked and is not allowed in accordance with the mentioned restrictions, while the said processor of the safe execution environment is associated with a safe execution environment;
(c) a secure execution environment loaded into memory executable on the processor of the host system and designed to create virtual copies of objects to which intercepted requests are addressed. 2. The system according to claim 1, which further comprises a threat detection tool loaded into memory executed on the processor and designed to determine the malicious nature of the intercepted request and block the request if the malicious nature of the intercepted request is established. 3. The system of claim 1, wherein the safe runtime processor is also designed to process program requests from the application to the host system objects in accordance with the established restrictions. 4. The system according to claim 1, in which the safe runtime is also designed to save changes to virtual objects. 5. The system according to claim 4, in which the safe runtime is also intended for transferring saved changes of virtual objects to objects of the host system. 6. The system according to claim 4, in which the safe runtime is also designed to delete saved changes to virtual objects. 7. The system according to claim 1, in which the objects of the host system or objects of the application are at least a registry entry, file system directories, the kernel of the operating system and user services. 8. The system of claim 1, wherein the intercepted request includes a process open operation, or a thread open operation, or a process memory read operation, or a direct memory access operation, or a file system access operation, or a registry access operation, or an operation access to the objects of the OS kernel, or the operation to obtain privileges and the name of the object as an operand. 9. A method of protecting applications in which:
(a) intercept program requests at the kernel level of the host system;
(b) the allocation of program requests to the objects of the protected application from the processes of the host system;
(c) process the intercepted request in accordance with the established restrictions imposed on the object, or on the operation, or on the operation with the object;
(d) create a virtual copy of the object to which the intercepted request is addressed;
(e) send a response to the intercepted request, including:
- the requested object if the request to this object is permitted in accordance with the above restrictions, or
- an error if the request to this object is blocked in accordance with the mentioned restrictions, or
- a virtual copy of the requested object in the event that the request to this object is not blocked and is not allowed in accordance with the mentioned restrictions. 10. The method according to claim 9, in which additionally determine the malicious nature of the intercepted request and block the request if the malicious nature of the intercepted request is established. 11. The method according to claim 9, in which additionally intercept program requests from the application to the objects of the host system. 12. The method according to claim 9, in which additionally save changes to virtual objects. 13. The method according to item 12, in which the stored changes of the virtual objects are further transferred to the objects of the host system. 14. The method of claim 12, further comprising deleting the stored changes to the virtual objects. 15. The method according to claim 9, in which the objects of the host system or objects of the application are at least a registry entry, file system directories, the kernel of the operating system and user services. 16. The method according to claim 9, in which the intercepted request includes a process opening operation, or a thread opening operation, or a process memory reading operation, or a direct memory access operation, or a file system access operation, or a registry access operation, or an operation access to the objects of the OS kernel, or the operation to obtain privileges and the name of the object as an operand.

Images