UA76687U - System for controlling operational system load - Google Patents

Abstract

A system for controlling operational system load relates to computer security systems, in particular to systems for checking operational system for harmful, potentially dangerous and undesirable components, and is intended for solving problem of effective and prompt detection and removal of foreign components in the operational system.

Description

The useful model belongs to the security systems of computer systems and more specifically to the systems of checking the operating system (OS) for the presence of harmful, potentially dangerous and unwanted components and is intended to solve the problem of effective and prompt detection and elimination of the presence of third-party components in the OS.

In today's world, computer technology is becoming more and more common. It is becoming more accessible, functional, mobile, and users are becoming more experienced in working with computer equipment. Such a high level of development can also carry a number of threats associated, for example, with a weak level of security of digital data and OS.

Data security on personal computers, mobile equipment, and industrial computers is an urgent problem. A large number of new malicious programs appear every day, which can cause computer failures, loss and theft of personal data. Many malware are modified to make them more difficult to detect and neutralize.

Currently, there are many different programs (antiviruses, antirootkits, etc.) (hereinafter called Detectors) that are installed in the OS and play the role of a defender. All known detectors that are installed in

The OS and acting as a defender must be installed in an OS that may already have third-party components installed. These components can be rootkits (from the English Vooikia), which know how to "hide" their presence in the OS. A rootkit is a set of utilities or a special kernel module that includes various functions to "sweep the traces" of an intrusion into the system. The rootkit attaches itself to the operating system and hides the traces of its stay, hiding files, processes and the presence of the rootkit itself in the system. Thus, he can hide not only from the user, but also from the Detector. There is also the possibility that, having gained more privileged rights, the rootkit can somehow damage the Detector itself, thereby ruining its performance.

There are also cases when third-party components are installed in the OS that are not dangerous from the point of view of the Detectors, or as a result of the actions of the user himself, a third-party component was accidentally installed, and the Detector was told that the installed program is legal.

At the same time, the volumes of hard drives are increasing every year, and it can take a lot of time, hours, or even tens of hours, to fully check the OS.

Thus, a solution is needed that would be devoid of the drawbacks of Detectors and would allow y

From any moment of time, check the OS for the presence of third-party components. Such a solution is not a substitute for Detectors, but only eliminates their shortcomings listed above, using other solutions for this, and allows you to determine how damaged the computer system is in order to conclude whether it is necessary to "treat" the computer system or restore it from a previous backup copies (if any) or reinstall the OS on the computer system.

From the state of the art, there is a known method of protecting computers from the action of virus programs (patent of Ukraine Mo 22370, IPC СОбЕ 11/00, publ. 25.04.2007, bulletin Mo 5), which includes the control and detection of non-system applications, in which additionally includes operations for choosing a strategy and setting the monitoring mode, scanning the device's disks and displaying the scan results with their further analysis. The disadvantage of this method is the use of a specially developed application that functions and scans device disks for the presence of virus programs only in the Zutbriap O5 7.0 OS environment.

A known hardware antivirus (Russian Patent No. 92217, МПК СО6М 99/00, publ. 10.03.2010), which prevents the spread of malicious software (software) components, is located between a personal computer and an information storage device, which contains at least two interfaces , one of which is connected to the system bus of the computer, and the other is connected to the data carrier, which is also a transparent filter that ensures data transfer between interfaces, the filtering of the mentioned data is carried out by the central processor of the antivirus, which uses a non-volatile memory device, when Therefore, the main job of an antivirus is to filter the data that comes from the information carrier, and if the component detected by them is malicious software, then the data is blocked, otherwise the data is transferred to the interface that is connected to the system bus. The disadvantage of this antivirus is that it only prevents the spread of malicious software components in computer systems, and does not check the operating system for the presence of harmful and unwanted components.

A well-known system for detecting and treating rootkits (Russian Patent No. 77472, IPC SObE 21/22, publ. 10.20.2008), which includes a tool for creating the first image for selected files of the operating system and the registry, while this tool is designed with the ability to create the first image after the boot drivers are loaded, but before all other drivers are loaded; a means for permanently storing the first image obtained by said means for creating the first image; a tool for creating a second image for selected files of the operating system and the registry, which is created after loading all remaining drivers; means for comparing the first image obtained from said permanent storage means and the second image obtained from the means for creating the second image; a means for issuing a message to the user about the infection of the computer with a rootkit based on the comparison results obtained from the mentioned comparison means, while the means for issuing a message is made with the possibility of issuing this message in case of inequality of the first and second images. This useful model is used only to detect rootkits, and not from all malicious programs that are already loaded into the operating system of the computer system, that is, its use does not allow you to control the actual loading of boot drivers, to detect harmful, potentially dangerous and unwanted components in the OS .

The closest technical solution to the proposed useful model was not found in public access.

The useful model is based on the task of creating an operating system boot control system that performs full software control over the launch of all OS components, including those that are not components of the operating system, and detects harmful, potentially dangerous, and unwanted components in the OS.

The task is solved by proposing a system for monitoring the loading of the operating system, which includes: - a verification tool designed to find out the state of the components of the computer system, which participate before the start of the OS loading and which subsequently transfer control to the start of the OS loading; - a control tool designed to control the launch of system components when loading the OS, while the control is carried out on the basis of lists of system components and their digital signatures and a list of trusted components and their hashes of ZNA 1; - the control tool is connected to the control tool and is intended for the analysis of the received data during the OS loading process and the formation of lists of trusted components, and which is configured to create dumps of lists of files and their descriptors, dumps from the registry and to compare the received dumps, in addition, the tool the control is additionally designed to search for components in the file system both by the hash of the ZNA and by the pattern of the component name, and at the same time, the control tool is additionally designed for requests on the Internet about the component.

З The described useful model allows guaranteed control of the entire loading process

OS, starting with the earliest possible non-system component, checking it against a list of system components and their digital signatures. This is achieved by two-stage booting of the OS.

It should be noted that these stages are independent of each other, so they can be performed, or not performed, or repeated as many times as necessary to determine the state of the OS on the computer system.

In the description of the utility model, the following definitions are introduced: "Measure of verification" is Controller 1, "Measure of control" is Controller 2, "Measure of control" is Console.

The system works as follows.

The first stage. When the computer system is turned on, the download is performed from the downloaded image of minimum dimensions, which contains the Controller 1 (Verifier) module.

To do this, prepare a removable medium (for example, a CD-ROM, UMO or flash drive) on which the downloaded image is written, inside which the Controller 1 module is located, and indicate in the VIO5 settings that the download should be performed first of all from the removable medium, if it is connected during the download to the computer. So, when the computer system is turned on, the removable media is connected and the invitation "Рге55 апу Кеу 0 роой ійот" is displayed on the screen

Wed 0MO.". By pressing any button, we actually execute the "Download from removable media" option. After loading, this module compares the loaded MBA sector of the hard disk, sector

MBA/LRI of the file system, OS bootloader, digital signatures of the OS kernel, the priority of loading the Controller 2 module (Control Tool), the presence of the Controller 2 module and issues a summary report of the results.

This report can have positive results as well as negative results. For example, when a warning is issued that the main download MBA record (eng. tavieeg rooi gesoga,

MBA) of the hard disk is unknown, then before continuing to boot the OS, you need to eliminate this problem. To do this, there are utilities from the OS manufacturer and other producers that solve this problem. Or if the user has installed a custom bootloader himself, then this warning can be ignored.

In the event that Controller 1 detects during the check that the registration of the priority of loading Controller 2 is violated, then it itself corrects this deviation and registers this event in the report.

This stage unambiguously guarantees that when the computer system is turned on, from the moment of receiving control from VIO5 (this is the first program that the computer uses immediately after turning on, and which has the task of recognizing devices on the computer system (processor, memory disk, video, etc.), check their serviceability, initiate and transfer control to the OS bootloader (the OS bootloader, in turn, loads the OS kernel and modules (drivers) with the "rooi" loading type into memory and transfers control to the OS kernel. The OS kernel, in turn, begins to launch (initiate) previously loaded modules (drivers) with the "rooi" download type, and Controller 2 is always the first in this startup list) and no outsider will gain control until Controller 2 starts operating.

The operation of Controller 1 is completed by rebooting the computer system to further load the main OS, if there are no errors in the report, or if there are errors, then use the auxiliary utilities of other producers or the OS manufacturer, with which the errors are eliminated.

The second stage. When booting the computer system, the invitation "Rgezz apu Keu o rooi iot CO og OMO" will be displayed again, but this time you do not need to press any button, so after 5 seconds of waiting, the system will transfer control to boot from the hard disk.

At this stage, a list of possible OS boot options is displayed. If one OS is installed on the computer system, then such a list is not displayed, but if the E8 button is pressed during the initial interval after turning on the computer system, then this list will also be displayed. In our case, the list will be displayed in any case. Because, even if there was only one entry, the second such entry is created by the utility model installer when it is installed on the computer system. This entry is distinguished by the fact that it is named as the main OS in which the useful model is installed, but has a specific substring in its name that indicates that only when this OS boot option is selected, the second stage will be performed. This choice allows more flexible and safer analysis of the main OS.

There are actually two boot options for the main OS, this is the normal one where Controller 2 is inactive and does no work. The option when the Controller 2 is turned on and actively performs its work.

Such a choice makes it possible to: "use the second stage not constantly, but as needed, for example, when there are suspicions of abnormal OS behavior;

Zo "- to compare the operation of the OS without the operation of Controller 2 and with it, in the event that the OS is "treated", for example, when the OS is loaded, it needs the registry to have "standard" values in certain keys that are mandatory for further successful loading. In such cases, Controller 2, having detected deviations, "emulates" (artificially reproduces) the presence of the necessary information in such keys, while noting such cases in the log file. The user can enter the correct data in such a key and reboot the OS in normal mode and check the correctness of one's actions; "- remove the installed useful model from the computer system, if the need arises. Although this can be done when booting with Controller 2 turned on, but in this case, you need to use the option in the Console that would allow you to disable the operation

Controller 2 and then it is possible to remove a useful model from the computer system using the usual means of the OS;

In our case, by choosing the download option with a specific substring in the name, we actually activate the execution of the second stage of the useful model, that is, the activation is carried out

Controller 2. As mentioned earlier, the first stage ensures the priority of receiving control from the OS kernel by Controller 2. Therefore, Controller 2 is always loaded first in the list and, starting from this moment, checks all others against the list of OS components and their digital signatures, while rejecting everyone who is not included in this list or who is not in the trusted list.

Controller 2 records all the work performed in a log file, which indicates the component itself, its dimensions, access rights to it, its registration in the OS, if any. If the component belongs to the OS and has a broken digital signature, then it also falls into this list, but its launch is not rejected, since in this case the computer system may interrupt its downloads and "hang or fall into a blue screen". Subsequently, such a component must be replaced with the original one from the OS distribution.

After loading the OS, using the control tool (Console), you can view the Controller 2 log and manipulate these results. That is, add the rejected components to the trusted list, check them on the Internet for danger, if there is uncertainty about them, and if they are harmful, then first, using the hash value of 5FIND of this component, find all the same similar components (regardless of what they will have names, but they are all copies of the desired component) throughout the computer system and only then delete them or move them to the right place. All actions in the Console are performed quickly and intuitively.

For example, to add rejected components to the trusted list, it is enough to open the list of rejected components, select the components that we want to add to the trusted list and select the command to add components to the trusted list from the menu. Accordingly, if we move to

Console in the list of trusted components, then we can see these components. Now, if you reboot the OS, these components will be legitimate and will be loaded and executed accordingly.

Controller 2 also keeps an event log in the course of its work, in which it registers all important events from its point of view. Such as: - Change of MVAE/LRI/UVA; - Starting the process; - Launch process components; - Stopping the process; - Violation of digital signature components; - Attempt to modify the executable component; - An attempt to delete an executable component; - Attempt to execute a component from another component; - Run the component, which may be encrypted; - Starting a stream that is not created by default; - The presence, possibly, of extra entries in the Nozviv file; - Presence of differences in the registration parameters of standard services/OS data in the registry; - The presence in the registration register of a configurable application that is launched in the "Itade Rieu" key

Ehessiop Oriiopv"; - The absence of a system file that the system requests to start, but it is not physically present; - The presence of loading a system module, which is not actually a system module, but replaces a real system module, replacing some functionality of the system module, and other functionality forwards to a real system module , but the file has been renamed; - Availability of downloaded components to receive launch notifications

From the processes/loading of executable images and/or creation of streams and/or registry changes; - The presence of changing the default system value of the address / function

IotiSa|IOhimegVoshiiipe; - The presence of changing the default system value of the address / function

IotSotryieNednynevi.

All these events greatly simplify the understanding of what is happening in the computer system and, together with other information, make it possible to accurately outline the circle of "suspicious" components that require a careful study of their activity. The event table is displayed dynamically in

Console, and in it, in turn, you can perform various actions for faster analysis, that is, set filters on columns, sort by column, write to a file, etc.

The work of the second stage can be completed in two ways. The first is when the OS was checked, security actions were performed according to the information provided in the Console, and the OS was rebooted, for further entry into the OS base in normal mode when Controller 2 is not active.

The second is when we enter all the components used by the user on the computer system into the trusted list of the Console and continue to work in this mode. In this variant, it is extremely difficult to compromise OS components or components of trusted user programs. For example, through the Internet with the help of some previously unknown M-day vulnerability that was not closed by updates of OS components or trusted user components. Such a vulnerability will not be able to "take root" in the OS, to be present in the system during subsequent OS reboots, since the proposed OS boot control system in any case prohibits the creation/modification of executable components by anyone, even if the changes will be initiated by the system itself. Except if you include the component in the trusted list and indicate to it that it can perform "Change executable component" and/or "Remove executable component". Even if the system was compromised only through memory, without accessing the hard disk, it is enough to overload the OS and it will again be without "vulnerabilities".

The proposed OS boot control system allows you to quickly solve several important tasks:

- find and block unwanted objects in the computer system.

Unwanted computer system objects are any module that is not a system object or a substituted system object, but is not such in reality;

- quickly assess the damage caused to the computer system, to determine the scope of work, which is easier: treat the computer system or reinstall it or restore it from a backup copy.

Claims (1)

USEFUL MODEL FORMULA An operating system (OS) boot control system that includes: - a verification tool designed to find out the state of the components of the computer system, which participate before the start of the OS boot and which subsequently transfer control to the start of the OS boot; - a control tool designed to control the launch of system components when loading the OS, while the control is carried out on the basis of lists of system components and their digital signatures and a list of trusted components and their hashes of ZNA 1; - a control tool connected to the control tool and designed to analyze the data received in the process of loading the OS and forming lists of trusted components, and which is configured to create dumps of lists of files and their descriptors, dumps from the registry and to compare the received dumps, in addition, the tool the control is additionally designed to search for components in the file system both by the hash of the ZNA and by the pattern of the component name, and at the same time, the control tool is additionally designed for requests on the Internet about the component.