WO2014007786A1

WO2014007786A1 - System for monitoring an operating system startup

Info

Publication number: WO2014007786A1
Application number: PCT/UA2012/000075
Authority: WO
Inventors: Володымыр Евгэновыч ЦВИГУН
Original assignee: Tsvihun Volodymyr Yevhenovych
Priority date: 2012-07-04
Filing date: 2012-08-09
Publication date: 2014-01-09
Also published as: UA76687U

Abstract

The claimed invention relates to computer system security systems and is intended to provide effective, swift identification and removal of unauthorized OS components. The system for monitoring an operating system startup comprises: a checking means for identifying the state of computer system components participating prior to commencement of an OS startup and subsequently transferring control upon commencement of the OS startup; a monitoring means for monitoring booting for the execution of system components during the OS startup, wherein monitoring is carried out based on lists of system components and the digital signatures thereof and on a list of trusted components and the SHA1 hashes thereof; and a control means, connected to the monitoring means and intended for analyzing data received in the process of the OS startup, for forming lists of trusted components, and also configured to create dumps of file lists and file descriptors and dumps from a catalog and to compare resulting dumps, wherein the control means is also intended for searching for components in a file system according to an SHA1 hash and to a component name template, and, in addition, the control means is also intended to inquire over the Internet about a component.

Description

Operating system load control system

The proposed utility model relates to security systems of computer systems and, specifically, to systems for checking the operating system (OS) for the presence of malicious, potentially dangerous and undesirable components and is intended to solve the problem of efficient and prompt detection and elimination of facts of the presence of extraneous components in the OS. In the modern world, computer technology is becoming increasingly common. It is becoming more accessible, functional, mobile, and users are becoming more experienced in working with computer equipment. Such a high level of development can also create a number of threats associated, for example, with a weak level of security of digital data and the OS.

Data security on personal computers, mobile equipment, industrial computers is an urgent problem. Every day a large number of new malicious programs appear that can cause computer crashes, loss and theft of personal data. Many malicious programs are modified to make it more difficult to detect and neutralize. Now there are many different programs (antiviruses, anti-rootkit, etc.) (Further Detectors) that are installed in the OS

anti-rootkits and act as a defender. All known Detectors installed in the OS and playing the role of defender should be installed in the OS, which already possibly has installed third-party components. These components can be rootkits (from the English Rootkit), which can "hide" their presence in the OS. Under

rootkit means a set of utilities or a special kernel module, which includes a variety of functions to "trace" invasion of the system. The rootkit is fixed in the operating system and hides the traces of its presence, hiding files, processes and the presence of the rootkit in the system. Thus, he can hide not only from the user, but also from the Detector. There is also the possibility that, having received more privileged rights, the rootkit may somehow damage the Detector itself and thereby spoil its performance.

Also, there are cases when third-party components are installed in the OS that are not dangerous from the point of view of the Detectors, or as a result of user actions, a third-party component was accidentally installed, and the Detector was told that the installed program was legal.

At the same time, the volume of hard disks is increasing more and more every year, and it can take a lot of time to complete an OS check - hours, or even tens of hours. Thus, a solution is needed that would be devoid of the shortcomings of the Detectors and would allow at any time to check the OS for the presence of extraneous components. Such a solution is not a substitute for Detectors, but only eliminates their shortcomings listed above, using other solutions and allows you to determine how damaged the computer system is, to make a conclusion, you need to "treat" the computer system or restore it from a previous backup (if there is one) ) or install the OS on a computer system again.

The prior art method of protecting computers from the effects of virus programs (Ukrainian patent jNb 22370, MP G06F 11/00, publ. 04.25.2007, bull. Ν "5), which includes monitoring and identification of non-system applications, which additionally operations were introduced to select a strategy and establish a monitoring mode, scan the device’s disks and display the scan results with their subsequent analysis. The disadvantage of this method is the use of a specially designed application that functions and scans the device’s drives for virus programs only in the Symbian OS 7.0 environment.

A well-known hardware antivirus (RF Patent N ° 92217, IPC G06N 99/00, published March 10, 2010) that prevents the spread of malware components (software) located between a personal computer and an information storage device containing at least two interfaces, one of which are connected to the system bus of the computer, and the other is connected to the storage medium, while being a transparent filter that provides data transfer between interfaces, the mentioned data is filtered by the central antivirus processor, which uses a random access memory, while the main work of the antivirus is to filter incoming data from the storage medium, and if a malware component is detected in them, then data is blocked, otherwise the data is transmitted to an interface that is connected to the system bus. The disadvantage of this antivirus is that it only prevents the spread of malicious software components in computer systems, and does not check the operating system for malicious and unwanted components.

The well-known system for detecting and treating rootkits (RF Patent JN ° 77472, IPC G06F2 1/22, publ. 20. 10.2008), which contains: a tool for creating the first image for the selected files of the operating system and registry, while this tool is executed with the ability to create the first image after loading the boot drivers, but before loading all the other drivers; means for permanently storing the first image obtained by said means for creating the first image; means for creating a second image for the selected files of the operating system and registry, which is created after loading all the remaining drivers; means for comparing the first image obtained from said permanent storage means and the second image obtained from the means for creating the second image; means for issuing a message to a user about a rootkit infection of a computer according to the comparison results received from said means of comparison, while the means for issuing a message is configured to issue this message in case of inequality of the first and second images. This utility model is used only to detect rootkits, and not from all malicious programs that are already loaded into the operating system of a computer system, i.e. its use does not allow to control the loading of boot drivers, to identify harmful, potentially dangerous and undesirable components in the OS.

The closest technical solution to the proposed utility model in public domain is not found.

The utility model is based on the task of creating an operating system boot control system that provides full programmatic control of the launch of all OS components, including those that are not components of the operating system, and detects malicious, potentially dangerous, and undesirable components in the OS.

The problem is solved by the fact that the proposed system

control the loading of an operating system that contains:

- a verification tool designed to determine the status of computer system components involved prior to the start of OS loading and subsequently transferring control to the beginning of OS loading;

- a control tool designed to control the start-up of the execution of system components when loading the OS, while monitoring is based on lists of system components and their digital signatures and a list of trusted components and their SHA1 hashes; - a management tool associated with a control tool and designed to analyze the received data during the OS boot process and generate lists of trusted components, and also configured to dump file lists and their descriptors, dump dumps from the registry and to compare received dumps, in addition, a control tool it is additionally designed to search for components in the file system both by S.HA1 hash and by the component name template, and at the same time, the control tool is additionally designed for queries on the Internet t about the component.

The described utility model allows guaranteed control of the entire process of loading the OS, starting with the very first possible non-system component, comparing it with a list of system components and their digital signatures. This is achieved by two step loading of the OS. It should be noted that these steps are independent of each other, so they can be performed or not performed, or repeated as many times as necessary to determine the state of the OS on a computer system.

The following definitions are introduced in the description of the utility model: “Verification Tool” is Controller 1, “Means of Control” - Controller 2, “Management Tool” - Console.

The work of the proposed system, after installing it on the computer system of a personal computer, is implemented as follows.

First step. When you turn on the computer system, the download is performed from the boot image of the minimum size containing the module Controller 1 (Means of verification). To do this, prepare removable media (for example, a CD, DVD or flash drive) onto which the boot image is recorded, inside which the Controller 1 module is contained and indicate in the BIOS settings that the boot should be performed primarily from removable media if it is connected to the computer during boot. Thus, if when the computer system is turned on, removable media is connected and the prompt “Press any key to boot from CD or DVD” is displayed, then by pressing any button we actually execute the option “Download from removable media”. Once loaded, this module checks the boot sector of the MBR of the hard disk, the VBR / I.PL sectors of the file system, the boot loader of the OS, the digital signatures of the OS kernel, the initial boot of the Controller 2 module (Control Tool), the presence of the Controller 2 module and generates a final report of the results.

This report may have positive results or negative results. For example, when a warning is issued that the main boot record MBR (English master boot record, MBR) of the hard drive is unknown, then before continuing to boot the OS, you need to eliminate this problem. To do this, there are both utilities from the manufacturer of the OS, and other manufacturers with which this problem is solved. Or if the user himself installed a non-standard bootloader, then this warning can be ignored.

If, during verification, Controller 1 detects that the registration of the boot primacy of Controller 2 is violated, then it itself corrects these deviations and registers this event in the report. This step uniquely ensures that when you turn on the computer system from the moment you receive control from the BIOS (this is the first program that the computer uses immediately after switching on and has the task of recognizing devices on the computer system (processor, memory, disks, video, etc.) , check their health, initiate and transfer control to the OS loader (the OS loader, in turn, loads the OS kernel and modules (drivers) with the boot type into memory and transfers control to the OS kernel. The OS kernel, in turn, starts to work (initiate) previously loaded modules (drivers) with the boot type “boot”, and in this list to start the operation of Controller 2 is always the first and before the start of the operation of Controller 2 no outsider will get control.

The operation of Controller 1 ends with a reboot of the computer system for subsequent loading of the main OS, if there are no errors in the report, or if there are errors, then using auxiliary utilities of other manufacturers or the manufacturer of the OS, with which they eliminate errors.

Second phase. When the computer system boots up, the prompt “Press any key to boot from CD or DVD” appears again, but this time you do not need to press any button, so after 5 seconds. The system will transfer control to boot from the hard drive. At this point, a list of possible OS boot options appears. If one OS is installed on the computer system, then such a list is not displayed, but if you press the F8 button in the initial interval after turning on the computer system, this list will also be displayed. In our case, the list will be displayed in any case, because, even if there was only one entry, then the second such record will be created by the installer of the utility model - “OS Boot Control Systems” when installing it on a computer system. This entry is different in that it has a name as the main operating system in which the claimed system is installed, but it has a specific substring in its name indicating that only when this OS boot option is selected, the second stage will be performed. This choice allows you to more flexibly and safely analyze the main OS. In fact, for the main OS there are two boot options, this is the usual one, in which Controller 2 is inactive and does not perform any work. And the option is when Controller 2 is turned on and is actively doing its job.

This choice makes it possible:

• use the second stage not constantly, but if necessary, for example, when there are suspicions of the presence of unusual behavior of the OS;

• compare the operation of the OS without the operation of Controller 2 and with it, if the OS is “disinfected”, for example, when it is loaded

OS, it needs the registry to have “standard” values in certain keys that are required for further successful loading. In such cases, Controller 2, upon detecting deviations, “emulates” (artificially reproduces) the presence of the necessary information in such keys, while noting such cases in the log file. The user has the opportunity to enter the correct data into such a key and restart the OS in normal mode and verify the correctness of his actions;

• remove the installed utility model - “OS loading control system” from the computer system, if this occurs necessity. Although this can be done when booting with Controller 2 turned on, in this case you need to use the option in the Console that would disable the operation of Controller 2 and then you can remove the claimed system from the computer system using the usual OS tools.

In our case, choosing the boot option with a specific substring in the name, we actually activate the second stage of the utility model, i.e. the activation of Controller 2 is carried out. As mentioned earlier, the first stage provides the first step in obtaining control from the kernel of the OS by Controller 2. So, Controller 2 is always loaded first in the list and, starting from this moment, compares all the components that are loaded onto the list with the list of OS components and their digital signatures, while rejecting all who are not on this list or who are not on the trusted list.

Controller 2 registers all the work done in a log file, which indicates the component itself, its size, access rights to it, its registration in the OS, if any. If the component belongs to the OS and it has a digital signature, then it also falls into this list, but its launch is not rejected, since in this case the computer system may interrupt its download and “freeze or fall into the blue screen”. Subsequently, such a component should be replaced with the original one from the OS distribution.

After loading the OS, using the management tool (Console), you can review the log of the work of Controller 2 and perform manipulations with these results. That is, add the rejected components to the trusted list, check them on the Internet for danger, if there is uncertainty in them, and if they are harmful, then first, using the SHA1 hash values of this component, find all the same similar components (regardless of what names they will have, but they are all copies of the component you are looking for) throughout the computer system and only then remove or move them to the right place. All actions in the Console are performed quickly and intuitively. For example, to add rejected components to a trusted list, simply open the list of rejected components, select the components that you want to add to the trusted list and select the command to add components to the trusted list through the menu. Accordingly, if we go to the Console in the list of trusted components, we can see these components. Now, if you reboot the OS, then these components will be legitimate and will accordingly be loaded and executed.

Also, Controller 2, in the course of its work, keeps a log of events in which it registers all important events, from its point of view. Such as:

- Change MBR IPL / VBR;

- Starting the process;

- Launching a process component;

- Stopping the process;

- Violation of the digital signature of the component;

- An attempt to modify the component being executed;

- Attempting to delete an executable component;

- An attempt to execute a component from another component;

Starting a component that is possibly encrypted; - Launching a thread that is not standard created;

- The presence of possibly extra entries in the Hosts file;

- The presence of differences in the registration parameters of standard OS services / applications in the registry;

- The presence in the registry of the debugger registration for the launched application in the key "Image File Execution Options";

- The absence of a system file requested by the system to run, but it is physically not;

- The presence of loading a system module, which in reality is not such, but replaces the real system one, replacing some functionality of the system module, and redirects the rest of the functionality to a real system, but renamed file;

- The presence of downloaded components subscription to receive notifications of the start of processes / loading of executable images and / or creation of threads and / or registry changes;

- The presence of a change in the system default value of the address of the function lofCallDriverRoutine;

- The presence of a change in the system default value of the address of the IofCompleteRequest function.

All these events greatly simplify the understanding of what is happening in the computer system and, in combination with other information, make it possible to accurately outline the circle of “suspicious” components that require close examination of their activities. The table of events is reflected dynamically in the Console, and in turn, you can perform various actions in it for quick analysis, i.e. set filters to columns, sort by column, write to file, etc. The second stage can be completed in two ways. The first

- this is when the OS boot was checked, security actions were performed according to the information provided in the Console and restarting the OS for subsequent login to the main OS in normal mode, when Controller 2 is not active.

The second is when we add to the trusted list of the Console all the components that are used by the user on the computer system and remain in this mode. In this option, it is extremely difficult to compromise OS components or components of trusted user programs. For example, via the Internet using a previously unknown дня-day vulnerability that was not closed by updates to OS components or trusted user components. Such a vulnerability cannot be “fixed” in the OS for presence in the system at the next OS reboots, since the proposed OS loading control system in any case prohibits everyone from creating / changing executable components, even if the system itself initiates changes. Except, if you add a component to the trusted list and indicate to it that it can perform “Change the executable component” and / or “Delete the executable component”. Even if the system was compromised only through memory, without accessing the hard drive, then it is enough to reboot the OS and it will again be without “vulnerabilities”.

The proposed OS load control system allows you to quickly solve several important problems:

- Find and block unwanted objects in the computer system. Unwanted objects in a computer system are any module that is not an object of the system or a substituted object of the system, but it is not such in reality;

- Quickly assess the damage to the computer system, to determine the amount of work, which is easier: treat the computer system or reinstall it or restore it from the backup option.

Claims

Formula

The control system for loading the operating system (OS), which contains:

- a control tool designed to control the start-up of the execution of system components when loading the OS, while monitoring is based on lists of system components and their digital signatures and a list of trusted components and their SHA1 hashes;

- a management tool associated with a control tool and designed to analyze the received data during the OS boot process and generate lists of trusted components, and also configured to dump file lists and their descriptors, dump dumps from the registry and to compare received dumps, in addition, a control tool it is additionally designed to search for components in the file system both by the SHA1 hash and by the template of the component name, and at the same time, the control tool is additionally designed for queries on the Internet t about the component.