United States Patent Application 20030159070
Kind Code A1
Mayer, Yaron; et al. August 21, 2003

System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
Abstract
Malicious software attacks (such as for example stealing data, changing data or destroying data) on personal computers and/or servers and/or other computerized gadgets (especially through the Internet) are becoming more and more common and more and more dangerous, causing damages of tens of billions of dollars each year. The state-of-the-art solutions are inherently limited because they solve only a limited number of problems on the surface, instead of going deeply into the roots of the problem. The most common solutions are Anti-viruses and firewalls. Anti-viruses are limited because they can only detect known viruses or worms that have already been identified (usually after they have already attacked many computers). Network firewalls are typically based on packet filtering, which is limited in principle, since the rules of which packets to accept or not may contain for example subjective decisions based on trusting certain sites or certain applications. However, once security is breached for any reason, for example due to an error or intended deception, a hostile application may take over the computer or server or the entire network and create unlimited damages (directly or by opening the door to additional malicious applications). They are also not effective against security holes for example in browsers or e-mail programs or in the operating system itself. According to an article in ZDnet from Jan. 24, 2001, security holes in critical applications are discovered so often that just keeping up with all the patches is impractical. Also, without proper generic protection for example against Trojan horses, which can identify any malicious program without prior knowledge about it, even VPNs (Virtual Private Networks) and other forms of data encryption, including digital signatures, are not really safe because the info can be stolen before or below the encryption.
Even personal firewalls are typically limited, because once a program is allowed to access the Internet, there are no other limitations for example on what files it may access and send or what it might do. The present invention creates a general generic comprehensive solution by going deeply into the roots of the problem. One of the biggest absurdities of the state-of-the-art situation is that by default programs are allowed to do whatever they like to other programs or to their data files or to critical files of the operating system, which is as absurd as letting a guest in a hotel bother any other guests as he pleases, steal their property or copy it or destroy it, destroy their rooms, etc., or for example have free access to the hotel's safe or electronic switchboard or phone or elevator control room. The present concept is based on automatic segregation between programs: It is like limiting each guest by default to his room and limiting by default his access to the Hotel's strategic resources, so that only by explicit permission each guest can get additional privileges.

Inventors: Mayer; Yaron (Jerusalem, IL), Dechovich; Zak (Jerusalem, IL)
Correspondence Name and Address:
YARON MAYER
21 AHAD HA'AM ST.
JERUSALEM
92151
IL
Series Code: 301575
Filed: November 22, 2002
U.S. Current Class: 713/201
U.S. Class at Publication: 713/201
Intern'l Class: H04L 009/00

Claims


We claim:
1. A security system for computers, adapted to creating automatic segregation between programs.

2. The system of claim 1, further comprising: a. A monitoring and capturing system; b. A database of security rules, comprising at least one of: a set of default rules, a set of pre-distribution acquired rules that are good for many users of the selected operating system, and acquired additional user-defined rules; c. A user interface, which can interact with the user in order to at least one of: learn acceptable behavior patterns, warn the user of perceived dangers and wait for his authorization whenever necessary.

3. The system of claim 2, wherein: a. Said monitoring and capturing system constantly monitors the security-sensitive elements of the computer system, and mainly all relevant peripheral device activities, and especially storage devices and communication devices, and detects and selectively intercepts any security-sensitive or suspicious or dangerous behaviors and acts upon it in accordance with at least one of default and acquired sets of security rules, and may ask for user authorization and guidance whenever necessary; b. Said database of security rules comprises at least one of: a set of default rules, a set of pre-distribution acquired rules that are good for most users of the selected operating system, and acquired additional user-defined rules, said database being constantly monitored as a high-security protected area; c. Said user interface, which can interact with the user for at least one of: learning acceptable behavior patterns, warning the user of perceived dangers and waiting for his authorization whenever necessary, and allowing the user to view and modify the database of authorizations.

4. The system of claim 2 wherein said user interface at least also warns the user explicitly in cases of potentially highly dangerous activities.

5. The system of claim 2 wherein said database comprises also at least learned statistics of normal and reasonable behavior of programs in the user's computer.

6. The system of claim 2 wherein said user interface at least also allows the user to view statistics of behavior of important programs and especially programs that are allowed to access communication channels, especially in what is related to sending and receiving data over the communication lines.

7. The system of claim 2 wherein said database comprises also at least a log of the questions that the Security System asked the user and his replies kept at least for a certain period.

8. The system of claim 2 wherein said database comprises also at least, when needed, a log of suspicious activities detected kept at least for a certain period.

9. The system of claim 2 wherein said security rules and functions performed by the Security System comprise automatic segregation of programs into their natural environments and at least some of the following functions: a. Constantly monitoring the security-sensitive elements of the computer system, and mainly all relevant peripheral device activities, and especially storage devices and communication devices, and detecting and selectively intercepting security-sensitive behaviors, suspicious behaviors and dangerous behaviors and acting upon them in accordance with default and acquired sets of security rules, b. At least one of Warning the user and request for authorization and automatic interception for security-sensitive activities and especially any first-time attempts to access communication channels, c. Enabling the user to request at least one of automatic blocking and warning of the user of any attempts of external programs from the network to connect to the user's computer through the communication channels, d. Interception and more explicit warning of the user about potentially highly dangerous activities.

10. The system of claim 9, comprising also at least warning the user about significant statistical deviations from normal behaviors of applications and operating system and especially as relates to suddenly sending out large amounts of data.

11. The system of claim 9, comprising also at least enabling the user to request enforcing of at least one of additional limitations on the communication ports allowed to be opened and when needed also limitations on types of protocols allowed.

12. The system of claim 9, comprising also at least monitoring and intercepting as much as possible all attempts of applications to gain direct port accesses to security sensitive devices and especially the storage media and the communication channels.

13. The system of claim 9, comprising also at least implementing Virtual Shared data areas on the storage media, for at least one of temporary files and accessing keys in the registry and other files, so that programs are given the illusion that they are accessing the shared area, but in reality are each redirected to a separate private area.

14. The system of claim 2, comprising also pushing at least part of the operating system from the most privileged processor ring to a lower privilege ring and enabling needed functions to run in said lower privilege ring.

15. The system of claim 14 wherein said pushing is done in order to catch also backdoors and loopholes in the operating system itself.

16. The system of claim 2 wherein said monitoring and capturing system includes also a hardware element which monitors hardware accesses, so that the Security System can discover events where access has been made to the security-sensitive ports, especially the storage media and the communication channels, without an apparent corresponding event on the system level as monitored by said Security System's software.

17. The system of claim 2 wherein said default automatic segregation is implemented so that, by default, each program is allowed to access, such as read, write, execute, create, and delete, files only within its natural environment.

18. The system of claim 17 wherein said natural environment is mainly the directory in which it is installed, its sub-directories, and--for reading only--non-strategic shared files, unless the program is explicitly given more rights.

19. The system of claim 1 wherein said computer is at least one of a personal computer, a network server, a cellular phone, a palm pilot, a car computer, and/or other computerized gadget.

20. The system of claim 3 wherein high security protected areas are also encrypted.

21. The system of claim 3 wherein high security protected areas are also automatically backed up to at least one more area for additional safety.

22. The system of claim 20 wherein high security protected areas are also automatically backed up to at least one more area for additional safety.

23. The system of claim 3 wherein said communication devices include also USB interfaces.

24. The system of claim 3 wherein said communication devices include also at least one of Bluetooth devices and other wireless devices.

25. The system of claim 3 wherein monitoring access to communication devices includes also protocols for sending Faxes.

26. The system of claim 9 wherein high security protected areas are also encrypted.

27. The system of claim 9 wherein high security protected areas are also automatically backed up to at least one more area for additional safety.

28. The system of claim 26 wherein high security protected areas are also automatically backed up to at least one more area for additional safety.

29. The system of claim 9 wherein said communication devices include also USB interfaces.

30. The system of claim 9 wherein said communication devices include also at least one of Bluetooth devices and other wireless devices.

31. The system of claim 9 wherein monitoring access to communication devices includes also protocols for sending Faxes.

32. A security method for computers, capable of creating automatic segregation between programs.

33. The method of claim 32, further comprising: a. Providing a monitoring and capturing system; b. Creating and maintaining a database of security rules, comprising at least one of: a set of default rules, a set of pre-distribution acquired rules that are good for many users of the selected operating system, and acquired additional user-defined rules; c. Providing a user interface, which can interact with the user in order to at least one of: learn acceptable behavior patterns, warn the user of perceived dangers and wait for his authorization whenever necessary.

34. The method of claim 33, wherein said main 3 elements are: a. Providing a monitoring and capturing system, which constantly monitors the security-sensitive elements of the computer system, and mainly all relevant peripheral device activities, and especially storage devices and communication devices, and detects and selectively intercepts any security-sensitive or suspicious or dangerous behaviors and acts upon it in accordance with at least one of default and acquired sets of security rules, and may ask for user authorization and guidance whenever necessary; b. Creating and maintaining a database of security rules, comprising at least one of: a set of default rules, a set of pre-distribution acquired rules that are good for most users of the selected operating system, and acquired additional user-defined rules, said database being constantly monitored as a high-security protected area; c. Providing a user interface, which can interact with the user for at least one of: learning acceptable behavior patterns, warning the user of perceived dangers and waiting for his authorization whenever necessary, and allowing the user to view and modify the database of authorizations.

35. The method of claim 33 wherein said user interface at least also warns the user more explicitly in cases of potentially highly dangerous activities.

36. The method of claim 33 wherein said database comprises also at least continuously learned statistics of normal and reasonable behavior of programs in the user's computer.

37. The method of claim 33 wherein said user interface at least also allows the user to view statistics of behavior of important programs and especially programs that are allowed to access communication channels, especially in what is related to sending and receiving data over the communication lines.

38. The method of claim 33 wherein said database comprises also at least a log of the questions that the Security System asked the user and his replies kept at least for a certain period.

39. The method of claim 33 wherein said database comprises also at least, when needed, a log of suspicious activities detected kept at least for a certain period.

40. The method of claim 33 wherein said security rules and functions performed by the Security System comprise automatic segregation of programs into their natural environments and at least some of the following functions: a. Constantly monitoring the security-sensitive elements of the computer system, and mainly all relevant peripheral device activities, and especially storage devices and communication devices, and detecting and selectively intercepting security-sensitive behaviors, suspicious behaviors and dangerous behaviors and acting upon them in accordance with default and acquired sets of security rules, b. At least one of Warning the user and request for authorization and automatic interception for security-sensitive activities and especially any first-time attempts to access communication channels, c. Enabling the user to request at least one of automatic blocking and warning of the user of any attempts of external programs from the network to connect to the user's computer through the communication channels, d. Interception and more explicit warning of the user about potentially highly dangerous activities.

41. The method of claim 40, comprising also at least warning the user about significant statistical deviations from normal behaviors of applications and operating system and especially as relates to suddenly sending out large amounts of data.

42. The method of claim 40, comprising also at least enabling the user to request enforcing of at least one of additional limitations on the communication ports allowed to be opened and when needed also limitations on types of protocols allowed.

43. The method of claim 40, comprising also at least monitoring and intercepting as much as possible all attempts of applications to gain direct port accesses to security sensitive devices and especially the storage media and the communication channels.

44. The method of claim 40, comprising also at least implementing Virtual Shared data areas on the storage media, for at least one of temporary files and accessing keys in the registry and other files, so that programs are given the illusion that they are accessing the shared area, but in reality are each redirected to a separate private area.

45. The method of claim 40, comprising also at least pushing, to the extent possible, at least part of the operating system from the most privileged processor ring to a lower privilege ring and enabling needed functions to run in said lower privilege ring.

46. The method of claim 45 wherein said pushing is done in order to catch also backdoors and loopholes in the operating system itself.

47. The method of claim 40 wherein said monitoring and capturing system includes also a hardware element which monitors hardware accesses, so that the Security System can discover events where access has been made to the security-sensitive ports, especially the storage media and the communication channels, without an apparent corresponding event on the system level as monitored by said Security System's software.

48. The method of claim 40 wherein said default automatic segregation is implemented so that, by default, each program is allowed to access, such as read, write, execute, create, and delete, files only within its natural environment.

49. The method of claim 17 wherein said natural environment is mainly the directory in which it is installed, its sub-directories, and--for reading only--non-strategic shared files, unless the program is explicitly given more rights.

50. The method of claim 32 wherein said computer is at least one of a personal computer, a network server, a cellular phone, a palm pilot, a car computer, and/or other computerized gadget.

51. The method of claim 33 wherein high security protected areas are also encrypted.

52. The method of claim 33 wherein high security protected areas are also automatically backed up to at least one more area for additional safety.

53. The method of claim 51 wherein high security protected areas are also automatically backed up to at least one more area for additional safety.

54. The method of claim 34 wherein said communication devices include also USB interfaces.

55. The method of claim 34 wherein said communication devices include also at least one of Bluetooth devices and other wireless devices.

56. The method of claim 34 wherein monitoring access to communication devices includes also protocols for sending Faxes.

57. The method of claim 40 wherein high security protected areas are also encrypted.

58. The method of claim 40 wherein high security protected areas are also automatically backed up to at least one more area for additional safety.

59. The method of claim 57 wherein high security protected areas are also automatically backed up to at least one more area for additional safety.

60. The method of claim 40 wherein said communication devices include also USB interfaces.

61. The method of claim 40 wherein said communication devices include also at least one of Bluetooth devices and other wireless devices.

62. The method of claim 40 wherein monitoring access to communication devices includes also protocols for sending Faxes.

63. A computer security system capable of automatic segregation of programs into their natural environments so that each program is allowed to at least one of access, read, write, execute, create, and delete files only within its natural environment, which is mainly the directory in which it is installed, its sub-directories, and--for reading only--non-strategic shared files, unless specifically given more rights.

64. A method of implementing security in computers by automatic segregation of programs into their natural environments so that each program is allowed to at least one of access, read, write, execute, create and delete files only within its natural environment, which is mainly the directory in which it is installed, its sub-directories, and--for reading only--non-strategic shared files, unless specifically given more rights.

65. A security system in any of cellular phones, car computers, and other computerized gadgets, wherein access to highly sensitive data, such as credit card details or private encryption keys, needs explicit permission by the user.

66. A security system in any of cellular phones, car computers, and other computerized gadgets, wherein any attempt to automatically generate an outgoing communication needs explicit permission by the user.

67. The system of claim 64 wherein any attempt to automatically generate an outgoing communication needs explicit permission by the user.

68. The system of claim 64 wherein any attempts to alter at least one of EMROMM and important system files and sensitive data, need explicit permission by the user.

69. The system of claim 2 wherein the user is an individual.

70. The system of claim 2 wherein the user is an organization and at least some of the control over authorizations is in the hands of at least one central authority, such as the system administrator.

71. The system of claim 70 wherein the Security System of the central authority also automatically checks at least once in a while if the Security System is functioning properly on the other computers.

72. The system of claim 70 wherein the Security System on the central authority's computer can also notice and intercept communication attempts from computers where the amount of actual communication does not fit the amount reported by the Security System of that computer.

73. The system of claim 1 wherein the communications device of each computer can also notice and at least report back to the computer about cases where the amount of actual communication does not fit the amount reported by the Security System of that computer.

74. The system of claim 70 wherein the communications device of each computer can also notice and at least report back to at least one of the computer and the central authority about cases where the amount of actual communication does not fit the amount reported by the Security System of that computer.

75. The system of claim 70 wherein the communications device of each group of computers can also notice and at least report back to at least one of the relevant computer and the central authority about cases where the amount of actual communication does not fit the amount reported by the Security System of that computer.

76. The system of claim 1 wherein by default each program can only see itself and the operating system and the resources (software & hardware) that it is allowed to see, so that it lives in a Virtual Environment (VE).

77. The system of claim 9 wherein by default each program can only see itself and the operating system and the resources (software & hardware) that it is allowed to see, so that it lives in a Virtual Environment (VE).

78. The system of claim 1 wherein the Security System also identifies if the user or the application initiated accessing a file outside the natural environment of the program or other potential security-risk commands and so can allow more flexibility and less limitations if the command was initiated directly by the user than if it was initiated by the application.

79. The system of claim 76 wherein the Security System also identifies if the user or the application initiated accessing a file outside the natural environment of the program or other potential security-risk commands and so can allow more flexibility and less limitations if the command was initiated directly by the user than if it was initiated by the application.

80. The system of claim 78 wherein the Security System also makes sure that programs cannot create the false impression that certain actions were initiated by the user by falsifying user input through one of the input devices.

81. The system of claim 79 wherein the Security System also makes sure that programs cannot create the false impression that certain actions were initiated by the user by falsifying user input through one of the input devices.

82. The system of claim 1 wherein the Security System also makes sure that when it requests authorization no other programs can enter false answers as if they were entered by the user through one of the input devices.

83. The system of claim 9 wherein the Security System also makes sure that when it requests authorization no other programs can enter false answers as if they were entered by the user through one of the input devices.

84. The system of claim 1 wherein in the cases where private keys are generated or stored by the browsers, additional rules are used in order to identify the directories where these keys are held, since otherwise accessing the keys by the browser would be within the browser's default authorization.

85. The system of claim 9 wherein in the cases where private keys are generated or stored by the browsers, additional rules are used in order to identify the directories where these keys are held, since otherwise accessing the keys by the browser would be within the browser's default authorization.

86. The method of claim 34 wherein the user is an organization and at least some of the control over authorizations is in the hands of at least one central authority, such as the system administrator.

87. The method of claim 86 wherein the Security System on the central authority's computer can also notice and intercept communication attempts from computers where the amount of actual communication does not fit the amount reported by the Security System of that computer.

88. The method of claim 34 wherein the communications device of each computer can also notice and at least report back to the computer about cases where the amount of actual communication does not fit the amount reported by the Security System of that computer.

89. The method of claim 86 wherein the communications device of each computer can also notice and at least report back to the central control about cases where the amount of actual communication does not fit the amount reported by the Security System of that computer.

90. A security system wherein the user is an organization and at least some of the control over authorizations is in the hands of at least one central authority, such as the system administrator and Security System on the central authority's computer can also notice and intercept communication attempts from computers where the amount of actual communication does not fit the amount reported by the software of that computer.

91. A security method wherein the user is an organization and at least some of the control over authorizations is in the hands of at least one central authority, such as the system administrator and Security System on the central authority's computer can also notice and intercept communication attempts from computers where the amount of actual communication does not fit the amount reported by the operating system of that computer.

92. A security system wherein the communications device of each computer can also notice and at least report back to the computer about cases where the amount of actual communication does not fit the amount reported by the software of that computer.

93. A security system wherein the user is an organization and the communications device of each computer can also notice and at least report back to the central control about cases where the amount of actual communication does not fit the amount reported by the software of that computer.

94. A security method wherein the communications device of each computer can also notice and at least report back to the computer about cases where the amount of actual communication does not fit the amount reported by the software of that computer.

95. A security method wherein the user is an organization and the communications device of each computer can also notice and at least report back to the central control about cases where the amount of actual communication does not fit the amount reported by the software of that computer.

96. The system of claim 72 wherein the security system of each computer also encrypts the outgoing data packets with a unique identifier for each computer and reports also additional data identifying the packets that are being sent out, and so that at least one of the communication devices or the central authority can also find out if outgoing data packets have been changed.

97. The system of claim 73 wherein the security system also encrypts the outgoing data packets and reports also additional data identifying the packets that are being sent out, so that the communication devices can also find out if outgoing data packets have been changed.

98. The system of claim 74 wherein the security system of each computer also encrypts the outgoing data packets with a unique identifier for each computer and reports also additional data identifying the packets that are being sent out, and so that at least one of the communication devices or the central authority can also find out if outgoing data packets have been changed.

99. The system of claim 90 wherein the security system of each computer also encrypts the outgoing data packets with a unique identifier for each computer and reports also additional data identifying the packets that are being sent out, and so that at least one of the communication devices or the central authority can also find out if outgoing data packets have been changed.
100. The system of claim 92 wherein the security system also encrypts the outgoing data packets and reports also additional data identifying the packets that are being sent out, so that the communication devices can also find out if outgoing data packets have been changed.
101. The system of claim 2 wherein the security system intercepts the operating system the moment it is being loaded into memory and transfers it to a higher ring so that any attempt by the operating system to access ring 0 will cause a CPU exception, and in order to increase efficiency the security system rewrites on the fly each such command in the operating system code which is running in the computer's RAM to access instead the current ring in which it is in, so that the next time that line of code is accessed in memory, the exception will not occur anymore until the next boot.
102. The system of claim 2 wherein if an application changes after being given certain permissions, the user is notified about and asked again for permissions or such changes are automatically prevented.
103. The system of claim 2 wherein the security system transfers only physical device drivers to a less privileged ring in order to be able to control direct access to physical devices.
104. The system of claim 2 wherein the operating system itself transfers physical device drivers to a less privileged ring in order to be able to control direct access to physical devices.
105. The system of claim 2 wherein at least one of the physical device drivers and the operating system are still in ring 0 but there is at least one more privileged area within ring 0 which can catch exceptions caused by at least one of device drivers in ring 0 and the operating system itself.
106. The system of claim 73 wherein the communication device is also capable of generating automatically various reports on outgoing and/or incoming data and the security system makes sure that no other applications can interfere with the device driver of the communication card and thus interfere with these reports.
107. The system of claim 92 wherein the communication device is also capable of generating automatically various reports on outgoing and/or incoming data and the security system makes sure that no other applications can interfere with the device driver of the communication card and thus interfere with these reports.
108. The system of claim 2 wherein at least one of the physical device drivers and the operating system are still in ring 0 but there is at least one more privileged area below ring 0 which can catch exceptions caused by at least one of device drivers in ring 0 and the operating system itself.
109. A security system for computers wherein at least one of the physical device drivers and the operating system are still in ring 0 but there is at least one more privileged area within ring 0 or below ring 0 which can catch exceptions caused by at least one of device drivers in ring 0 and the operating system itself.
110. The system of claim 1 wherein at least one part of the security system becomes active even if the computer is booted from any of a floppy drive or CD or network drive, or any other source that is not the normal boot area.
111. A security system for computers wherein at least one part of the security system becomes active even if the computer is booted from any of a floppy drive or CD or network drive, or any other source that is not the normal boot area.
112. The system of claim 111 wherein said activation is done by at least one of the BIOS and the processor itself before the normal boot sequence begins.
113. The system of claim 111 wherein if the security system discovers that the BIOS has been compromised or corrupted, it can at least one of issue a warning and restore it from various preferably hidden backups.
114. The system of claim 113 wherein the security system can determine that the BIOS has been compromised or corrupted by at least one of: if it was changed without authorization according to a digital signature and if it starts to behave suspiciously.
115. The system of claim 111 wherein when changes need to be made in at least one of the security system itself and the BIOS, a physical key needs to be physically attached to any of the computer or any of its peripheral devices.
116. The system of claim 1 wherein the Security System learns during the installation of new programs which files are related to them outside their directory tree.
117. The system of claim 1 wherein any attempts of programs, initiated by the programs, to exceed their natural environments are automatically blocked by the security system.
118. The system of claim 1 wherein the Security System is an integral part of the operating system.
119. The system of claim 76 wherein if an application launches another application, the newly launched application is limited to the VE of the launching application.
120. The system of claim 1 wherein if users download many files into a single download directory, the security system at least one of: uses context sensitive information, and detects if a downloaded program starts looking at files that were downloaded at different times or starts going over the entire directory or tries to modify other executables in that directory.
121. The system of claim 1 wherein in order to protect the segregation of processes in memory, the Security System asks the user to explicitly authorize programs that he wants to allow to access APIs that allow accessing the memory of other processes.
122. The system of claim 1 wherein in order to prevent device drivers from accessing devices other than those that they are intended to access, each device driver must have a definite type indicator and is allowed to access only devices of the indicated type.
123. The system of claim 122 wherein each device driver is also prevented from accessing other device drivers that can access other types of devices.
124. The system of claim 1 wherein the security system replaces at least some of the Operating System's dialogue boxes and other components that can request input from the user, so that the Security System has more control on what is happening in them.
125. The system of claim 76 wherein programs are allowed to send OS messages only to programs which are running within their own Virtual Environments.
126. The system of claim 1 wherein the Security system replaces at least some of the OS functions that deal with the OS message system, and attaches to each message an identification that shows if the OS or another application is the source of the message, and the Security System allows certain messages to be initiated only by the OS.
127. A security system wherein the Security system replaces at least some of the OS functions that deal with the OS message system, and attaches to each message an identification that shows if the OS or another application is the source of the message, and the Security System allows certain messages to be initiated only by the OS.
128. The system of claim 78 wherein in order to prevent misleading textual questions the Security system uses also at least partial semantic analysis of what the user is really being asked, by at least one of: analyzing sentence structures or at least significant word combinations and/or using various rules and/or a statistical database of commonly used questions.
129. The system of claim 78 wherein in order to prevent misleading textual questions the Security system guards at least the top line title of the dialogue box, so that when it is an "open file" dialogue box, it will always say so clearly, and if it is a "save file" dialogue box it will always say so clearly.
130. The system of claim 78 wherein a new protocol is introduced for dialogue boxes, in which only the security system runs the dialogue box completely and the programs have to indicate in a more structured format, what they want exactly.
131. The system of claim 78 wherein the security system automatically blocks potentially highly dangerous activities or asks the user for explicit authorization, even if the user supposedly allowed this to an application through the dialog box.
132. The system of claim 1 wherein the security system knows automatically about at least some highly important user files and directories.
133. The system of claim 132 wherein said files are at least one of ".doc" files and source code files, and said directories are at least directories containing such files, at least if these files were created by the user.
134. The system of claim 132 wherein the security system can identify strategic files and/or directories by at least one of: using predefined rules; automatically marking programs as highly strategic according to the number and/or types of authorizations they have and/or by the fact that the user is using them interactively more than other programs or files or directories; and allowing the user explicitly to mark certain directories and/or certain file name extensions as highly protected.
135. The system of claim 132 wherein the user is explicitly warned by the security system about attempts of programs to access highly important user files or directories even if the user supposedly allowed the program to access them through the dialogue box--if the program is not normally associated with such files or directories.
136. The system of claim 76 wherein installed drivers can also be associated with Virtual Environments, and thus limited in the scope of their actions.
137. The system of claim 1 wherein the security system prevents running processes from at least one of: changing their code in memory and changing the disk file of their executable code.
138. The system of claim 1 wherein at least one of programs that can access the Internet, Browsers, important Operating system files, and other highly strategic programs, cannot be changed or cannot run EVEN if the user authorizes the change directly to the Security System, unless the update or patch carries a digital certificate that proves that it is indeed an authorized and unchanged official patch by the vendor who made the original program.
139. The system of claim 1 wherein the security system also prevents applications from accessing directly lower level functions that can access devices except by calling them through the normal kernel interface.
140. The system of claim 76 wherein unless explicitly given additional rights by the user all of the actions initiated by a program are automatically limited to the scope of its own VE.
141. The system of claim 76 wherein when a new program is being installed the user has the option of choosing a new VE for that program, or allowing it to become an update of an already existing VE, or allowing it to have free access to the entire computer.
142. The system of claim 140 wherein the user is able to correct mistakes, at least for a certain time, by undoing the installation of programs, at least when they are installed in a limited VE.
143. The system of claim 76 wherein if shared drives are allowed, only the user is allowed to access files on shared drives on other computers, or each program is allowed to see and access in each shared drive only the same VE that it has on its own computer.
144. The system of claim 140 wherein if the user allows a newly installing program to inherit or overwrite an existing VE, the security system first creates a virtual private environment copy of the modified directories, at least for a certain period, so that the user can still request to undo this if he made a mistake, at least for a certain period.
145. The system of claim 140 wherein the security system backs up all the changed files or directories at least for a certain time and/or keeps a rollback log of all changes that were made to the relevant files and directories or even of all changes anywhere in the disk, in order to enable the undo if the user needs it.
146. The system of claim 140 wherein even when the user allows a program to be installed without VE limitations, any changes in the entire hard disk after or during the installation, are completely undo-able at least for a certain time period.
147. The system of claim 1 wherein any changes that happen on at least one of the hard disk and other connected media are completely undo-able at least for a certain time period, by keeping a rollback log of all changes or of all significant changes.
148. The system of claim 140 wherein even if the user requested installation without VE limitation, the new program is first installed in a separate VE, and only after a certain time period or after the user authorizes it (and/or for example after the security system checks various parameters to see that things seem ok), the VE limitations are lifted or this VE is merged with the unlimited VE.
149. A security system in computers wherein the security system automatically blocks potentially highly dangerous activities or asks the user for explicit authorization.
150. The system of claim 149 wherein said potentially highly dangerous activities are at least 1 of: formatting a drive, mass deletion of files, changing hard disk partition information, changing boot area information, installing drivers in levels close to the kernel of the operating system, modifying executables that reside outside the natural environment of the offending executable programs, renaming them, renaming directories, and changing the linking of file types with applications that will be run when clicking on them.
151. The system of claim 149 wherein the security system can identify at least one of strategic files and strategic directories by at least one of: using predefined rules; automatically marking programs as highly strategic according to the number and/or types of authorizations they have and/or by the fact that the user is using them interactively more than other programs or files or directories; and allowing the user explicitly to mark certain directories and/or certain file name extensions as highly protected.
152. A security system wherein the communication with at least one of a keyboard and a mouse uses encryption in order to prevent falsifying user responses.
153. The security system of claim 152 wherein said encryption includes also a date & time stamp.

Description



BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention

[0002] The present invention relates to security in computers (including personal computers, servers, or other computerized gadgets, as explained in the definitions) and more specifically to a powerful comprehensive generic Security System and method for computers, based on automatic segregation between programs.

[0003] 2. Background

[0004] Malicious software attacks on personal computers and/or servers (especially through the Internet) are becoming more and more common and more and more dangerous. According to a recent study by the American CSI research institute (The Computer Security Institute), during the last year alone approximately 50 percent of the largest American companies were attacked by at least one malicious Internet software, with an average damage of about 500,000 USD per attack.

[0005] As the attacks for example by the "I LOVE YOU" virus and its derivatives demonstrate, which affected almost instantly tens of millions of computers and caused estimated damages of more than 10 billion dollars--the conventional anti-virus programs and their methods are inadequate to handle such threats because they are dependent on past familiar code patterns of known malicious software instead of trying to prevent in advance all kinds of attacks in principle. Such attacks are enabled because of an almost infinite number of loopholes and vulnerabilities in operating systems, by the fact that far too many processes occur under the surface without the user's knowledge, and by badly-engineered applications. These loopholes and vulnerabilities include for example:

[0006] 1. The possibility of attempting to connect from the outside to the user's computer while the user is surfing on the net, without any warning to the user that such attempt is being made.

[0007] 2. The readiness of certain applications to execute Macro commands or scripts or applets or other executable attachments from incoming e-mail messages or web pages without any warning and without asking for the user's authorization, and without checking what these executables or scripts try to do (if allowed to run).

[0008] 3. The ability of applications to open a network connection to the outside without any warning or request of authorization from the user.

[0009] 4. The ability of applications to perform extremely dangerous operations such as for example deleting or sabotaging multiple files or making changes to sensitive system areas or formatting entire drives without warning the user and requesting authorization from the user.

[0010] 5. Lack of checks against string overflow or buffer overflow in some communication applications so that they can be crashed for example by large strings that contain malicious code that overwrites part of the original program's code and starts running instead of the original code.

[0011] Unless these vulnerabilities and loopholes are treated on the most thorough and basic level, and since the Internet keeps growing at an exponential rate and more and more businesses are becoming dependent on it--such attacks may increase in the near future to the point of almost unlimited damages to a very large percent of the computers that are connected to the Internet.

[0012] Other methods such as for example packet filtering are also limited in principle, since the rules of which packets to accept or not may contain for example subjective decisions based on trusting certain sites or certain applications. However, once security is breached for any reason, for example due to an error or intended deception, a hostile application may take over the computer or server or the entire network and create unlimited damages (directly or by opening the door to additional malicious applications), which by the time they are detected might already be too late to repair. For example, a macro-virus that resends itself via e-mail (such as for example "I LOVE YOU" and its derivatives and similar viruses) can arrive from your best and most trusted friends after their own computer has been compromised. Also, filtering for allowed types of protocols such as for example FTP versus SMTP and so on can be rendered useless by programs that encrypt or disguise a given protocol type to appear as another. Another major limitation of packet filtering is that it can't be relied upon to scan for stolen data in packets, since malicious applications can encrypt the data and/or disguise it to look like something else, so as to appear for example as a gif image.

[0013] Antiviruses and firewalls are also not effective against security holes for example in browsers or e-mail programs or in the operating system itself. According to an article in ZDnet from Jan. 24, 2001, security holes in critical applications are discovered so often that just keeping up with all the patches is impractical. Also, without proper generic protection for example against Trojan horses, which can identify any malicious program without prior knowledge about it, even VPNs (Virtual Private Networks) and other forms of data encryption, including digital signatures, are not really safe because the info can be stolen before or below the encryption.

[0014] Even attempts to monitor in some ways a certain group of specifically marked executables or applications are limited by nature, because the security breaches can come from many other directions. For example, a Trojan horse may already be lurking in the system for a long time and then suddenly create tremendous damage before being detected, or enter the system any time new applications are installed from any source.

[0015] On the other hand, attempts for example to completely disallow any script within e-mail attachments from executing create too many restrictions and don't distinguish between safe scripts that the user may want to run and scripts that actually try to perform malicious acts.

SUMMARY OF THE INVENTION

[0016] The present invention is a novel concept which tries to go deeply into the roots of the causes of the above-described problems and thus to eliminate them completely by creating what is to the best of our knowledge a very powerful, comprehensive, general and generic Security System for computers. This System and method is adapted to protect computers (which may include for example personal computers, servers, and other devices or gadgets with one or more processors that can run programs, as explained below in the definitions) against all kinds of malicious programs that may steal information and/or cause damages including for example changes of data, deletion of data, interfering with function, and so on (such as for example Viruses, Vandals, Trojan horses, Worms, Macro viruses and Malicious e-mails). The system and method can be used in many operating systems, such as for example various platforms of Microsoft Windows, Linux, Macintosh, or other operating systems, even though the preferred embodiments use mainly the terminology of Windows, which is the most common and familiar operating system.

[0017] The most important principles and objects of this protection system preferably include:

[0018] 1. Preferably giving the user more information about processes that would normally occur without his knowledge, thus decreasing substantially the chance that malicious software will be able to mislead or deceive the user.

[0019] 2. Defining preferably comprehensive yet parsimonic sets of rules of appropriate behavior of software so that the system can identify and intercept immediately programs that may be performing or trying to perform suspicious and/or detrimental and/or potentially dangerous activities or not behaving as usual.

[0020] 3. Monitoring and intercepting and possibly logging all unauthorized and/or suspect activities in the computer and/or asking for authorization or guidance when required.

[0021] 4. The above-described principles preferably allow multiple safeguards against security threats, so that malicious applications will usually have to break multiple security rules in order to do such things as stealing data, damaging data or propagating themselves, and thus the chance for catching them is much larger.

[0022] 5. Even if the user allows a certain application to launch another application, the newly launched application or applications are preferably again subjected in turn to all the same monitoring and rules as any other application and/or for example to the limitations that apply to the launching application, so that the scanning for breach of security rules continues to apply at all stages.

[0023] 6. Since the possibility of encryption by malicious programs which try to steal and send data over communication channels makes it impossible to make sure by monitoring the information flow itself that data is not being stolen--therefore the system preferably relies mainly on allowing the user maximum control over which applications can access which data, which applications are authorized to access which communication channels, and preferably also how much data is actually being sent.

[0024] The above protection system is preferably comprised of the following main elements:

[0025] 1. A monitoring and capturing system, which preferably constantly monitors the security-sensitive elements of the computer system, and most importantly all the relevant peripheral device activities, and preferably especially those related to storage devices (and especially the Hard disk or hard disks) and communication devices (network cards, modem, etc.) and can detect and intercept immediately suspicious or dangerous behavior.

[0026] 2. The security rules and a database (or databases) for storing the default rules, which preferably contain at least one of: a set of pre-distribution preferably acquired rules that are good for most users of the selected operating system, acquired additional user-defined rules, and statistics of normal or reasonable behavior of programs, which is continuously learned during the operation of the system. This database area preferably contains also all the authorizations and optionally (in some embodiments) also for example a log of all the questions that the Security System asked the user and his replies (kept at least for a certain period), and when needed, also a log of suspicious activities detected (kept at least for a certain period) and may contain also definable additional logs. The database is preferably encrypted and is considered a constantly monitored high-security protected and preferably backed-up area as defined below in the detailed description.

[0027] 3. A user interface, which interacts with the user preferably in order to at least one of: learn acceptable behavior patterns, warn the user of perceived dangers when needed, and ask for the user's authorization when needed. Preferably it also allows the user to view statistics of behavior of important programs and/or groups of programs and especially programs that are allowed to access communication channels, especially in what is related to sending and receiving data over the communication lines, such as for example since the beginning of the current Internet session or for a certain time period. Preferably, this may also include information such as for example what protocols were used, etc. Preferably the user may also view or modify directly the database of authorizations or at least parts of it.

[0028] The Main Functions Performed by Security System:

[0029] The main logic behind the rules that define appropriate versus suspect behavior is preventing as much as possible all the elements and activities that are required by malicious programs in order to be able to steal any data or do any damage or propagate themselves. The Security System preferably uses a set of heuristics and basic rules for defining suspicious or potentially dangerous activities that are automatically suitable for most users. By using the general default rules and adding to them for example statistical analysis of normal system and applications behavior and what is learned from the user's responses to authorization requests, the Security System quickly learns what is considered reasonable or well-behaved behavior of programs on the user's personal computer or server. Preferably, some of the learning is performed in advance for each operating system and is included in the distribution database, so that the system that is installed by the user has already learned various rules that are relevant by default to most users of that operating system. The security rules and functions performed by the Security System preferably include at least some of the following:

[0030] a. Constantly monitoring the security-sensitive elements of the computer system, preferably including all relevant peripheral device activities, and especially storage devices and communication devices, and preferably detecting and selectively intercepting any suspicious or dangerous behavior and acting upon it in accordance with the default and acquired sets of security rules.

[0031] b. Default segregation of programs into their natural environments, as defined below in the detailed description. This feature is very important.

[0032] c. Preferably warning the user and requesting authorization for security-sensitive activities and especially any first-time attempts to access communication channels.

[0033] d. Preferably constant and stricter monitoring and protection of areas defined in the various rule sets as higher security areas on the storage media, as defined below in the detailed description.

[0034] e. Interception and more explicit warning of the user about potentially highly dangerous activities.

[0035] f. Preferably warning the user about significant statistical deviations from normal behaviors of applications and/or of the operating system and especially as relates to suddenly sending out large amounts of data.

[0036] g. Allowing the User to request automatic immediate interception and/or warning the user of any attempts of external programs from the network to connect to the user's computer through the communication channels.

[0037] h. Preferably allowing the User to request enforcing of general limitations on the communication ports allowed to be opened and optionally also limitations on types of protocols allowed.

[0038] i. Preferably monitoring and intercepting as much as possible all attempts of applications to gain direct port accesses to security sensitive devices and especially the storage media and the communication channels.
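Functions (c) and (f) above can be illustrated with a short added example, which is not code from the patent application: a monitor that asks for authorization on an application's first attempt to use a communication channel and warns when the amount of data sent deviates sharply from that application's learned baseline. The class and function names, the thresholds and the sample events are all assumptions constructed for the illustration.

```python
import math
from dataclasses import dataclass

MIN_SAMPLES = 5       # assumed: sessions to learn before deviations are judged
Z_THRESHOLD = 3.0     # assumed: spread multiples that count as "significant"
REL_FLOOR = 0.10      # assumed: minimum spread, as a fraction of the mean


@dataclass
class Baseline:
    """Running mean and variance of bytes sent per session (Welford's method)."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stddev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class OutboundMonitor:
    """Hypothetical per-application outbound data monitor."""

    def __init__(self) -> None:
        self.authorized = set()   # applications the user allowed to communicate
        self.baselines = {}       # application name -> Baseline

    def authorize(self, app: str) -> None:
        self.authorized.add(app)

    def observe(self, app: str, bytes_sent: int) -> str:
        # Function (c): a first-time attempt to use a channel needs the user.
        if app not in self.authorized:
            return "ASK_USER"
        base = self.baselines.setdefault(app, Baseline())
        if base.n >= MIN_SAMPLES:
            # A floor on the spread keeps a very regular history from turning
            # every small fluctuation into a warning.
            spread = max(base.stddev(), REL_FLOOR * base.mean, 1.0)
            if (bytes_sent - base.mean) / spread > Z_THRESHOLD:
                # Function (f): warn, and keep the outlier out of the baseline
                # so that one large send cannot raise the learned "normal".
                return "WARN_DEVIATION"
        base.update(bytes_sent)
        return "ALLOW"


# Constructed sample events: (application, bytes sent in one session).
SAMPLE_EVENTS = [
    ("screensaver.scr", 1_200),   # never authorized to communicate
    ("mail.exe", 40_000), ("mail.exe", 42_000), ("mail.exe", 39_500),
    ("mail.exe", 41_000), ("mail.exe", 40_500), ("mail.exe", 41_200),
    ("mail.exe", 25_000_000),     # sudden large send
    ("mail.exe", 40_800),         # ordinary session afterwards
]


def run_demo():
    monitor = OutboundMonitor()
    monitor.authorize("mail.exe")
    return [monitor.observe(app, sent) for app, sent in SAMPLE_EVENTS]


if __name__ == "__main__":
    for (app, sent), verdict in zip(SAMPLE_EVENTS, run_demo()):
        print(f"{app:16} {sent:>12,} bytes  {verdict}")
```

The check is on volume only, so it works whether or not the outgoing data is encrypted or disguised.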

[0039] Therefore, the present invention offers the following main advantages over the prior art:

[0040] 1. It is adapted to generic detection and interception of all kinds and variations of viruses, Trojan horses, worms, E-mail macro viruses and other vandals even when these are completely new and not similar to other vandals encountered before. Therefore, it can also detect and intercept first strike attacks, instead of waiting for a cure after the damage has already been done to tens of millions of computers.

[0041] 2. It is not dependent on constant updates of virus knowledge bases, unlike normal anti virus systems.

[0042] 3. It is not dependent on inherently limited methods, such as for example packet filtering.

[0043] 4. It preferably offers multiple safeguards against various threats, so that a malicious program will typically have to break multiple security rules (for example, try to exceed its natural environments, try to access any of the communication devices without permission, try to modify important system files, try to delete directories, try to modify other executables, etc.), and thus have a much higher chance for being caught. Also, preferably it gives the user more knowledge of what is happening in his system and therefore reduces significantly the chance of the user being misled or deceived by malicious applications.

[0044] 5. It is more comprehensive than other solutions and may even, at least in some embodiments, catch and intercept backdoors that might exist in the operating system itself. Also, it is not dependent on marking a limited group of applications for being monitored, so that all applications are checked, no matter how they are introduced to the system, including if they were there even before the Security System was installed.

[0045] 6. It is parsimonic in nature, so that it preferably doesn't need specific knowledge about the exact nature of specific programs such as for example various browsers or e-mail programs, and therefore also no updates are needed when the user downloads for example new versions or kinds of Internet applications. However, preferably the security system may incorporate updates and/or other globally-acquired knowledge in order to improve itself.

[0046] 7. Malicious behaviors of programs can be detected and/or intercepted even if they don't display viral or worm-like behavior at all, for example if a screen saver starts to steal data and send it out over communication lines even if it does not show any attempts to spread itself or to modify system areas.

[0047] 8. Even systems protected by tight encryption policies, such as for example online banks, are not really safe without the Security System of the present invention, because malicious software, such as for example the Subseven Trojan, can render the encryption useless by sending outside information on everything that is going on in the system at various levels.

[0048] 9. As one of the consequences of the automatic segregation between programs, if a virus or other malicious program manages to infiltrate the system, it is by default limited to its own Virtual Environment (VE), as defined below in the detailed description, where it cannot cause any damage to the system or to other programs.
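The segregation described in item 9, together with the rule that a launched application stays under the limitations of its launcher, is sketched in the following added example, which is not code from the patent application. It assumes that a Virtual Environment is the program's installation directory tree plus any paths the user explicitly grants (the application defines the term only in its detailed description); the class names, operation labels and paths are constructed for the illustration.

```python
import ntpath  # Windows path rules on any host, matching the page's terminology

# Constructed labels for a few of the "highly dangerous activities" that the
# claims say are blocked or referred to the user regardless of scope.
DANGEROUS_OPS = {"format_drive", "mass_delete", "change_partition_info",
                 "change_boot_area"}


def _norm(path: str) -> str:
    # Collapse "..", unify separators and case before any comparison, so that
    # "c:/games/tetris/../../windows" cannot pass as being inside the VE.
    return ntpath.normcase(ntpath.normpath(path))


def _inside(root: str, target: str) -> bool:
    # Compare whole path components; a plain prefix test would wrongly place
    # C:\Games\Tetris2 inside C:\Games\Tetris.
    try:
        return ntpath.commonpath([root, target]) == root
    except ValueError:  # different drives, or a relative path
        return False


class VirtualEnvironment:
    """Assumed model: install directory tree plus user-granted paths."""

    def __init__(self, name: str, install_dir: str) -> None:
        self.name = name
        self.roots = [_norm(install_dir)]

    def grant(self, path: str) -> None:
        self.roots.append(_norm(path))

    def contains(self, path: str) -> bool:
        target = _norm(path)
        return any(_inside(root, target) for root in self.roots)


class Segregator:
    """Hypothetical policy check applied to every file operation."""

    def __init__(self) -> None:
        self.ve_of = {}  # program name -> VirtualEnvironment

    def install(self, program: str, install_dir: str) -> VirtualEnvironment:
        ve = VirtualEnvironment(program, install_dir)
        self.ve_of[program] = ve
        return ve

    def launch(self, parent: str, child: str) -> None:
        # The launched program is limited to the launcher's VE.
        self.ve_of[child] = self.ve_of[parent]

    def check(self, program: str, op: str, path: str = "") -> str:
        if op in DANGEROUS_OPS:
            return "ASK_USER"      # never allowed silently
        ve = self.ve_of.get(program)
        if ve is None:
            return "BLOCK"         # assumed default for a program with no VE
        return "ALLOW" if ve.contains(path) else "BLOCK"


def run_demo() -> dict:
    seg = Segregator()
    ve = seg.install("tetris.exe", r"C:\Games\Tetris")
    seg.launch("tetris.exe", "helper.exe")
    results = {
        "own_file": seg.check("tetris.exe", "write", r"C:\Games\Tetris\scores.dat"),
        "traversal": seg.check("tetris.exe", "write",
                               "c:/games/tetris/../../Windows/system32/kernel32.dll"),
        "prefix_trap": seg.check("tetris.exe", "read", r"C:\Games\Tetris2\notes.txt"),
        "child_outside": seg.check("helper.exe", "read", r"C:\Users\me\thesis.doc"),
        "child_inside": seg.check("helper.exe", "write", r"C:\Games\Tetris\tmp.bin"),
        "other_drive": seg.check("tetris.exe", "read", r"D:\backup\keys.txt"),
        "dangerous": seg.check("tetris.exe", "format_drive", "C:\\"),
    }
    ve.grant(r"C:\Users\me\Saved Games")
    results["after_grant"] = seg.check("helper.exe", "write",
                                       r"C:\Users\me\Saved Games\slot1.sav")
    return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:14} {verdict}")
```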

[0049] Clarification and Definitions

[0050] Throughout the patent when variations or various solutions are mentioned, it is also possible to use various combinations of these variations or of elements in them, and when combinations are used, it is also possible to use at least some elements in them separately or in other combinations. These variations are preferably in different embodiments. In other words: certain features of the invention, which are described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the invention, which are described in the context of a single embodiment, may also be provided separately or in any suitable sub-combination.

[0051] Many times for simplicity of understanding we use terms that are most commonly used within Microsoft Windows environment (which is the most common operating system for personal computers), so it should be kept in mind that in other operating systems such as for example Linux or Macintosh some of these might have different names, somewhat different implementations, etc., although the principles are similar.

[0052] As used throughout the present specifications and claims, the following words have the indicated meanings:

[0053] "Program", "executable" or "application" is any file or area in memory that contains executable commands, such as for example .exe or .com files, batch files, various Macro files, etc.

[0054] "Macro" is an executable written usually in a scripting language and executed by a complex application, such as for example Microsoft's Outlook or Word.

[0055] "DLL" is a dynamic link library. This term is common for example in all versions of the Windows operating system. In other operating systems it might have different names but the principle is similar. In general it is a term for a set of routines that can be called from executables, loaded and linked into them during run time.

[0056] "Device driver" or "Driver" is a software component that allows an operating system to communicate with one or more specific hardware devices attached to a computer, such as for example a hard disk controller, network card or display card. However, this can include also any software component running in the privileged mode--in the Kernel.

[0057] "OS" or "operating system" is software responsible for controlling the allocation and usage of computer hardware resources such as for example memory, CPU time, disk space, and peripheral hardware devices.

[0058] "IRQ" or "Interrupt request line" is a hardware line over which a hardware device, such as for example an input/output port, keyboard, or disk drive, can send interrupt requests to the central processing unit (CPU). Interrupt request lines are built into the computer's internal hardware and are assigned different levels of priority so that the CPU can determine the sources and relative importance of incoming service requests. IRQ is an Intel concept to rank Hardware and Software requests according to their importance.

[0059] "User" or "users" as used throughout the text are always meant interchangeably to be either user or users. The user or users can be for example the individual user of a computer or computers or a corporation or organization that uses the computers. Therefore, preferably various types of authorizations for example can be given either by the individual user of the computer or for example by the security administrator of the company, or any combination of these. For example some companies might want to give full authority on critical issues only to the system administrator, while others might want to let the employees or certain employees have much more direct control.

[0060] "User authorization" as used throughout the text can include also of course additional guidance and options.

[0061] "Database" or "Databases" as used throughout the text are always meant interchangeably to be either database or databases.

[0062] "Network" as used throughout the text is always interchangeable as either network or networks and represents a connection from a computer (as defined below) by any way to one or more computers or any other compatible communication device.

[0063] "File" is one or more areas on one or more disks and may have a definition in the FAT that may be represented as a name, directory, etc. and may have other parameters.

[0064] "Registry" is one or more files that may contain operating system and other program settings and are mainly managed by the operating system.

[0065] "Computer" can refer to a personal computer or workstation or server, or any automated device or gadget with one or more processor or CPU, capable of more than simple arithmetic functions. This can include for example also cellular phones and portable computing devices such as for example a palm pilot. This can include also, for example, computers in cars, which may for example become very important as cars become more automated or even capable of automatic driving, since if hackers are able to damage them for example by Internet or satellite connection, it might even cause life-threatening malfunctions. Other examples can be computers in satellites (in which case, user authorization, when needed, preferably should be requested remotely by encrypted communication with user remote verification), sensitive computer systems in airplanes, etc. So, even though we give the examples usually from a PC and Windows perspective, similar principles can be applied also to palm devices, cellular phones, and other types of computerized devices. Also, "computer" or "computers" as used throughout the text are always meant interchangeably to be either computer or computers. Therefore, whenever the word "computer" or "computers" is used throughout the text of this patent, including the claims, it can mean any of the above defined devices.

[0066] "Server" is a computer on a network that is running software that provides data and services to clients over the network. The term server can also apply to a software process that similarly sends information to clients and that appears on the same computer as a client process, or even within the same application.

[0067] "Kernel" is the portion of the operating system that manages and controls access to hardware resources. It performs for example: thread scheduling and dispatching, interrupt and exception handling, and multiprocessor synchronization.

[0068] "DMA" is Direct Memory Access.

[0069] "Image Loading" as used throughout the text refers to an executable code that is being loaded for execution or unloaded/terminated.

[0070] "Hooked function" as used throughout the text refers to an executable filtering code placed between the calling code and called function and thus has the ability for example to monitor and/or intercept and/or redefine the function that is being hooked.

[0071] "API" stands for Application Programming Interface.

BRIEF DESCRIPTION OF THE DRAWINGS

[0072] FIG. 1 shows the preferable main elements of the Security System within a typical structure of an operating system in a computer, with some of the hooked peripheral device drivers, especially those related to storage devices and network devices, and preferable places and ways that the various parts of the Security System are coupled to and interact with the above typical structure.

[0073] FIG. 1b shows in more detail a preferable way of interaction between Security System parts with an emphasis on the user interface and a preferred process of permission granting.

[0074] FIG. 2 shows in more detail a flow diagram of a preferable way the monitoring and capturing system interacts, monitors, checks and authorizes file hooked functions of the computer's operating system that may be performed by an application.

[0075] FIG. 3 shows in more detail a flow diagram of a preferable way the monitoring and capturing system interacts, monitors, checks and authorizes network hooked functions of the computer's operating system that may be performed by an application.

[0076] FIG. 4 shows in more detail a flow diagram of a preferable way the monitoring and capturing system interacts, monitors, checks and authorizes registry hooked functions of the computer's operating system that may be performed by an application.

[0077] FIG. 5 shows what preferably happens when executable files are being loaded for execution.

[0078] FIG. 6 shows in more detail a flow diagram of a preferable way the monitoring and capturing system interacts, monitors, checks and authorizes memory related functions of the computer's operating system that may be performed by an application.

[0079] FIG. 7 shows in more detail a flow diagram of preferable main parts and methods of the Security System database, permission and analysis processes.

[0080] FIG. 8 shows in more detail preferable interfaces and operation of a possible variation of using additional hardware, which monitors hardware accesses on the computer's data bus and has a 2-way interface with the Security System's software.

[0081] FIG. 9 shows in more detail an overview of a preferable self-preservation method.

[0082] FIG. 10 shows in more detail a flow diagram of a preferable method of interception process.

[0083] FIG. 11 is a graphic illustration of a preferable way in which processes may be segregated and controlled.

[0084] FIG. 12 is a visual illustration of a more extreme implementation of keeping each program in a `Bubble` of virtual environment.

[0085] FIG. 13 is a visual illustration of a preferable configuration of connecting computers in an organization to Internet for example through the system administrator's computer.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0086] All of the descriptions in this and other sections are intended to be illustrative and not limiting.

[0087] Referring to FIG. 1, we show the preferred main elements of the Security System (100) within a typical structure of an operating system (101) in a computer (which can be for example a server, a personal computer, or other computerized gadgets or devices as explained in the definitions), with some of the hooked peripheral device drivers, especially those related to storage devices (110) and communication devices (111), and preferable places and ways that the various parts of the Security System (100) are coupled to and interact with the above typical structure. The entire system and method can be regarded also as a virtual machine that performs the described functions.

[0088] The Security System is preferably comprised of the following main elements:

[0089] a. A monitoring and capturing system (102), which constantly monitors the security-sensitive elements of the computer system, and preferably especially all the relevant peripheral device activities and preferably especially storage devices (110)(especially the Hard disk or hard disks) and communication devices (111) (network cards, modem, etc.) and can detect and intercept any suspicious and/or detrimental and/or potentially dangerous behaviors. This element of the Security System preferably installs at least some parts of itself as much as possible in the kernel of the operating system (104), and other parts preferably replace various OS files, such as for example certain drivers, device drivers, DLLs, etc. in order to hook various vital functions. The monitoring and intercepting system is defined in more detail in subsequent figures.

[0090] b. Security rules (740) and a database or databases (700) for storing preferably at least one of: default rules (74X-C), a set of pre-distribution preferably acquired rules (74X-B) that are good for most users of the selected operating system, the acquired additional user-defined rules (74X-A), and preferably also the statistics (751) of normal or reasonable behavior of programs, which is continuously learned during the operation of the system. Preferably this database (700) contains in addition to all the authorizations, also an optional log (770) of all the questions that the Security System asked the user and his replies (kept preferably at least for a certain period), and/or, when needed, preferably also a log (770) of suspicious activities detected (kept preferably at least for a certain period) and may contain also for example definable additional logs. The database (700) is preferably encrypted and is considered a constantly monitored high-security protected and preferably backed-up area as defined below. Therefore, all accesses to the database are supervised by the monitoring and capturing system as explained in more detail in FIG. 7.

[0091] c. A user interface (103), which interacts with the user preferably in order to at least one of: learn acceptable behavior patterns, warn the user of all perceived dangers and/or ask for user's authorization or guidance when required. Preferably it also allows the user to view for example statistics and/or behavior logs of any program or groups of programs in the computer that the user defines or programs that are considered strategically important such as for example programs that are allowed to access communication channels. For example one of the activities that is preferably being statistically checked and analyzed is the amount and the data that is being sent or received, and preferably for example also the protocol that is being used, and/or other data. Preferably the user may also view or modify directly the database of authorizations, or at least parts of it. Preferably, the user may also choose the security software's tightness at a certain range of severity.

[0092] The Security System may also include (as another possible variation) an optional hardware element (800) shown in more detail in FIG. 8, which can alert the Security System's software to any events where access has been made to the security-sensitive ports (803) and/or memory (801) without an apparent corresponding event on the system level as monitored by said Security System's software. Another possible variation is to put a similar element for example, instead or in addition, in the modem or communication card itself, and/or for example in the motherboard or in the CPU itself, and/or for example on the hard disk interface.

[0093] Further referring to FIG. 1, preferably the main rules and functions performed by the Security System include at least most of the following:

[0094] 1. Preferably programs are automatically segregated into their natural environments, so that by default, preferably each program (software application) is allowed to access (for example read, write, execute, create, delete, etc.) files only within its natural environment (which is mainly the directory in which it is installed, its sub-directories, and, preferably for reading only, non-strategic shared files). This way, even applications that are run within other applications, such as for example Java or Active-X within browsers, still have to conform to the security rules together with the browser itself. (Another possible variation is that the user may also ask in advance to protect and monitor only certain directories (or groups of directories), but by default all directories are monitored). If the program is attempting to be installed in the root of any drive, preferably the user interface part (103) of the Security System warns the user about it, and if he allows it, then the natural environment of such programs is limited only to the root of that drive and does not include its sub-directories, otherwise the segregation to branches would be meaningless in this case. (In the more extreme embodiments explained in the reference to FIG. 11, another possible variation is that the program is given the illusion that it installed itself on the root of a drive, but in fact it is in a limited Virtual Environment, and thus in a lower directory). Similarly, the Security System preferably constantly monitors, intercepts, and warns the user of any attempts by programs to access the storage devices (110) through direct I/O, since that could render meaningless the segregation rules. (This can be accomplished for example by putting the Security System in ring 0--Using Intel architecture terms).
This can be viewed either as a segregation of programs or of processes, however it is more preferable to implement it according to program files, since for example two or more copies in memory of Netscape will still typically have the same privileges and definitions. On the other hand, if different threads are run by some programs, for example Java or Javascript by Netscape or for example Active-X by MSIE, another possible variation is that they can be treated separately as processes, or they can be identified separately anyway for example by the file from which the DLL originates, etc. But even if for example the Active-X or Java are run by functions within the browser which are indistinguishable from other internal parts of the browser, according to the above definitions the scope of damage they can do is automatically limited by the limited access the browser itself has outside its normal environment, as explained above. Another way to explain it, which also shows the problematic nature of the prior-art situation, is to compare the computer to a hotel. Allowing a program to do whatever it likes to other programs or to their data files or to critical files of the operating system is as absurd as letting a guest in a hotel bother any other guests as he pleases, enter their rooms, steal their property or copy it or destroy it, destroy their rooms, etc., or for example have free access to the hotel's safe or electronic switchboard or elevator control room, or phone. The present concept is like limiting each guest by default to his room and limiting by default his access to the Hotel's strategic resources, so that only by explicit permission each guest can get additional privileges. In order to make the segregation more effective, preferably the user is encouraged to place each newly installed software in a separate directory.
However, since many users download new files into some common download directory for convenience reasons, there is a possibility that a malicious software will attack (for example delete or corrupt) other files in this download directory when the user tries to install it, or for example read other downloaded files in that directory to find what their default installation directory is and for example also which software is used to open them, and then for example pretend to be related to other programs in the download directory and thus get itself installed in the directories where they were installed. In order to prevent this preferably the security system can use for example context sensitive information, such as for example the time each newly downloaded software was added, so that unreasonable or suspicious behavior can be easily detected if a downloaded program for example starts looking at files that were downloaded at different times, even though they are in the same directory, or starts for example going over the entire directory and/or tries for example to modify other executables in that directory. As explained, of course various combinations of the above and other variations can also be used.
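The default rule of clause 1 can be sketched as a path check. This is an added illustration, not code from the patent application: the class name `NaturalEnvironment`, the `allow` and `ask-user` decisions and the sample paths are assumptions, and a real implementation would sit in a file-system hook.

```python
import ntpath
from pathlib import PureWindowsPath

ALLOW, ASK = "allow", "ask-user"   # hypothetical decision labels


def path_parts(path):
    """Case-folded components of a Windows path with '.' and '..' collapsed,
    so 'C:\\App\\..\\Windows' cannot pass as being below 'C:\\App'."""
    return tuple(p.lower() for p in PureWindowsPath(ntpath.normpath(path)).parts)


class NaturalEnvironment:
    """Install directory plus sub-directories; read-only shared directories."""

    def __init__(self, exe_path, shared_readonly=()):
        self.install_dir = path_parts(ntpath.dirname(ntpath.normpath(exe_path)))
        # A program installed in a drive root gets the root only: including
        # sub-directories would hand it the whole drive.
        self.root_install = len(self.install_dir) == 1
        self.shared_readonly = [path_parts(d) for d in shared_readonly]

    def contains(self, target):
        t = path_parts(target)
        if self.root_install:
            # only entries that sit directly in the root directory
            return t == self.install_dir or t[:-1] == self.install_dir
        # component-wise prefix match, so 'Editor2' is not inside 'Editor'
        return t[:len(self.install_dir)] == self.install_dir

    def decide(self, target, op):
        """op is 'read', 'write', 'create', 'delete' or 'execute'."""
        if self.contains(target):
            return ALLOW
        if op == "read":
            t = path_parts(target)
            if any(t[:len(d)] == d for d in self.shared_readonly):
                return ALLOW
        # everything else needs explicit permission from the user
        return ASK


if __name__ == "__main__":
    # Constructed sample paths.
    env = NaturalEnvironment(r"C:\Program Files\Editor\editor.exe",
                             shared_readonly=[r"C:\Windows\Fonts"])
    for target, op in [
        (r"C:\Program Files\Editor\plugins\spell.dll", "write"),
        (r"C:\Program Files\Editor\..\..\Windows\win.ini", "write"),
        (r"C:\Program Files\Editor2\editor2.exe", "write"),
        (r"C:\Windows\Fonts\arial.ttf", "read"),
        (r"C:\Windows\Fonts\arial.ttf", "delete"),
    ]:
        print(f"{op:7} {target} -> {env.decide(target, op)}")
```
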

[0095] 2. By default, preferably no program is allowed without permission to access and especially to modify or replace sensitive areas or files (as defined below) or device drivers in the storage media (and preferably, to the extent possible, also in the computer's RAM (112)), which are regarded by the Security System as High security areas, such as for example critical operating-system files, registries, INI files, important DLL (Dynamic Link Libraries) files, communication-related files (such as for example Winsock, etc.), the boot sector, the FAT, autoexec or configuration files, the initialization areas of the operating system, the Windows Startup directory, the BIOS, user defined high security files or directories, system files that contain lists of URLs from which drivers can be automatically downloaded without asking the user, all the executable and data files and databases related to the Security System itself, or anything else that may prevent the Security System from continuing functioning properly or initializing properly after the next boot. Similarly, the Security System preferably constantly monitors attempts by various programs to access for example the area of the hard disk used by the operating system for the swap files and/or other cached areas on the disk, since that could also allow various security breaches, such as for example replacing critical DLLs with malicious DLLs while they are cached on the disk during virtual memory swapping. In addition to this, the system may preferably to the extent possible also protect (600) some RAM (112) areas if they are not adequately protected by the computer's operating system (101). For example, there might be a vulnerability that enables applications to access a shared memory area called "System internal object name space" and change the names of DLLs, thus replacing them with references to malicious DLLs. 
In addition to this, the Security System preferably makes sure (600) that it will not be thrown out of the RAM by other applications that might try to neutralize it, for example by checking all the time that it is not thrown out of the DDB (Device Descriptor Block) by other applications and putting itself all the time in the first place there, and/or for example by the methods described in FIG. 9 about self-preservation. Preferably, unless it is sufficiently done by the operating system itself, to the extent possible, the Security system also prevents programs from accessing also in memory the code or data of other programs or their drivers or DLLs, etc. (for example unless given explicit permission to do so). This can be done for example by a method that when each application is running, all the pages of other applications are marked as missing, so if the application tries to access their data or code in memory it causes a CPU exception and then the Security System handles it and disallows the access unless the missing page is really a page that belongs to that application. Since in Windows there are for example a number of API (Application Programming Interface) functions that allow programs to behave like debuggers, thus enabling them to access and/or alter the memory of other programs that are currently running, preferably the Security System asks the user to explicitly authorize programs that he wants to allow such privileges. Another possible variation is that if programs that have not been given special access rights try to access such APIs, they are automatically prevented from that, or even cannot see such APIs. Also, preferably APIs that allow file-handle copying between processes are automatically disabled, or they are allowed to be used only between programs that are running with the same Virtual Environment.

[0096] 3. In addition to this, as much as possible, preferably most of the high security areas described above in clause 2 are monitored regularly for signs of suspicious changes preferably by means of a hidden fingerprint for each such file which will cease fitting the file if an unauthorized change has occurred, and preferably there are also additional hidden encrypted and regularly refreshed backups of important areas that can be used to restore them in case of damages to them.

[0097] 4. Preferably any program that tries to access (such as for example send, receive, listen, connect etc.) communication channels (111), including IP address, port and protocol (for example win-sockets and network shared device drivers (300)) needs to get permission from the user (unless it has already been given this privilege). Based on this monitoring, the user is preferably warned and is asked for authorization when needed, inbound or outbound, including any attempts from programs or hackers from the network (120) to connect to the user's computer, and the Security System may also trace-route such attempts on the net (120) in order to find the source of the attack. Preferably on personal computers attempts to communicate from the outside are automatically blocked and logged without bothering the user. Preferably, when the Security System checks or asks for permissions, such as when it asks the user for example if to allow a certain application to access communication channels, it shows additional relevant data apart from the application's name, such as, for example, the full path of where the executable is installed, its size, its date, and/or details such as for example CRC, memory segments, or other identifiers, in order to reduce the chance that some hostile application might for example install itself under some directory and name itself netscape.exe and thus be given inadvertently by the user access to the web. This means also that for example if an application changes after being given certain permissions, the user will be asked again about it and preferably warned explicitly about the change. Similarly, preferably, if another application with the same or similar name is already listed in the Security System's Database, the security system preferably warns the user about this, in order to further avoid confusion.
If the user is for example an organization and the organization wants for example to allow the system administrator to control which applications have access to the web, then for example each time an employee working with a certain computer allows a certain application to access the web, then preferably this can be permitted only if it fits the definitions allowed by the administrator, preferably using various identification marks to make sure that it is indeed an allowed application and not some other executable with the same name. This can be accomplished in a number of possible ways: For example the administrator can define allowed applications with their identification marks and broadcast this once in a while to all the computers in the organizations, and the Security system will allow access to communication channels only to applications that comply with these definitions (preferably these definitions are password-protected and also reside in an area regarded as a high-security area). Another possible variation is that various requests for authorizations (preferably including various identification marks of the applications) are broadcast by the security system directly to the administrator without even asking the employee and preferably remain blocked until authorization can be given by him. Another possible variation is for example that new authorizations given to applications by the employee (or at least authorizations on important issues) are broadcast by the security system also to the administrator, and allowed only if he OKs them. Another possible variation is for example that, at least for certain authorizations, the user has to call the administrator, and only he can authorize them for example with a password. 
Another possible variation is for example that applications that are allowed to access the web and/or other communication channels reside only in one (or more) computers in the network and the other computers can access them for example only by limited access through local-area network. Various combinations of these and other solutions are also possible. Also, preferably the Security System allows the user to define general limitations on the communication channels (111) allowed to be opened and/or for example also limitations on types of protocols allowed, which is especially useful in cases where the computer is being used as a server, since in such cases the computer will run most of the time unattended by the user, or for example if the user wants to block automatically all incoming communication attempts and just log them. Additionally, due to the nature of E-mail Macro-viruses, as added security measures, the system preferably constantly monitors the communication channels for outgoing E-mail messages and asks the user for confirmation any time that one or more e-mail messages are being sent out by any program (even authorized programs) or at least and especially when multiple E-mails are being sent out consecutively. Preferably, the Security System also learns by this process various characteristics of the way the user is normally sending e-mail messages, so that whenever sudden unusual characteristics are apparent, preferably a special interception and warning can be issued. For example when sending e-mail normally through a program like Outlook Express, the relevant MAPI functions may be called differently and/or other processes may happen differently than for example when sending e-mail from a Visual Basic Script executed by Outlook Express.
In addition to this, since programs that are allowed to access the communication lines (and especially browsers and e-mail programs) are usually a crucial link in Internet related attacks, preferably such programs are always monitored more thoroughly by the Security System, and therefore regarding such programs preferably the user may not tell the Security System to stop asking about various behaviors. Examples of said communication channels in terms of hardware can be the modem, Ethernet card(s), or even the USB (Universal Serial Bus), which can also be used for example for ADSL connection, or any other device that exists or might exist in the future which might be used for communicating data in and out of the computer. This comprehensive covering of all possible communication channels is extremely important, since otherwise the whole security system might be rendered useless. Examples of said communication channels in terms of software can be any of the system functions that can access any of the said hardware devices that can be used for communication, including for example TAPI functions, which can use the modem for sending Faxes, since, otherwise, a malicious application might for example turn off the internal loudspeaker of the modem and dial out and send out stolen data as a Fax. This applies also for example to any access to wireless channels, such as for example Bluetooth or infra-red, since this also can be used for sending data to the computer or stealing data from it. As explained, of course various combinations of the above and other variations can also be used.
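The identification marks of clause 4 (full path, size, date, CRC) and the administrator-defined list can be modelled as follows. This is an added illustration, not code from the patent application: the class and result names are assumptions, the SHA-256 field is an assumed "other identifier" added because a CRC alone can be matched deliberately, and only exact same-name matches are flagged.

```python
import hashlib
import ntpath
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityMarks:
    path: str     # full, case-folded install path shown to the user
    size: int     # file size in bytes
    mtime: int    # file date, seconds since the epoch
    crc32: int    # the CRC named in the text
    sha256: str   # assumption: collision-resistant "other identifier"


def marks_for(path, content, mtime):
    """Build the marks from an executable's path, bytes and date."""
    norm = ntpath.normcase(ntpath.normpath(path))
    return IdentityMarks(norm, len(content), mtime,
                         zlib.crc32(content),
                         hashlib.sha256(content).hexdigest())


class AuthorizationDB:
    """Network permissions keyed on identity marks, never on name alone."""

    def __init__(self, admin_allowed=None):
        self._granted = {}   # path -> IdentityMarks
        # None: the individual user decides. A set: organisational mode,
        # only marks the administrator distributed may be granted.
        self._admin_allowed = (None if admin_allowed is None
                               else set(admin_allowed))

    def grant(self, marks):
        if self._admin_allowed is not None and marks not in self._admin_allowed:
            return False     # employee's approval does not fit the admin list
        self._granted[marks.path] = marks
        return True

    def check(self, marks):
        known = self._granted.get(marks.path)
        if known == marks:
            return "authorized"
        if known is not None:
            return "changed-ask-again"   # same path, different file
        name = ntpath.basename(marks.path)
        if any(ntpath.basename(p) == name for p in self._granted):
            return "same-name-warn"      # e.g. a second netscape.exe
        return "unknown-ask"


if __name__ == "__main__":
    # Constructed sample data.
    browser = marks_for(r"C:\Program Files\Netscape\netscape.exe",
                        b"original browser image", 1000000000)
    db = AuthorizationDB()
    db.grant(browser)
    impostor = marks_for(r"C:\Temp\netscape.exe", b"impostor", 1000000600)
    print(db.check(browser), db.check(impostor))
```
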

[0098] 5. Preferably, the monitoring & capturing system (102) conducts constant statistical analysis of various events in the computer in order to learn about normal behavior and identify significant deviations from the normal behavior (such as for example sending out significantly more data than usual, accessing more files than usual, etc.). Preferably, especially the programs that have been authorized for use of the communication channels (111) are constantly statistically analyzed and monitored for suspicious deviations from their normal statistical patterns of behavior, so that if such a program for example suddenly starts to access significantly more files than usual or scan large areas of the disk (even if it has been allowed by the user to access areas outside its natural environment) or starts to send out unusual amounts of data, it is preferably immediately intercepted and the user warned and asked for authorization. This is important also in cases that programs start to act strange due to their being changed while already loaded in memory, for example because of some hardware failure or because they were crashed by string overflow (for example accidentally or by malicious buffer overflow takeover), etc. Preferably the security system can also support more than one user working on the same computer with separate statistical information, preferably by keeping separate user profiles. Another possible variation, preferably in addition to this, is that the security system preferably also checks at least for highly important processes in RAM memory (such as for example in Server applications or applications that have been given privileges, such as for example permission to access communication channels and/or to exceed their natural environments), preferably in short intervals, that its code has not changed in RAM memory (which can happen for example in cases of buffer overflow or in cases of hostile takeover in memory by another process). 
This can be done for example by checking its COFF format when it is being loaded into memory, in order to know where the code segments are and not be confused by changes in the data segments, and then preferably marking the code with a highly sensitive checksum. Another possible variation is for example making sure at least in important applications that their code is always only in hardware-protected read-only memory segments. This can be done for example by changing their COFF mapping to ensure proper alignment of code into separate pages tagged as read-only, so that any attempts to change them will cause CPU exception.
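The code-only checksum described in clause 5 depends on reading the COFF section table so that data sections are left out. The following is an added illustration, not code from the patent application: it uses the standard COFF header layouts, works on raw file offsets of a constructed two-section image (a resident check would use the mapped addresses), and SHA-256 is an assumed choice for the "highly sensitive checksum".

```python
import hashlib
import struct

COFF_HEADER = struct.Struct("<HHIIIHH")         # 20-byte COFF file header
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # 40-byte section header
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def code_sections(image):
    """Return (name, raw_offset, raw_size) for every code section."""
    if len(image) < COFF_HEADER.size:
        raise ValueError("truncated COFF header")
    _machine, count, _ts, _symptr, _nsyms, opt_size, _chars = \
        COFF_HEADER.unpack_from(image, 0)
    table = COFF_HEADER.size + opt_size
    found = []
    for i in range(count):
        off = table + i * SECTION_HEADER.size
        if off + SECTION_HEADER.size > len(image):
            raise ValueError("truncated section table")
        name, _vsize, _vaddr, raw_size, raw_ptr, *_unused, flags = \
            SECTION_HEADER.unpack_from(image, off)
        if flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            if raw_ptr + raw_size > len(image):
                raise ValueError("section data outside image")
            label = name.rstrip(b"\0").decode("ascii", "replace")
            found.append((label, raw_ptr, raw_size))
    return found


def code_fingerprint(image):
    """Hash only the code sections, so data changes do not raise alarms."""
    digest = hashlib.sha256()
    for label, ptr, size in code_sections(image):
        digest.update(label.encode("ascii", "replace"))
        digest.update(struct.pack("<II", ptr, size))
        digest.update(image[ptr:ptr + size])
    return digest.hexdigest()


def build_sample_image(code, data):
    """Constructed COFF object with one .text and one .data section."""
    start = COFF_HEADER.size + 2 * SECTION_HEADER.size
    header = COFF_HEADER.pack(0x014C, 2, 0, 0, 0, 0, 0)
    text = SECTION_HEADER.pack(b".text", len(code), 0x1000, len(code),
                               start, 0, 0, 0, 0, 0x60000020)
    dat = SECTION_HEADER.pack(b".data", len(data), 0x2000, len(data),
                              start + len(code), 0, 0, 0, 0, 0xC0000040)
    return header + text + dat + code + data


if __name__ == "__main__":
    stub = b"\x55\x8b\xec\x5d\xc3"   # constructed: empty function body
    baseline = code_fingerprint(build_sample_image(stub, b"counter=0"))
    after_data = code_fingerprint(build_sample_image(stub, b"counter=9"))
    after_code = code_fingerprint(
        build_sample_image(b"\x55\x8b\xec\x90\xc3", b"counter=0"))
    print("data changed, alarm:", after_data != baseline)
    print("code changed, alarm:", after_code != baseline)
```
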

[0099] 6. Preferably the Security System monitors as much as possible all attempts of software applications to gain direct port accesses to security sensitive devices (such as for example the modem and network cards (111), hard disk controller, etc.), or to bypass for example the win-socket drivers, since such access could bypass the operating system. Windows NT for example allows only drivers that are installed in ring 0 to access such ports directly, so ordinary applications are automatically prevented from doing this, but some other versions of Windows do not enforce this limitation. Therefore, preferably the Security System tries to enforce this as much as possible even on systems where it is not enforced.

[0100] 7. During its own installation, the Security System preferably performs various checks of whether various crucial system files are suspected of being infected already, and in that case might for example recommend to the user to reinstall the operating system before trying to install again the security software.

[0101] 8. In order to solve the security problems created by the existence of writeable shared directories such as for example the windows temp area, the Security System preferably implements also a new concept: Virtual Shared Directories. This way, each time an executable tries to access such a shared directory, it will be preferably given the illusion that it has accessed it, but in reality, each such executable will be preferably redirected to a separate private sub-directory which only it can access. Similarly, when executables are accessing for example shared keys in the registry, the Security System preferably implements also a Virtual Shared-Keys system such as for example registered components, etc., so that again, preferably the executables are given the illusion that they have accessed the shared keys, but preferably they are in practice being redirected each to its individual private file of relevant registry keys. Preferably this is implemented also for example when a program needs to install certain files, such as for example DLLs in system directories. Preferably the virtual shared directory is implemented for example by giving the program a logical view of the shared directory or for example only some of the files in it, so that if the program is allowed to see them it preferably sees the original copy (to reduce unnecessary duplication unless needed), but if it changes any of those files, they will in reality be copied into files in the program's individual private area and changed only there (This can be regarded as an extended implementation of the "Copy-on-write" principle). This, in combination with the other rules/functions, and especially rule no. 1 (about the automatic segregation), can also be described in other words as a system of multiple automatic sandboxes, or a system in which each program is limited to its own virtual computer or virtual environment. 
Another possible variation is to use similar virtual sharing also on other shared resources of the computer. As explained, of course various combinations of the above and other variations can also be used.
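The copy-on-write redirection described in [0101], shown as an added example that is not code from the patent application. The class and function names, the alphanumeric program id and the sample file are assumptions made for illustration.

```python
import os
import shutil
import tempfile
from pathlib import Path


class VirtualSharedDir:
    """Per-program copy-on-write view of one shared directory."""

    def __init__(self, shared_root, private_root):
        self.shared_root = os.path.realpath(shared_root)
        self.private_root = os.path.realpath(private_root)

    def _safe_join(self, base, rel_path):
        # Refuse names ("../x", absolute paths, symlinks) that leave the area.
        full = os.path.realpath(os.path.join(base, rel_path))
        if os.path.commonpath([base, full]) != base:
            raise PermissionError(rel_path)
        return full

    def resolve(self, program_id, rel_path, writing):
        # Assumption: program_id is a stable alphanumeric id set by the monitor.
        if not program_id.isalnum():
            raise ValueError(program_id)
        own_area = os.path.join(self.private_root, program_id)
        private = self._safe_join(own_area, rel_path)
        shared = self._safe_join(self.shared_root, rel_path)
        if os.path.exists(private):
            return private            # program already has its own copy
        if not writing:
            return shared             # reads see the original, no duplication
        os.makedirs(os.path.dirname(private), exist_ok=True)
        if os.path.isfile(shared):
            shutil.copy2(shared, private)   # copy-on-write
        return private


def demo():
    # Constructed sample: one shared file; only progA writes to it.
    with tempfile.TemporaryDirectory() as top:
        shared = os.path.join(top, "temp")
        os.makedirs(shared)
        original = os.path.join(shared, "setup.ini")
        Path(original).write_text("mode=original")
        vsd = VirtualSharedDir(shared, os.path.join(top, "private"))
        with open(vsd.resolve("progA", "setup.ini", True), "a") as f:
            f.write(";changed-by-A")
        paths = [vsd.resolve(p, "setup.ini", False) for p in ("progA", "progB")]
        return [Path(p).read_text() for p in paths + [original]]
```

`demo()` returns what progA sees, what progB sees, and what is actually in the shared directory; only the first reflects progA's change.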

[0102] 9. To the extent possible, the Security System preferably also tries to push the operating system or at least parts of it (such as for example the installed physical device drivers and/or the device drivers of the operating system's inner core and/or any other elements that can allow to gain a similar level of control or protection and/or additional parts), to the extent possible, from processor ring 0 (privileged) preferably to ring 1 (less privileged), preferably with the aid of an additional component that converts all the needed functions to run in ring 1 instead of ring 0. However it is more preferable to push also the operating system itself or as many parts of it as possible to a higher numbered ring since this allows closing also backdoors or vulnerabilities in the operating system itself. Preferably, the security system runs below the operating system and intercepts the operating system the moment it is being loaded into memory and transfers it preferably to ring 1. Any attempt by the operating system to access ring 0 will now cause a CPU exception, and, in order to increase efficiency, one possible variation is that the security system preferably rewrites on the fly each such command in the operating system code which is running in the computer's RAM to access instead the current ring in which it is in (such as for example ring 1), so that the next time that line of code is accessed in memory, the exception will not occur anymore (until the next boot). Another possible variation is for example to change at least some of the system files on the disk. This is an additional way to block any hidden doors that might exist in the operating system. And of course it allows easier control over the access to system resources. Although these rings are concepts in Intel processors, similar rings or concepts might be used also in other processors.
Another possible variation is that the operating system itself moves for example all the installed physical device drivers for example to ring 1, so that any attempt to access directly any physical devices, such as for example the communications card or the hard disk card, will create a CPU exception and then the operating system decides what to allow or not. But that means adding various features of the Security System to the operating system itself or for example making the security system an integral part of the operating system. Another possible variation is that the physical device drivers and/or the operating system or parts of it are for example still in ring 0 but there is a special more privileged area (or areas) within ring 0 or for example below ring 0 (for example ring -1) which can preferably catch all the exceptions caused by the device drivers in ring 0 and/or by the operating system and is preferably immune to attempts by other drivers or by the operating system to neutralize it or take its place. This can be accomplished for example by adding such a special privileged sub-area within ring 0 and/or below ring 0 by a change in the CPU itself. This has the advantage that it can be easily accomplished without having to deal with the complexity of pushing the operating system to a higher ring. The feature of adding additional control below the operating system by defining a special sub-area within ring 0 or an additional ring below ring 0, can be used also independently of other features of this invention, and various elements may be added to this control.
Another possible variation is that preferably in addition, in order to prevent device drivers from accessing devices other than those that they are intended to access, preferably each device driver must have a definite type indicator (such as for example disk driver, screen driver, Network card driver, Mouse driver, etc.), and when a new device driver is installed preferably the user is asked specifically if he allows the program to install such a driver. And when a driver runs and/or during its installation preferably the security system and/or the operating system and/or for example a hardware element (for example in the CPU itself) preferably checks that it does not access other physical devices that don't belong to the type it is allowed to access, so that for example a screen driver cannot access directly hardware ports of the disk or of the network card or of the input devices, etc. However, if the drivers are for example in ring 1 and the security system in ring 0, there is no need for special hardware support, since any attempt of the drivers to access direct hardware ports will cause an exception and then the security system can check if the driver should be allowed to access the device it is trying to access. However, if a device driver is limited to a certain type of devices, preferably it is also prevented from accessing directly other drivers that can access other types of devices, otherwise this can bypass the limitations.
Another possible variation is that at least some device drivers are associated only with the programs that installed them or with their Virtual Environments, so that for example if a malicious program installs a new keyboard driver that changes for example "yes" to "no" and vice versa or for example steals keystrokes into a log file for later sending it to the Internet, the only program that can use this driver and thus be affected by it is the program that installed it (or for example other programs that are within its own Virtual Environment). So if there is for example a device driver for an input device, such as for example the mouse or the keyboard, (and/or for example an output device, such as for example the printer or the screen) which is associated only with a certain program, preferably when it is swapped out during multi-tasking, preferably if there are any hardware buffers associated with it, they are preferably also copied and cleared, so that no trace of it can affect other programs. Another possible variation is that the security system or at least part or parts of it (for example any of the parts that are below ring 0) become active even if the computer is booted for example from a floppy drive or CD or network drive or any other source that is not the normal boot area. In other words, the security system or part of it is automatically activated for example by the BIOS or by the processor itself before the normal boot sequence begins. Preferably it is by the processor itself (For example if at least a small part of the security system or a special pointer to it is stored for example in a special ROM area in the CPU itself), so that even changing the BIOS's EPROM will not prevent it from becoming active.
Another possible variation is that if the security system discovers for example that the BIOS has been compromised or corrupted (for example if it was changed without authorization according to a digital signature or starts to behave suspiciously), preferably the security system can issue a warning and/or restore it from various preferably hidden backups. Another possible variation is that when changes need to be made in the security system itself--for example updates or bug fixes--preferably the user is prompted very explicitly to confirm it and/or for example some physical key needs to be physically attached to the computer or to any of its peripheral devices (such as for example the keyboard or the mouse) during the update in order to allow this to happen. Another possible variation is to require for example such a key for making changes to the BIOS. Similarly, another possible variation is that the security system is also hardware-protected, so that it cannot be removed by any software means. This can be accomplished for example if it or at least a part of it is stored on a ROM device, and for example the CPU itself will issue a warning and/or restore it from various preferably hidden and preferably protected backups and/or stop executing any other programs until the Security system is restored. These features of safety even during foreign boots and/or if the security system was compromised by any other means, can be used also independently of any other features of this invention. Of course, various combinations of the above and other variations are also possible. Another possible variation is to enforce the automatic file segregation