Method and system for detecting a secure state of a computer system
First Claim
1. A method of detecting unauthorized executable code resident in a computer system, the method comprising:
- receiving user authorization information;
- authenticating the user authorization information to perform at least one of authorize and identify a user;
- when the user is at least one of authorized or identified, requesting security data of the user;
- hashing first data stored in data storage within the computer system using a selected hashing process to determine a computed hash value, wherein the first data includes data representing a current state of at least one application executing within the computer system;
- retrieving a trusted hash value, wherein the trusted hash value was created using the selected hashing process applied to second data representing a secure state of the one or more applications executing in the computer system, wherein the second data includes a system memory location indicative of the at least one application executing within the computer system; and
- comparing the computed hash value with the trusted hash value to determine whether there is unauthorized executable code in the computer system.
Abstract
Disclosed is a method for detecting unauthorized applications in execution within a computer system, such as for instance one of a Trojan horse application and a virus, prior to providing security data from a trusted source. According to the instant invention, a security application computes a hash value in dependence upon predetermined data in system memory and compares said computed hash value to a trusted hash value that was obtained when the system was in a verified secure state. The data is provided from the trusted source to an application in execution on the computer system only if the computed hash value and the trusted hash value are indicative of a same trusted state.
Claims (76 in total)
52. A method of detecting unauthorized executable code resident in a computer system, the method comprising:
- receiving user authorization information;
- authenticating the user authorization information to perform at least one of authorize and identify a user;
- when the user is at least one of authorized or identified, requesting security data of the user;
- providing a trusted security application executable on a processor of the computer system for determining a hash value using a selected hashing process applied to predetermined data existing in memory within the computer system, wherein the predetermined data includes system memory locations indicative of executable programs in operation;
- hashing the selected data existing in memory within the computer system using the predetermined process to determine a hash value;
- digitally signing the hash value to provide a trusted hash value; and
- retrievably storing the trusted hash value, wherein the predetermined data relates to programs in execution on the processor of the computer system when the computer system is in a secure state.

Dependent claims: 53 to 56.

57. A system for detecting unauthorized executable code resident in a computer system, the system comprising a computer processor programmed to perform the method comprising:
- receiving user authorization information;
- authenticating the user authorization information to perform at least one of authorize and identify a user;
- when the user is at least one of authorized or identified, requesting security data of the user;
- hashing first data stored in data storage within the computer system using a selected hashing process to determine a computed hash value, wherein the first data includes data representing a current state of at least one application executing within the computer system;
- retrieving a trusted hash value, wherein the trusted hash value was created using the selected hashing process applied to second data representing a secured state of the one or more applications executing in the computer system, wherein the second data includes data from at least a system memory location indicative of the at least one application executing within the computer system; and
- comparing the computed hash value with the trusted hash value to determine whether there is unauthorized executable code in the computer system.

58. A computer readable storage medium for detecting unauthorized executable code resident in a computer system, the computer readable storage medium having stored thereon instructions that, when executed, perform a method comprising:
- receiving user authorization information;
- authenticating the user authorization information to perform at least one of authorize and identify a user;
- when the user is at least one of authorized or identified, requesting security data of the user;
- hashing first data stored in data storage within the computer system using a selected hashing process to determine a computed hash value, wherein the first data includes data representing a current state of at least one application executing within the computer system;
- retrieving a trusted hash value, wherein the trusted hash value was created using the selected hashing process applied to second data representing a secure state of the one or more applications executing in the computer system, wherein the second data includes a system memory location indicative of the at least one application executing within the computer system; and
- comparing the computed hash value with the trusted hash value to determine whether there is unauthorized executable code in the computer system.

Dependent claims: 59 to 72.

73. A system for detecting unauthorized executable code resident in a computer system, the system comprising:
- means for receiving user authorization information;
- means for authenticating the user authorization information to perform at least one of authorize and identify a user;
- means for requesting security data of the user when the user is at least one of authorized or identified;
- means for hashing first data stored in data storage within the computer system using a selected hashing process to determine a computed hash value, wherein the first data includes data representing a current state of at least one application executing within the computer system;
- means for retrieving a trusted hash value, wherein the trusted hash value was created using the selected hashing process applied to second data representing a secure state of the one or more applications executing in the computer system, wherein the second data includes data from at least a system memory location indicative of the at least one application executing within the computer system; and
- means for comparing the computed hash value with the trusted hash value to determine whether there is unauthorized executable code in the computer system.

74. A method of detecting unauthorized executable code resident in a computer system, the method comprising:
- hashing first data stored in data storage within the computer system using a selected hashing process to determine a computed hash value, wherein the first data includes data representing a current state of at least one application executing within the computer system;
- retrieving a trusted hash value, wherein the trusted hash value was created using the selected hashing process applied to second data representing a secure state of the one or more applications executing in the computer system, wherein the second data includes a system memory location indicative of the at least one application executing within the computer system;
- comparing the computed hash value with the trusted hash value to determine whether there is unauthorized executable code in the computer system; and
- performing a user authorization process for verifying that a user is authorized,
wherein the one or more applications executing in the computer system includes at least one untrusted application and at least one trusted application, and wherein the method further comprises transmitting a password request from the at least one untrusted application to the at least one trusted application, and wherein the trusted hash value is digitally signed, and the method further comprises:
- decrypting the digitally-signed trusted hash value;
- comparing the decrypted trusted hash value with the computed hash value; and
- refusing the password request from the at least one untrusted application if the computed hash value and the decrypted trusted hash value do not substantially match.

75. A method of detecting unauthorized executable code resident in a computer system, the method comprising:
- hashing first data stored in data storage within the computer system using a selected hashing process to determine a computed hash value, wherein the first data includes data representing a current state of at least one application executing within the computer system;
- retrieving a trusted hash value, wherein the trusted hash value was created using the selected hashing process applied to second data representing a secure state of the one or more applications executing in the computer system, wherein the second data includes a system memory location indicative of the at least one application executing within the computer system, and further wherein the trusted hash value is encrypted;
- comparing the computed hash value with the trusted hash value to determine whether there is unauthorized executable code in the computer system,
wherein the computer system includes a plurality of networked computers, and wherein the encrypted trusted hash value is stored in a secure computer of said plurality of computers, the method further comprising:
- receiving in the secure computer the computed hash value transmitted from at least a first computer; and
- decrypting the encrypted trusted hash value in the secure computer, wherein comparing the computed hash value with the decrypted trusted hash value occurs in the secure computer;
- if the computed hash value and the trusted hash value substantially match:
  - retrieving a password from a memory in the secure computer; and
  - transmitting the retrieved password to the at least a first computer; and
- if the computed hash value and the trusted hash value do not substantially match:
  - transmitting an incorrect password and/or a lock command to the at least one untrusted application of the at least first computer.

76. A method of detecting unauthorized executable code resident in a computer system, the method comprising:
- hashing first data stored in data storage within the computer system using a selected hashing process to determine a computed hash value, wherein the first data includes data representing a current state of at least one application executing within the computer system;
- retrieving a trusted hash value, wherein the trusted hash value was created using the selected hashing process applied to second data representing a secure state of the one or more applications executing in the computer system, wherein the second data includes a system memory location indicative of the at least one application executing within the computer system, and further wherein the trusted hash value is encrypted;
- comparing the computed hash value with the trusted hash value to determine whether there is unauthorized executable code in the computer system,
wherein the computer system includes a plurality of networked computers, and wherein the encrypted trusted hash value is stored in a secure one of said plurality of computers, and the method further comprises:
- receiving in the secure computer the computed hash value transmitted from at least a first computer;
- decrypting the encrypted trusted hash value in the secure computer, wherein comparing the computed hash value with the decrypted trusted hash value occurs in the secure computer;
- if the computed hash value and the trusted hash value substantially match:
  - retrieving a password from a memory in the secure computer; and
  - transmitting the retrieved password to the at least first computer; and
- if the computed hash value and the trusted hash value do not substantially match:
  - prompting a user to verify that any unauthorized executable code in the at least first computer is from a known source.

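The networked exchange of claims 75 and 76, written out as an added example that is not part of the patent: a first computer hashes its in-memory program regions and sends the digest to a secure computer, which checks its stored trusted hash and returns the password on a match or a lock command otherwise. HMAC-SHA256 stands in for the digital signature protecting the trusted hash, the memory regions are constructed byte strings, and the class and function names are assumptions.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed stand-in for the "system memory locations indicative of executable
# programs in operation": region name -> bytes as read from process memory when
# the system was last known to be in a secure state.
GOLDEN_MEMORY: Dict[str, bytes] = {
    "trusted_app.text": b"\x55\x48\x89\xe5TRUSTED-APP-CODE",
    "browser.text": b"\x55\x48\x89\xe5BROWSER-CODE",
}

def compute_hash(regions: Dict[str, bytes]) -> bytes:
    """The 'selected hashing process': SHA-256 over the regions in a fixed order,
    with each name and length included so regions cannot be swapped or merged."""
    h = hashlib.sha256()
    for name in sorted(regions):
        h.update(name.encode())
        h.update(len(regions[name]).to_bytes(4, "big"))
        h.update(regions[name])
    return h.digest()

class SecureComputer:
    """Holds the signed trusted hash and the password (the 'secure computer')."""
    def __init__(self, signing_key: bytes, trusted_hash: bytes, password: str):
        self._key = signing_key
        # HMAC tag stands in for the digital signature on the trusted hash (assumption).
        self._record = (trusted_hash, hmac.new(signing_key, trusted_hash, "sha256").digest())
        self._password = password

    def handle_request(self, computed_hash: bytes) -> Tuple[str, str]:
        trusted_hash, tag = self._record
        # A trusted record whose signature no longer verifies is itself untrustworthy.
        if not hmac.compare_digest(hmac.new(self._key, trusted_hash, "sha256").digest(), tag):
            return ("LOCK", "trusted hash signature invalid")
        if hmac.compare_digest(computed_hash, trusted_hash):
            return ("PASSWORD", self._password)
        return ("LOCK", "computed hash does not match secure state")

def request_password(secure: SecureComputer, live_memory: Dict[str, bytes]) -> Tuple[str, str]:
    """First computer: hash its current memory state and send the digest over."""
    return secure.handle_request(compute_hash(live_memory))

def demo() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    secure = SecureComputer(b"constructed-signing-key", compute_hash(GOLDEN_MEMORY), "s3cret")
    clean = request_password(secure, GOLDEN_MEMORY)
    # Constructed tampering: extra code appended to one application's image.
    tampered = dict(GOLDEN_MEMORY, **{"browser.text": GOLDEN_MEMORY["browser.text"] + b"INJECTED"})
    return clean, request_password(secure, tampered)

if __name__ == "__main__":
    print(demo())
```

Because the digest is computed on the first computer, the check is only as strong as the isolation of the component that reads memory and hashes it; the secure computer also cannot tell a fresh digest from a replayed one unless a nonce is bound into each request.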
Specification