Method and system for detecting a secure state of a computer system

US 7,526,654 B2
Filed: 10/16/2001
Issued: 04/28/2009
Est. Priority Date: 10/16/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method of detecting unauthorized executable code resident in a computer system, the method comprising:

receiving user authorization information;

authenticating the user authorization information to perform at least one of authorize and identify a user;

when the user is at least one of authorized or identified, requesting security data of the user;

hashing first data stored in data storage within the computer system using a selected hashing process to determine a computed hash value, wherein the first data includes data representing a current state of at least one application executing within the computer system;

retrieving a trusted hash value, wherein the trusted hash value was created using the selected hashing process applied to second data representing a secure state of the one or more applications executing in the computer system, wherein the second data includes a system memory location indicative of the at least one application executing within the computer system; and

comparing the computed hash value with the trusted hash value to determine whether there is unauthorized executable code in the computer system.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a method for detecting unauthorized applications in execution within a computer system, such as for instance one of a Trojan horse application and a virus, prior to providing security data from a trusted source. According to the instant invention, a security application computes a hash value in dependence upon predetermined data in system memory and compares said computed hash value to a trusted hash value that was obtained when the system was in a verified secure state. The data is provided from the trusted source to an application in execution on the computer system only if the computed hash value and the trusted hash value are indicative of a same trusted state.

85 Citations

View as Search Results

76 Claims

1. A method of detecting unauthorized executable code resident in a computer system, the method comprising:
- receiving user authorization information;
  
  authenticating the user authorization information to perform at least one of authorize and identify a user;
  
  when the user is at least one of authorized or identified, requesting security data of the user;
  
  hashing first data stored in data storage within the computer system using a selected hashing process to determine a computed hash value, wherein the first data includes data representing a current state of at least one application executing within the computer system;
  
  retrieving a trusted hash value, wherein the trusted hash value was created using the selected hashing process applied to second data representing a secure state of the one or more applications executing in the computer system, wherein the second data includes a system memory location indicative of the at least one application executing within the computer system; and
  
  comparing the computed hash value with the trusted hash value to determine whether there is unauthorized executable code in the computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 2. The method of claim 1, wherein the authorization data is at least a biometric information sample, and wherein the authenticating includes comparing the at least a biometric information sample to a previously stored biometric template.
  - 3. The method of claim 1, further comprising:
    - when the comparison is indicative of other than unauthorized executable code resident in a computer system, providing the requested security data relating to the user.
  - 4. The method of claim 1, further comprising:
    - receiving a request for security data from an application in execution in the computer system; and
      
      when the comparison is indicative of other than an unauthorized executable program resident in a computer system, providing security data to the application.
  - 5. The method of claim 1, wherein the trusted hash value and the computed hash value are determined by a same trusted security application executing locally on a processor of a same computer system at different times, the trusted hash value determined when the known state is a secure state.
  - 6. The method of claim 5, wherein the trusted hash value is digitally signed.
  - 7. The method of claim 6, further comprising verifying an authenticity of the digitally signed trusted hash value.
  - 8. The method of claim 7, further comprising:
    - receiving a request for security data from an application in execution in the computer system; and
      
      when the authenticity of the digitally signed trusted hash value is verified and the comparison is indicative of other than unauthorized executable code resident in a computer system, providing the requested security data to the application.
  - 9. The method of claim 8, wherein the application and the predetermined hashing process are both executed on a same processor of the computer system.
  - 10. The method of claim 7, further comprising:
    - when the computed hash value and the trusted hash value are other than indicative of a secure state, issuing a notification that unauthorized executable code is detected within the computer system.
  - 11. The method of claim 10, further comprising:
    - when the computed hash value and the trusted hash value are other than indicative of a secure state, preventing access to the computer system.
  - 12. The method of claim 6, further comprising:
    - transmitting the trusted hash value to a second other computer system in communication with the computer system and retrievably storing the computed hash value within the second other computer system.
  - 13. The method of claim 12, further comprising transmitting the computed hash value to the second other computer system for comparison with the trusted hash value by a processor of the second other computer system.
  - 14. The method of claim 12, wherein the computed hash value is determined in dependence upon the predetermined data existing in memory within the computer system and some time dependent data of the computer system.
  - 15. The method of claim 13, wherein the second other computer system includes a trusted source and wherein security data is stored for provision to applications in execution on systems that are known to be secure.
  - 16. The method of claim 1, wherein the second data includes DLL tables.
  - 17. The method of claim 1, wherein the predetermined data is hashed in an absolute memory location independent fashion.
  - 18. The method of claim 1, wherein if the computed hash value and the trusted hash value substantially match, there is no unauthorized executable code in the computer system.
  - 19. The method of claim 1, further comprising performing a user authorization process for verifying that a user is authorized.
  - 20. The method of claim 19, wherein the one or more applications executing in the computer system includes at least one untrusted application and at least one trusted application, and further comprising transmitting a password request from the at least one untrusted application to the at least one trusted application.
  - 21. The method of claim 20, wherein the transmitting a password request from the at least one untrusted application to the at least one trusted application is in response to a user'"'"'s attempt to access a data file associated with the at least one untrusted application.
  - 22. The method of claim 20, wherein the user authorization process comprises:
    - detecting the password request from the at least one untrusted application by the at least one trusted application;
      
      prompting the user to input authorization information; and
      
      comparing the input authorization information with information retrieved from the at least one trusted application, wherein if the input authorization information successfully compares with the information retrieved from the at least one trusted application, the user is an authorized user.
  - 23. The method of claim 22, wherein the hashing data, retrieving a trusted hash value and the comparing the computed hash value with the trusted hash value are carried out if the input authorization information successfully compares with the information retrieved from the at least one trusted application.
  - 24. The method of claim 22, wherein the input authorization information comprises at least biometric information, and wherein the comparing includes comparing the at least biometric information with a previously stored biometric template.
  - 25. The method of claim 22, wherein the at least one trusted application includes a user verification database, and wherein the input authorization information is compared with information retrieved from the user verification database.
  - 26. The method of claim 20, wherein the trusted hash value is digitally signed and further comprising:
    - decrypting the digitally-signed trusted hash value;
      
      comparing the decrypted trusted hash value with the computed hash value; and
      
      refusing the password request from the at least one untrusted application if the computed hash value and the decrypted trusted hash value do not substantially match.
  - 27. The method of claim 1, wherein the at least one trusted application includes a hash generator and wherein the hashing data is carried out in the hash generator.
  - 28. The method of claim 1, wherein the trusted hash value is encrypted.
  - 29. The method of claim 28, wherein the trusted hash value is digitally signed.
  - 30. The method of claim 29, further comprising:
    - decrypting the digitally-signed trusted hash value; and
      
      comparing the decrypted trusted hash value with the computed hash value wherein if the computed hash value and the decrypted trusted hash value substantially match, there is no unauthorized executable code in the computer system.
  - 31. The method of claim 28, further comprising:
    - decrypting the encrypted trusted hash value; and
      
      comparing the decrypted trusted hash value with the computed hash value, wherein if the computed hash value and the decrypted trusted hash value substantially match, there is no unauthorized executable code in the computer system.
  - 32. The method of claim 28, wherein the computer system includes a plurality of networked computers, and wherein the encrypted trusted hash value is stored in a secure one of said plurality of computers, the method further comprising:
    - receiving in the secure computer, the computed hash value transmitted from at least a first computer;
      
      decrypting the encrypted trusted hash value in the secure computer;
      
      wherein the comparing of the decrypted trusted hash value with the computed hash value occurs in the secure computer; and
      
      if the computed hash value and the trusted hash value substantially match—
      
      retrieving a password from a memory in the secure computer; and
      
      transmitting the retrieved password to the at least a first computer.
  - 33. The method of claim 32, wherein the one or more applications executing in the computer system includes at least one untrusted application executing on the at least a first computer and at least one trusted application executing on the at least a first computer, the method further comprising:
    - detecting a password request from the at least one untrusted application by the at least one trusted application;
      
      prompting the user to input authorization information;
      
      comparing the input authorization information with information retrieved from the at least one trusted application; and
      
      wherein if the input authorization information successfully compares with the information retrieved from the at least one trusted application, the user is an authorized user.
  - 34. The method of claim 32, wherein the trusted hash value is digitally signed, and further comprising:
    - decrypting the digitally-signed trusted hash value in the secure computer; and
      
      comparing the decrypted trusted hash value with the computed hash value in the secure computer, wherein if the computed hash value and the decrypted trusted hash value substantially match, there is no unauthorized executable code in the at least a first computer.
  - 35. The method of claim 34, further comprising:
    - refusing the password request from the at least one untrusted application if the computed hash value and the decrypted trusted hash value do not substantially match.
  - 36. The method of claim 32, further comprising:
    - determining that the at least a first computer is in a known state;
      
      hashing data representing the known state of the at least one application executing in the at least a first computer using the selected hashing process to create the trusted hash value; and
      
      encrypting the trusted hash value.
  - 37. The method of claim 36, further comprising:
    - transmitting the encrypted trusted hash value to the secure computer; and
      
      storing the encrypted trusted hash value in the secure computer.
  - 38. The method of claim 32, further comprising:
    - encrypting the computed hash value in the at least a first computer prior to transmission; and
      
      decrypting the computer hash value in the secure computer.
  - 39. The method of claim 32, wherein the retrieved password is encrypted, and further comprising:
    - decrypting the retrieved password in the at least a first computer.
  - 40. The method of claim 32, further comprising:
    - transmitting an incorrect password to the at least one untrusted application of the at least first computer if the computed hash value and the trusted hash value do not substantially match.
  - 41. The method of claim 32, further comprising:
    - transmitting a lock command to the at least one untrusted application of the at least first computer if the computed hash value and the trusted hash value do not substantially match.
  - 42. The method of claim 32, wherein if the computed hash value and the trusted hash value do not substantially match, there is unauthorized executable code in the at least a first computer, and further comprising:
    - prompting a user to verify that the unauthorized executable code is from a known source.
  - 43. The method of claim 32, wherein the known state is an initial state of an operating system within the computer system.
  - 44. The method of claim 1, wherein the data storage comprises at least a volatile memory.
  - 45. The method of claim 1, wherein the data storage comprises at least a disk drive.
  - 46. The method of claim 1, further comprising:
    - determining that the computer system is in a known state;
      
      hashing data representing the known state of the at least the one application executing in the computer system using the selected hashing process to create the trusted hash value; and
      
      encrypting the trusted hash value.
  - 47. The method of claim 46, further comprising:
    - retrievably storing the trusted hash value in the data storage.
  - 48. The method of claim 46, wherein the determining comprises:
    - performing a user authorization process to determine an authorized user; and
      
      receiving a command from the authorized user that the computer system is in a known state.
  - 49. The method of claim 46, wherein the trusted hash value is digitally signed.
  - 50. The method of claim 1, further comprising:
    - prompting a user to verify that the unauthorized executable code is from a known source if the computed hash value and the trusted hash value do not substantially match.
  - 51. The method of claim 1, wherein the known state is an initial state of an operating system within the computer system.

52. A method of detecting unauthorized executable code resident in a computer system, the method comprising:
- receiving user authorization information;
  
  authenticating the user authorization information to perform at least one of authorize and identify a user;
  
  when the user is at least one of authorized or identified, requesting security data of the user;
  
  providing a trusted security application executable on a processor of the computer system for determining a hash value using a selected hashing process applied to predetermined data existing in memory within the computer system, wherein the predetermined data includes system memory locations indicative of executable programs in operation;
  
  hashing the selected data existing in memory within the computer system using the predetermined process to determine a hash value;
  
  digitally signing the hash value to provide a trusted hash value; and
  
  retrievably storing the trusted hash value, wherein the predetermined data relates to programs in execution on the processor of the computer system when the computer system is in a secure state.
- View Dependent Claims (53, 54, 55, 56)
- - 53. The method of claim 52, further comprising:
    - comparing a computed hash value with the trusted hash value to detect changes to the predetermined data existing in memory within the computer system.
  - 54. The method of claim 53, further comprising verifying the authenticity of the digital signature of the trusted hash value.
  - 55. The method of claim 54, further comprising:
    - when the computed hash value and the trusted hash value are indicative of a same state of a computer system, providing security data from a trusted source to an application in execution on the system.
  - 56. The method of claim 55, further comprising:
    - when the computed hash value and the trusted hash value are other than indicative of a same state of the system, sending a notification.

57. A system for detecting unauthorized executable resident in a computer system, the system comprising a computer processor programmed to perform the method comprising:
- receiving user authorization information;
  
  authenticating the user authorization information to perform at least one of authorize and identify a user;
  
  when the user is at least one of authorized or identified, requesting security data of the user;
  
  hashing first data stored in data storage within the computer system using a selected hashing process to determine a computed hash value, wherein the first data includes data representing a current state of at least one application executing within the computer system;
  
  retrieving a trusted hash value, wherein the trusted hash value was created using the selected hashing process applied to second data representing a secured state of the one or more applications executing in the computer system, wherein the second data includes data from at least a system memory location indicative of the at least one application executing within the computer system; and
  
  comparing the computed hash value with the trusted hash value to determine whether there is unauthorized executable code in the computer system.

58. A computer readable storage medium for detecting unauthorized executable code resident in a computer system, the computer readable storage medium having stored thereon instructions that, when executed, perform a method comprising:
- receiving user authorization information;
  
  authenticating the user authorization information to perform at least one of authorize and identify a user;
  
  when the user is at least one of authorized or identified, requesting security data of the user;
  
  hashing first data stored in data storage within the computer system using a selected hashing process to determine a computed hash value, wherein the first data includes data representing a current state of at least one application executing within the computer system;
  
  retrieving a trusted hash value, wherein the trusted hash value was created using the selected hashing process applied to second data representing a secure state of the one or more applications executing in the computer system, wherein the second data includes a system memory location indicative of the at least one application executing within the computer system; and
  
  comparing the computed hash value with the trusted hash value to determine whether there is unauthorized executable code in the computer system.
- View Dependent Claims (59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72)
- - 59. The computer readable storage medium of claim 58, wherein the authorization data is at least a biometric information sample, and wherein the authenticating includes comparing the at least a biometric information sample to a previously stored biometric template.
  - 60. The computer readable storage medium of claim 58, further comprising computer executable instructions for, when the comparison is indicative of other than unauthorized executable code resident in a computer system, providing the requested security data relating to the user.
  - 61. The computer readable storage medium of claim 58, further comprising computer executable instructions for receiving a request for security data from an application in execution in the computer system, and when the comparison is indicative of other than an unauthorized executable program resident in a computer system, providing security data to the application.
  - 62. The computer readable storage medium of claim 58, wherein the trusted hash value and the computed hash value are determined by a same trusted security application executing locally on a processor of a same computer system at different times, the trusted hash value determined when the known state is a secure state.
  - 63. The computer readable storage medium of claim 62, wherein the trusted hash value is digitally signed.
  - 64. The computer readable storage medium of claim 63, wherein the hashing data includes verifying an authenticity of the digitally signed trusted hash value.
  - 65. The computer readable storage medium of claim 64, further comprising computer executable instructions for when the computed hash value and the trusted hash value are other than indicative of a secure state, issuing a notification that unauthorized executable code is detected within the computer system.
  - 66. The computer readable storage medium of claim 65, further comprising computer executable instructions for, when the computed hash value and the trusted hash value are other than indicative of a secure state, preventing access to the computer system.
  - 67. The computer readable storage medium of claim 63, further comprising computer executable instructions for transmitting the trusted hash value to a second other computer system in communication with the computer system and retrievably storing the computed hash value within the second other computer system.
  - 68. The computer readable storage medium of claim 67, further comprising transmitting the computed hash value to the second other computer system for comparison with the trusted hash value by a processor of the second other computer system.
  - 69. The computer readable storage medium of claim 68, wherein the computed hash value is determined in dependence upon the predetermined data existing in memory within the computer system and some time dependent data of the computer system.
  - 70. The computer readable storage medium of claim 69, wherein the second other computer system includes a trusted source and wherein security data is stored for provision to applications in execution on systems that are known to be secure.
  - 71. The computer readable storage medium of claim 58, further comprising computer executable instructions for receiving a request for security data from an application in execution in the computer system, and, when the authenticity of the digitally signed trusted hash value is verified and the comparison is indicative of other than unauthorized executable code resident in a computer system, providing the requested security data to the application.
  - 72. The computer readable storage medium of claim 71, wherein the application and the predetermined hashing process are both executed on a same processor of the computer system.

73. A system for detecting unauthorized executable resident in a computer system, the system comprising:
- means for receiving user authorization information;
  
  means for authenticating the user authorization information to perform at least one of authorize and identify a user;
  
  means for requesting security data of the user when the user is at least one of authorized or identified;
  
  means for hashing first data stored in data storage within the computer system using a selected hashing process to determine a computed hash value, wherein the first data includes data representing a current state of at least one application executing within the computer system;
  
  means for retrieving a trusted hash value, wherein the trusted hash value was created using the selected hashing process applied to second data representing a secure state of the one or more applications executing in the computer system, wherein the second data includes data from at least a system memory location indicative of the at least one application executing within the computer system; and
  
  means for comparing the computed hash value with the trusted hash value to determine whether there is unauthorized executable code in the computer system.

74. A method of detecting unauthorized executable code resident in a computer system, the method comprising:
- hashing first data stored in data storage within the computer system using a selected hashing process to determine a computed hash value, wherein the first data includes data representing a current state of at least one application executing within the computer system;
  
  retrieving a trusted hash value, wherein the trusted hash value was created using the selected hashing process applied to second data representing a secure state of the one or more applications executing in the computer system, wherein the second data includes a system memory location indicative of the at least one application executing within the computer system;
  
  comparing the computed hash value with the trusted hash value to determine whether there is unauthorized executable code in the computer system; and
  
  performing a user authorization process for verifying that a user is authorized,wherein the one or more applications executing in the computer system includes at least one untrusted application and at least one trusted application, and wherein the method further comprises transmitting a password request from the at least one untrusted application to the at least one trusted application, andwherein the trusted hash value is digitally signed, and the method further comprises—
  
  decrypting the digitally-signed trusted hash value;
  
  comparing the decrypted trusted hash value with the computed hash value; and
  
  refusing the password request from the at least one untrusted application if the computed hash value and the decrypted trusted hash value do not substantially match.

75. A method of detecting unauthorized executable code resident in a computer system, the method comprising:
- hashing first data stored in data storage within the computer system using a selected hashing process to determine a computed hash value, wherein the first data includes data representing a current state of at least one application executing within the computer system;
  
  retrieving a trusted hash value, wherein the trusted hash value was created using the selected hashing process applied to second data representing a secure state of the one or more applications executing in the computer system, wherein the second data includes a system memory location indicative of the at least one application executing within the computer system, and further wherein the trusted hash value is encrypted;
  
  comparing the computed hash value with the trusted hash value to determine whether there is unauthorized executable code in the computer system,wherein the computer system includes a plurality of networked computers, and wherein the encrypted trusted hash value is stored in a secure computer of said plurality of computers, the method further comprising—
  
  receiving in the secure computer, the computed hash value transmitted from at least a first computer; and
  
  decrypting the encrypted trusted hash value in the secure computer,wherein comparing the computed hash value with the decrypted trusted hash value occurs in the secure computer;
  
  if the computed hash value and the trusted hash value substantially match—
  
  retrieving a password from a memory in the secure computer; and
  
  transmitting the retrieved password to the at least a first computer; and
  
  if the computed hash value and the trusted hash value do not substantially match—
  
  transmitting an incorrect password and/or a lock command to the at least one untrusted application of the at least first computer.

76. A method of detecting unauthorized executable code resident in a computer system, the method comprising:
- hashing first data stored in data storage within the computer system using a selected hashing process to determine a computed hash value, wherein the first data includes data representing a current state of at least one application executing within the computer system;
  
  retrieving a trusted hash value, wherein the trusted hash value was created using the selected hashing process applied to second data representing a secure state of the one or more applications executing in the computer system, wherein the second data includes a system memory location indicative of the at least one application executing within the computer system, and further wherein the trusted hash value is encrypted;
  
  comparing the computed hash value with the trusted hash value to determine whether there is unauthorized executable code in the computer system,wherein the computer system includes a plurality of networked computers, and wherein the encrypted trusted hash value is stored in a secure one of said plurality of computers, and the method further comprises—
  
  receiving in the secure computer, the computed hash value transmitted from at least a first computer;
  
  decrypting the encrypted trusted hash value in the secure computer,wherein comparing the computed hash value with the decrypted trusted hash value occurs in the secure computer;
  
  if the computed hash value and the trusted hash value substantially match—
  
  retrieving a password from a memory in the secure computer; and
  
  transmitting the retrieved password to the at least first computer; and
  
  if the computed hash value and the trusted hash value do not substantially match—
  
  prompting a user to verify that any unauthorized executable code in the at least first computer is from a known source.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Assa Abloy AB
Original Assignee
Activcard Ireland, Limited
Inventors
Charbonneau, Marc
Primary Examiner(s)
Parthasarathy; Pramila

Application Number

US09/977,203
Publication Number

US 20030074567A1
Time in Patent Office

2,751 Days
Field of Search

713/186, 713/165, 713/167, 713/176
US Class Current

713/188
CPC Class Codes

G06F 21/565 by checking file integrity

G06F 21/57 Certifying or maintaining t...

Method and system for detecting a secure state of a computer system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

85 Citations

76 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting a secure state of a computer system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

76 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links