Title :
Program Security Inspection: Model and Implementation
Author :
Zemao Chen ; Xiaoping Wu ; Weimin Tang
Author_Institution :
Dept. of Inf. Security, Naval Univ. of Eng., Wuhan
Abstract :
Current approaches to malicious code defense are mostly signature scanning and execution monitoring. Because deciding whether arbitrary code is malicious is undecidable in general, they cannot defend effectively against unknown attacks. This paper investigates a program security inspection model that combines integrity measurement with access control. At initial system setup, it indexes all known and trusted programs in a white list (WL) by both their identifiers and their integrity signatures. At run time, it measures the integrity signature of each program file about to be loaded and verifies it against the WL. By refusing to run programs that are unknown or have been modified unexpectedly, the model guarantees that only trusted programs can be invoked. Since it does not rely on signatures of malicious code, it is not bound by their undecidability and can therefore block both known and unknown attacks with no false results. The model is implemented on Windows 2000/XP as a kernel-mode file system filter driver, so neither source-level nor binary-level modification of the Windows OS is required. To improve the usability of the implementation, an administrative utility vets programs that arrive after the initial setup: those from trusted origins that have not been altered since release are deemed secure and are added to the WL so that they work normally.
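The following is an added example, not code from the paper, that models the inspection policy the abstract describes in plain Python rather than as a Windows filter driver. The program images are constructed byte strings standing in for executable files, the identifier is taken to be the file path, the integrity signature is SHA-256 (the abstract does not fix a hash function), and the "not altered after release" check of the administrative utility is modelled by comparing against a publisher-supplied reference signature; all of these are assumptions. The example also shows a case the abstract only implies: a trusted image copied to an unindexed path is denied because the WL requires both identifier and signature to match.

```python
"""Whitelist-based program security inspection: integrity measurement + access control.

Added illustration of the model in the abstract; not the paper's implementation.
Assumptions: identifier == file path, integrity signature == SHA-256 of the image,
and inspect() stands in for the filter driver's hook on each program load.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def integrity_signature(image: bytes) -> str:
    """Integrity signature of a program image (SHA-256 hex; hash choice is an assumption)."""
    return hashlib.sha256(image).hexdigest()


def build_whitelist(trusted_programs: Dict[str, bytes]) -> Dict[str, str]:
    """Initial system setup: index every known, trusted program by identifier AND signature."""
    return {ident: integrity_signature(image) for ident, image in trusted_programs.items()}


def inspect(ident: str, image: bytes, wl: Dict[str, str]) -> Tuple[bool, str]:
    """Load-time check. Default deny: only an indexed identifier whose current
    signature equals the indexed one is allowed to run."""
    expected = wl.get(ident)
    if expected is None:
        return False, "unknown program: identifier not in WL"
    actual = integrity_signature(image)
    if not hmac.compare_digest(actual, expected):
        return False, "modified program: signature mismatch"
    return True, "trusted"


def admit(ident: str, image: bytes, wl: Dict[str, str],
          trusted_origin: bool, release_signature: Optional[str]) -> bool:
    """Administrative utility for programs that arrive after setup.
    Adds the program to the WL only if it comes from a trusted origin and its
    signature equals the reference signature published at release (assumed to be
    how 'not altered after release' is established)."""
    if not trusted_origin or release_signature is None:
        return False
    sig = integrity_signature(image)
    if not hmac.compare_digest(sig, release_signature):
        return False  # altered after release
    wl[ident] = sig
    return True


# Constructed sample images; real files would be read from disk.
NOTEPAD = r"C:\Windows\System32\notepad.exe"
TOOL = r"C:\Program Files\Tool\tool.exe"
TRUSTED = {
    NOTEPAD: b"MZ...notepad-image-v1",
    TOOL: b"MZ...tool-image-v1",
}
NEW_APP = r"C:\Program Files\NewApp\newapp.exe"
NEW_APP_IMAGE = b"MZ...newapp-image-v1"


def demo() -> dict:
    """Run the model over the cases a practitioner would check; returns decisions."""
    wl = build_whitelist(TRUSTED)
    results = {
        "intact": inspect(NOTEPAD, TRUSTED[NOTEPAD], wl),
        "tampered": inspect(NOTEPAD, b"MZ...notepad-image-v1+patched", wl),
        "unknown": inspect(r"C:\Users\u\dropper.exe", b"MZ...dropper", wl),
        # Right signature, but copied to a path that was never indexed.
        "copied": inspect(r"C:\Temp\notepad.exe", TRUSTED[NOTEPAD], wl),
    }
    # Program introduced after setup: denied until the administrator vets it.
    results["before_admit"] = inspect(NEW_APP, NEW_APP_IMAGE, wl)
    results["admit_altered"] = admit(NEW_APP, NEW_APP_IMAGE + b"+trojan", wl,
                                     trusted_origin=True,
                                     release_signature=integrity_signature(NEW_APP_IMAGE))
    results["admit_ok"] = admit(NEW_APP, NEW_APP_IMAGE, wl, trusted_origin=True,
                                release_signature=integrity_signature(NEW_APP_IMAGE))
    results["after_admit"] = inspect(NEW_APP, NEW_APP_IMAGE, wl)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14} -> {outcome}")
```

The decisions never consult a malware signature: every outcome is a lookup against the WL, which is what lets the model deny a never-before-seen dropper exactly as it denies a patched copy of notepad. The price, visible in the before_admit case, is that every legitimate program introduced after setup is also denied until an administrator admits it, which is why the paper pairs the driver with the vetting utility.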
Keywords :
authorisation; data integrity; digital signatures; program verification; system monitoring; access control rule; execution-monitoring approach; malicious code defense; malicious code undecidability; program integrity signature measurement; program security inspection model; signature-scanning approach; system running time; trusted program file verification; white list; Access control; Computer security; Context modeling; Data security; Databases; Filters; Information security; Inspection; Operating systems; Protection;
Conference_Titel :
Wireless Communications, Networking and Mobile Computing, 2008. WiCOM '08. 4th International Conference on
Conference_Location :
Dalian
Print_ISBN :
978-1-4244-2107-7
Electronic_ISBN :
978-1-4244-2108-4
DOI :
10.1109/WiCom.2008.2933