Title :
A Malicious Code Immune Model Based on Program Encryption
Author :
Chen Zemao ; Wu Xiaoping ; Tang Weimin
Author_Institution :
Dept. of Inf. Security, Naval Univ. of Eng., Wuhan
Abstract :
Signature scanning and access control have been the major approaches to malicious code defense in the past decades. The former can't defend against unknown attacks effectively, and the latter may be circumvented if its implementation lacks high security assurance. In this paper, a methodology for malicious code immunity is first proposed. Its key idea is to encrypt program files so that their formats are unrecognizable to unintended entities, thereby preventing untrusted programs from running and protecting trusted programs from being infected by computer viruses. Based on this methodology, a malicious code immune model is then proposed. It defines three security rules to make sure that only trusted programs can be loaded and run by the operating system. The model doesn't rely on an additional white list. It can be implemented as internal logic of the system call that creates processes. Therefore, circumventing it is much more difficult than circumventing access control models. A prototype of the model for Windows XP is also illustrated. It uses a kernel-mode file system filter driver and on-the-fly decryption, requiring neither binary-level nor source-code-level modifications to the Windows OS.
Keywords :
computer viruses; cryptography; operating systems (computers); telecommunication security; user interfaces; Windows OS; Windows XP; access control models; binary level; computer virus; internal logic; kernel mode file system filter driver; malicious code immune model; on-the-fly decryption; operating system; program encryption; signature scanning; source code level; Access control; Cryptography; File systems; Immune system; Kernel; Logic; Operating systems; Protection; Prototypes; Security;
Conference_Title :
Wireless Communications, Networking and Mobile Computing, 2008. WiCOM '08. 4th International Conference on
Conference_Location :
Dalian
Print_ISBN :
978-1-4244-2107-7
Electronic_ISBN :
978-1-4244-2108-4
DOI :
10.1109/WiCom.2008.2940