USRE43987E1

Movatterモバイル変換

Info

Publication number: USRE43987E1
Application number: US13/015,186
Authority: US
Inventors: Allen F. Rozman; Alfonso J. Cioffi
Original assignee: Individual
Current assignee: ROZMAN MEGAN ELIZABETH; ROZMAN MELANIE ANN; ROZMAN MORGAN LEE
Priority date: 2004-08-07
Filing date: 2011-01-27
Publication date: 2013-02-05
Also published as: USRE43500E1; USRE43528E1; US20060031940A1; USRE43529E1; USRE43103E1; US7484247B2

Abstract

In a computer system, a first electronic data processor is communicatively coupled to a first memory space and a second memory space. A second electronic data processor is communicatively coupled the second memory space and to a network interface device. The second electronic data processor is capable of exchanging data across a network of one or more computers via the network interface device. A video processor is adapted to combine video data from the first and second electronic data processors and transmit the combined video data to a display terminal for displaying the combined video data in a windowed format. The computer system is configured such that a malware program downloaded from the network and executing on the second electronic data processor is incapable of initiating access to the first memory space.

Description

CROSS REFERENCE TO MULTIPLE REISSUE APPLICATIONS

This is a reissue continuation application of U.S. Reissue patent application Ser. No. 12/854,149 filed Aug. 10, 2010 (now, U.S. Pat. No. Re. 43,103), which is a reissue application of U.S. Pat. No. 7,484,247, entitled “System and Method for Protecting a Computer System from Malicious Software,” issued on Jan. 27, 2009. The following are related reissue applications: U.S. patent application Ser. No. 12/720,147 (now, U.S. Pat. No. Re. 43,528) from U.S. Pat. No. 7,484,247, filed on Mar. 9, 2010, U.S. patent application Ser. No. 12/720,207 (now, U.S. Pat. No. Re. 43,500) from U.S. Pat. No. 7,484,247, filed on Mar. 9, 2010, and U.S. patent application Ser. No. 12/941,067 (now, U.S. Pat. No. Re. 43,529) from U.S. Pat. No. 7,484,247, filed on Nov. 7, 2010. All of the above applications are incorporated herein by reference.

TECHNICAL FIELD

The present invention relates generally to computer hardware and software, and more particularly to a system and method for protecting a computer system from malicious software.

CROSS REFERENCE TO RELATED PATENTS AND APPLICATIONS

This application is related to the following U.S. patents and applications:


U.S. patent
or PUB
Application
Number	Title	Inventor(s)

5,826,013	Polymorphic virus detection module.	Nachenberg
5,978,917	Detection and elimination of macro	Chi
	viruses.
6,735,700	Fast virus scanning using session	Flint, et al
	stamping.
6,663,000	Validating components of a malware	Muttik, et al.
	scanner.
6,553,377	System and process for maintaining a	Eschelbeck,
	plurality of remote security applications	et al.
	using a modular framework in a
	distributed computing environment.
6,216,112	Method for software distribution and	Fuller, et al.
	compensation with replenishable
	advertisements.
4,890,098	Flexible window management on a	Dawes, et al.
	computer display.
5,555,364	Windowed computer display.	Goldstein
5,666,030	Multiple window generation in computer	Parson
	display.
5,995,103	Window grouping mechanism for	Ashe
	creating, manipulating and displaying
	windows and window groups on a display
	screen of a computer system.
5,502,808	Video graphics display system with	Goddard, et al.
	adapter for display management based
	upon plural memory sources.
5,280,579	Memory mapped interface between host	Nye
	computer and graphics system.
5,918,039	Method and apparatus for display of	Buswell, et al
	windowing application programs on a
	terminal.
6,480,198	Multi-function controller and method for a	Kang
	computer graphics display system.
6,167,522	Method and apparatus for providing	Lee, et al.
	security for servers executing application
	programs received via a network
6,199,181	Method and system for maintaining	Rechef, et al.
	restricted operating environments for
	application programs or operating
	systems.
6,275,938	Security enhancement for untrusted	Bond, et al.
	executable code.
6,321,337	Method and system for protecting	Reshef, et al.
	operations of trusted internal networks.
6,351,816	System and method for securing a	Mueller, et al.
	program's execution in a network
	environment.
6,546,554	Browser-independent and automatic	Schmidt, et al.
	apparatus and method for receiving,
	installing and launching applications from
	a browser on a client computer.
6,658,573	Protecting resources in a distributed	Bischof, et al
	computer system.
6,507,904	Executing isolated mode instructions in a	Ellison, et al.
	secure system running in privilege rings.
6,633,963	Controlling access to multiple memory	Ellison, et al.
	zones in an isolated execution
	environment.
6,678,825	Controlling access to multiple isolated	Ellison, et al.
	memories in an isolated execution
	environment.
5,751,979	Video hardware for protected,	McCrory
	multiprocessing systems.
6,581,162	Method for securely creating, storing and	Angelo, et al.
	using encryption keys in a computer
	system.
6,134,661	Computer network security device and	Topp
	method.
6,578,140	Personal computer having a master	Policard
	computer system and in internet computer
	system and monitoring a condition of said
	master and internet computer systems
PUB	E-mail software and method and system	Jacobs, Paul E.,
Application #	for distributing advertisements to client	et al.
20040054588	devices that have such e-mail software
	installed thereon.
PUB	System and method for comprehensive	Mayer, Yaron;
Application #	general generic protection for computers	et al.
20040034794	against malicious programs that may steal
	information and/or cause damages
PUB	System and method for providing security	Skrepetos,
Application #	to a remote computer over a network	Nicholas C.
20040006715	browser interface.
PUB	Virus protection in an internet	Samman, Ben
Application #	environment.
20030177397
PUB	System and method for protecting	Pham, Khai;
Application #	computer users from web sites hosting	et al.
20030097591	computer viruses.
PUB	Malware infection suppression.	Hinchliffe,
Application #		Alexander
20030023857		James; et al.
PUB	Access control for computers.	Riordan, James
Application #
20020066016
PUB	Detecting malicious alteration of stored	Wolff, Daniel
Application #	computer files.	Joseph; et al.
20020174349

The above-listed U.S. Patents and U.S. patent applications are incorporated by reference as if reproduced herein in their entirety.

BACKGROUND

Although there are definite benefits to this open interconnection architecture, a lack of security against unwanted incursions into the computers main processing and non-volatile memory space has emerged as a significant problem. An aspect of some current computer architectures that has contributed to the security problem is that by default programs are typically allowed to interact with and/or alter other programs and data files, including critical operating system files, such as the windows registry, for example. Current open interconnection architectures have opened the door to a new class of unwanted malicious software generally known a malware. This malware is capable of infiltrating any computer system which is connected to a network of interconnected computer systems. Malware is comprised of, but not limited to, classes of software files known as viruses, worms, Trojan horses, browser hijackers, adware, spyware, pop-up windows, data miners, etc. Such malware attacks are capable of stealing data by sending user keystrokes or information stored on a user's computer back to a host, changing data or destroying data on personal computers and/or servers and/or other computerized devices, especially through the Internet. In the least, these items represent a nuisance that interferes with the smooth operation of the computer system, and in the extreme, can lead to the unauthorized disclosure of confidential information stored on the computer system, significant degradation of computer system performance, or the complete collapse of computer system function.

Malware has recently become much more sophisticated and much more difficult for users to deal with. Once resident on a computer system, many malware programs are designed to protect themselves from deletion. For example, some malware programs comprise a pair of programs running simultaneously, with each program monitoring the other for deletion. If one of the pair of programs is deleted, the other program installs a replacement within milliseconds. In another example, some malware will run as a Windows program with a .dlls extension, which Windows may not allow a user to delete while it is executing. Malware may also reset a user's browser home page, change browser settings, or hijack search requests and direct such requests to another page or search engine. Further, the malware is often designed to defeat the user's attempts to reset the browser settings to their original values. In another example, some malware programs secretly record user input commands (such as keystrokes), then send the information back to a host computer. This type of malware is capable of stealing important user information, such as passwords, credit account numbers, etc.

Many existing computers rely on a special set of instructions which define an operating system (O/S) in order to provide an interface for computer programs and computer components such as the computer's memory and central processing unit (CPU). Many current operating systems have a multi-tasking capability which allows multiple computer programs to run simultaneously, with each program not having to wait for termination of another in order to execute instructions. Multi-tasking O/S's allow programs to execute simultaneously by allowing programs to share resources with other programs. For example, an operating system running multiple programs executing at the same time allows the programs to share the computer's CPU time. Programs which run on the same system, even if not simultaneously with other programs, share space on the same nonvolatile memory storage medium. Programs which are executing simultaneously are presently able to place binaries and data in the same physical memory at the same time, limited to a certain degree by the O/S restrictions and policy, to the extent that these are properly implemented. Memory segments are shared by programs being serviced by the O/S, in the same manner. O/S resources, such as threads, process tables and memory segments, are shared by programs executing simultaneously as well.

While allowing programs to share resources has many benefits, there are resulting security related ramifications, particularly regarding malware programs. Security problems include allowing the malware program: to capitalize CPU time, leaving other programs with little or no CPU time; to read, forge, write, delete or otherwise corrupt files created by other programs; to read, forge, write, delete or otherwise corrupt executable files of other programs, including the O/S itself; and to read and write memory locations used by other programs to thus corrupt execution of those programs.

In the case of a computer connected to the Internet, the computer may run an O/S, with several user applications, together comprising a known and trusted set of programs, concurrently with an Internet browser, possibly requiring the execution of downloaded code, such as Java applets, or EXE/COM executables, with the latter programs possibly containing malware. Many security features and products are being built by software manufacturers and by O/S programmers to prevent malware infiltrations from taking place, and to ensure the correct level of isolation between programs. Among these are architectural solutions such as rings-of-protection in which different trust levels are assigned to memory portions and tasks, paging which includes mapping of logical memory into physical portions or pages, allowing different tasks to have different mapping, with the pages having different trust levels, and segmentation which involves mapping logical memory into logical portions or segments, each segment having its own trust level wherein each task may reference a different set of segments. Since the sharing capabilities using traditional operating systems are extensive, so are the security features. However, the more complex the security mechanism is, the more options a malware practitioner has to bypass the security and to hack or corrupt other programs or the O/S itself, sometimes using these very features that allow sharing and communication between programs to do so.

Further, regarding malware programs, for virtually every software security mechanism, a malware practitioner has found a way to subvert, or hack around, the security system, allowing a malware program to cause harm to other programs in the shared environment. This includes every operating system and even the Java language, which was designed to create a standard interface, or sandbox, for Internet downloadable programs or applets.

Major vulnerabilities of existing computer systems lies in the architectures of the computer system and of the operating system itself. A typical multi-tasking O/S environment includes an O/S kernel loaded in the computer random access memory (RAM) at start-up of the computer. The O/S kernel is a minimal set of instructions which loads and off-loads resources and resource vectors into RAM as called upon by individual programs executing on the computer. Sometimes, when two or more executing programs require the same resource, such as printer output, for example, the O/S kernel leaves the resource loaded in RAM until all programs have finished with that resource. Other resources, such as disk read and write, are left in RAM while the operating system is running because such resources are more often used than others. The inherent problem with existing architectures is that resources, such as RAM, or a hard disk, are shared by programs simultaneously, giving a malware program a conduit to access and corrupt other programs, or the O/S itself through the shared resource. Furthermore, as many application programs are of a general nature, many features are enabled by default or by the O/S, thus in many cases bypassing the O/S security mechanism. Such is the case when a device driver or daemon is run by the O/S in kernel mode, which enables it unrestricted access to many if not all the resources.

The most common state-of the-art solutions for preventing malware infiltration are software based, such as blockers, sweepers and firewalls, for example, and hardware based solutions such as router/firewalls. Examples of software designed to counter malware are Norton Systems Works, distributed by the Symantec Corporation, Ad-aware, distributed by the Lavasoft Corporation of Sweeden, Spy Sweeper, distributed by the Webroot Software Corporation, Spyware Guard, distributed by Javacool Software LLC, among others. Currently there are a plethora of freeware, shareware and purchased software programs designed to counter malware by a variety of means. Such anti-malware programs are limited because they can only detect known malware that has already been identified (usually after the malware has already attacked one or more computers).

Network firewalls are typically based on packet filtering, which is limited in principle, since the rules determining which packets to accept and which to reject may contain subjective decisions based on trusting known sites or known applications. However, once security is breached for any reason (for example, due to a software or hardware error, a new piece of malware unrecognized by the anti-malware program or firewall, or an intended deception), a malicious application may take over the computer or server or possibly the entire network and create unlimited damages (directly or indirectly by opening the door to additional malicious applications).

The methods in the prior art are typically comprised of embedded software countermeasures that detect and filter unwanted intrusions in real time, or scan the computer system either at the direction of a user or as a scheduled event. Two problems arise from these methods. In the first instance, a comprehensive scan, detect, and elimination of malware from desired incoming data streams could significantly slow or preclude the interactive nature of many applications such a gaming, messaging, and browsing. In the second instance, newly implemented software screens may be quickly circumvented by malware practitioners who are determined to pass their files through the screen. Newly discovered malware leads to the development of additional screens, which lead to more malware, etc., thus creating an escalating cycle of measure, countermeasure. The basic flaw is that all incoming executable data files must be resident on the computers main processor to perform their desired function. Once resident on that processor, access may be gained to non-volatile memory and other basic computer system elements. Malware exploits this key architectural flaw to infiltrate and compromise computer systems.

The majority of these applications rely upon a scanning engine which searches suspect files for the presence of predetermined malware signatures. These signatures are held in a database which must be constantly updated to reflect the most recently identified malware. Typically, users regularly download replacement databases, either over the Internet, from a received e-mail, or from a CDROM or floppy disc. Users are also expected to update their software engines every so often in order to take advantage of new virus detection techniques (e.g. which may be required when a new strain of malware is detected).

Many of the aforementioned applications are also not effective against security holes, for example, in browsers or e-mail programs, or in the operating system itself. Security holes in critical applications are discovered quite often, and just keeping up with all the patches is cumbersome. Also, without proper generic protection against, for example, Trojan horses, even VPNs (Virtual Private Networks) and other forms of data encryption, including digital signatures, are not totally safe because information can be stolen before or below the encryption layer. Even personal firewalls are typically limited, because once a program is allowed to access the Internet, there are often few limitations on what files may be accessed and transmitted back to a host.

A major problem faced by computer users connected to a network is that the network interface program (a browser, for example) is resident on the same processor as the O/S and other trusted programs, and shares space on a common memory storage medium. Even with security designed into the O/S, malware practitioners have demonstrated great skill in circumventing software security measures to create malware capable of corrupting critical files on the shared memory storage medium. When this happens, users are often faced with a lengthy process of restoring their computer systems to the correct configuration, and often important files are simply lost because no backup exists.

Therefore, what is needed in the art is a means of isolating the network interface program from the main computer system such that the network interface program does not share a common memory storage area with other trusted programs. The network interface program may be advantageously given access to a separate, protected memory area, while being unable to initiate access to the main computer's memory storage area. With the network interface program constrained in this way, malware programs are rendered unable to automatically corrupt critical system and user files located on the main memory storage area. If a malware infection occurs, a user would be able to completely clean the malware infection from the computer using a variety of methods. A user could simply delete all files contained in the protected memory area, and restore them from an image residing on the main memory area, for example.

Other discussions of malware, its effects on computer systems, techniques used by malware practitioners to install malware, and techniques for detection and removal, may be found in the published literature, and in some of the patents and applications previously incorporated by reference. Reference to malware may be found in a technical white paper entitled “Spyware, Adware, and Peer-to-Peer Networks: The Hidden Threat to Corporate Security.”, by Kevin Townsend, © Pest Patrol Inc. 2003. Pest Patrol is a Carlisle; Pa. based developer of software security tools. Another reference is a technical white paper entitled “Beyond Viruses: Why anti-virus software is no longer enough.” by David Stang, PhD, © Pest Patrol Inc. 2002. Yet another reference is “The Web: Threat or Menace?” from “Firewalls and Internet Security: Repelling the Wily Hacker”, Second Edition, Addison-Wesley. ISBN 0-201-63466-X, Copyright 2003. The foregoing references are incorporated by reference as if reproduced herein in their entirety.

SUMMARY OF THE INVENTION

Embodiments of the present invention achieve technical advantages as a system and method for protecting a computer system from malicious software attacks via a network connection.

It is an object of the present invention to provide a computer system capable of preventing malware programs from automatically corrupting critical user and system files.

It is another object of the present invention to confine any malware infection that may occur to a separate, protected part of the computer system.

It is another object of the present invention to provide a user with an easy and comprehensive method of removing the malware infection, even if the user's anti-malware software is incapable of detecting and/or removing the malware infection.

It is another object of the present invention to provide a user with an easy and comprehensive method of restoring critical system and user files that may have been corrupted by a malware infection.

It is another object of the present invention to provide a computer system configured such that attempts by malware to record and report data entry by the computer user via input devices such as keyboards, mouse clicks, microphones, or any other data input devices are effectively blocked.

It is another object of the present invention to provide a computer system capable of executing instructions in a first logical process, wherein the first logical process is capable of accessing data contained in a first memory space and a second memory space.

It is another object of the present invention to provide a computer system capable of executing instructions in a second logical process, wherein the second logical process is capable of accessing data contained in the second memory space, the second logical process being further capable of exchanging data across a network of one or more computers.

It is another object of the present invention to provide a computer system capable of displaying, in a windowed format on a display terminal, data from the first logical process and the second logical process, wherein a video processor is adapted to combine data from the first and second logical processes and transmit the combined data to the display terminal

It is another object of the present invention to provide a computer system configured such that a malware program downloaded from the network and executing as part of the second logical process is incapable of initiating access to the first memory space.

It is another object of the present invention to provide a computer system configured such that corrupted data files residing on the second memory space may be restored from an image residing on the first memory space.

It is another object of the present invention to provide a computer system configured such that data files residing on the second memory space may be automatically deleted when the second logical process is terminated.

It is another object of the present invention to provide a computer system configured such that the second electronic data processor and the video processor are co-located on a circuit card, the circuit card being communicatively coupled to the first electronic data processor.

These objects and other advantages are provided by a preferred embodiment of the present invention wherein a computer system comprising a first electronic data processor is communicatively coupled to a first memory space and to a second memory space, a second electronic data processor is communicatively coupled to the second memory space and to a network interface device, wherein the second electronic data processor is capable of exchanging data across a network of one or more computers via the network interface device, a video processor is adapted to combine video data from the first and second electronic data processors and transmit the combined video data to a display terminal for displaying the combined video data in a windowed format, wherein the computer system is configured such that a malware program downloaded from the network and executing on the second electronic data processor is incapable of initiating access to the first memory space.

TERM DESCRIPTION

Memory—This term is intended to broadly encompass any device capable of storing and/or incorporating computer readable code for instantiating the client device referred to immediately above. Thus, the term encompasses all types of recording medium, e.g., a CD-ROM, a disk drive (hard or soft), magnetic tape, and recording devices, e.g., memory devices including DRAM, SRAM, EEPROM, FRAM, and Flash memory. It should be noted that the term is intended to include any type of device which could be deemed persistent storage. To the extent that an Application Specific Integrated Circuit (ASIC) can be considered to incorporate instructions for instantiating a client device, an ASIC is also considered to be within the scope of the term “memory.”

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention, and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:

FIG. 1 illustrates a preferred embodiment of an exemplary computer system according to the principles of the present invention;

FIG. 2 illustrates a preferred embodiment of an exemplary protected process flow according to the principles of the present invention;

FIG. 3 illustrates a preferred embodiment of an exemplary file download process according to the principles of the present invention;

FIG. 4 illustrates a preferred embodiment of an exemplary memory restoration process according to the principles of the present invention;

FIG. 5 illustrates a preferred embodiment of an exemplary automatic memory restoration and cleaning process according to the principles of the present invention;

FIG. 6 illustrates a preferred embodiment of an exemplary interactive network process flow according to the principles of the present invention;

FIG. 7 illustrates a preferred embodiment of an exemplary computer system according to the principles of the present invention;

FIG. 8 illustrates a preferred embodiment of an exemplary computer system according to the principles of the present invention;

FIG. 9 illustrates a preferred embodiment of an exemplary computer system according to the principles of the present invention;

FIG. 10 illustrates a preferred embodiment of an exemplary protected process flow according to the principles of the present invention.

DETAILED DESCRIPTION OF THE ILLUSTRATED EMBODIMENTS

The making and using of the presently preferred embodiments are discussed in detail below. It should be appreciated, however, that the present invention provides many applicable inventive concepts that can be embodied in a wide variety of specific contexts. The specific embodiments discussed are merely illustrative of specific ways to make and use the invention, and do not limit the scope of the invention.

A computer system, constructed in accordance with a preferred embodiment of the present invention, is illustrated inFIG. 1.Computer system100 may represent, for example, a personal computer (PC) system, a server, a portable computer, such as a notebook computer, or any data processing system, a personal digital assistant (PDA), a communication device such as a cell phone, or device that is capable of being connected to a network of one or more computers.System100 comprises a first processor120 (P1) communicatively coupled to a first memory and data storage area110 (M1).P1100 may comprise, for example, a microprocessor, such as a Pentium®4 processor, manufactured by the Intel Corporation, or a Power PC® processor, manufactured by the IBM Corporation. Other electronic data processors manufactured by other companies, including but not limited to electronic data processors realized in Application Specific Integrated Circuits (ASICs) or in Field Programmable Gate Arrays (FP-GAs), are within the spirit and scope of the present invention.

The first memory anddata storage area110 may comprise both volatile and nonvolatile memory devices, such as DRAMs and hard drives, respectively. Any memory structure and/or device capable of being communicatively coupled to P1 may be advantageously used in the present invention. M1 may be used to store, for example, critical operating system files, user data and applications, interim results of calculations, etc. The many uses of computer memory are well understood by those skilled in the art, and will not be discussed further here. One may refer to several of the aforementioned patents and applications incorporated by reference, in addition to other references, for a discussion of existing computer architectures and uses of computer memory. Also part ofsystem100 isuser interface150, which may comprise, for example, a keyboard, mouse or other pointing device, microphone, pen pad, etc. Any device or method capable of inputting commands and/or data from auser160 tocomputer system100 may be used to advantage. Avideo processor170 is used to format information for display and transmit the display information to avideo display device180, which is viewed byuser160.Video processor170 typically includes an associated video memory area, which may be dedicated to the video processor, or shared with other resources. It is understood in the art that thevideo processor170 may be part ofprocessor P1120, in that it may be integrated onto the microprocessor chip.Video processor170 may also comprise a processor IC located on a video graphics card, which is communicatively coupled to a computer motherboard. Additionally,video processor170 may comprise circuitry located on the computer motherboard. Further still, functions ofvideo processor170 may be split between the processor, motherboard, or separate video graphics card.

It is often desirable to connectcomputer system100 to a network of one ormore computer devices195, such as the Internet, a LAN, WAN, VPN, etc. This connection may be accomplished vianetwork interface device190, which may comprise, for example, a telephone modem, a cable modem, a DSL line, a router, gateway, hub, etc. Any device capable of interfacing with thenetwork195 may be used, via a wired connection, a wireless connection, or an optical connection, for example.Network interface device190 may connect to network195 through one or more additional network interface devices (not shown). For example,network interface device190 may comprise a gateway or router, connected to a cable modem, with the cable modem connected tonetwork195. Of course, other configurations are within the spirit and scope of the present teachings.

In accordance with a preferred embodiment of the present invention,network195 is isolated from thefirst processor120 andmemory110 by a second processor140 (P2).Second processor140 may comprise any electronic data processor, such as the devices previously described as applicable tofirst processor120. Communicatively coupled toP2140 is second memory and data storage area130 (M2), which may comprise any memory device or devices, such as the devices previously described as applicable tofirst memory110.

The architecture ofcomputer system100 is designed to be capable of protectingmemory110 from malware initiated intrusions, and preventing malware from initiating unwanted processes onfirst processor120. This is accomplished by usingsecond processor140 to isolate110 and120 fromnetwork195. In a preferred embodiment,P2140 is communicatively coupled to memorystorage area M2130, and may be configured such thatP2140 is incapable of initiating access to memorystorage area M1110. For example,P2140 may be capable of accessing memorystorage area M1110 with the strict permission ofuser160, either through a real time interaction or via stored configuration or commands. Such a configuration may be desirable in a multi-core or multi processor system, whereuser160 may wish to useP2140 in either a protected mode or an unprotected mode, depending on the application. However,user160 is capable of denyingP2140 the capability of initiating access to memorystorage area M1110 without the user's permission.P1120 is communicatively coupled to bothmemory areas M1110 andM2130, thereby enablingP1120 to access data downloaded from thenetwork195. In the presently described embodiment, any malware that has intruded the130-140 system is thus confined to the130-140 system, and may be configured to be incapable of automatically corrupting data contained onM1110, or of automatically initiating an unwanted process onP1120.

This and other features of the present teachings may be illustrated with reference to the example process flow200 ofFIG. 2.Computer user160 wishes to connect to network195 via for example, a browser program such as Internet Explorer or Netscape Navigator. Of course, other methods of connecting to network195 may be used.User160 inputs commands to open a protected process (e.g. a browser program in this example) atstep210. At

step

220, 1^st

processor

120 instructs 2^nd

processor

140 to initiate the protected process and open one or more process windows.Second processor140, in conjunction withmemory130, then interacts with thenetwork195 vianetwork interface device190, receiving and transmitting the data necessary to execute the desired protected process, such as browsing the internet or communication via e-mail.Second processor140 andmemory130 act as a separate computer system, interacting withnetwork195 while isolatingnetwork195 from thefirst processor120 andmemory110.Memory130 may store critical application and system files required bysecond processor140 to execute the desired tasks.Memory130 also stores data necessary to carry out the desired protected process. In the example ofFIG. 2,first processor120 receives user interface data fromuser160, and passes user interface data tosecond processor140 when the protected process window is selected or active, illustrated atstep230. User interface data, such as keystrokes for example, may be advantageously encrypted byP1120 before passing the data toP2140, withnetwork interface device190 possibly decrypting the data prior to transmitting the data to network195. Encrypting, for example keystroke data, may disrupt the efforts of spyware programs designed to store user keystrokes for later transmission to a host computer.Second processor140 generates video data for the protected process window(s) and passes the video data tovideo processor170, for eventual display onvideo display180, shown atstep240.Video processor170 then interleaves the video data from all processes being executed byfirst processor120 andsecond processor140, atstep250. While there are many applicable methods for displaying video data from multiple sources, one such method was described in U.S. Pat. No. 5,751,979, entitled “Video hardware for protected, multiprocessing systems”, previously incorporated by reference.

In accordance with a preferred embodiment of the present invention, if any malware is downloaded fromnetwork195, it is stored inmemory130, and/or run as a process onsecond processor140. In the configuration ofcomputer system100, any downloaded malware is rendered incapable of self initiating access tomemory110 orfirst processor120, becausesecond processor140 is rendered incapable of initiating access to110 and120 without a direct or stored command fromuser160. Any malware infection is thus confined. If a malware attack corrupts files and/or disrupts the operation of the130-140 system, the user may easily shut down the corrupted process and restore the corrupted files from a protected image stored onmemory110, for example.

In accordance with a preferred embodiment of the present invention, the operating system controlling the110-120 system may be different from an operating system controlling the protected130-140 system. Conversely, a common operating system may control both the110-120 system and the protected130-140 system.

Auser160 may find it desirable to transfer files from the protected130-140 system to the110-120 system.User160 may find it necessary, for example, to transfer an attachment from an e-mail message stored onmemory130 to the110-120 system for further processing, modification, etc. In this case, thecomputer system100 may go through a process whereby a file or other data is transferred from the130-140 system to the110-120 system, exemplified by theprocess300 illustrated inFIG. 3.

In accordance with a preferred embodiment of the present invention, atstep310,user160 selects one or more data files to download fromnetwork195. The desired data is downloaded to the130-140 system atstep320. Theuser160 then directscomputer system100 to move the desired file(s) from the130-140 system to the110-120 system atstep330.P1120 may then perform a malware scan on the desired files, either in real time as the data is being transferred, or while the data still resides in M2130 (step340). Alternatively,P2140 may perform the malware scan. Atstep350, processor P2140 (or P1120) determines if malware has been detected in the desired file(s), and thusP1120 makes a decision. If no malware is detected, the file(s) are moved or copied ontoM2110 atstep360. If malware is detected, the data file(s) are quarantined onM2130, and the data file(s), if transferred toM1100, are erased or quarantined. Once malware is detected, theuser160 may be alerted of the detection (step370). Either as a result of user input or stored configuration commands, the infected file(s) are deleted, cleaned, or quarantined onM2130, atstep380.

Theuser160 would of course understand the dangers inherent in transferring downloaded files from the130-140 system to the110-120 system. For example, the user's anti-malware software may not be up to date, or may simply be unable to detect certain types of malware. Also, the malware itself may be so new that the user's anti-malware definitions have not been updated as yet. Therefore the user may wish to keep the files on the130-140 system for some period of time. Consequently, it may be desirable to have resident on the130-140 system a variety of application software such as readers, thereby allowing the user to examine the files without risking transferring the files to the110-120 system. These reader programs, such as Adobe Acrobat Reader, by the Adobe Systems Corporation, or Visio reader, by the Microsoft Corporation, are typically subset application programs of the full featured application programs, and may thus require far less memory space than the full application. Additionally, software companies often distribute the reader programs for free (or a nominal fee), thereby providing advertising for the full featured application in the hopes that it will be eventually purchased by the user. This reader application may be opened and executed on the130-140 system in a manner similar to the process described inFIG. 2. Of course, auser160 may also load a full application into the130-140 system, enabling processing and modification of a downloaded file fully in the protected space, without risking a transfer of the file to the110-120 system.

In the event the130-140 system becomes infected with malware, theuser160 may wish to clean the130-140 system. This cleaning may be accomplished by running an anti-malware application on the130-140 system. However, if the infection is too severe for the anti-malware software to clean, or if the malware is undetectable by the user's anti-malware software, the user may wish to restore critical system files (or other user data files) for the130-140 system from a protected image stored onM1100, for example. It is of course understood that the critical system file image may be restored from another device, such as a removable drive or a CD, for example. The user may however consider it more convenient to restore the critical system files from an image onM1100.

In accordance with a preferred embodiment of the present invention, an exemplary process for restoringM2130 fromM1110 is illustrated byprocess400 inFIG. 4. Atstep410, malware is detected or suspected to be infecting the130-140 system. The user instructsP1120 to reload critical system files ontoM2130 from a protected image onM1110, atstep420. Depending on the severity of the infection,P1120 may scan all or part of the data contained onM2130 for malware, and may scan all processes currently running onP2140. The scan may be initiated by direct instructions from the user, or by stored configuration commands, for example (step430).P1120 may delete all or part of the data contained on M2.P1120 may also resetP2140 and/or delete the contents of any RAM communicatively coupled to P2140 (step440). Once the130-140 system has been adequately cleaned, clean critical system files are loaded ontoM2130 from any of the sources previously mentioned, preferably an image stored on M1110 (step450). The130-140 may now be rebooted and/or reinitialized from the clean critical system files. In an extreme case where the malware resists deletion by the operating system, the user may elect to do a low level format on theM1110 memory in order to ensure that the malware infection has been cleaned.

In accordance with a preferred embodiment of the present invention, auser160 may consider it advantageous for the130-140 system to be automatically reinitialized from clean critical system files when a protected process window is opened. In this way, the new protected process is much less likely to be affected by an infection from a previous protected process session. Of course, a user may have a plurality of protected processes open and running during a protected process session. It may only be necessary to automatically reinitialize from clean critical system files when the first protected process is opened during a session. Subsequent protected processes may not require automatic re-initialization from clean critical system files. An exemplary automatic re-initialization from clean critical system files is illustrated by

steps

510,520 and530 inFIG. 5a. Additionally, processes running onP2140 may be automatically scanned and compared with an allowed process list, particularly as a protected process is started up. If any process is detected which is not on the allowed list, the user may be alerted that a possible malware infection has occurred. A user may then choose to scan or clean the system, or inspect the unknown process to determine if the process will be allowed to continue to execute. A user may also update the list of allowed processes from time to time as new, legitimate processes are added, for example, by a browser software update.

In accordance with a preferred embodiment of the present invention, auser160 may consider it advantageous for the130-140 system to be automatically cleaned when a protected process window is closed. In this way, any detected or undetected malware infections are much less likely to affect a future protected process session. It may only be necessary to automatically clean the130-140 system when the last protected process is closed during a session. An exemplary automatic cleaning process is illustrated by

steps

540,550,560,570 and580 inFIG. 5b. Thememory M2130 andprocessor P2140 may be automatically scanned for malware infections as the protected process session closes. Infected files may be deleted or quarantined automatically. Additionally, there may be a variety of files that a user may wish to have automatically cleaned or deleted upon closing a protected process session. For example, temporary internet files, cookies, browser plug-ins, etc., may be deleted or scanned for malware automatically. A user may also wish to have websites that contributed to a malware infection noted, and may wish to place the offending websites in a block list, such that the offending websites cannot be accessed in the future without the user specifically authorizing access. As part of the malware scan, the malware scanner may automatically log the offending website(s), and block future access. Also, theP2140 processor and any associated non-volatile memory may be reset and/or erased as the protected process session is closed. The exemplary automatic cleaning process illustrated inFIG. 5b may therefore reduce the risk of a malware infection being carried over to a future protected process session.

Interactive network processes such as interactive gaming have become very popular in recent years. In current interactive gaming processes, a user may log onto a game host located onnetwork195, or connect to other computers whose users wish to participate in the game. Computer games, such as Quake 3. Arena, by Id Software Incorporated, or Call of Duty, by Activision Incorporated, are just two examples of the plethora of games available that may be played interactively over a network. The user's computer system typically provides the bulk of the processing power and video graphics generation required to display the often fast moving and richly detailed three dimensional game environments. Information about the current and new state of the game is exchanged between various users' computer systems, often in real time. With this type of process, a relatively modest amount of data is required to be exchanged between users, or a user and the host, with the bulk of the processing, data manipulation, and graphics generation being handled by the user's local machine. However, this open network connection may become a conduit for malware practitioners to exploit, allowing malware to be downloaded onto a user's computer during a gaming session, often without the user being aware of the malware transfer. It would be advantageous, therefore, for a computer system to be much less susceptible to malware attacks during gaming sessions.

By using exemplary process600 (or an equivalent),computer system100 is capable of actively deciding what data to download and use, and what data to discard or scan for malware. The game status data is buffered prior to loading it onto the110-120 system. The110-120 system may be advantageously configured to only accept game status information in the proper format, thereby minimizing the chance that a malware practitioner could deceptively load malware onto the110-120 system.

Additionally,computer system100 could be configured such that system130-140 is powerful enough to process the interactive network process without exchanging information with the110-120 system. Such a configuration may be more secure, as a conduit between the110-120 system and the130-140 system may not be necessarily opened. The130-140 system may contain all the necessary files to facilitate the interactive network process. Higher end computers, workstations, and servers often contain dual (or more) processors, such as the Mac G5, manufactured by the Apple Computer Corporation, or a single physical processor with a multiple processor core. Often, the processors in these multi-processor machines are of equal or comparable processing power. In such a configuration, one processor may be dedicated to performing functions equivalent to those described forP1120, with a second processor performing the functions equivalent to those described forP2140. Acomputer system100 employing multiple processors may be advantageously configured such that one of the processors is dedicated to protected processes only when a network process is active. When a user is not accessing a network, the multiple processors in a computer system may be dedicated to other processes, such as performing complex calculations or simulations, or running complex non-network interactive gaming processes, for example. Alternatively, thecomputer system100 may be configured such that the110-120 system simply transfers required files to thevideo processor170 or the130-140 system at the appropriate time to facilitate the interactive network process. The110-120 system could be commanded to retrieve and transfer the files at the command of the video processor, or at the command of the130-140 system, or a combination of both.

In accordance with embodiments of the present invention,computer system100 may be configured in a variety of ways, while still remaining within the spirit and scope of the present teachings. One such exemplary embodiment is illustrated inFIG. 7.Subsystem700 ofcomputer system100 comprises avideo processor770, asecond processor740, and a second memorydata storage area730. The demarcation line illustrated bysubsystem700 may be either physical or logical. For example,subsystem700 may comprise an add-on card, such as a high end video card, or a video/network card. If configured in this exemplary manner, a user could upgrade an existing computer system to take advantage of the teachings of the present invention.Subsystem700 may be plugged into the main motherboard of an existing computer, for example. The motherboard connector may be already communicatively coupled to the110-120 system, thereby facilitating the system upgrade. Thenetwork interface device190 may be connected directly tosubsystem700, ornetwork interface device190 could be integrated as part ofsubsystem700. Memorydata storage area730 may comprise any of the volatile and/or non-volatile memory types previously described, or any combination thereof, or any suitable memory storage medium, for example. Alternatively,subsystem700 may be located on the motherboard, as opposed to an add-on card. Further still, portions ofsubsystem700, such asvideo processor770, and/orsecond processor740, for example, may be integrated together withP1120. It is understood that functions described herein may be configured in a wide variety of ways, without departing from the spirit and scope of the present teachings.

In accordance with a preferred embodiment of the present invention, an alternate configuration forcomputer system100 is illustrated inFIG. 8.Subsystem800 ofcomputer system100 comprises avideo processor870, asecond processor840, and a second memorydata storage area830. The demarcation line illustrated bysubsystem800 may be either physical or logical. For example,subsystem800 may comprise an add-on card, such as a high end video card, or a video/network card. If configured in this exemplary manner, a user could upgrade an existing computer system to take advantage of features of the present invention. In the exemplary embodiment ofFIG. 8,second processor840 andvideo processor870 are integrated together, perhaps on a common integrated circuit. Such a configuration may help to reduce the cost ofsubsystem800, and/or improve the performance. Additionally, a circuit designer may find it advantageous to integrate840 and870 together to facilitate communication between the functions. It is understood that such an integration of functions may create a device in which an external user may find it difficult to distinguish where the function of870 ends and the function of840 begins, and vice versa. Such a device, however, would remain within the spirit and scope of the present teachings.

In accordance with a preferred embodiment of the present invention, an alternate configuration forcomputer system100 is illustrated inFIG. 9.Computer system100 comprises avideo processor970,processor960, and a memorydata storage area950.Processor960 may further comprise multiple processor cores, illustrated by 1^st

processor

920 and 2^nd

processor

940. It is understood thatprocessor960 may contain more than 2 processor cores. Microprocessors manufactured with multiple processor cores are becoming common in the industry, and such multi-core processors may be particularly advantageous when used in accordance with the present teachings. Memorydata storage area950 may further comprise 1^stmemory

data storage area

910 and 2^ndmemorydata storage area930.

Memory areas

910 and930 may comprise, for example, different partitions on a single hard drive, and/or different address ranges in a RAM bank.

Referring again toFIG. 9, the functions carried out by

processors

920 and940 may comprise separate, secure logical processes executing on the same physical processor. For example, a first logical process may comprise executing instructions necessary to carry out the functions of an operating system, or the first logical process may comprise executing instructions necessary to carry out the functions of a first computer program, including but not limited to a word processor. A second logical process may comprise executing instructions necessary to carry out the functions of a web browser program, or may comprise executing instructions necessary to carry out the functions of an instant messenger program, for example. Acomputer system100 constructed in accordance with the principles of the present invention would be capable of disallowing a secure logical process, such as the second logical process described above, access to certain memory spaces, and/or disallowing a secure logical process from initiating access to another logical process. For example, the functions carried out by P2140 (FIG. 1) may comprise a secure logical process, which may be configured to be unable to automatically initiate access to eitherM1110 or another logical process performing the functions ofP1120. Additionally,

memory areas

910 and930 may comprise separate, isolated memory zones within a common physical memory space, such as separate partitions within the same hard drive, for example.

Some malware programs are designed to secretly record user input commands (such as keystrokes, for example), then send the information back to a host computer. This type of malware is capable of stealing important user information, such as passwords, bank account numbers, social security numbers, driver's license numbers, credit account numbers, etc. Theft of such personal information could result in the theft of actual assets (money or securities, etc.) or perhaps used for identity theft, among other malicious intents. Clearly, a computer system capable of ensuring the protection of such sensitive information would be desirable.

In accordance with an embodiment of the present invention, a computer system is configured such that attempts by malware to record and report data entry by the computer user via input devices such as keyboards, mouse clicks, microphones, or any other data input devices are effectively blocked. Encryption of user input data, such as keystrokes, is an effective means of protecting such data from theft by malware. Specific techniques used for data encryption and decryption are well known in the art, and need not be discussed further here. There are many examples in the art that may be examined to better understand various encryption/decryption techniques and the use of encryption/decryption in computer systems. Among these are U.S. Pat. No. 6,581,162 entitled “Method for securely creating, storing and using encryption keys in a computer system.” issued to Angelo, et al., and U.S. Pat. No. 6,134,661 entitled “Computer network security device and method.” Issued to Topp. The aforementioned patents have been previously incorporated by reference.

In accordance with the present teachings, a method of operating a computer system involving data encryption is described. Instep1010, a user opens a protected process where some level of data encryption is desired, for example, the encryption of sensitive user interface data or user files. Other data may be encrypted as desired. Atstep1020,processor P1120 instructsprocessor P2140 to initiate a protected process and open a process window.P1120 encrypts the sensitive data and passes the user interface data toP2140 when aP2140 window is selected or active (step1030).P2140 generates video data for theP2140 process window(s) and passes the video data to video processor170 (step1040).Video processor170 decrypts the sensitive data and interleaves the video data from all P1 and P2 processes (step1050).P2140 passes the encrypted sensitive data to network interface device190 (step1060).Network interface device190 decrypts the sensitive data and passes the decrypted sensitive data to network195. Of course, other methods of operating a computer system in which data is encrypted prior to being passed toP2140, and decrypted after leaving the control ofP2140, are within the spirit and scope of the present teachings.

In accordance with a preferred embodiment of the present invention, data desired to be protected is encrypted prior to sending the data toprocessor P2140, which may be running one or more malware processes.Processor P2140 does not have visibility to the decryption keys, and is therefore unable to decrypt the data. Data may be decrypted bynetwork interface device190 prior to forwarding the data on tonetwork195. Conversely, encrypted data may be sent directly over the network for decryption by another computer system, including, for example, an internet banking host computer. Decryption keys may be passed betweenP1120 andnetwork interface device190 via acommunication link191.Video processor170 may decrypt the data prior to displaying the data onvideo display180, with decryption keys possibly passed betweenP1120 andvideo processor170 via acommunication link171. Conversely, data may be passed directly tovideo processor170 via acommunication link151.

Auser160 may wish to encrypt just a portion of the data destined for the network, such as passwords, credit card numbers, etc. Conversely, a user may wish to encrypt large blocks of data, such as e-mails or large application files containing sensitive text and/or graphics. Instructions may be passed to networkinterface device190 directing190 to decrypt one or more specific data blocks prior to sending the data blocks tonetwork195. Conversely, instructions may be passed to networkinterface device190 directing190 to pass one or more specific data blocks to network195 without decryption.

While this invention has been described with reference to illustrative embodiments, this description is not intended to be construed in a limiting sense. Various modifications and combinations of the illustrative embodiments, as well as other embodiments of the invention, will be apparent to persons skilled in the art upon reference to the description. It is therefore intended that the appended claims encompass any such modifications or embodiments.