
Method for Protecting Operating System Extensions for Subversion

IP.com Disclosure Number: IPCOM000105937D
Original Publication Date: 1993-Sep-01
Included in the Prior Art Database: 2005-Mar-20
Document File: 2 page(s) / 74K

Publishing Venue

IBM

Related People

Chess, DM: AUTHOR

Abstract

Disclosed is a method for programming an operating-system extension in such a way that an attacking program cannot bypass the extension by "tunneling" (using a CPU trace facility to determine the address of the next lower-level service call point beneath the extension), or by similar means.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 52% of the total text.


      Disclosed is a method for programming an operating-system
extension in such a way that an attacking program cannot bypass the
extension by "tunneling" (using a CPU trace facility to determine the
address of the next lower-level service call point beneath the
extension), or by similar means.

      Some computer operating systems provide services to application
programs through redirectable pointers, variously referred to as
"call gates," "interrupt vectors," "system hooks," and so on.  In
many such systems, it is possible to modify the services provided by
the operating system by writing code which, when executed:

o   arranges to remain resident somewhere in storage more or less
    permanently (often until the next time storage is cleared by a
    system reset),

o   obtains and records the current value of the redirectable pointer
    used to request a particular operating system service or
    services,

o   changes the value of that pointer to point to code within the
    program itself, thereby gaining control whenever another program
    requests operating services via the pointer that has been
    changed, and

o   services future requests itself, or passes them on (possibly
    modified) to the underlying operating system, using the pointer
    value recorded above.

      Because some such operating system extensions are used to
implement functions such as security, access-control, and
computer-virus prevention, they will sometimes be subject to
"attacks," in the form of programs that attempt to bypass the
extension and make requests of the underlying operating system
directly.  One class of attack involves the use of a "single-step"
mode, "trap flag" or "instruction trace" in the central processing
unit, which allows the attacking program to gain control during the
execution of the operating system extension.  Disclosed is a method
for defeating most attacks in this class.

      The method consists of a block of code in the operating system
extension's request-servicing routine (typically at or near the
beginning, but in any case before a call to the underlying call
point) which ensures, by whatever means, that the CPU is not
currently in "single-step" mode....
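The following C model, added here as an illustration and not code from the disclosure, shows the hook installation described above (record the pointer, redirect it, chain through the recorded value) together with the guard that runs before the chained call. The FLAGS word, its TF bit, the vector table, vector number 0x21 and the "deny negative requests" policy are all constructed assumptions standing in for the real CPU and operating system.

```c
/* Simulated redirectable-pointer table and a hooking extension whose
 * request-servicing routine checks for single-step mode before chaining.
 * cpu_flags, FLAG_TF and the vector table are a model, not real hardware. */
#include <stdint.h>

#define FLAG_TF 0x0100u          /* trap-flag bit position (modeled as x86 bit 8) */
#define SERVICE_VECTOR 0x21      /* constructed vector number for the hooked service */

typedef int (*service_fn)(int request);

static uint32_t cpu_flags;             /* simulated FLAGS register */
static service_fn vector_table[256];   /* simulated redirectable pointers */
static service_fn saved_service;       /* value recorded when the hook was installed */
static int trace_events;               /* requests that arrived with TF set */

/* Underlying operating-system service: the lower-level call point. */
static int os_service(int request) { return request * 2; }

/* Extension's request-servicing routine.  The guard runs before any call
 * to the underlying pointer, so a tracing caller never observes that call. */
static int extension_service(int request) {
    if (cpu_flags & FLAG_TF) {
        trace_events++;              /* record it: worth alerting on */
        cpu_flags &= ~FLAG_TF;       /* leave single-step mode before chaining */
    }
    if (request < 0) return -1;      /* constructed access-control policy */
    return saved_service(request);   /* pass the request to the recorded pointer */
}

/* Install the hook: record the current pointer, then redirect it to us. */
static void install_extension(void) {
    saved_service = vector_table[SERVICE_VECTOR];
    vector_table[SERVICE_VECTOR] = extension_service;
}

/* Reset the model to a freshly booted state with the OS service in place. */
static void reset_model(void) {
    cpu_flags = 0;
    trace_events = 0;
    vector_table[SERVICE_VECTOR] = os_service;
}

/* Application-side request made through the redirectable pointer. */
static int request_service(int request) {
    return vector_table[SERVICE_VECTOR](request);
}
```

With TF set by the caller, the request is still served but the flag is cleared first and the event counted, which is the detection signal an extension of this kind can surface.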