Malicious Software Detection in Program Executables

Funded by: Department of Defense

This project investigated methods for protecting systems from damage by malicious software. Two prototypes were developed under this project: the Execution Management Utility (Emu) and the FileMonster. Emu securely locks down Windows NT systems to prevent unauthorized executables from running. It relies on an execution control list (ECL) for each Windows client to identify that client's authorized executables. Emu works by intercepting a key kernel process-creation call. When the system signals that a new process is to be created, Emu checks the request against the client's ECL to determine whether execution is allowed. If it is allowed, execution proceeds as normal; if it is not, execution is halted. Emu provides protection against unknown malicious code by allowing only known, trusted executables to run. Emu does not provide protection against trusted processes that are exploited or otherwise misused, or against trusted interpreters running malicious interpreted code.
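As an added illustration of the ECL decision described above (this is not Emu's code, and the client names, paths and image bytes are constructed), the following Python model matches a process-creation request against a per-client allow-list keyed by path and image hash. It defaults to deny, refuses an allow-listed path whose image has changed, and also shows the stated limitation: a trusted interpreter passes the check regardless of the script it is asked to run.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical model of an ECL check (not Cigital's Emu): each client maps
# an executable path to the SHA-256 digest of the trusted image.

@dataclass(frozen=True)
class ProcessRequest:
    client: str
    image_path: str
    image_bytes: bytes      # contents of the file about to be executed
    command_line: str = ""  # arguments; the ECL does not inspect these

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_ecl(entries):
    """entries: iterable of (client, path, image_bytes) for trusted binaries."""
    ecl = {}
    for client, path, data in entries:
        # Windows paths are case-insensitive, so normalise before keying.
        ecl.setdefault(client, {})[path.lower()] = sha256_hex(data)
    return ecl

def check_execution(ecl, req):
    """Return (allowed, reason). Anything not explicitly listed is denied."""
    client_ecl = ecl.get(req.client)
    if client_ecl is None:
        return False, "no ECL for client"
    expected = client_ecl.get(req.image_path.lower())
    if expected is None:
        return False, "executable not on ECL"
    if sha256_hex(req.image_bytes) != expected:
        return False, "executable on ECL but image hash differs"
    return True, "authorized executable"

# Constructed sample images and a constructed ECL for one client.
NOTEPAD = b"MZ...constructed notepad image"
CSCRIPT = b"MZ...constructed script host image"
ECL = build_ecl([("ws01", r"C:\Windows\notepad.exe", NOTEPAD),
                 ("ws01", r"C:\Windows\System32\cscript.exe", CSCRIPT)])

if __name__ == "__main__":
    for req in [
        ProcessRequest("ws01", r"C:\Windows\notepad.exe", NOTEPAD),
        ProcessRequest("ws01", r"C:\Windows\notepad.exe", NOTEPAD + b"\x90"),
        ProcessRequest("ws01", r"C:\Temp\unknown.exe", b"MZ...unlisted image"),
        # Trusted interpreter: allowed, even though the script is not vetted.
        ProcessRequest("ws01", r"C:\Windows\System32\cscript.exe", CSCRIPT, "untrusted.vbs"),
    ]:
        print(req.image_path, check_execution(ECL, req))
```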

The FileMonster is a data-centric prototype tool that extends Windows discretionary access control to better protect important files from damage or snooping by all forms of malicious software. FileMonster provides two new file system permissions: confirm on read and confirm on write. These permissions indicate that when a program performs a read or write operation on a protected file, the user must provide a confirmation before the operation can proceed. This eliminates the possibility that a malicious program can read or alter a protected file without first getting permission from the user. The confirm on read permission should be used on files whose contents are considered confidential; it requires a confirmation from the user if any program attempts to read data from the file. The confirm on write permission should be used on files whose valuable contents must not be damaged; it requires a confirmation when a program tries to write to or delete the file. The two permissions may also be combined. FileMonster provides protection for data files against a wide range of malicious code attacks: that is, it protects against malicious code that attempts to access, delete, or modify data files labeled for protection. FileMonster does not provide protection against trusted applications that behave maliciously.

Publications

Protecting Data from Malicious Software
M. Schmid, F. Hill, A. Ghosh

Controlling the Execution of Unauthorized Software
M. Schmid, J.T. Bloch, F. Hill, A. Ghosh

Execution Control Lists: An Approach to Defending Against New and Unknown Malicious Software
A.K. Ghosh, M. Schmid

Contact
Matthew Schmid, Principal Investigator