
Detecting three

RedX (TRUSTED VENDOR, Staff member; Joined Nov 26, 2020; Messages: 655)
The task of protecting against software bookmarks can be approached in three fundamentally different ways:
- prevent the introduction of software bookmarks into a computer system;
- identify an embedded software bookmark;
- delete an embedded software bookmark.

Considered this way, protecting against software bookmarks is similar to protecting computer systems from viruses. As in the fight against viruses, the problem is solved by monitoring the integrity of the system and application programs being launched, as well as the integrity of the information stored in the computer system and of events critical to the functioning of the system. However, these tools are effective only when they themselves are not influenced by software bookmarks, which can:
- impose the final results of control checks;
- influence the process of reading information and launching the programs that are being controlled;
- change the algorithms by which the controls function.

It is therefore extremely important that the controls are activated before the software bookmark begins to exert its influence, or that the checks are carried out only with control programs located in the ROM of the computer system.

Protection against the introduction of software bookmarks

A universal means of protection against the introduction of software bookmarks is to create an isolated computer. A computer is called isolated if the following conditions are met:
- it has a BIOS that does not contain software bookmarks;
- the operating system has been checked for bookmarks;
- the invariability of the BIOS and the operating system for this session has been reliably established;
- no programs have been launched on the computer except those that have already passed the check for the presence of bookmarks;
- the launch of tested programs under any conditions other than those listed above, i.e. outside the isolated computer, is excluded.

A step control model can be used to determine the degree of computer isolation. It first checks to see if there are any changes in the BIOS. Then, if everything is in order, the boot sector of the disk and the operating system drivers are read, which, in turn, are also analyzed for unauthorized changes. Finally, the operating system launches the program call control driver, which ensures that only verified programs run on the computer.

An interesting method of dealing with the introduction of software bookmarks can be used in a banking information system in which only document files circulate. To prevent a software bookmark from penetrating through the communication channels, this system does not accept any executable code. To recognize events such as "EXECUTABLE CODE RECEIVED" and "DOCUMENT FILE RECEIVED", the file is checked for prohibited characters: it is recognized as containing executable code if it contains characters that never appear in document files.

Identifying an embedded software bookmark

Identifying an embedded software bookmark consists in detecting signs of its presence in a computer system. These signs can be divided into the following two classes:
- qualitative and visual;
- detectable by means of testing and diagnostics.

Qualitative and visual signs include the sensations and observations of a computer system user who notes certain deviations in its work (the composition and length of files change, old files disappear somewhere and new ones appear instead, programs start to work slower, or finish their work too quickly, or stop starting altogether). Although judgments about signs of this class seem too subjective, they often indicate problems in the computer system and, in particular, the need for additional checks for the presence of software bookmarks. For example, users of the "Cryptocenter" encryption and digital signature package noticed at some point that digital signatures were being placed on electronic documents too quickly. A study carried out by FAPSI specialists showed the presence of a software bookmark whose operation was based on imposing the file length. In another case, users of the "Krypton" encryption and digital signature package sounded the alarm when they were surprised to note that the encryption speed using the GOST 28147-89 cryptographic algorithm had suddenly increased more than 30 times. And in the third case, a software bookmark revealed its presence in the keyboard input program by the fact that the program affected by it stopped working normally.

Symptoms detected by testing and diagnostic tools are typical of both software bookmarks and computer viruses. For example, boot bookmarks are successfully detected by antivirus programs that signal the presence of suspicious code in the boot sector of a disk. Disk Doctor, included in the popular Norton Utilities suite, does a good job of detecting the initiation of static errors on disks. And tools for checking the integrity of data on a disk, such as Adinf, successfully identify changes made to files by software bookmarks. In addition, it is effective to search for code fragments of software bookmarks by their characteristic sequences of zeros and ones (signatures), as well as to allow execution only of programs with known signatures.

Removing an embedded software bookmark

The exact method for removing an embedded software bookmark depends on how it is embedded in the computer system. If it is a software-hardware bookmark, you should reprogram the computer's ROM. If it is a boot, driver, application or masked bookmark, or an imitator bookmark, you can replace it with the appropriate boot record, driver, utility, application or service program from a trusted source. Finally, if it is an executable program module, you can try to obtain its source code, remove existing bookmarks or suspicious fragments from it, and then compile it again.
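The step control model and the "only programs with known signatures" rule described in the post, as an added example that is not part of the original post. The stage names, sample images and the use of SHA-256 digests as reference values are assumptions made for illustration.

```python
import hashlib

def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

# Constructed sample images standing in for real firmware and disk contents.
GOOD = {
    "bios": b"BIOS-IMAGE-v1",
    "boot_sector": b"BOOT-SECTOR-v1",
    "os_drivers": b"DRIVERS-v1",
}

# Reference digests recorded while the machine was known to be clean.
# They must be stored where a bookmark cannot rewrite them (ROM, read-only media).
REFERENCE = {stage: digest(blob) for stage, blob in GOOD.items()}

# Checks run in boot order, so each stage is verified before it is trusted.
ORDER = ("bios", "boot_sector", "os_drivers")

# Digests of programs that already passed the check for bookmarks (constructed).
APPROVED_PROGRAMS = {digest(b"editor-binary-v1"), digest(b"signer-binary-v1")}

def stepwise_check(images: dict) -> tuple:
    """Verify every stage in order and stop at the first mismatch.

    Returns (isolated, failed_stage); failed_stage is None when all stages match.
    """
    for stage in ORDER:
        blob = images.get(stage)
        if blob is None or digest(blob) != REFERENCE[stage]:
            return (False, stage)
    return (True, None)

def may_launch(images: dict, program: bytes) -> bool:
    """Program call control: only verified programs, only on a verified machine."""
    isolated, _ = stepwise_check(images)
    return isolated and digest(program) in APPROVED_PROGRAMS

if __name__ == "__main__":
    tampered = dict(GOOD, boot_sector=GOOD["boot_sector"] + b"\x90")
    print(stepwise_check(GOOD), stepwise_check(tampered))
    print(may_launch(GOOD, b"editor-binary-v1"), may_launch(tampered, b"editor-binary-v1"))
```
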
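The prohibited-character check from the banking-system paragraph, as an added example that is not part of the original post. The allowed alphabet (printable ASCII plus tab, LF and CR) and the sample files are assumptions; a real system would derive the alphabet from its own document format.

```python
import string

# Assumption: documents are plain ASCII text; tab, LF and CR are the only
# control characters that ever appear in them.
ALLOWED = frozenset(string.printable.encode("ascii")) - {0x0B, 0x0C}

def classify(data: bytes) -> dict:
    """Return the event for a received file and where the first prohibited byte is."""
    for offset, byte in enumerate(data):
        if byte not in ALLOWED:
            return {"event": "EXECUTABLE CODE RECEIVED", "offset": offset, "byte": byte}
    return {"event": "DOCUMENT FILE RECEIVED", "offset": None, "byte": None}

def receive(inbox: dict) -> tuple:
    """Split an inbox {name: bytes} into accepted names and rejected {name: offset}."""
    accepted, rejected = [], {}
    for name in sorted(inbox):
        result = classify(inbox[name])
        if result["event"] == "DOCUMENT FILE RECEIVED":
            accepted.append(name)
        else:
            rejected[name] = result["offset"]
    return accepted, rejected

# Constructed sample files: one text document and two files with binary headers.
SAMPLE_INBOX = {
    "order_0042.txt": b"Payment order 42\r\nAmount: 100.00\r\nPayee: ACME\r\n",
    "update.bin": b"MZ\x90\x00\x03\x00\x00\x00",
    "tool": b"\x7fELF\x02\x01\x01\x00",
}

if __name__ == "__main__":
    print(receive(SAMPLE_INBOX))
```

The check holds only if the allowed alphabet matches the document format exactly and nothing on the receiving side interprets document text as code.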
 