A generic anti-spyware solution by access control list at kernel level

Sherman S.M. Chow *, Lucas C.K. Hui, S.M. Yiu, K.P. Chow, Richard W.C. Lui
Department of Computer Science and Information Systems, The University of Hong Kong, Pokfulam Road, Pokfulam, Hong Kong

Received 8 November 2003; received in revised form 30 April 2004; accepted 20 May 2004. Available online 15 July 2004.

Abstract

Spyware refers to programs that steal the user information stored in the user's computer and transmit this information via the Internet to a designated home server without the user being aware of this transmission. Existing anti-spyware solutions are not generic and flexible. These solutions either check for the existence of known spyware or try to block the transmission of the private information at the packet level. In this paper, we propose a more generic and flexible anti-spyware solution by utilizing an access control list in the kernel mode of the operating system. The major difference between our approach and the existing approaches is that, instead of asking a guard to look for the thief (the spyware) or to control the exit of the computer (and hence giving the spyware enough time to hide the information to be transmitted), we put a guard beside the treasure (the private information) and carefully control the access to it in kernel mode. We also show the details of an implementation that realizes our proposed solution.

© 2004 Elsevier Inc. All rights reserved.

1. Introduction

1.1. Background

Spyware refers to programs that steal the user information stored in the user's computer and transmit this information via the Internet to a designated home server without the user being aware of this transmission. Such malware compromises every Internet user's privacy by collecting detailed user profiles that can be used for commercial or any other purposes. The stolen information includes the user's e-mail address, geographic location, web-surfing habits, etc.
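The abstract's approach, a guard placed beside the private information that grants or denies each access in the kernel, can be sketched as a user-mode model in C. The following is an added illustration written for this page, not the paper's implementation; the protected locations, the program names, the policy entries and the paths are all constructed for the example, and the decision function is simply called directly rather than from a file-system or registry hook. The canonicalisation step is the caveat a practitioner would want: a guard that compared raw path strings would be bypassed by "..", doubled separators, backslash versus forward-slash spellings or a different letter case (Windows paths are case-insensitive), so every path is reduced to one canonical form before it is matched against the list.

```c
/* Added illustration (not the paper's implementation): a user-mode model of
 * the kernel-side access-control decision described in the abstract.  The
 * guard sits beside the protected data: every access to a path under a
 * protected location is checked against an allow list of (program, location,
 * rights), so an unlisted program cannot even read the data, whatever it
 * would later try to transmit.  Paths are canonicalised first; a guard that
 * compared raw strings would be bypassed by "..", doubled separators, "\" vs
 * "/" or a different letter case (Windows paths are case-insensitive).
 * Program names, locations and paths below are constructed for the example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 512

enum { ACL_READ = 1, ACL_WRITE = 2 };

struct acl_entry {
    const char *program;   /* executable name of the caller (any case) */
    const char *location;  /* protected file, directory or registry key */
    int rights;            /* ACL_READ | ACL_WRITE */
};

/* Constructed protected locations: "the treasure". */
static const char *const PROTECTED[] = {
    "C:\\Users\\Alice\\Documents",
    "C:\\Users\\Alice\\AppData\\addrbook.dat",
    "HKCU\\Software\\Mailer\\Identities",
};

/* Constructed policy: only the word processor may use the documents folder,
 * only the mail client may use the address book and its registry key. */
static const struct acl_entry POLICY[] = {
    { "winword.exe", "C:\\Users\\Alice\\Documents",             ACL_READ | ACL_WRITE },
    { "mailer.exe",  "C:\\Users\\Alice\\AppData\\addrbook.dat", ACL_READ | ACL_WRITE },
    { "mailer.exe",  "HKCU\\Software\\Mailer\\Identities",      ACL_READ },
};

/* Canonical form: lower case, '/' separators, no empty, "." or ".." parts.
 * Only ever compared with other canonical forms produced by this function. */
static int canon_path(const char *in, char *out, size_t outsz)
{
    size_t o = 0;   /* bytes written to out */
    int depth = 0;  /* components currently in out */
    const char *p = in;
    if (outsz == 0) return -1;
    while (*p != '\0') {
        while (*p == '/' || *p == '\\') p++;          /* skip separators */
        if (*p == '\0') break;
        const char *start = p;
        while (*p != '\0' && *p != '/' && *p != '\\') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;   /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth > 1) {                         /* never pop the root */
                while (o > 0 && out[o - 1] != '/') o--;
                if (o > 0) o--;                      /* drop the separator */
                depth--;
            }
            continue;
        }
        if (o + len + 2 > outsz) return -1;          /* too long: fail closed */
        if (depth > 0) out[o++] = '/';
        for (size_t i = 0; i < len; i++)
            out[o++] = (char)tolower((unsigned char)start[i]);
        depth++;
    }
    out[o] = '\0';
    return 0;
}

/* True if canonical path p equals prefix or lies beneath it, component-wise,
 * so ".../documents" does not match ".../documentsx". */
static int under(const char *p, const char *prefix)
{
    size_t n = strlen(prefix);
    return strncmp(p, prefix, n) == 0 && (p[n] == '\0' || p[n] == '/');
}

/* Case-insensitive comparison of program names. */
static int name_eq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* The guard: may 'program' perform 'want' (ACL_READ, ACL_WRITE or both) on
 * 'path'?  Returns 1 to allow, 0 to deny.  Unprotected paths are always
 * allowed; protected ones need an explicit grant; malformed paths are denied. */
int acl_check(const char *program, const char *path, int want)
{
    char cp[MAX_PATH_LEN], cq[MAX_PATH_LEN];
    if (canon_path(path, cp, sizeof cp) != 0) return 0;

    int protected_path = 0;
    for (size_t i = 0; i < sizeof PROTECTED / sizeof PROTECTED[0]; i++)
        if (canon_path(PROTECTED[i], cq, sizeof cq) == 0 && under(cp, cq))
            protected_path = 1;
    if (!protected_path) return 1;

    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++) {
        if (!name_eq(program, POLICY[i].program)) continue;
        if (canon_path(POLICY[i].location, cq, sizeof cq) != 0) continue;
        if (under(cp, cq) && (POLICY[i].rights & want) == want) return 1;
    }
    return 0;
}

int main(void)
{
    /* A constructed spyware-style read of the documents folder through an
     * obfuscated spelling of the path, from a listed and an unlisted program. */
    const char *spelling = "c:/USERS/Alice/Documents/../Documents/resume.doc";
    printf("winword.exe reads it: %d\n", acl_check("winword.exe", spelling, ACL_READ));
    printf("spy.exe reads it:     %d\n", acl_check("spy.exe", spelling, ACL_READ));
    printf("spy.exe reads C:\\temp\\notes.txt: %d\n",
           acl_check("spy.exe", "C:\\temp\\notes.txt", ACL_READ));
    return 0;
}
```

The point of the model is where the decision is made: the unlisted program is refused at the moment it opens the protected file, so there is nothing for it to hide, encode or delay before a packet-level filter could see it. A real kernel-mode guard would additionally need to identify the calling process reliably (the program name above is taken on trust for the illustration) and to be invoked on every path by which the data can be reached, including the registry keys the paper mentions, which is why the example treats a registry key as just another protected location.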
Users may not be aware that there is a lot of private information stored in their computers, or they cannot see the value of that information from the point of view of marketing companies. For example, a user's name and affiliation may enable a company to globally and uniquely identify the user and "offer" a tailored marketing plan for the user. Web-surfing behavior and recently accessed files also reveal the user's interests and provide a good source of valuable marketing information. For example, a user who accesses LaTeX files very often is, with high probability, either a publisher or a researcher.

1.2. Working mechanism

The working mechanism of common spyware is rather simple. The spyware looks for the information it is interested in among the files on the hard disk and in the system's settings (e.g. the Microsoft Windows registry), according to a predefined list of locations. More "intelligent" spyware does so by getting instructions from a central server, depending on the system information it has collected (e.g. the version of the operating system). After it has collected enough information, it transfers the stolen data back to the home server.

1.3. Spreading media

The popularity of the Internet speeds up the spread of spyware. Nowadays, many Internet companies

0164-1212/$ - see front matter. doi:10.1016/j.jss.2004.05.027

* Corresponding author. Tel.: +852 28578263; fax: +852 29155702.
E-mail addresses: smchow@csis.hku.hk (S.S.M. Chow), hui@csis.hku.hk (L.C.K. Hui), smyiu@csis.hku.hk (S.M. Yiu), chow@csis.hku.hk (K.P. Chow), wclui@csis.hku.hk (R.W.C. Lui).

www.elsevier.com/locate/jss
The Journal of Systems and Software 75 (2005) 227–234