SECURE EXAM METHOD
RELATED APPLICATIONS
This application depends for priority upon U.S. Provisional Patent Application Ser. No. 60/071,926, filed on January 20, 1998 and entitled COMPUTER HARD DRIVE LOCK OUT DEVICE FOR GIVING SECURE EXAMS.
FIELD OF THE INVENTION
The present invention relates generally to the field of computer security and more particularly to computer software for restricting access to a computer's stored data and applications for the purpose of giving secure exams.
BACKGROUND OF THE INVENTION
Portable and desktop computers equipped with word processing software have become the primary tool for preparing written material. One area where the use of all types of computers has lagged, however, is in the field of test taking. Despite the desire of students to write essay exams with the aid of a computer, concerns about security have severely curtailed their use. In the prior art, computer use in test taking environments has typically required the use of dedicated computers to ensure that unauthorized data or programs are not present. Needless to say, supplying a dedicated computer to each student desiring one when taking a test represents a significant if not insurmountable expense.
Accordingly, what has been needed is a method to allow the use of a personal computer to prepare answers to an exam while preventing access to unauthorized programs and data that might be stored in the computer. This invention satisfies these and other needs.
SUMMARY OF THE INVENTION
The present invention comprises a method and system for preventing access to data and programs stored by a computer while allowing the computer to execute a desired application, comprising the steps of, and executable instructions for, closing unauthorized programs, filtering user commands to prevent unauthorized access to files stored on the computer, and allowing filtered user input to the desired application. Normally, the filtered user input is periodically saved and updated. Preferably, the application for the closing and filtering steps resides on a floppy disk to enhance the security of the system, although alternative embodiments allow for execution independent of floppy disks. Native features of the computer's operating system are accessed to filter, and if necessary, modify, commands entered by the user to create a secure computing environment. Accordingly, the only file that is active and accessible is the one created by the user in response to the desired application. A number of additional security measures may be implemented, including encrypting files, recording system events and securely deleting files. In preferred embodiments, the invention is used to administer an examination.
BRIEF DESCRIPTION OF THE DRAWINGS
The aforementioned advantages of the present invention as well as additional advantages thereof will be more clearly understood hereinafter as a result of a detailed description of a preferred embodiment of the invention when taken in conjunction with the following drawings.
FIG. 1 is a schematic representation of a computer system useful in the practice of the present invention.
FIG. 2 is a flowchart showing the primary steps in the methods of the present invention.
DETAILED DESCRIPTION OF THE DRAWINGS
As shown in Fig. 1, a typical computer system useful in the practice of this invention generally comprises a central processing unit (CPU) 10, having volatile and nonvolatile memory 12 as well as recordable storage such as a hard drive 14 and a floppy disk drive 16. Conventionally, the user input devices include a keyboard 18 and a pointing device, such as a mouse 20. Other input devices may also be used including a graphics tablet or a microphone in conjunction with voice recognition software. The computer system also comprises a display 22 and, optionally, other output devices such as speakers, printers and the like. CPU 10 may also be connected to a network (not shown).
In preferred embodiments, the invention has been designed to eliminate academic dishonesty by taking control of an operating system through execution of a software program that locks out access to applications, macros, files, programmed key commands and networked files stored in computer-readable media. Generally, any file, application or data, that could be used to gain an unfair advantage in taking an exam should be considered unauthorized and access to that file should be restricted. As used herein, computer-readable media refers to any storage device for computer-readable data, including non-volatile memory such as hard disk drives, floppy disk drives, ROM, writable or read-only CD-ROMs, DVD drives, tape drives, PC cards and the like and volatile memory such as RAM. The materials secured by this invention may also be stored in computer-readable media available over a LAN or WAN, accessible via a modem, an Ethernet link, or any other network connection. Access to all of these sources of data and applications is completely restricted. The exam answer is preferably recorded to a specially created exam file using the exam application's own easy to use word processor.
The present invention capitalizes on the fact that most modern operating systems prevent programs from directly interacting with peripherals such as the display, keyboard and mouse by providing interfaces for such services. Programs therefore communicate indirectly with the screen, keyboard, and mouse through these defined interfaces using information packages known as messages. The invention filters these messages to prevent the user from accessing unauthorized data or programs. In a preferred embodiment, the invention employs a compiled 16 or 32-bit executable file designed for the Microsoft Windows 3.x, Windows 9x or Windows NT (all of which are federally registered and recognized trademarks of Microsoft, Inc.) operating system that uses a number of supporting executable files in dynamic link libraries. The system may also be adapted for use with other operating systems as necessary, as understood by one skilled in the art to which the present invention pertains. In these embodiments, the invention uses native services of the operating systems to achieve a message interception scheme referred to herein as cross-processing subclassing.
Subclassing is the process of intercepting operating system messages that are normally processed behind the scenes. The Windows environment sends messages indicating that system events have occurred, such as keyboard input or mouse selection. Windows also sends housekeeping messages to control the display of each window. Subclassing intercepts each of these messages, allowing them to be modified or deleted before passing them on to their intended destination. In part, Windows achieves subclassing through the use of hooks to be monitored, intercepted, and discarded by a program.
In the Windows operating system, a hook is a mechanism by which a function can intercept events such as messages, mouse actions, and keystrokes before they reach an application or even the main body of the operating system, which otherwise would direct these to the application currently in use. This mechanism is provided as a "service" by the operating system. Hooks are provided by calling the appropriate set of functions residing in the operating system and by supplying filter functions to the operating system. Specifically, the operating system will automatically call the programmer supplied filter function when the hooked event occurs.
The filter function can act on events and, in some cases, modify or discard them. For example, a filter function might want to receive all keyboard or mouse events. For Windows to call a filter function, the filter function must be installed — that is, attached — to a Windows hook (for example, to a keyboard hook). Attaching one or more filter functions to a hook is known as setting a hook. If a hook has more than one filter function attached, Windows maintains a chain of filter functions. The most recently installed function is at the beginning of the chain, and the least recently installed function is at the end.
The invention enlists these services to monitor messages concerned with keystrokes, the Windows clipboard, the creation of windows, the creation of other programmatic processes, and the visibility of windows. The invention intercepts, discards, and preferably makes a record of all messages that could allow the user to start another program or access an unauthorized file in any way. Although this monitoring activity requires a significant portion of the system's resources, the vast majority of portable computers with 80386 or better processors can quickly execute it. One having ordinary skill in the art can modify the invention as necessary to adapt it to other operating systems.
In a preferred embodiment, users install most of the program's files through an installation kit. Users run an automated installer program to place required files on their hard drives. Normally, installation will be done before exam day, but since the procedure takes only a few minutes, it may be performed immediately prior to an exam, if necessary. Any installation disks preferably contain supporting files only, not the actual application, so no security issue is raised by an early installation. A demonstration version of the program may be included in the installation kit to allow the user to become familiarized with the program, and in particular, with the word processing features of the application. In preferred embodiments, the security features of the invention are not included in the demonstration version.
Immediately prior to the test, a sealed single-use exam disk is distributed to each user much the way an exam bluebook would. Currently, floppy disks are widely used as a removable computer-readable media but as the demand for increased storage grows, other types of removable media may predominate, such as ZIP and JAZ disks available from IOMEGA, Inc., the LS-120 Super Floppy Disk, writable CD-ROMs and DVDs and the like. The invention can be adapted to work with any removable computer-readable media. The exam disk contains the security features of the invention as well as password and creation date verification data. In preferred embodiments, as discussed below, the exam application is temporarily copied to the user's hard disk to improve performance. In these embodiments, the starting and ending sub-applications of the present invention perform the necessary copying, execution and deletion of the exam application. In other embodiments, it may be desirable to execute the exam application from the floppy disk directly. In such embodiments, the starting and ending sub-applications are unnecessary.
Fig. 2 shows a flowchart that represents major steps of the invention. First, the user inserts the exam floppy disk and launches the startup application at step 30. The startup application prompts the user for personal data, and then records it to the floppy disk at step 32. The startup application also preferably temporarily copies the exam application from the floppy to the user's hard drive to improve performance. The exam application can be run from the floppy disk, but generally it is preferable to use the hard disk drive to decrease seek times and improve data transfer rates. This preferable embodiment may also be adapted to use with computer networks in a manner independent of removable media. The startup program then launches the exam application and terminates itself. The exam application creates an auxiliary information file on the user's hard drive and on the floppy disk to record a log of the application's execution. Then, the exam application verifies that the floppy disk is valid by password and creation date at step 34. If the floppy disk is not valid, the application notifies the user and terminates if necessary at step 36.
After determining the floppy disk is valid, the exam application implements the security features of the invention. The exam application records the contents of the clipboard to the auxiliary information file on the hard disk and then deletes the clipboard at step 38. The exam application identifies already running processes by sequentially obtaining a thread for each process and then a process ID for each thread. A process is a logical grouping of a memory address space (memory area allocated by the operating system), a computer program, and its data. Normally, there is no interaction between programs in different processes, and they cannot read or write to memory space outside their process, without prior agreement by both programs, such as object linking and embedding (OLE). Each process consists of one or more threads of execution. These threads are simply atomic units of code execution that can run simultaneously within a single process.
While some processes are essential to the functioning of the operating system, many others are not and may pose a security concern. Essential processes are those that are necessary for the stable operation of the operating system and for the execution of the exam application. In general, all nonessential processes are considered unauthorized and are closed or otherwise hidden. The exam application sends an SC_CLOSE message to the window of each running process that is not essential to Windows functions or otherwise terminates those programs at step 40. If the exam application encounters processes that cannot be closed, it either hides their windows or notifies the user of the conflict and quits at step 42. Similarly, some applications such as crash protection programs interfere with the subclassing functions of the exam application. If the exam application identifies such incompatible programs, it notifies the user and/or quits.
After controlling the running processes, the exam application then configures Windows for optimum security. Specifically, the exam application terminates or hides the Explorer windows in Win9x and NT systems, depending on type. The application also turns off screen savers, power management and the desktop wallpaper, sets the desktop icons invisible and then updates the .INI files to reflect the changes. Next, the exam application disables the task bar in Win9x and NT versions. Finally, the exam application identifies itself to the operating system as an active screen saver to prevent the Ctl-Alt-Del keystroke combination in Win9x.
After terminating nonessential processes and securing the operating system configuration, the exam application sets the appropriate hooks and begins cross-process subclassing at step 44. Specific steps taken depend on the variety of Windows, but generally include:
• Setting a hook for Ctl-Esc keys in Win 9x
• Setting a hotkey message hook (WM_HOTKEY) to intercept but not block Ctl-Esc in Win NT
• Setting a hook for the foreground window to reset it to the exam application in Win NT
• Setting a hook for clipboard usage to block paste commands where source is not the exam application
• Setting a hook and subclassing for window creation (the WM_CREATE message)
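The filter chain and the blocking rules listed above can be modelled without any Windows API. The following is an added illustration, not code from the patent: the message kinds, the `EXAM_APP` identifier and every function name are assumptions, and the events are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

EXAM_APP = "exam"  # hypothetical identifier for the exam application


@dataclass
class Message:
    kind: str         # "KEY", "PASTE" or "WM_CREATE" in this model
    source: str       # origin of the event (for PASTE: origin of the clipboard data)
    detail: str = ""


# A filter returns the (possibly modified) message, or None to discard it.
Filter = Callable[[Message], Optional[Message]]


@dataclass
class HookChain:
    filters: List[Filter] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def set_hook(self, flt: Filter) -> None:
        # The most recently installed filter sits at the head of the chain.
        self.filters.insert(0, flt)

    def dispatch(self, msg: Message) -> Optional[Message]:
        for flt in self.filters:
            out = flt(msg)
            if out is None:
                # Discarded messages are recorded for later review.
                self.log.append(f"discarded {msg.kind} from {msg.source}: {msg.detail}")
                return None
            msg = out
        return msg


def block_task_switch(msg: Message) -> Optional[Message]:
    return None if msg.kind == "KEY" and msg.detail == "Ctl-Esc" else msg


def block_foreign_paste(msg: Message) -> Optional[Message]:
    return None if msg.kind == "PASTE" and msg.source != EXAM_APP else msg


def block_window_creation(msg: Message) -> Optional[Message]:
    return None if msg.kind == "WM_CREATE" and msg.source != EXAM_APP else msg


def build_exam_chain() -> HookChain:
    chain = HookChain()
    for flt in (block_task_switch, block_foreign_paste, block_window_creation):
        chain.set_hook(flt)
    return chain


def run_events(chain: HookChain, events: List[Message]) -> List[Message]:
    """Return only the messages that would reach the word processor."""
    return [m for m in (chain.dispatch(e) for e in events) if m is not None]


SAMPLE_EVENTS = [  # constructed events
    Message("KEY", EXAM_APP, "a"),
    Message("KEY", EXAM_APP, "Ctl-Esc"),
    Message("PASTE", "notepad", "clipboard text"),
    Message("PASTE", EXAM_APP, "moved paragraph"),
    Message("WM_CREATE", "browser", "new window"),
]
```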
Having secured the computer's operating system, the exam application can begin the examination by showing a word processor window at step 46. The program can easily be adapted to other types of examination such as multiple choice or short answer by substituting the appropriate form for the word processing window.
The exam application monitors all the keystrokes and other user input as the examination proceeds at step 48. The exam application records the details of all intercepted hooked messages, such as attempts to call unauthorized applications at step 50 or access unauthorized data. While a few attempts to call unauthorized applications or data may occur inadvertently, more frequent occurrences may indicate an attempt to subvert the security features of the exam application and will be reviewable by the exam grader. Keystrokes and other user input that pass the filter function are passed on to the word processor at step 52.
The exam application periodically performs several monitoring functions. First, the examination application checks the visible windows to confirm that the only active windows are related to the examination. This offers a level of redundant protection over the filtering of the WM_CREATE message. The exam application also periodically saves the status of the exam and performs several updates at step 54, preferably once a minute. The exam data and a backup are saved to disk, as well as test taking statistics such as the number of keystrokes and total number of characters added to the data file per monitoring interval at step 56. These statistics are added to the auxiliary information file and can be used to resolve questions about exam security. For example, delays between the periodic saves indicate that the exam application was not active. If the delay is longer than that required to restart the exam application with a proctor disk (discussed below), it may be an indication that the user was attempting to subvert the program. Also, the number of keystrokes can be compared to the total number of characters added. Large discrepancies may indicate that text was copied from another source. Yet other features such as a clock display and word count can also be periodically updated. Towards the end of the allotted time, a reminder, audible or visible, can alert the user.
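A grader's review of the per-interval statistics described above could look like the following. This is an added example, not code from the patent: the record layout (time, keystrokes, characters added), the restart allowance, the slack threshold and the sample log are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

SAVE_INTERVAL_S = 60       # the text's "preferably once a minute"
RESTART_ALLOWANCE_S = 300  # assumed time needed to restart with a proctor disk
PASTE_SLACK_CHARS = 50     # assumed tolerance before a discrepancy counts as large

# Constructed sample; one line per periodic save: HH:MM:SS,keystrokes,chars_added
SAMPLE_LOG = """\
09:00:00,0,0
09:01:00,212,198
09:02:00,240,231
09:03:01,35,1240
09:04:01,190,170
09:12:30,0,0
09:13:30,205,199
"""


@dataclass
class Interval:
    t: int            # seconds since midnight at the time of the save
    keystrokes: int   # keystrokes seen during the interval
    chars_added: int  # characters added to the exam file during the interval


def parse_log(text: str) -> List[Interval]:
    rows = []
    for line in text.strip().splitlines():
        clock, keys, chars = line.split(",")
        h, m, s = (int(x) for x in clock.split(":"))
        rows.append(Interval(h * 3600 + m * 60 + s, int(keys), int(chars)))
    return rows


def review(rows: List[Interval]) -> List[Tuple[str, int, int]]:
    """Return (finding, time of save, magnitude) for each suspicious interval."""
    findings = []
    for prev, cur in zip(rows, rows[1:]):
        gap = cur.t - prev.t
        if gap > RESTART_ALLOWANCE_S:
            # Longer than a proctor-approved restart should take.
            findings.append(("gap_exceeds_restart", cur.t, gap))
        elif gap > 2 * SAVE_INTERVAL_S:
            # At least one periodic save was missed: the application was not active.
            findings.append(("missed_save", cur.t, gap))
        surplus = cur.chars_added - cur.keystrokes
        if surplus > PASTE_SLACK_CHARS:
            # Far more text appeared than was typed in this interval.
            findings.append(("chars_exceed_keystrokes", cur.t, surplus))
    return findings
```

Keystrokes normally meet or exceed characters added because of corrections and navigation keys, so only a surplus of characters is flagged.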
At the conclusion of the exam, the program saves a Rich Text Format (RTF), or otherwise suitably formatted document to the floppy disk in the computer's floppy disk drive and saves encrypted copies to both the floppy disk and the hard disk at step 58. A copy of the auxiliary information file is also saved to the floppy disk. Further, the user may be given the option to save an additional encrypted copy of the exam data for backup purposes. In the event of a dispute regarding the contents of the floppy disk or if the floppy disk becomes erased or lost, the encrypted copy or copies on the hard drive provide a secure record of the exam. After the various files are saved to the floppy and hard disks, each unencrypted file on the hard drive is securely deleted by overwriting several times the hard drive sectors where the data was stored at step 60. Finally, the exam application launches the ending application, restores the computer's settings and then terminates itself at step 62. The ending application securely deletes the temporary copy of the exam application from the hard disk and terminates itself. In some embodiments, it may be desirable to have the ending application shut down the computer.
To accommodate system crashes or loss of power, attempts to restart the exam application must be approved by a proctor. After restart, the starting application prompts the user for personal information as in the normal sequence. However, the floppy disk does not pass the password and creation date verification as it is allowed only one execution. Accordingly, the exam application terminates, requiring and preferably visually requesting a valid proctor disk. If the proctor determines that a restart is warranted, the proctor will supply a proctor floppy disk. As with the exam disks, any computer-readable removable media may be used as a proctor disk. Verification of a valid proctor disk allows the exam application to restart and the user can replace the floppy disk and commence work from the last saved version. In other embodiments, it may be desirable to replace the proctor disk with a hardware component that could plug into a parallel port, a serial port, a PC Card slot or the like. Once the exam application identifies the appropriate hardware, it restarts the exam from the last saved version.
As discussed above, the exam application is tailored to the type of examination being given. In most applications, it will be desirable to provide word processing functions to facilitate responses to essay questions. Preferably, the word processing program is configured to operate similarly to popular commercial word processing programs. The exam application can automatically add headers and footers having the user's name or ID number, course instructor and other course information to aid identification. The exam application can easily be modified to allow its use for multiple choice or short answer questions.
While the present invention has been described with reference to certain preferred embodiments, those skilled in the art will recognize that various modifications and other embodiments may be provided. For example, it may be desirable to configure the exam application for use on computers other than the user's personal computer. An institution may have a computer lab with computers used for many purposes. It is still desirable to prevent access to unauthorized files during an examination, but the exam application can be resident on the computers. More broadly, the invention can be used for any application where it is desirable to prevent access to unauthorized files while allowing the execution of a desired program. These other embodiments are intended to fall within the scope of the present invention, and these variations upon and modifications to the embodiments described herein are provided for by the present invention which is limited only by the following claims.