WO1999036848A1 - Secure exam method - Google Patents

Publication number
WO1999036848A1
Authority
WO
WIPO (PCT)
Prior art keywords
user input
instructions
computer
application
unauthorized
Application number
PCT/US1999/000481
Other languages
French (fr)
Inventor
William K. Storage
Adam M. Wasserman
Original Assignee
Examsoft Worldwide, Inc.
Application filed by Examsoft Worldwide, Inc.
Priority to AU23140/99A (patent AU2314099A)
Publication of WO1999036848A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101 Auditing as a secondary aspect

Definitions

  • the present invention relates generally to the field of computer security, and more particularly to computer software for restricting access to a computer's stored data and applications for the purpose of giving secure exams.
  • Portable and desktop computers equipped with word processing software have become the primary tool for preparing written material.
  • concerns about security have severely curtailed their use.
  • computer use in test taking environments has typically required the use of dedicated computers to ensure that unauthorized data or programs are not present. Needless to say, supplying a dedicated computer to each student desiring one when taking a test represents a significant if not insurmountable expense. Accordingly, what has been needed is a method to allow the use of a personal computer to prepare answers to an exam while preventing access to unauthorized programs and data that might be stored in the computer. This invention satisfies these and other needs.
  • the present invention comprises a method and system for preventing access to data and programs stored by a computer while allowing the computer to execute a desired application, comprising the steps of, and executable instructions for, closing unauthorized programs, filtering user commands to prevent unauthorized access to files stored on the computer, and allowing filtered user input to the desired application.
  • the filtered user input is periodically saved and updated.
  • the application for the closing and filtering steps resides on a floppy disk to enhance the security of the system, although alternative embodiments allow for execution independent of floppy disks. Native features of the computer's operating system are accessed to filter, and if necessary, modify, commands entered by the user to create a secure computing environment.
  • the only file that is active and accessible is the one created by the user in response to the desired application.
  • a number of additional security measures may be implemented, including encrypting files, recording system events and securely deleting files.
  • the invention is used to administer an examination.
  • FIG. 1 is a schematic representation of a computer system useful in the practice of the present invention.
  • FIG. 2 is a flowchart showing the primary steps in the methods of the present invention.
  • a typical computer system useful in the practice of this invention generally comprises a central processing unit (CPU) 10, having volatile and nonvolatile memory 12 as well as recordable storage such as a hard drive 14 and a floppy disk drive 16.
  • the user input devices include a keyboard 18 and a pointing device, such as a mouse 20.
  • Other input devices may also be used including a graphics tablet or a microphone in conjunction with voice recognition software.
  • the computer system also comprises a display 22 and, optionally, other output devices such as speakers, printers and the like.
  • CPU 10 may also be connected to a network (not shown).
  • the invention has been designed to eliminate academic dishonesty by taking control of an operating system through execution of a software program that locks out access to applications, macros, files, programmed key commands and networked files stored in computer-readable media.
  • any file, application or data, that could be used to gain an unfair advantage in taking an exam should be considered unauthorized and access to that file should be restricted.
  • computer-readable media refers to any storage device for computer-readable data, including non-volatile memory such as hard disk drives, floppy disk drives, ROM, writable or read-only CD-ROMs, DVD drives, tape drives, PC cards and the like and volatile memory such as RAM.
  • the materials secured by this invention may also be stored in computer-readable media available over a LAN or WAN, accessible via a modem, an Ethernet link, or any other network connection. Access to all of these sources of data and applications is completely restricted.
  • the exam answer is preferably recorded to a specially created exam file using the exam application's own easy to use word processor.
  • the present invention capitalizes on the fact that most modern operating systems prevent programs from directly interacting with peripherals such as the display, keyboard and mouse by providing interfaces for such services. Programs therefore communicate indirectly with the screen, keyboard, and mouse through these defined interfaces using information packages known as messages.
  • the invention filters these messages to prevent the user from accessing unauthorized data or programs.
  • the invention employs a compiled 16 or 32-bit executable file designed for the Microsoft Windows 3.x, Windows 9x or Windows NT (all of which are federally registered and recognized trademarks of Microsoft, Inc.) operating system that uses a number of supporting executable files in dynamic link libraries.
  • the system may also be adapted for use with other operating systems as necessary, as understood by one skilled in the art to which the present invention pertains.
  • the invention uses native services of the operating systems to achieve a message interception scheme referred to herein as cross-processing subclassing.
  • Subclassing is the process of intercepting operating system messages that are normally processed behind the scenes.
  • the Windows environment sends messages indicating that system events have occurred, such as keyboard input or mouse selection.
  • Windows also sends housekeeping messages to control the display of each window.
  • Subclassing intercepts each of these messages, allowing them to be modified or deleted before passing them on to their intended destination.
  • Windows achieves subclassing through the use of hooks, which allow messages to be monitored, intercepted, and discarded by a program.
  • a hook is a mechanism by which a function can intercept events such as messages, mouse actions, and keystrokes before they reach an application or even the main body of the operating system, which otherwise would direct these to the application currently in use.
  • This mechanism is provided as a "service" by the operating system. Hooks are provided by calling the appropriate set of functions residing in the operating system and by supplying filter functions to the operating system. Specifically, the operating system will automatically call the programmer supplied filter function when the hooked event occurs.
  • the filter function can act on events and, in some cases, modify or discard them. For example, a filter function might want to receive all keyboard or mouse events.
  • For Windows to call a filter function, the filter function must be installed (that is, attached) to a Windows hook (for example, to a keyboard hook). Attaching one or more filter functions to a hook is known as setting a hook. If a hook has more than one filter function attached, Windows maintains a chain of filter functions. The most recently installed function is at the beginning of the chain, and the least recently installed function is at the end.
  • the invention enlists these services to monitor messages concerned with keystrokes, the Windows clipboard, the creation of windows, the creation of other programmatic processes, and the visibility of windows.
  • the invention intercepts, discards, and preferably makes a record of all messages that could allow the user to start another program or access an unauthorized file in any way. Although this monitoring activity requires a significant portion of the system's resources, the vast majority of portable computers with 80386 or better processors can quickly execute it.
  • One having ordinary skill in the art can modify the invention as necessary to adapt it to other operating systems.
  • users install most of the program's files through an installation kit. Users run an automated installer program to place required files on their hard drives. Normally, installation will be done before exam day, but since the procedure takes only a few minutes, it may be performed immediately prior to an exam, if necessary. Any installation disks preferably contain supporting files only, not the actual application, so no security issue is raised by an early installation.
  • a demonstration version of the program may be included in the installation kit to allow the user to become familiarized with the program, and in particular, with the word processing features of the application. In preferred embodiments, the security features of the invention are not included in the demonstration version.
  • a sealed single-use exam disk is distributed to each user much the way an exam bluebook would.
  • floppy disks are widely used as removable computer-readable media but as the demand for increased storage grows, other types of removable media may predominate, such as ZIP and JAZ disks available from IOMEGA, Inc., the LS-120 Super Floppy Disk, writable CD-ROMs and DVDs and the like.
  • the invention can be adapted to work with any removable computer-readable media.
  • the exam disk contains the security features of the invention as well as password and creation date verification data. In preferred embodiments, as discussed below, the exam application is temporarily copied to the user's hard disk to improve performance.
  • the starting and ending sub-applications of the present invention perform the necessary copying, execution and deletion of the exam application. In other embodiments, it may be desirable to execute the exam application from the floppy disk directly. In such embodiments, the starting and ending sub-applications are unnecessary.
  • Fig. 2 shows a flowchart that represents major steps of the invention.
  • the user inserts the exam floppy disk and launches the startup application at step 30.
  • the startup application prompts the user for personal data, and then records it to the floppy disk at step 32.
  • the startup application also preferably temporarily copies the exam application from the floppy to the user's hard drive to improve performance.
  • the exam application can be run from the floppy disk, but generally it is preferable to use the hard disk drive to decrease seek times and improve data transfer rates. This preferable embodiment may also be adapted to use with computer networks in a manner independent of removable media.
  • the startup program then launches the exam application and terminates itself.
  • the exam application creates an auxiliary information file on the user's hard drive and on the floppy disk to record a log of the application's execution. Then, the exam application verifies that the floppy disk is valid by password and creation date at step 34. If the floppy disk is not valid, the application notifies the user and terminates if necessary at step 36.
  • After determining the floppy disk is valid, the exam application implements the security features of the invention.
  • the exam application records the contents of the clipboard to the auxiliary information file on the hard disk and then deletes the clipboard at step 38.
  • the exam application identifies already running processes by sequentially obtaining a thread for each process and then a process ID for each thread.
  • a process is a logical grouping of a memory address space (memory area allocated by the operating system), a computer program, and its data. Normally, there is no interaction between programs in different processes, and they cannot read or write to memory space outside their process, without prior agreement by both programs, such as object linking and embedding (OLE).
  • Each process consists of one or more threads of execution. These threads are simply atomic units of code execution that can run simultaneously within a single process.
  • After controlling the running processes, the exam application then configures Windows for optimum security. Specifically, the exam application terminates or hides the Explorer windows in Win9x and NT systems, depending on type. The application also turns off screen savers, power management and the desktop wallpaper, sets the desktop icons invisible and then updates the .INI files to reflect the changes. Next, the exam application disables the task bar in Win9x and NT versions. Finally, the exam application identifies itself to the operating system as an active screen saver to prevent the Ctl-Alt-Del keystroke combination in Win9x. After terminating nonessential processes and securing the operating system configuration, the exam application sets the appropriate hooks and begins cross-process subclassing at step 44. Specific steps taken depend on the variety of Windows, but generally include: Setting a hook for Ctl-Esc keys in Win 9x
  • the exam application can begin the examination by showing a word processor window at step 46.
  • the program can easily be adapted to other types of examination such as multiple choice or short answer by substituting the appropriate form for the word processing window.
  • the exam application monitors all the keystrokes and other user input as the examination proceeds at step 48.
  • the exam application records the details of all intercepted hooked messages, such as attempts to call unauthorized applications at step 50 or access unauthorized data. While a few attempts to call unauthorized applications or data may occur inadvertently, more frequent occurrences may indicate an attempt to subvert the security features of the exam application and will be reviewable by the exam grader.
  • Keystrokes and other user input that pass the filter function are passed on to the word processor at step 52.
  • the exam application periodically performs several monitoring functions. First, the examination application checks the visible windows to confirm that the only active windows are related to the examination. This offers a level of redundant protection over the filtering of the WM_CREATE message.
  • the exam application also periodically saves the status of the exam and performs several updates at step 54, preferably once a minute.
  • the exam data and a backup are saved to disk, as well as test taking statistics such as the number of keystrokes and total number of characters added to the data file per monitoring interval at step 56. These statistics are added to the auxiliary information file and can be used to resolve questions about exam security. For example, delays between the periodic saves indicate that the exam application was not active.
  • If the delay is longer than that required to restart the exam application with a proctor disk (discussed below), it may be an indication that the user was attempting to subvert the program. Also, the number of keystrokes can be compared to the total number of characters added. Large discrepancies may indicate that text was copied from another source. Yet other features such as a clock display and word count can also be periodically updated. Towards the end of the allotted time, a reminder, audible or visible, can alert the user.
  • the program saves a Rich Text Format (RTF), or otherwise suitably formatted document to the floppy disk in the computer's floppy disk drive and saves encrypted copies to both the floppy disk and the hard disk at step 58.
  • a copy of the auxiliary information file is also saved to the floppy disk.
  • the user may be given the option to save an additional encrypted copy of the exam data for backup purposes.
  • the encrypted copy or copies on the hard drive provide a secure record of the exam.
  • each unencrypted file on the hard drive is securely deleted by overwriting several times the hard drive sectors where the data was stored at step 60.
  • the exam application launches the ending application, restores the computer's settings and then terminates itself at step 62.
  • the ending application securely deletes the temporary copy of the exam application from the hard disk and terminates itself. In some embodiments, it may be desirable to have the ending application shut down the computer.
  • the starting application prompts the user for personal information as in the normal sequence.
  • the floppy disk does not pass the password and creation date verification as it is allowed only one execution. Accordingly, the exam application terminates, requiring and preferably visually requesting a valid proctor disk. If the proctor determines that a restart is warranted, the proctor will supply a proctor floppy disk.
  • any computer-readable removable media may be used as a proctor disk. Verification of a valid proctor disk allows the exam application to restart and the user can replace the floppy disk and commence work from the last saved version.
  • it may be desirable to replace the proctor disk with a hardware component that could plug into a parallel port, a serial port, a PC Card slot or the like.
  • If the exam application identifies the appropriate hardware, it restarts the exam from the last saved version.
  • the exam application is tailored to the type of examination being given. In most applications, it will be desirable to provide word processing functions to facilitate responses to essay questions.
  • the word processing program is configured to operate similarly to popular commercial word processing programs.
  • the exam application can automatically add headers and footers having the user's name or ID number, course instructor and other course information to aid identification.
  • the exam application can easily be modified to allow its use for multiple choice or short answer questions.
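The review of the per-interval statistics described above (save delays, and keystrokes compared with characters added) can be sketched as follows. This is an added example, not code from the patent: the CSV layout of the auxiliary information file, the field names and every threshold are assumptions, and the sample log is constructed.

```python
import csv
import io
from typing import List, NamedTuple

# Constructed sample: one record per periodic save (assumed layout).
SAMPLE_LOG = """\
time_s,keystrokes,chars_added
0,0,0
60,212,198
120,240,231
180,15,1450
480,190,170
540,205,201
"""


class Interval(NamedTuple):
    time_s: int        # seconds since the exam started
    keystrokes: int    # keystrokes seen during the interval
    chars_added: int   # characters added to the exam file in the interval


class Finding(NamedTuple):
    time_s: int
    kind: str
    detail: str


def parse_intervals(text: str) -> List[Interval]:
    """Parse the assumed CSV layout, rejecting malformed records."""
    rows = []
    for lineno, rec in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            rows.append(Interval(int(rec["time_s"]),
                                 int(rec["keystrokes"]),
                                 int(rec["chars_added"])))
        except (KeyError, TypeError, ValueError) as exc:
            raise ValueError(f"malformed record on line {lineno}") from exc
    return rows


def review(rows: List[Interval],
           save_interval_s: int = 60,       # "preferably once a minute"
           restart_allowance_s: int = 120,  # assumed proctor-restart time
           max_ratio: float = 1.5,          # assumed chars-per-keystroke limit
           min_excess: int = 50) -> List[Finding]:
    """Flag save gaps and intervals where text grew faster than typing."""
    findings = []
    prev = None
    for row in rows:
        if prev is not None:
            gap = row.time_s - prev.time_s
            # A gap longer than a save interval plus a legitimate restart
            # means the exam application was not active for that time.
            if gap > save_interval_s + restart_allowance_s:
                findings.append(Finding(row.time_s, "save_gap",
                                        f"{gap}s since previous save"))
        # Keystrokes may exceed characters (backspace, cursor keys), so only
        # the opposite direction is suspicious: text that was not typed.
        excess = row.chars_added - row.keystrokes
        if excess >= min_excess and row.chars_added > row.keystrokes * max_ratio:
            findings.append(Finding(
                row.time_s, "chars_exceed_keystrokes",
                f"{row.chars_added} chars from {row.keystrokes} keystrokes"))
        prev = row
    return findings


if __name__ == "__main__":
    for finding in review(parse_intervals(SAMPLE_LOG)):
        print(finding)
```
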

Abstract

A method and computer program are provided for creating a secure computing environment by preventing access to unauthorized files during the execution of a desired application. User commands are filtered for instructions that would lead to unauthorized application access. This restricts access to all files except the file created by the desired application. This method works for portable, desktop, and networked computers. Preferably, at least the security features of the invention are distributed to the users through a single-use floppy disk, although any other suitable storage medium may be utilized. Additional security features include the use of encrypted files, a log of system events and the secure deletion of related files.

Description

SECURE EXAM METHOD
RELATED APPLICATIONS
This application depends for priority upon U.S. Provisional Patent Application Ser. No. 60/071,926, filed on January 20, 1998 and entitled COMPUTER HARD DRIVE LOCK OUT DEVICE FOR GIVING SECURE EXAMS.
FIELD OF THE INVENTION
The present invention relates generally to the field of computer security, and more particularly to computer software for restricting access to a computer's stored data and applications for the purpose of giving secure exams.
BACKGROUND OF THE INVENTION
Portable and desktop computers equipped with word processing software have become the primary tool for preparing written material. One area where the use of all types of computers has lagged, however, is in the field of test taking. Despite the desire of students to write essay exams with the aid of a computer, concerns about security have severely curtailed their use. In the prior art, computer use in test taking environments has typically required the use of dedicated computers to ensure that unauthorized data or programs are not present. Needless to say, supplying a dedicated computer to each student desiring one when taking a test represents a significant if not insurmountable expense. Accordingly, what has been needed is a method to allow the use of a personal computer to prepare answers to an exam while preventing access to unauthorized programs and data that might be stored in the computer. This invention satisfies these and other needs.
SUMMARY OF THE INVENTION
The present invention comprises a method and system for preventing access to data and programs stored by a computer while allowing the computer to execute a desired application, comprising the steps of, and executable instructions for, closing unauthorized programs, filtering user commands to prevent unauthorized access to files stored on the computer, and allowing filtered user input to the desired application. Normally, the filtered user input is periodically saved and updated. Preferably, the application for the closing and filtering steps resides on a floppy disk to enhance the security of the system, although alternative embodiments allow for execution independent of floppy disks. Native features of the computer's operating system are accessed to filter, and if necessary, modify, commands entered by the user to create a secure computing environment. Accordingly, the only file that is active and accessible is the one created by the user in response to the desired application. A number of additional security measures may be implemented, including encrypting files, recording system events and securely deleting files. In preferred embodiments, the invention is used to administer an examination.
BRIEF DESCRIPTION OF THE DRAWINGS
The aforementioned advantages of the present invention as well as additional advantages thereof will be more clearly understood hereinafter as a result of a detailed description of a preferred embodiment of the invention when taken in conjunction with the following drawings. FIG. 1 is a schematic representation of a computer system useful in the practice of the present invention.
FIG. 2 is a flowchart showing the primary steps in the methods of the present invention.
DETAILED DESCRIPTION OF THE DRAWINGS
As shown in Fig. 1, a typical computer system useful in the practice of this invention generally comprises a central processing unit (CPU) 10, having volatile and nonvolatile memory 12 as well as recordable storage such as a hard drive 14 and a floppy disk drive 16. Conventionally, the user input devices include a keyboard 18 and a pointing device, such as a mouse 20. Other input devices may also be used including a graphics tablet or a microphone in conjunction with voice recognition software. The computer system also comprises a display 22 and, optionally, other output devices such as speakers, printers and the like. CPU 10 may also be connected to a network (not shown).
In preferred embodiments, the invention has been designed to eliminate academic dishonesty by taking control of an operating system through execution of a software program that locks out access to applications, macros, files, programmed key commands and networked files stored in computer-readable media. Generally, any file, application or data, that could be used to gain an unfair advantage in taking an exam should be considered unauthorized and access to that file should be restricted. As used herein, computer-readable media refers to any storage device for computer-readable data, including non-volatile memory such as hard disk drives, floppy disk drives, ROM, writable or read-only CD-ROMs, DVD drives, tape drives, PC cards and the like and volatile memory such as RAM. The materials secured by this invention may also be stored in computer-readable media available over a LAN or WAN, accessible via a modem, an Ethernet link, or any other network connection. Access to all of these sources of data and applications is completely restricted. The exam answer is preferably recorded to a specially created exam file using the exam application's own easy to use word processor.
The present invention capitalizes on the fact that most modern operating systems prevent programs from directly interacting with peripherals such as the display, keyboard and mouse by providing interfaces for such services. Programs therefore communicate indirectly with the screen, keyboard, and mouse through these defined interfaces using information packages known as messages. The invention filters these messages to prevent the user from accessing unauthorized data or programs. In a preferred embodiment, the invention employs a compiled 16 or 32-bit executable file designed for the Microsoft Windows 3.x, Windows 9x or Windows NT (all of which are federally registered and recognized trademarks of Microsoft, Inc.) operating system that uses a number of supporting executable files in dynamic link libraries. The system may also be adapted for use with other operating systems as necessary, as understood by one skilled in the art to which the present invention pertains. In these embodiments, the invention uses native services of the operating systems to achieve a message interception scheme referred to herein as cross-processing subclassing.
Subclassing is the process of intercepting operating system messages that are normally processed behind the scenes. The Windows environment sends messages indicating that system events have occurred, such as keyboard input or mouse selection. Windows also sends housekeeping messages to control the display of each window. Subclassing intercepts each of these messages, allowing them to be modified or deleted before passing them on to their intended destination. In part, Windows achieves subclassing through the use of hooks, which allow messages to be monitored, intercepted, and discarded by a program.
In the Windows operating system, a hook is a mechanism by which a function can intercept events such as messages, mouse actions, and keystrokes before they reach an application or even the main body of the operating system, which otherwise would direct these to the application currently in use. This mechanism is provided as a "service" by the operating system. Hooks are provided by calling the appropriate set of functions residing in the operating system and by supplying filter functions to the operating system. Specifically, the operating system will automatically call the programmer supplied filter function when the hooked event occurs.
The filter function can act on events and, in some cases, modify or discard them. For example, a filter function might want to receive all keyboard or mouse events. For Windows to call a filter function, the filter function must be installed (that is, attached) to a Windows hook (for example, to a keyboard hook). Attaching one or more filter functions to a hook is known as setting a hook. If a hook has more than one filter function attached, Windows maintains a chain of filter functions. The most recently installed function is at the beginning of the chain, and the least recently installed function is at the end.
The invention enlists these services to monitor messages concerned with keystrokes, the Windows clipboard, the creation of windows, the creation of other programmatic processes, and the visibility of windows. The invention intercepts, discards, and preferably makes a record of all messages that could allow the user to start another program or access an unauthorized file in any way. Although this monitoring activity requires a significant portion of the system's resources, the vast majority of portable computers with 80386 or better processors can quickly execute it. One having ordinary skill in the art can modify the invention as necessary to adapt it to other operating systems.
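The filter chain described above can be modelled in a few lines to show why install order matters for the record of discarded messages. This is an added example and a simplified model, not Win32 code and not code from the patent: the `HookChain` class, the `Message` fields, the filter names and the sample traffic are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Message:
    kind: str    # "KEY" or "WM_CREATE" in this model
    detail: str  # key combination, or the program creating the window


# A filter receives the message plus a callable for the rest of the chain.
# Returning None discards the message; returning a Message lets it through.
Next = Callable[[Message], Optional[Message]]
Filter = Callable[[Message, Next], Optional[Message]]


@dataclass
class HookChain:
    filters: List[Filter] = field(default_factory=list)

    def set_hook(self, flt: Filter) -> None:
        # The most recently installed filter sits at the beginning.
        self.filters.insert(0, flt)

    def dispatch(self, msg: Message) -> Optional[Message]:
        def run(i: int, m: Message) -> Optional[Message]:
            if i == len(self.filters):
                return m  # end of chain: the application receives it
            return self.filters[i](m, lambda m2: run(i + 1, m2))
        return run(0, msg)


def discard_keys(log: List[str], blocked: set) -> Filter:
    def flt(msg: Message, nxt: Next) -> Optional[Message]:
        if msg.kind == "KEY" and msg.detail in blocked:
            log.append(f"discarded KEY {msg.detail}")  # record, then drop
            return None
        return nxt(msg)
    return flt


def discard_foreign_windows(log: List[str], allowed: str) -> Filter:
    def flt(msg: Message, nxt: Next) -> Optional[Message]:
        if msg.kind == "WM_CREATE" and msg.detail != allowed:
            log.append(f"discarded WM_CREATE from {msg.detail}")
            return None
        return nxt(msg)
    return flt


def recorder(seen: List[Message]) -> Filter:
    def flt(msg: Message, nxt: Next) -> Optional[Message]:
        seen.append(msg)  # passive: records and passes everything on
        return nxt(msg)
    return flt


def run_demo(recorder_in_front: bool):
    """Return (delivered, seen_by_recorder, discard_log) for sample traffic."""
    log: List[str] = []
    seen: List[Message] = []
    chain = HookChain()
    if not recorder_in_front:
        chain.set_hook(recorder(seen))      # installed first, so it runs last
    chain.set_hook(discard_foreign_windows(log, "exam"))
    chain.set_hook(discard_keys(log, {"Ctl-Esc"}))
    if recorder_in_front:
        chain.set_hook(recorder(seen))      # installed last, so it runs first
    traffic = [                             # constructed sample messages
        Message("KEY", "a"),
        Message("KEY", "Ctl-Esc"),
        Message("WM_CREATE", "exam"),
        Message("WM_CREATE", "notepad"),
    ]
    delivered = [m for m in map(chain.dispatch, traffic) if m is not None]
    return delivered, seen, log


if __name__ == "__main__":
    print(run_demo(recorder_in_front=False))
    print(run_demo(recorder_in_front=True))
```

A recording filter installed before the discarding filters sits behind them in the chain and never sees what they dropped, so the record of blocked attempts has to be written by the discarding filter itself or by a filter installed after it.
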
In a preferred embodiment, users install most of the program's files through an installation kit. Users run an automated installer program to place required files on their hard drives. Normally, installation will be done before exam day, but since the procedure takes only a few minutes, it may be performed immediately prior to an exam, if necessary. Any installation disks preferably contain supporting files only, not the actual application, so no security issue is raised by an early installation. A demonstration version of the program may be included in the installation kit to allow the user to become familiarized with the program, and in particular, with the word processing features of the application. In preferred embodiments, the security features of the invention are not included in the demonstration version.
Immediately prior to the test, a sealed single-use exam disk is distributed to each user much the way an exam bluebook would. Currently, floppy disks are widely used as removable computer-readable media but as the demand for increased storage grows, other types of removable media may predominate, such as ZIP and JAZ disks available from IOMEGA, Inc., the LS-120 Super Floppy Disk, writable CD-ROMs and DVDs and the like. The invention can be adapted to work with any removable computer-readable media. The exam disk contains the security features of the invention as well as password and creation date verification data. In preferred embodiments, as discussed below, the exam application is temporarily copied to the user's hard disk to improve performance. In these embodiments, the starting and ending sub-applications of the present invention perform the necessary copying, execution and deletion of the exam application. In other embodiments, it may be desirable to execute the exam application from the floppy disk directly. In such embodiments, the starting and ending sub-applications are unnecessary.
Fig. 2 shows a flowchart that represents major steps of the invention. First, the user inserts the exam floppy disk and launches the startup application at step 30. The startup application prompts the user for personal data, and then records it to the floppy disk at step 32. The startup application also preferably temporarily copies the exam application from the floppy to the user's hard drive to improve performance. The exam application can be run from the floppy disk, but generally it is preferable to use the hard disk drive to decrease seek times and improve data transfer rates. This preferable embodiment may also be adapted to use with computer networks in a manner independent of removable media. The startup program then launches the exam application and terminates itself. The exam application creates an auxiliary information file on the user's hard drive and on the floppy disk to record a log of the application's execution. Then, the exam application verifies that the floppy disk is valid by password and creation date at step 34. If the floppy disk is not valid, the application notifies the user and terminates if necessary at step 36.
After determining the floppy disk is valid, the exam application implements the security features of the invention. The exam application records the contents of the clipboard to the auxiliary information file on the hard disk and then deletes the clipboard at step 38. The exam application identifies already running processes by sequentially obtaining a thread for each process and then a process ID for each thread. A process is a logical grouping of a memory address space (memory area allocated by the operating system), a computer program, and its data. Normally, there is no interaction between programs in different processes, and they cannot read or write to memory space outside their process, without prior agreement by both programs, such as object linking and embedding (OLE). Each process consists of one or more threads of execution. These threads are simply atomic units of code execution that can run simultaneously within a single process.
While some processes are essential to the functioning of the operating system, many others are not and may pose a security concern. Essential processes are those that are necessary for the stable operation of the operating system and for the execution of the exam application. In general, all nonessential processes are considered unauthorized and are closed or otherwise hidden. The exam application sends a SC_CLOSE message to the window of each running process that is not essential to Windows functions or otherwise terminates those programs at step 40. If the exam application encounters processes that cannot be closed, it either hides their windows or notifies the user of the conflict and quits at step 42. Similarly, some applications such as crash protection programs interfere with the subclassing functions of the exam application. If the exam application identifies such incompatible programs, it notifies the user and/or quits.
After controlling the running processes, the exam application then configures Windows for optimum security. Specifically, the exam application terminates or hides the Explorer windows in Win9x and NT systems, depending on type. The application also turns off screen savers, power management and the desktop wallpaper, sets the desktop icons invisible and then updates the .INI files to reflect the changes. Next, the exam application disables the task bar in Win9x and NT versions. Finally, the exam application identifies itself to the operating system as an active screen saver to prevent the Ctl-Alt-Del keystroke combination in Win9x.
After terminating nonessential processes and securing the operating system configuration, the exam application sets the appropriate hooks and begins cross-process subclassing at step 44. Specific steps taken depend on the variety of Windows, but generally include:
Setting a hook for Ctl-Esc keys in Win 9x
Setting a hotkey message hook (WM_HOTKEY) to intercept but not block Ctl-Esc in Win NT
Setting a hook for the foreground window to reset it to the exam application in Win NT
Setting a hook for clipboard usage to block paste commands where source is not the exam application
Setting a hook and subclassing for window creation (the WM_CREATE message)
Having secured the computer's operating system, the exam application can begin the examination by showing a word processor window at step 46. The program can easily be adapted to other types of examination such as multiple choice or short answer by substituting the appropriate form for the word processing window.
The exam application monitors all the keystrokes and other user input as the examination proceeds at step 48. The exam application records the details of all intercepted hooked messages, such as attempts to call unauthorized applications at step 50 or access unauthorized data. While a few attempts to call unauthorized applications or data may occur inadvertently, more frequent occurrences may indicate an attempt to subvert the security features of the exam application and will be reviewable by the exam grader. Keystrokes and other user input that pass the filter function are passed on to the word processor at step 52.
The exam application periodically performs several monitoring functions. First, the examination application checks the visible windows to confirm that the only active windows are related to the examination. This offers a level of redundant protection over the filtering of the WM_CREATE message. The exam application also periodically saves the status of the exam and performs several updates at step 54, preferably once a minute. The exam data and a backup are saved to disk, as well as test taking statistics such as the number of keystrokes and total number of characters added to the data file per monitoring interval at step 56. These statistics are added to the auxiliary information file and can be used to resolve questions about exam security. For example, delays between the periodic saves indicate that the exam application was not active. If the delay is longer than that required to restart the exam application with a proctor disk (discussed below), it may be an indication that the user was attempting to subvert the program. Also, the number of keystrokes can be compared to the total number of characters added. Large discrepancies may indicate that text was copied from another source. Yet other features such as a clock display and word count can also be periodically updated. Towards the end of the allotted time, a reminder, audible or visible, can alert the user.
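As an added illustration (not part of the patent text or of any exam software it describes), the two review heuristics above can be applied to the per-interval statistics by a grader's script. The record format, the restart allowance and the other thresholds are assumptions, and the sample log is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of the auxiliary information file. The patent gives no
# format; "HH:MM:SS,keystrokes,chars_added" per periodic save is an assumption.
SAMPLE_LOG = """\
09:00:00,0,0
09:01:00,212,198
09:02:00,240,231
09:03:01,15,1460
09:04:00,230,221
09:11:30,180,170
09:12:30,0,0
09:15:00,200,190
"""

SAVE_INTERVAL = timedelta(seconds=60)     # "preferably once a minute"
JITTER = timedelta(seconds=10)            # assumed scheduling tolerance
RESTART_ALLOWANCE = timedelta(minutes=5)  # assumed time for a proctor-disk restart
MAX_CHARS_PER_KEY = 1.5                   # assumed ratio before text looks pasted
MIN_EXCESS_CHARS = 50                     # assumed floor, ignores small differences


@dataclass(frozen=True)
class Interval:
    saved_at: datetime
    keystrokes: int
    chars_added: int


def parse_log(text):
    """Parse the assumed record format; reject malformed lines loudly."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            ts, keys, chars = line.split(",")
            records.append(
                Interval(datetime.strptime(ts, "%H:%M:%S"), int(keys), int(chars))
            )
        except ValueError as exc:
            raise ValueError(f"line {lineno}: malformed record {line!r}") from exc
    return records


def find_anomalies(records):
    """Return (timestamp, finding) pairs for a grader to review."""
    findings = []
    for prev, cur in zip([None] + records[:-1], records):
        stamp = cur.saved_at.strftime("%H:%M:%S")
        if prev is not None:
            gap = cur.saved_at - prev.saved_at
            if gap > SAVE_INTERVAL + RESTART_ALLOWANCE:
                # Longer than a legitimate proctor-approved restart would take.
                findings.append((stamp, "gap_exceeds_restart"))
            elif gap > SAVE_INTERVAL + JITTER:
                # Saves were delayed: the exam application was not active.
                findings.append((stamp, "inactive"))
        # Fewer characters than keystrokes is normal (deletions, navigation);
        # far more characters than keystrokes suggests text from another source.
        excess = cur.chars_added - cur.keystrokes
        if (excess >= MIN_EXCESS_CHARS
                and cur.chars_added > cur.keystrokes * MAX_CHARS_PER_KEY):
            findings.append((stamp, "chars_exceed_keystrokes"))
    return findings


if __name__ == "__main__":
    for stamp, finding in find_anomalies(parse_log(SAMPLE_LOG)):
        print(stamp, finding)
```

The findings are review prompts rather than verdicts: the timestamps here are time-of-day values within one sitting, and an exam spanning midnight would need full dates in the log.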
At the conclusion of the exam, the program saves a Rich Text Format (RTF), or otherwise suitably formatted document to the floppy disk in the computer's floppy disk drive and saves encrypted copies to both the floppy disk and the hard disk at step 58. A copy of the auxiliary information file is also saved to the floppy disk. Further, the user may be given the option to save an additional encrypted copy of the exam data for backup purposes. In the event of a dispute regarding the contents of the floppy disk or if the floppy disk becomes erased or lost, the encrypted copy or copies on the hard drive provide a secure record of the exam. After the various files are saved to the floppy and hard disks, each unencrypted file on the hard drive is securely deleted by overwriting several times the hard drive sectors where the data was stored at step 60. Finally, the exam application launches the ending application, restores the computer's settings and then terminates itself at step 62. The ending application securely deletes the temporary copy of the exam application from the hard disk and terminates itself. In some embodiments, it may be desirable to have the ending application shut down the computer.
To accommodate system crashes or loss of power, attempts to restart the exam application must be approved by a proctor. After restart, the starting application prompts the user for personal information as in the normal sequence. However, the floppy disk does not pass the password and creation date verification as it is allowed only one execution. Accordingly, the exam application terminates, requiring and preferably visually requesting a valid proctor disk. If the proctor determines that a restart is warranted, the proctor will supply a proctor floppy disk. As with the exam disks, any computer-readable removable media may be used as a proctor disk. Verification of a valid proctor disk allows the exam application to restart and the user can replace the floppy disk and commence work from the last saved version. In other embodiments, it may be desirable to replace the proctor disk with a hardware component that could plug into a parallel port, a serial port, a PC Card slot or the like. Once the exam application identifies the appropriate hardware, it restarts the exam from the last saved version.
As discussed above, the exam application is tailored to the type of examination being given. In most applications, it will be desirable to provide word processing functions to facilitate responses to essay questions. Preferably, the word processing program is configured to operate similarly to popular commercial word processing programs. The exam application can automatically add headers and footers having the user's name or ID number, course instructor and other course information to aid identification. The exam application can easily be modified to allow its use for multiple choice or short answer questions.
While the present invention has been described with reference to certain preferred embodiments, those skilled in the art will recognize that various modifications and other embodiments may be provided. For example, it may be desirable to configure the exam application for use on computers other than the user's personal computer. An institution may have a computer lab with computers used for many purposes. It is still desirable to prevent access to unauthorized files during an examination, but the exam application can be resident on the computers. More broadly, the invention can be used for any application where it is desirable to prevent access to unauthorized files while allowing the execution of a desired program. These other embodiments are intended to fall within the scope of the present invention, and these variations upon and modifications to the embodiments described herein are provided for by the present invention which is limited only by the following claims.

Claims

What is claimed is:
1. A method for preventing access to unauthorized files stored in computer-readable media, the method comprising the steps of:
a) closing undesired processes running on the computer;
b) filtering user input to prevent access to unauthorized files; and
c) allowing filtered user input to a desired application.
2. The method of claim 1, further comprising the step of saving a file corresponding to the user input.
3. The method of claim 2, further comprising the step of providing a word processing module for the filtered user input.
4. The method of claim 1, wherein the step of filtering user input comprises intercepting messages corresponding to user input, determining whether the messages would lead to access of an unauthorized file and modifying those intercepted messages that would lead to access of an unauthorized file.
5. The method of claim 4, wherein the step of filtering further comprises cross-process subclassing.
6. The method of claim 5, wherein cross-process subclassing employs hooks.
7. A method for administering a secure examination on a computer, the method comprising the steps of:
a) providing removable computer-readable media on which an exam application is stored;
b) determining the validity of the removable media;
c) executing the exam application;
d) closing all nonessential processes running on the computer;
e) filtering user input to prevent access to unauthorized files;
f) recording the filtered user input to the exam application;
g) saving a copy of the filtered user input to the removable media.
8. The method of claim 7, further comprising the step of recording user input that, without filtering, would have accessed unauthorized files to an auxiliary information file.
9. The method of claim 8, further comprising the step of saving an encrypted copy of the auxiliary information file.
10. The method of claim 7, further comprising the step of requiring a subsequent execution of the exam application to be authorized by a proctor disk.
11. The method of claim 7, further comprising the step of periodically recording the number of keystrokes entered in a given time period.
12. A removable computer-readable storage device for preventing access to unauthorized files comprising:
a) instructions to close all undesired processes running on the computer;
b) instructions to filter user input to prevent access to unauthorized files; and
c) instructions to allow filtered user input to a desired application.
13. The device of claim 12, further comprising instructions to save a file corresponding to the user input.
14. The device of claim 13, further comprising a word processing module for the filtered user input.
15. The device of claim 12, wherein instructions to filter user input comprise instructions to intercept messages corresponding to user input, determine whether the messages would lead to access of an unauthorized file, and modify those intercepted messages that would lead to access of an unauthorized file.
16. The device of claim 15, wherein the instructions to filter further comprise cross-process subclassing.
17. The device of claim 16, wherein cross-process subclassing employs hooks.
18. An executable computer program for administering a secure examination on a computer, the program provided at least in part on removable computer-readable media, the program comprising:
a) instructions to determine the validity of the removable computer-readable media;
b) instructions to execute the exam application;
c) instructions to close all nonessential processes running on the computer;
d) instructions to filter user input to prevent access to unauthorized files;
e) instructions to record the filtered user input to the exam application;
f) instructions to save a copy of the filtered user input to the removable computer-readable media.
19. The program of claim 18, further comprising instructions to record user input that, without filtering, would have accessed unauthorized files to an auxiliary information file.
20. The program of claim 19, further comprising instructions to save an encrypted copy of the auxiliary information file.
21. The program of claim 18, further comprising instructions to subsequently execute the exam application in a manner authorized by a proctor disk.
22. The program of claim 18, further comprising instructions to periodically record the number of keystrokes entered in a given time period.
PCT/US1999/000481 1998-01-20 1999-01-08 Secure exam method WO1999036848A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU23140/99A AU2314099A (en) 1998-01-20 1999-01-08 Secure exam method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US7192698P 1998-01-20 1998-01-20
US60/071,926 1998-01-20

Publications (1)

Publication Number Publication Date
WO1999036848A1 true WO1999036848A1 (en) 1999-07-22

Family

ID=22104484

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1999/000481 WO1999036848A1 (en) 1998-01-20 1999-01-08 Secure exam method

Country Status (2)

Country Link
AU (1) AU2314099A (en)
WO (1) WO1999036848A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001077794A2 (en) * 2000-04-06 2001-10-18 Granite Technologies, Inc. System and method for real time monitoring and control of a computer machine environment and configuration profile
US7069586B1 (en) * 2000-04-03 2006-06-27 Software Secure, Inc. Securely executing an application on a computer system
US7721341B2 (en) * 2000-11-22 2010-05-18 Microsoft Corporation Method and system for allowing code to be securely initialized in a computer
EP2483781A4 (en) * 2009-10-01 2017-09-27 Kryterion, Inc. Maintaining a secure computing device in a test taking environment
US9953175B2 (en) 2010-08-16 2018-04-24 Extegrity, Inc. Systems and methods for detecting substitution of high-value electronic documents
US9984582B2 (en) 2010-08-04 2018-05-29 Kryterion, Inc. Peered proctoring
US10225336B2 (en) 2010-08-04 2019-03-05 Kryterion, Inc. Optimized data stream upload
US10672286B2 (en) 2010-03-14 2020-06-02 Kryterion, Inc. Cloud based test environment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5293422A (en) * 1992-09-23 1994-03-08 Dynatek, Inc. Usage control system for computer software
WO1995010095A2 (en) * 1993-09-30 1995-04-13 Educational Testing Service A centralized system and method for administering computer based tests

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7069586B1 (en) * 2000-04-03 2006-06-27 Software Secure, Inc. Securely executing an application on a computer system
US7165269B2 (en) * 2000-04-03 2007-01-16 Software Secure, Inc. Securely executing an application on a computer system
US8321928B2 (en) * 2000-04-03 2012-11-27 Software Secure, Inc. Securely executing an application on a computer system
US8595823B2 (en) 2000-04-03 2013-11-26 Software Secure, Inc. Securely executing an application on a computer system
WO2001077794A2 (en) * 2000-04-06 2001-10-18 Granite Technologies, Inc. System and method for real time monitoring and control of a computer machine environment and configuration profile
WO2001077794A3 (en) * 2000-04-06 2002-10-17 Granite Technologies Inc System and method for real time monitoring and control of a computer machine environment and configuration profile
US7721341B2 (en) * 2000-11-22 2010-05-18 Microsoft Corporation Method and system for allowing code to be securely initialized in a computer
EP2483781A4 (en) * 2009-10-01 2017-09-27 Kryterion, Inc. Maintaining a secure computing device in a test taking environment
US10672286B2 (en) 2010-03-14 2020-06-02 Kryterion, Inc. Cloud based test environment
US9984582B2 (en) 2010-08-04 2018-05-29 Kryterion, Inc. Peered proctoring
US10225336B2 (en) 2010-08-04 2019-03-05 Kryterion, Inc. Optimized data stream upload
US9953175B2 (en) 2010-08-16 2018-04-24 Extegrity, Inc. Systems and methods for detecting substitution of high-value electronic documents

Also Published As

Publication number Publication date
AU2314099A (en) 1999-08-02

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

NENP Non-entry into the national phase

Ref country code: KR

122 Ep: pct application non-entry in european phase