Malware detection and prevention by monitoring and modifying a hardware pipeline

US 10,089,459 B2
Filed: 11/11/2015
Issued: 10/02/2018
Est. Priority Date: 10/03/2013
Status: Active Grant

First Claim

Patent Images

1. A method of monitoring queued hardware instructions to protect operations of a wireless device that includes a hardware pipeline, comprising:

accessing instructions currently queued in the hardware pipeline (“

queued instructions”

);

receiving a list of potentially malicious pathway instructions from a network server, the received list of potentially malicious pathway instructions including one or more likelihood values associated with one or more of the queued instructions;

determining, during pendency of the queued instructions in the hardware pipeline and based on the one or more likelihood values included in the received list of potentially malicious pathway instructions, a probability value that identifies a probability that executing the queued instructions will result in a malicious configuration;

determining at runtime whether the probability value exceeds a risk threshold value; and

preventing execution of the queued instructions in response to determining that the probability value exceeds the risk threshold value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The various aspects provide a method for recognizing and preventing malicious behavior on a mobile computing device before it occurs by monitoring and modifying instructions pending in the mobile computing device'"'"'s hardware pipeline (i.e., queued instructions). In the various aspects, a mobile computing device may preemptively determine whether executing a set of queued instructions will result in a malicious configuration given the mobile computing device'"'"'s current configuration. When the mobile computing device determines that executing the queued instructions will result in a malicious configuration, the mobile computing device may stop execution of the queued instructions or take other actions to preempt the malicious behavior before the queued instructions are executed.

54 Citations

28 Claims

1. A method of monitoring queued hardware instructions to protect operations of a wireless device that includes a hardware pipeline, comprising:
- accessing instructions currently queued in the hardware pipeline (“
  
  queued instructions”
  
  );
  
  receiving a list of potentially malicious pathway instructions from a network server, the received list of potentially malicious pathway instructions including one or more likelihood values associated with one or more of the queued instructions;
  
  determining, during pendency of the queued instructions in the hardware pipeline and based on the one or more likelihood values included in the received list of potentially malicious pathway instructions, a probability value that identifies a probability that executing the queued instructions will result in a malicious configuration;
  
  determining at runtime whether the probability value exceeds a risk threshold value; and
  
  preventing execution of the queued instructions in response to determining that the probability value exceeds the risk threshold value.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein preventing execution of the queued instructions comprises purging the queued instructions from the hardware pipeline.
  - 3. The method of claim 1, wherein preventing execution of the queued instructions comprises modifying the queued instructions.
  - 4. The method of claim 1, wherein receiving the list of potentially malicious pathway instructions from the network server comprises receiving a malicious and pathway configuration database from the network server, the malicious and pathway configuration database including the list of potentially malicious pathway instructions.
  - 5. The method of claim 4, further comprising:
    - determining a current configuration of the wireless device; and
      
      determining whether the current configuration of the wireless device could lead to the malicious configuration based on the malicious and pathway configuration database received from the network server.
  - 6. The method of claim 5, wherein operations of determining, during pendency of the queued instructions in the hardware pipeline and based on the one or more likelihood values included in the received list of potentially malicious pathway instructions, the probability value that identifies the probability that executing the queued instructions will result in the malicious configuration, determining at runtime whether the probability value exceeds the risk threshold value are performed, and preventing execution of the queued instructions are performed in response to determining that the current configuration of the wireless device could lead to the malicious configuration based on the malicious and pathway configuration database received from the network server.
  - 7. The method of claim 1, wherein accessing instructions currently queued in the hardware pipeline comprises:
    - slowing execution of the queued instructions; and
      
      accessing the queued instructions after slowing execution of the queued instructions.

8. A wireless device, comprising:
- a memory;
  
  a hardware pipeline coupled to the memory; and
  
  a processor coupled to the memory and the hardware pipeline, wherein the processor is configured with processor-executable instructions to;
  
  access instructions currently queued in the hardware pipeline (“
  
  queued instructions”
  
  );
  
  receive a list of potentially malicious pathway instructions from a network server, the received list of potentially malicious pathway instructions including one or more likelihood values associated with one or more of the queued instructions;
  
  determine, during pendency of the queued instructions in the hardware pipeline and based on the one or more likelihood values included in the received list of potentially malicious pathway instructions, a probability value that identifies a probability that executing the queued instructions will result in a malicious configuration;
  
  determine at runtime whether the probability value exceeds a risk threshold value; and
  
  prevent execution of the queued instructions in response to determining that the probability value exceeds the risk threshold value.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The wireless device of claim 8, wherein the processor is configured with processor-executable instructions to prevent execution of the queued instructions by purging the queued instructions from the hardware pipeline.
  - 10. The wireless device of claim 8, wherein the processor is configured with processor-executable instructions to prevent execution of the queued instructions by modifying the queued instructions.
  - 11. The wireless device of claim 8, wherein the processor is configured with processor-executable instructions to receive the list of potentially malicious pathway instructions from the network server by receiving a malicious and pathway configuration database from the network server, the malicious and pathway configuration database including the list of potentially malicious pathway instructions.
  - 12. The wireless device of claim 11, wherein the processor is further configured with processor-executable instructions to:
    - determine a current configuration of the wireless device; and
      
      determine whether the current configuration of the wireless device could lead to the malicious configuration based on the malicious and pathway configuration database received from the network server.
  - 13. The wireless device of claim 12, wherein the processor is configured with processor-executable instructions to determine, during pendency of the queued instructions in the hardware pipeline and based on the one or more likelihood values included in the received list of potentially malicious pathway instructions, the probability value that identifies the probability that executing the queued instructions will result in the malicious configuration, determine at runtime whether the probability value exceeds the risk threshold value are performed, and prevent execution of the queued instructions are performed in response to determining that the current configuration of the wireless device could lead to the malicious configuration based on the malicious and pathway configuration database received from the network server.
  - 14. The wireless device of claim 8, wherein the processor is further configured with processor-executable instructions to access instructions currently queued in the hardware pipeline by:
    - slowing execution of the queued instructions; and
      
      accessing the queued instructions after slowing execution of the queued instructions.

15. A wireless device, comprising:
- means for accessing instructions currently queued in a hardware pipeline (“
  
  queued instructions”
  
  );
  
  means for receiving a list of potentially malicious pathway instructions from a network server, the received list of potentially malicious pathway instructions including one or more likelihood values associated with one or more of the queued instructions;
  
  means for determining, during pendency of the queued instructions in the hardware pipeline and based on the one or more likelihood values included in the received list of potentially malicious pathway instructions, a probability value that identifies a probability that executing the queued instructions will result in a malicious configuration;
  
  means for determining at runtime whether the probability value exceeds a risk threshold value; and
  
  means for preventing execution of the queued instructions in response to determining that the probability value exceeds the risk threshold value.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The wireless device of claim 15, wherein means for preventing execution of the queued instructions comprises means for purging the queued instructions from the hardware pipeline.
  - 17. The wireless device of claim 15, wherein means for preventing execution of the queued instructions comprises means for modifying the queued instructions.
  - 18. The wireless device of claim 15, wherein means for receiving the list of potentially malicious pathway instructions from the network server comprises means for receiving a malicious and pathway configuration database from the network server, the malicious and pathway configuration database including the list of potentially malicious pathway instructions.
  - 19. The wireless device of claim 18, further comprising:
    - means for determining a current configuration of the wireless device; and
      
      means for determining whether the current configuration of the wireless device could lead to the malicious configuration based on the malicious and pathway configuration database received from the network server.
  - 20. The wireless device of claim 19, wherein determining, during pendency of the queued instructions in the hardware pipeline and based on the one or more likelihood values included in the received list of potentially malicious pathway instructions, the probability value that identifies the probability that executing the queued instructions will result in the malicious configuration, determining at runtime whether the probability value exceeds the risk threshold value are performed, and preventing execution of the queued instructions are performed in response to determining that the current configuration of the wireless device could lead to the malicious configuration based on the malicious and pathway configuration database received from the network server.
  - 21. The wireless device of claim 15, wherein means for accessing the queued instructions comprises:
    - means for slowing execution of the queued instructions; and
      
      means for accessing the queued instructions after slowing execution of the queued instructions.

22. A non-transitory processor-readable storage medium having stored thereon processor-executable instructions configured to cause a processor in a wireless device to perform operations comprising:
- accessing instructions currently queued in a hardware pipeline (“
  
  queued instructions”
  
  );
  
  receiving a list of potentially malicious pathway instructions from a network server, the received list of potentially malicious pathway instructions including one or more likelihood values associated with one or more of the queued instructions;
  
  determining, during pendency of the queued instructions in the hardware pipeline and based on the one or more likelihood values included in the received list of potentially malicious pathway instructions, a probability value that identifies a probability that executing the queued instructions will result in a malicious configuration;
  
  determining at runtime whether the probability value exceeds a risk threshold value; and
  
  preventing execution of the queued instructions in response to determining that the probability value exceeds the risk threshold value.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The non-transitory processor-readable storage medium of claim 22, wherein the stored processor-executable instructions are configured to cause the processor to perform operations such that preventing execution of the queued instructions comprises purging the queued instructions from the hardware pipeline.
  - 24. The non-transitory processor-readable storage medium of claim 22, wherein the stored processor-executable instructions are configured to cause the processor to perform operations such that preventing execution of the queued instructions comprises modifying the queued instructions.
  - 25. The non-transitory processor-readable storage medium of claim 22, wherein the stored processor-executable instructions are configured to cause the processor to perform operations such that receiving the list of potentially malicious pathway instructions from the network server comprises receiving a malicious and pathway configuration database from the network server, the malicious and pathway configuration database including the list of potentially malicious pathway instructions.
  - 26. The non-transitory processor-readable storage medium of claim 25, wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:
    - determining a current configuration of the wireless device; and
      
      determining whether the current configuration of the wireless device could lead to the malicious configuration based on the malicious and pathway configuration database received from the network server.
  - 27. The non-transitory processor-readable storage medium of claim 26, wherein the stored processor-executable instructions are configured to cause the processor to perform operations such that the operations of determining, during pendency of the queued instructions in the hardware pipeline and based on the one or more likelihood values included in the received list of potentially malicious pathway instructions, the probability value that identifies the probability that executing the queued instructions will result in the malicious configuration, determining at runtime whether the probability value exceeds the risk threshold value are performed, and preventing execution of the queued instructions are performed in response to determining that the current configuration of the wireless device could lead to the malicious configuration based on the malicious and pathway configuration database received from the network server.
  - 28. The non-transitory processor-readable storage medium of claim 22, wherein the stored processor-executable instructions are configured to cause the processor to perform operations such that accessing the queued instructions comprises:
    - slowing execution of the queued instructions; and
      
      accessing the queued instructions after slowing execution of the queued instructions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Sridhara, Vinay, Patne, Satyajit Prabhakar, Gupta, Rajarshi
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Chao, Michael W

Application Number

US14/938,212
Publication Number

US 20160063243A1
Time in Patent Office

1,056 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3612   by runtime analysis perform...

G06F 21/125   by manipulating the program...

G06F 21/52   during program execution, e...

G06F 21/54   by adding security routines...

G06F 21/55   Detecting local intrusion o...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 9/30145   Instruction analysis, e.g. ...

G06F 9/3861   Recovery, e.g. branch miss-...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04W 12/082   using revocation of authori...

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

Malware detection and prevention by monitoring and modifying a hardware pipeline

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

54 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

Malware detection and prevention by monitoring and modifying a hardware pipeline

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others