Application randomization mechanism
First Claim
1. A method comprising:
initializing, by a computing system comprising one or more processors, a plurality of virtual machines (VMs), wherein initializing the plurality of VMs comprises, for each respective VM of the plurality of VMs, initializing the respective VM, wherein initializing the respective VM comprises:
generating, by the computing system, a respective randomized instance of an operating system, the respective randomized instance of the operating system having a respective randomized system call numbering scheme for the respective VM that associates a plurality of system calls of the operating system with a respective randomized set of call numbers different from a publicly available set of call numbers associated with the system calls of the operating system;
generating, by the computing system, a respective randomized instance of a software program, the respective randomized instance of the software program configured to use the respective randomized system call numbering scheme for the respective VM to invoke one or more of the system calls of the operating system using a respective one or more of the respective randomized set of call numbers; and
installing, by the computing system, the respective randomized instance of the operating system and the respective randomized instance of the software program on the respective VM, wherein the randomized system call numbering schemes for the VMs are different in each of the randomized instances of the operating system;
deploying, by the computing system, the plurality of VMs;
determining, by the computing system, that a first software process running on a VM of the plurality of VMs has invoked a system call;
determining, by the computing system, whether the first software process invoked the system call using a call number in the randomized set of call numbers of the randomized system call numbering scheme for the VM; and
responsive to determining that the first software process invoked the system call not using any call number in the randomized set of call numbers of the randomized system call numbering scheme for the VM, performing, by the computing system, a cybersecurity defense action;
determining, by the computing system, that a second software process running on the VM has invoked the system call;
determining, by the computing system, whether the second software process invoked the system call using the call number in the randomized set of call numbers; and
responsive to determining that the second software process invoked the system call using the call number in the randomized call numbering scheme for the VM, executing, by the computer system, the system call corresponding to the call number without performing the cybersecurity defense action.
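The claim above describes a mechanism rather than code, so the following is an added simulation (not the patent's own code and not from any named implementation) of its three parts: a per-VM randomized system call numbering disjoint from the public numbering, a program instance generated against that numbering, and a runtime dispatcher that performs the defense action whenever a process uses a number outside the VM's randomized set. The syscall names, the public numbers, the size of the number space and the two VM identifiers are all constructed for illustration.

```python
"""Constructed simulation of per-VM randomized system call numbering and the
runtime check that treats any call made with a number outside the VM's
randomized set as an intrusion indicator. Not the patent's own code."""
import random
import secrets
from dataclasses import dataclass, field

# Constructed sample: a tiny "public" syscall table standing in for the
# published numbering that ordinary, unrandomized binaries are built against.
PUBLIC_SYSCALLS = {"read": 0, "write": 1, "open": 2, "close": 3, "exit": 60}
NUMBER_SPACE = 4096  # assumed size of the call-number space on each VM


@dataclass
class RandomizedOS:
    """One randomized OS instance: it owns a private numbering for one VM."""
    vm_id: str
    call_numbers: dict                 # syscall name -> randomized number
    by_number: dict = field(init=False)

    def __post_init__(self):
        self.by_number = {n: name for name, n in self.call_numbers.items()}


@dataclass
class ProgramInstance:
    """A program instance generated against one numbering scheme: every
    invocation it makes uses the number taken from that scheme."""
    vm_id: str
    scheme: dict                       # syscall name -> number this binary uses

    def invoke(self, name):
        return self.scheme[name]


def seeded_draw(seed):
    """Deterministic stand-in for secrets.randbelow, for reproducible runs."""
    return random.Random(seed).randrange


def randomize_syscall_table(public_table, draw=secrets.randbelow):
    """Give every syscall a fresh number that is neither a public number nor
    already assigned on this VM; draw(n) returns an int in [0, n)."""
    forbidden = set(public_table.values())
    chosen = {}
    for name in public_table:
        while True:
            n = draw(NUMBER_SPACE)
            if n not in forbidden and n not in chosen.values():
                break
        chosen[name] = n
    return chosen


def initialize_vm(vm_id, public_table, draw=secrets.randbelow):
    """Initialize one VM: a randomized OS plus a program built to match it."""
    table = randomize_syscall_table(public_table, draw)
    return RandomizedOS(vm_id, table), ProgramInstance(vm_id, table)


def dispatch(os_instance, call_number, audit_log):
    """Runtime check from the claim: a number outside the VM's randomized set
    triggers the defense action (here: an audit record) and executes nothing;
    a number inside the set executes the corresponding call."""
    name = os_instance.by_number.get(call_number)
    if name is None:
        audit_log.append(f"{os_instance.vm_id}: call number {call_number} is not in "
                         f"the randomized scheme; defense action taken")
        return "DEFENSE_ACTION", None
    return "EXECUTED", name


def run_scenario(draw=secrets.randbelow):
    """Deploy two VMs, then replay two processes on the first one: the program
    instance built for that VM, and a process still using the public numbering
    (as an unrandomized or foreign binary would). Returns outcomes and log."""
    fleet = {vm: initialize_vm(vm, PUBLIC_SYSCALLS, draw) for vm in ("vm-a", "vm-b")}
    os_a, prog_a = fleet["vm-a"]
    foreign = ProgramInstance("vm-a", PUBLIC_SYSCALLS)   # wrong numbering for vm-a
    log = []
    calls = ("open", "read", "exit")
    results = {
        "matching": [dispatch(os_a, prog_a.invoke(c), log) for c in calls],
        "foreign": [dispatch(os_a, foreign.invoke(c), log) for c in calls],
        # the claim requires each VM's scheme to differ from the others'
        "tables_differ": fleet["vm-a"][0].call_numbers != fleet["vm-b"][0].call_numbers,
    }
    return results, log


if __name__ == "__main__":
    outcome, audit = run_scenario()
    for line in audit:
        print(line)
    print(outcome)
```

The check in `dispatch` is the whole detection signal: nothing about the caller is inspected beyond the number it used, so a binary that was not generated for this VM fails on its first system call. In a real deployment the dispatcher would sit in the guest kernel's syscall entry path and the defense action would be a kill, quarantine or alert rather than a log line.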
Abstract
An example method includes providing, by a computing system, first randomized configuration information, generating, by the computing system and based on the first randomized configuration information, a first unique instance of a software component, providing second randomized configuration information, wherein the second randomized configuration information is different from the first randomized configuration information, and generating, based on the second randomized configuration information, a second unique instance of the software component that is executable on the runtime computing system. The first and second unique instances of the software component comprise different instances of the same software component that each are configured to have uniquely different operating characteristics during execution on the runtime computing system, and the first and second unique instances of the software component are each further configured, during execution on the runtime computing system, to output false information to an external computing system.
5 Claims
1. A method comprising: (independent claim; the text is identical to the First Claim given above). Dependent claim 2 is not shown.
3. A computing system comprising:
a development computing system comprising a first set of one or more processors; and
a runtime computing system comprising a second set of one or more processors,
wherein the development computing system is configured to:
initialize a plurality of virtual machines (VMs), wherein the development computing system is configured such that, as part of initializing the plurality of VMs, the development computing system, for each respective VM of the plurality of VMs, initializes the respective VM, wherein the development computing system is configured such that, as part of initializing the respective VM, the development computing system:
generates a respective randomized instance of an operating system, the respective randomized instance of the operating system having a respective randomized system call numbering scheme for the respective VM that associates a plurality of system calls of the operating system with a respective randomized set of call numbers different from a publicly-available set of call numbers associated with the system calls of the operating system;
generates a respective randomized instance of a software program, the respective randomized instance of the software program configured to use the respective randomized system call numbering scheme for the respective VM to invoke one or more of the system calls of the operating system using a respective one or more of the respective randomized set of call numbers; and
installs the respective randomized instance of the operating system and the respective randomized instance of the software program on the VM, wherein the randomized system call numbering schemes for the VMs are different in each of the randomized instances of the operating system;
deploy the plurality of VMs on the runtime computing system; and
wherein the runtime computing system is configured to:
determine that a software process running on a VM of the plurality of VMs has invoked a system call;
determine whether the software process invoked the system call using a call number in the randomized system call numbering scheme for the VM;
responsive to determining that the software process invoked the system call not using any call number in the randomized set of call numbers of the randomized system call numbering scheme for the VM, perform a cybersecurity defense action; and
responsive to determining that the software process invoked the system call using the call number in the randomized call numbering scheme for the VM, execute the system call corresponding to the call number without performing the cybersecurity defense action.
Dependent claim 4 is not shown.
5. A non-transitory computer-readable storage medium having instructions stored thereon that, when executed, cause a computing system to:
initialize a plurality of virtual machines (VMs), wherein as part of causing the computing system to initialize the plurality of VMs, the instructions cause the computing system to, for each respective VM of the plurality of VMs, initialize the respective VM, wherein as part of causing the computing system to initialize the respective VM, the instructions cause the computing system to:
generate a respective randomized instance of an operating system, the respective randomized instance of the operating system having a respective randomized system call numbering scheme for the respective VM that associates a plurality of system calls of the operating system with a respective randomized set of call numbers different from a publicly-available set of call numbers associated with the system calls of the operating system;
generate a respective randomized instance of a software program, the respective randomized instance of the software program configured to use the respective randomized system call numbering scheme for the respective VM to invoke one or more of the system calls of the operating system using a respective one or more of the respective randomized set of call numbers; and
install the respective randomized instance of the operating system and the respective randomized instance of the software program on the respective VM, wherein the randomized system call numbering schemes for the VMs are different in each of the randomized instances of the operating system;
deploy the plurality of VMs;
determine that a software process running on a VM of the plurality of VMs has invoked a system call;
determine whether the software process invoked the system call using a call number in the randomized system call numbering scheme for the VM;
responsive to determining that the software process invoked the system call not using any call number in the randomized set of call numbers of the randomized system call numbering scheme for the VM, perform a cybersecurity defense action; and
responsive to determining that the software process invoked the system call using the call number in the randomized call numbering scheme for the VM, execute the system call corresponding to the call number without performing the cybersecurity defense action.
Specification