Integrity assurance and rebootless updating during runtime

US 10,289,405 B2
Filed: 03/20/2014
Issued: 05/14/2019
Est. Priority Date: 03/20/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

registering, by an integrity manager associated with a kernel-mode component of a computing device, one or more hooks with an operating system of the computing device on behalf of the kernel-mode component;

receiving, by the integrity manager, a request associated with an update to the kernel-mode component of the computing device; and

without rebooting the computing device,initiating, by the integrity manager, unloading of at least one component of the kernel-mode component,following the unloading, logging, by the integrity manager, one or more events associated with the one or more hooks on the computing device,following the logging, initiating, by the integrity manager, loading of an updated version of that at least one component of the kernel-mode component, andfollowing the loading, delivering, by the integrity manager, the logged events to the updated kernel-mode component.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described herein for, without rebooting a computing device, unloading at least a component of a kernel-mode component of the computing device and loading an updated version of the component of the kernel-mode component. The techniques may be performed by an integrity manager associated with the kernel-mode component. The integrity manager may also determine integrity of the kernel-mode component by causing the kernel-mode component to perform an action associated with a known reaction, determining whether the known reaction occurred, and in response, performing a remediation action or notifying a remote security service. Further, the integrity manager may determine whether any computing device lists include representations of components or connections associated with the kernel-mode component. The integrity manager may then remove the representations from the lists or remove the representations from responses to requests for contents of the computing device lists.

107 Citations

22 Claims

1. A computer-implemented method comprising:
- registering, by an integrity manager associated with a kernel-mode component of a computing device, one or more hooks with an operating system of the computing device on behalf of the kernel-mode component;
  
  receiving, by the integrity manager, a request associated with an update to the kernel-mode component of the computing device; and
  
  without rebooting the computing device,initiating, by the integrity manager, unloading of at least one component of the kernel-mode component,following the unloading, logging, by the integrity manager, one or more events associated with the one or more hooks on the computing device,following the logging, initiating, by the integrity manager, loading of an updated version of that at least one component of the kernel-mode component, andfollowing the loading, delivering, by the integrity manager, the logged events to the updated kernel-mode component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - determining, by the integrity manager, that the integrity manager is to be updated; and
      
      rebooting, by the integrity manager, the computing device.
  - 3. The method of claim 1, wherein the registering of the one or more hooks or use of an operating system-provided veto mechanism enables the integrity manager to force registry reads to occur or network packets to be sent regardless of whether another component attempts to block the registry reads or network packets.
  - 4. The method of claim 1, further comprising:
    - receiving, by the integrity manager, a request to spawn a thread on behalf of the kernel-mode component; and
      
      providing, by the integrity manager, a result of the thread to the kernel-mode component.
  - 5. The method of claim 1, wherein the integrity manager may utilize an operating-system provided veto mechanism to force one or more actions.
  - 6. The method of claim 1, further comprising maintaining a state of a state manager of the kernel-mode component.
  - 7. The method of claim 6, wherein the state manager maintains handles, registry keys, memory allocations for the kernel-mode component, and other volatile data associated with the kernel-mode component.
  - 8. The method of claim 7, further comprising, following the loading, initializing the updated kernel-mode component with the state of the state manager.
  - 9. The method of claim 1, wherein the kernel-mode component transmits the request to the integrity manager after receiving the update.
  - 10. The method of claim 1, wherein initiating the unloading comprises requesting an operating system of the computing device to unload the at least one component of the kernel-mode component and initiating the loading comprises invoking an operating system load function to load the updated version of that at least one component of the kernel-mode component.
  - 11. The method of claim 1, further comprising determining that the loading has failed and, in response, initiating reloading of the unloaded version of that at least one component of the kernel-mode component.

12. A computing device comprising:
- a processor; and
  
  a memory communicatively coupled to the processor and storing a kernel-mode component and an integrity manager associated with the kernel-mode component,wherein the integrity manager is configured to be operated by the processor to perform operations including;
  
  registering one or more hooks with an operating system of the computing device on behalf of the kernel-mode component;
  
  receiving a request associated with an update to the kernel-mode component; and
  
  without rebooting the computing device,initiating unloading of at least one component of the kernel-mode component,following the unloading, logging one or more events associated with the one or more hooks on the computing device,following the logging, initiating loading of an updated version of that at least one component of the kernel-mode component, andfollowing the loading, delivering the logged events to the updated kernel-mode component.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computing device of claim 12, wherein the operations further include:
    - determining that the integrity manager is to be updated; and
      
      rebooting the computing device.
  - 14. The computing device of claim 12, wherein the operations further include:
    - receiving a request to spawn a thread on behalf of the kernel-mode component; and
      
      providing a result of the thread to the kernel-mode component.
  - 15. The computing device of claim 12, wherein the integrity manager may utilize an operating-system provided veto mechanism to force one or more actions.
  - 16. The computing device of claim 12, wherein the operations further include maintaining a state of a state manager of the kernel-mode component.
  - 17. The computing device of claim 16, wherein the operations further include, following the loading, initializing the updated kernel-mode component with the state of the state manager.

18. A non-transitory computer-readable medium having stored thereon an integrity manager associated with a kernel-mode component, wherein the integrity manager, when executed by a computing device, causes the computing device to perform operations comprising:
- registering one or more hooks with an operating system of the computing device on behalf of the kernel-mode component;
  
  receiving a request associated with an update to the kernel-mode component; and
  
  without rebooting the computing device,initiating unloading of at least one component of the kernel-mode component,following the unloading, logging one or more events associated with the one or more hooks on the computing device,following the logging, initiating loading of an updated version of that at least one component of the kernel-mode component, andfollowing the loading, delivering the logged events to the updated kernel-mode component.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The non-transitory computer-readable medium of claim 18, wherein the operations further include:
    - maintaining a state of a state manager of the kernel-mode component; and
      
      following the loading, initializing the updated kernel-mode component with the state of the state manager.
  - 20. The non-transitory computer-readable medium of claim 18, wherein the operations further include:
    - determining that the integrity manager is to be updated; and
      
      rebooting the computing device.
  - 21. The non-transitory computer-readable medium of claim 18, wherein the operations further include:
    - receiving a request to spawn a thread on behalf of the kernel-mode component; and
      
      providing a result of the thread to the kernel-mode component.
  - 22. The non-transitory computer-readable medium of claim 18, wherein the integrity manager may utilize an operating-system provided veto mechanism to force one or more actions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Inventors
Ionescu, Ion-Alexandru
Primary Examiner(s)
Pan, Hang

Application Number

US14/220,362
Publication Number

US 20150268947A1
Time in Patent Office

1,881 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

G06F 8/656   while running

H04L 67/34   involving the movement of s...

Integrity assurance and rebootless updating during runtime

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

107 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Integrity assurance and rebootless updating during runtime

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links