Integrity assurance through early loading in the boot phase

US 10,339,316 B2
Filed: 07/28/2015
Issued: 07/02/2019
Est. Priority Date: 07/28/2015
Status: Active Grant

First Claim

Patent Images

1. A computing device comprising:

a processor;

memory; and

a plurality of components stored in the memory and operable by the processor during a boot phase of the computing device, wherein the boot phase is not a pre-boot phase, the components including;

a library component of a driver of an integrity manager associated with a kernel-mode component, the library component to be processed during the boot phase and before initialization of drivers by an operating system of the computing device and which, when processed, ensures that the driver of the integrity manager is a first of the drivers in an initialization order of the drivers utilized by the operating system;

the driver of the integrity manager which, when initialized, causes the computing device to launch the integrity manager; and

the integrity manager which, when launched;

determines that a driver of the kernel-mode component is not next in the initialization order after the driver of the integrity manager; and

alters the initialization order to place the driver of the kernel-mode component next in the initialization order to initialize the driver of the kernel-mode component before initializing remaining ones of the drivers.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques utilizing library and pre-boot components to ensure that a driver associated with a kernel-mode component is initialized before other drivers during a boot phase are described herein. The library component is processed during a boot phase; the pre-boot component, which may be an alternative to the library component, is processed during a pre-boot phase. By ensuring that the driver is the first driver initialized, the components enable the driver to launch the kernel-mode component before other drivers are initialized. The library component may also determine whether another driver is to be initialized before the kernel-mode component driver, may ensure that kernel-mode component driver is initialized first, and may alert the kernel-mode component. Also, the library component may retrieve information that is to be deleted by the operating system before initialization of drivers and may provide that information to the kernel-mode component.

Citations

28 Claims

1. A computing device comprising:
- a processor;
  
  memory; and
  
  a plurality of components stored in the memory and operable by the processor during a boot phase of the computing device, wherein the boot phase is not a pre-boot phase, the components including;
  
  a library component of a driver of an integrity manager associated with a kernel-mode component, the library component to be processed during the boot phase and before initialization of drivers by an operating system of the computing device and which, when processed, ensures that the driver of the integrity manager is a first of the drivers in an initialization order of the drivers utilized by the operating system;
  
  the driver of the integrity manager which, when initialized, causes the computing device to launch the integrity manager; and
  
  the integrity manager which, when launched;
  
  determines that a driver of the kernel-mode component is not next in the initialization order after the driver of the integrity manager; and
  
  alters the initialization order to place the driver of the kernel-mode component next in the initialization order to initialize the driver of the kernel-mode component before initializing remaining ones of the drivers.
- View Dependent Claims (2, 3, 4, 5, 6, 25, 26, 27, 28)
- - 2. The computing device of claim 1, wherein the library component is a dependent dynamic link library (DLL) of the driver of the integrity manager.
  - 3. The computing device of claim 1, wherein the library component is associated with a name which causes the library component to be processed before one or more other library components.
  - 4. The computing device of claim 1, wherein the library component decrypts the integrity manager or the kernel-mode component before the driver of the integrity manager is initialized.
  - 5. The computing device of claim 1, wherein the library component causes the driver of the integrity manager to be initialized before processing of one or more other library components.
  - 6. The computing device of claim 1, wherein the driver of the integrity manager includes at least an unloadable part which may be updated without a reboot of the computing device and a non-unloadable part which may not be updated without a reboot of the computing device.
  - 25. The computing device of claim 1, wherein the kernel-mode component, when launched, is configured to monitor activity on the computing device and provide security events associated with the activity to a remote security service.
  - 26. The computing device of claim 1, wherein the library component is configured to ensure that the driver of the integrity manager is the first of the drivers in the initialization order by altering the initialization order to place the driver of the integrity manager first in the initialization order.
  - 27. The computing device of claim 1, wherein the integrity manager, in response to altering the initialization order, is configured to alert the kernel-mode component that the initialization order was altered.
  - 28. The computing device of claim 27, wherein the kernel-mode component, in response to the alert from the integrity manager, is configured to generate a security event and send the security event to a remote security service.

7. A computer-implemented method comprising:
- during a boot phase of a computing device, before initialization of drivers by an operating system of the computing device, ensuring that a driver of an integrity manager associated with a kernel-mode component is a first of the drivers in an initialization order of the drivers;
  
  initializing the driver of the integrity manager in order to launch the integrity manager;
  
  determining, by the integrity manager, whether a driver of the kernel-mode component is next in the initialization order after the driver of the integrity manager; and
  
  in response to determining that the driver of the kernel-mode component is not next in the initialization order,altering the initialization order to place the driver of the kernel-mode component as a next driver of the drivers to be initialized by the operating system after the driver of the integrity manager, andalerting the kernel-mode component that the initialization order was altered.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method of claim 7, further comprising, during a runtime prior to the boot phase, updating, by the kernel-mode component, the initialization order of the drivers to place the driver of the kernel-mode component as the first driver to be initialized by the operating system.
  - 9. The method of claim 8, wherein, after the updating and prior to the boot phase, a security exploit alters the initialization order such that at least one driver of remaining ones of the drivers is to be initialized before the driver of the kernel-mode component.
  - 10. The method of claim 8, further comprising, during the runtime, intercepting, by the kernel-mode component, a request to place a particular driver of remaining ones of the drivers as the first driver in the initialization order, and, in response, placing the particular driver after the driver of the kernel-mode component in the initialization order.
  - 11. The method of claim 7, wherein the alerting is performed at a runtime subsequent to the boot phase, and the kernel-mode component generates a security event responsive to being alerted.
  - 12. The method of claim 7, wherein the determining, the altering, and the alerting are performed by the integrity manager.
  - 13. The method of claim 12, wherein the ensuring that the driver of the integrity manager is the first of the drivers in the initialization order comprises altering, by a library component associated with the driver of the integrity manager, the initialization order to place the driver of the integrity manager first in the initialization order.

14. A computer-implemented method comprising:
- during a boot phase of a computing device, wherein the boot phase is not a pre-boot phase, retrieving, by a dependent dynamic link library (DLL) associated with a kernel-mode component, information that is to be deleted by an operating system of the computing device before initialization of drivers by the operating system; and
  
  providing, by the dependent DLL, the information to the kernel-mode component.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method of claim 14, wherein the information is boot information associated with a boot loader of the computing device.
  - 16. The method of claim 15, wherein the retrieving comprises retrieving the boot information from a loader parameter block of the boot loader.
  - 17. The method of claim 15, wherein the boot information includes at least one of a list of the drivers, an initialization order of the drivers, basic input/output system (BIOS) information, a memory layout, trusted platform module (TPM) information, or a random number generator seed.
  - 18. The method of claim 14, wherein the information includes a list of boot drivers loaded by a boot loader of the computing device.
  - 19. The method of claim 18, wherein the providing comprises providing the list of boot drivers and A) copies of boot drivers or B) boot driver information to the kernel-mode component.
  - 20. The method of claim 14, wherein the dependent DLL is a dependent DLL of an integrity manager associated with the kernel-mode component, and the providing comprises providing the information to the integrity manager, which in turn provides the information to the kernel-mode component.
  - 21. The method of claim 20, wherein the dependent DLL includes a buffer to store the information prior to initialization of the integrity manager.

22. A computer storage device having stored thereon a plurality of components operable by a processor of a computing device during a pre-boot phase of the computing device, the components comprising:
- a pre-boot environment to process a pre-boot component associated with a kernel-mode component;
  
  the pre-boot component which, when processed, ensures that a driver of an integrity manager associated with the kernel-mode component is a first driver in an initialization order of drivers utilized by an operating system during a boot phase;
  
  the driver of the integrity manager which, when initialized, causes the computing device to launch the integrity manager;
  
  the integrity manager which, when launched;
  
  determines that a driver of the kernel-mode component is not next in the initialization order after the driver of the integrity manager; and
  
  alters the initialization order to place the driver of the kernel-mode component next in the initialization order to initialize the driver of the kernel-mode component before initializing other drivers that are to be initialized by the operating system; and
  
  the kernel-mode component which, when launched, is configured to monitor activity on the computing device and provide security events associated with the activity to a remote security service.
- View Dependent Claims (23, 24)
- - 23. The computer storage device of claim 22, wherein the pre-boot environment is associated with an interface which enables configuration of the pre-boot environment with the pre-boot component.
  - 24. The computer storage device of claim 23, wherein the interface is associated with a security mechanism to prevent configuration of the pre-boot environment with a security exploit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Inventors
Ionescu, Ion-Alexandru
Primary Examiner(s)
Tabor, Amare F

Application Number

US14/810,840
Publication Number

US 20170061127A1
Time in Patent Office

1,435 Days
Field of Search

726 23, 726 22- 24, 713189
US Class Current
CPC Class Codes

G06F 21/575 Secure boot

Integrity assurance through early loading in the boot phase

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Integrity assurance through early loading in the boot phase

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links