Application randomization mechanism

US 10,412,114 B1
Filed: 05/25/2017
Issued: 09/10/2019
Est. Priority Date: 12/17/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

initializing, by a computing system comprising one or more processors, a virtual machine (VM), wherein initializing the VM comprises;

generating, by the computing system, a randomized instance of an operating system, the randomized instance of the operating system having a randomized calling convention for a system call of an operating system, wherein;

the randomized calling convention for the system call is a first scheme for how the system call receives parameters from a caller of the system call and how the system call returns a result, if any,a publicly available calling convention for the system call is a second scheme for how the system call receives parameters from the caller of the system call and how the system call returns the result, if any, andthe randomized calling convention for the system call is different from a publicly available calling convention for the system call;

generating, by the computing system, a randomized instance of a software program, the randomized instance of the software program configured to use the randomized calling convention for the system call when invoking the system call; and

installing, by the computing system, the randomized instance of the operating system and the randomized instance of the software program on the VM;

deploying, by the computing system, the VM;

determining, by the computing system, that a first software process running on the VM has invoked the system call;

determining, by the computing system, which one of the following applies;

(i) the first software process invoked the system call using the randomized calling convention for the system call, or (ii) the first software process invoked the system call not using the randomized calling convention for the system call;

responsive to determining that the first software process invoked the system call not using the randomized calling convention for the system call, performing, by the computing system, a cybersecurity defense action;

determining, by the computing system, that a second software process running on the VM has invoked the system call;

determining, by the computing system, which one of the following applies;

(i) the second software process invoked the system call using the randomized calling convention for the system call, or (ii) the second software process invoked the system call not using the randomized calling convention for the system call; and

responsive to determining that the second software process invoked the system call using the randomized calling convention for the system call, performing, by the computer system, the system call without performing the cybersecurity defense action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example method includes providing, by a computing system, first randomized configuration information, generating, by the computing system and based on the first randomized configuration information, a first unique instance of a software component, providing second randomized configuration information, wherein the second randomized configuration information is different from the first randomized configuration information, and generating, based on the second randomized configuration information, a second unique instance of the software component that is executable on the runtime computing system. The first and second unique instances of the software component comprise different instances of the same software component that each are configured to have uniquely different operating characteristics during execution on the runtime computing system, and the first and second unique instances of the software component are each further configured, during execution on the runtime computing system, to output false information to an external computing system.

Citations

18 Claims

1. A method comprising:
- initializing, by a computing system comprising one or more processors, a virtual machine (VM), wherein initializing the VM comprises;
  
  generating, by the computing system, a randomized instance of an operating system, the randomized instance of the operating system having a randomized calling convention for a system call of an operating system, wherein;
  
  the randomized calling convention for the system call is a first scheme for how the system call receives parameters from a caller of the system call and how the system call returns a result, if any,a publicly available calling convention for the system call is a second scheme for how the system call receives parameters from the caller of the system call and how the system call returns the result, if any, andthe randomized calling convention for the system call is different from a publicly available calling convention for the system call;
  
  generating, by the computing system, a randomized instance of a software program, the randomized instance of the software program configured to use the randomized calling convention for the system call when invoking the system call; and
  
  installing, by the computing system, the randomized instance of the operating system and the randomized instance of the software program on the VM;
  
  deploying, by the computing system, the VM;
  
  determining, by the computing system, that a first software process running on the VM has invoked the system call;
  
  determining, by the computing system, which one of the following applies;
  
  (i) the first software process invoked the system call using the randomized calling convention for the system call, or (ii) the first software process invoked the system call not using the randomized calling convention for the system call;
  
  responsive to determining that the first software process invoked the system call not using the randomized calling convention for the system call, performing, by the computing system, a cybersecurity defense action;
  
  determining, by the computing system, that a second software process running on the VM has invoked the system call;
  
  determining, by the computing system, which one of the following applies;
  
  (i) the second software process invoked the system call using the randomized calling convention for the system call, or (ii) the second software process invoked the system call not using the randomized calling convention for the system call; and
  
  responsive to determining that the second software process invoked the system call using the randomized calling convention for the system call, performing, by the computer system, the system call without performing the cybersecurity defense action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein performing the cybersecurity defense action comprises terminating whichever software process invoked the system call.
  - 3. The method of claim 1, wherein the cybersecurity defense action is user configurable.
  - 4. The method of claim 1, wherein the VM is a first VM of a plurality of VMs, the method comprising:
    - initializing, by the computing system, the plurality of VMs, wherein initializing the plurality of VMs comprises, for each respective VM of the plurality of VMs, initializing the respective VM, wherein initializing the respective VM comprises;
      
      generating a respective randomized instance of the operating system, the respective randomized instance of the operating system having a respective randomized calling convention for the system call of the operating system, the respective randomized calling convention for the system call being different from the publicly available calling convention for the system call;
      
      generating a respective randomized instance of the software program, wherein the respective randomized instance of the software program is configured to use the respective randomized calling convention for the system call when invoking the system call; and
      
      installing the respective randomized instance of the operating system and the respective randomized instance of the software program on the respective VM,wherein the randomized calling convention for the system call is different in each of the respective randomized instances of the operating system.
  - 5. The method of claim 1, wherein:
    - the system call has one or more parameters,for each respective parameter of the one or more parameters, the publicly available calling convention for the system call specifies a mapping of the respective parameter to a respective register in a set of registers, andgenerating the randomized instance of the operating system comprises;
      
      for each respective parameter of the one or more parameters, generating, by the computing system, a mapping of the respective parameter to a register in the set of registers different from the register to which the respective parameter is mapped in the publicly available calling convention.
  - 6. The method of claim 5, wherein:
    - the publicly available calling convention for the system call specifies that a parameter of the system call is stored in a first register and the randomized calling convention for the system call specifies that the parameter for the system call is stored in a second, different register, andthe method comprises;
      
      prior to the second software process invoking the system call, storing, by the computing system, a tripwire value in the second register; and
      
      in response to determining that the second software process has invoked the system call, determining, by the computing system, based on whether the second register still contains the tripwire value, whether the second software process has invoked the system call using the randomized calling convention, wherein the computing system determines that the second software process has invoked the system call using the randomized calling convention based on the second register containing a value other than the tripwire value, wherein the computing system determines that the first software process invoked the system call using the publicly available calling convention based on the second register still containing the tripwire value.
  - 7. The method of claim 5, wherein:
    - the publicly available calling convention for the system call specifies that a parameter of the system call is stored in a first register and the randomized calling convention for the system call specifies that the parameter for the system call is stored in a second, different register, andthe method comprises;
      
      prior to the first software process invoking the system call, storing, by the computing system, a tripwire value in the first register; and
      
      in response to determining that the first software process has invoked the system call, determining, by the computing system, based on whether the first register still contains the tripwire value, whether the first software process has invoked the system call using the publicly available calling convention, wherein the computing system determines that the first software process invoked the system call using the publicly available calling convention based on the first register containing a value other than the tripwire value.
  - 8. The method of claim 1, wherein:
    - the system call has one or more parameters,for each respective parameter of the one or more parameters, the publicly available calling convention for the system call specifies a mapping of the respective parameter to a first respective position relative to a stack pointer of a call stack; and
      
      generating the randomized instance of the operating system comprises;
      
      for each respective parameter of the one or more parameters, generating, by the computing system, a mapping of the respective parameter to a second respective position relative to the stack pointer of the call stack, the second respective position being different from the first respective position.
  - 9. The method of claim 8, wherein:
    - generating the mapping comprises;
      
      generating, by the computing system, a pseudorandom number; and
      
      generating, by the computing system, the mapping such that there is a gap between bits allocated in the call stack for a first parameter of the system call and bits allocated in the call stack for a second parameter of the system call, the gap consisting of a series of consecutive bits equal in length to the pseudorandom number;
      
      the method comprises;
      
      in response to determining that the second software process invoked the system call, determining, by the computing system, whether the second software process stored data in the gap, wherein the computing system determines that the second software process invoked the system call not using the randomized calling convention based on the second software process having written data in the gap.

10. A computing system comprising:
- a development computing system comprising a first set of one or more processors; and
  
  a runtime computing system comprising a second set of one or more processors,wherein the development computing system is configured to;
  
  initialize a virtual machine (VM), wherein initializing the VM comprises;
  
  generating a randomized instance of an operating system, the randomized instance of the operating system having a randomized calling convention for a system call of an operating system, wherein;
  
  the randomized calling convention for the system call is a first scheme for how the system call receives parameters from a caller of the system call and how the system call returns a result, if any,a publicly available calling convention for the system call is a second scheme for how the system call receives parameters from the caller of the system call and how the system call returns the result, if any, andthe randomized calling convention for the system call is different from a publicly-available calling convention for the system call;
  
  generating a randomized instance of a software program, the randomized instance of the software program configured to use the randomized calling convention for the system call when invoking the system call; and
  
  installing the randomized instance of the operating system and the randomized instance of the software program on the VM; and
  
  deploy the VM on the runtime computing system, andwherein the runtime computing system is configured to;
  
  determine that a software process running on the VM has invoked the system call;
  
  determine which one of the following applies;
  
  (i) the software process invoked the system call using the randomized calling convention for the system call, or (ii) the software process invoked the system call not using the randomized calling convention for the system call;
  
  responsive to determining that the software process invoked the system call not using the randomized calling convention for the system call, perform a cybersecurity defense action; and
  
  responsive to determining that the software process invoked the system call using the randomized calling convention for the system call, perform the system call without performing the cybersecurity defense action.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The computing system of claim 10, wherein the runtime computing system is configured such that, as part of performing the cybersecurity defense action, the runtime computing system terminates whichever software process invoked the system call.
  - 12. The computing system of claim 10, wherein the VM is a first VM of a plurality of VMs, the development computing system is configured to initialize the plurality of VMs, wherein the development computing system is configured such that, as part of initializing the plurality of VMs, the development computing system, for each respective VM of the plurality of VMs, initializes the respective VM, wherein the development computing system is configured such that, as part of initializing the respective VM, the development computing system:
    - generates a respective randomized instance of the operating system, the respective randomized instance of the operating system having a respective randomized calling convention for the system call of the operating system, the respective randomized calling convention for the system call being different from the publicly-available calling convention for the system call;
      
      generates a respective randomized instance of the software program, wherein the respective randomized instance of the software program is configured to use the respective randomized calling convention for the system call when invoking the system call; and
      
      installs the respective randomized instance of the operating system and the respective randomized instance of the software program on the respective VM,wherein the randomized calling convention for the system call is different in each of the respective randomized instances of the operating system.
  - 13. The computing system of claim 10, wherein:
    - the system call has one or more parameters,for each respective parameter of the one or more parameters, the publicly-available calling convention for the system call specifies a mapping of the respective parameter to a respective register in a set of registers, andthe development computing system is configured such that, as part of generating the randomized instance of the operating system, the development computing system;
      
      for each respective parameter of the one or more parameters, generates a mapping of the respective parameter to a register in the set of registers different from the register to which the respective parameter is mapped in the publicly-available calling convention.
  - 14. The computing system of claim 13, wherein:
    - the publicly-available calling convention for the system call specifies that a parameter of the system call is stored in a first register and the randomized calling convention for the system call specifies that the parameter for the system call is stored in a second, different register, andthe runtime computing system is configured to;
      
      prior to the software process invoking the system call, store a tripwire value in the second register; and
      
      in response to determining that the software process has invoked the system call, determine, based on whether the second register still contains the tripwire value, whether the software process has invoked the system call using the randomized calling convention, wherein the runtime computing system determines that the software process has invoked the system call using the randomized calling convention based on the second register containing a value other than the tripwire value, wherein the runtime computing system determines that the software process invoked the system call using the publicly available calling convention based on the second register still containing the tripwire value.
  - 15. The computing system of claim 13, wherein:
    - the publicly-available calling convention for the system call specifies that a parameter of the system call is stored in a first register and the randomized calling convention for the system call specifies that the parameter for the system call is stored in a second, different register, andthe runtime computing system is configured toprior to the software process invoking the system call, store a tripwire value in the first register; and
      
      in response to determining that the software process has invoked the system call, determine, based on whether the first register still contains the tripwire value, whether the software process has invoked the system call using the randomized calling convention, wherein the runtime computing system determines that the software process invoked the system call using the publicly available calling convention based on the first register containing a value other than the tripwire value.
  - 16. The computing system of claim 10, wherein:
    - the system call has one or more parameters,for each respective parameter of the one or more parameters, the publicly-available calling convention for the system call specifies a mapping of the respective parameter to a first respective position relative to a stack pointer of a call stack, andthe development computing system is configured such that, as part of generating the randomized instance of the operating system, the development computing system;
      
      for each respective parameter of the one or more parameters, generates a mapping of the respective parameter to a second respective position relative to the stack pointer of the call stack, the second respective position being different from the first respective position.
  - 17. The computing system of claim 16, wherein:
    - the development computing system is configured such that, as part of generating the mapping, the development computing system;
      
      generates a pseudorandom number; and
      
      generates the mapping such that there is a gap between bits allocated in the call stack for a first parameter of the system call and bits allocated in the call stack for a second parameter of the system call, the gap consisting of a series of consecutive bits equal in length to the pseudorandom number, andthe runtime computing system is configured to;
      
      in response to determining that the software process invoked the system call, determine whether the software process stored data in the gap, wherein the runtime computing system determines that the software process invoked the system call not using the randomized calling convention based on the first software process having written data in the gap.

18. A non-transitory computer-readable data storage medium having instructions stored thereon that, when executed, cause a computing system comprising one or more processors to:
- initialize a virtual machine (VM), wherein, as part of causing the computing system to initialize the VM, the instructions cause the computing system to;
  
  generate a randomized instance of an operating system, the randomized instance of the operating system having a randomized calling convention for a system call of an operating system, wherein;
  
  the randomized calling convention for the system call is a first scheme for how the system call receives parameters from a caller of the system call and how the system call returns a result, if any,a publicly available calling convention for the system call is a second scheme for how the system call receives parameters from the caller of the system call and how the system call returns the result, if any, andthe randomized calling convention for the system call is different from a publicly-available calling convention for the system call;
  
  generate a randomized instance of a software program, the randomized instance of the software program configured to use the randomized calling convention for the system call when invoking the system call; and
  
  install the randomized instance of the operating system and the randomized instance of the software program on the VM;
  
  deploy the VM;
  
  determine that a software process running on the VM has invoked the system call;
  
  determine which one of the following applies;
  
  (i) the software process invoked the system call using the randomized calling convention for the system call, or (ii) the software process invoked the system call not using the randomized calling convention for the system call;
  
  responsive to determining that the software process invoked the system call not using the randomized calling convention for the system call, perform a cybersecurity defense action; and
  
  responsive to determining that the software process invoked the system call using the randomized calling convention for the system call, perform the system call without performing the cybersecurity defense action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Architecture Technology Corporation
Original Assignee
Architecture Technology Corporation
Inventors
Powers, Judson, Joyce, Robert A., McArdle, Daniel
Primary Examiner(s)
Truong, Lechi

Application Number

US15/604,868
Time in Patent Office

838 Days
Field of Search

719328
US Class Current
CPC Class Codes

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/45587   Isolation or security of vi...

G06F 21/44   Program or device authentic...

G06F 8/61   Installation

G06F 9/45558   Hypervisor-specific managem...

G06F 9/54   Interprogram communication

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Application randomization mechanism

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Application randomization mechanism

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links