
Application randomization mechanism

  • US 10,412,114 B1
  • Filed: 05/25/2017
  • Issued: 09/10/2019
  • Est. Priority Date: 12/17/2015
  • Status: Active Grant
First Claim

1. A method comprising:

  • initializing, by a computing system comprising one or more processors, a virtual machine (VM), wherein initializing the VM comprises:

    • generating, by the computing system, a randomized instance of an operating system, the randomized instance of the operating system having a randomized calling convention for a system call of an operating system, wherein:

      • the randomized calling convention for the system call is a first scheme for how the system call receives parameters from a caller of the system call and how the system call returns a result, if any,
      • a publicly available calling convention for the system call is a second scheme for how the system call receives parameters from the caller of the system call and how the system call returns the result, if any, and
      • the randomized calling convention for the system call is different from a publicly available calling convention for the system call;

    • generating, by the computing system, a randomized instance of a software program, the randomized instance of the software program configured to use the randomized calling convention for the system call when invoking the system call; and

    • installing, by the computing system, the randomized instance of the operating system and the randomized instance of the software program on the VM;

  • deploying, by the computing system, the VM;

  • determining, by the computing system, that a first software process running on the VM has invoked the system call;

  • determining, by the computing system, which one of the following applies:

    (i) the first software process invoked the system call using the randomized calling convention for the system call, or (ii) the first software process invoked the system call not using the randomized calling convention for the system call;

  • responsive to determining that the first software process invoked the system call not using the randomized calling convention for the system call, performing, by the computing system, a cybersecurity defense action;

  • determining, by the computing system, that a second software process running on the VM has invoked the system call;

  • determining, by the computing system, which one of the following applies:

    (i) the second software process invoked the system call using the randomized calling convention for the system call, or (ii) the second software process invoked the system call not using the randomized calling convention for the system call; and

  • responsive to determining that the second software process invoked the system call using the randomized calling convention for the system call, performing, by the computer system, the system call without performing the cybersecurity defense action.
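The flow in the claim, modelled as an added Python illustration that is not part of the patent or of any implementation by the assignee: a public calling convention for one system call, a per-VM randomized convention (different syscall number, argument registers and result register), a program that invokes the call under a given convention, and a trap handler that services the call only when the randomized convention was used and otherwise records a defense action. The register names, the "write" call, and the names `RandomizedKernel`, `invoke` and `randomize_convention` are assumptions made for the example.

```python
import random

# Constructed illustration: one system call ("write"), its documented public
# convention, and a pool of registers from which a randomized one is drawn.
REGISTERS = ("rax", "rdi", "rsi", "rdx", "r10", "r8", "r9")
PUBLIC = {"number": 1, "arg_regs": ("rdi", "rsi", "rdx"), "ret_reg": "rax"}

def randomize_convention(seed=None):
    """Pick a syscall number and register assignment that differ from PUBLIC.
    `seed` exists only for reproducibility; a deployment would draw from a
    CSPRNG when the randomized OS instance is generated."""
    rng = random.Random(seed)
    while True:
        number = rng.randrange(512, 4096)
        ret_reg, *arg_regs = rng.sample(REGISTERS, 4)
        conv = {"number": number, "arg_regs": tuple(arg_regs), "ret_reg": ret_reg}
        if conv["number"] != PUBLIC["number"] and conv["arg_regs"] != PUBLIC["arg_regs"]:
            return conv

def invoke(conv, *args):
    """What a program built against `conv` does to invoke the call: load the
    parameters into the convention's registers and select its syscall number."""
    regs = dict.fromkeys(REGISTERS, 0)
    regs.update(zip(conv["arg_regs"], args))
    return {"number": conv["number"], "regs": regs}

class RandomizedKernel:
    """Syscall trap handler of the randomized OS instance."""
    def __init__(self, conv):
        self.conv = conv
        self.alerts = []    # (pid, syscall number) for each defense action taken
        self.written = []   # side effect of each serviced write

    def trap(self, pid, frame):
        """Service the call only if the randomized convention was used.
        Returns the call's result, or None when the defense action fired."""
        c = self.conv
        if frame["number"] != c["number"]:
            # Caller did not use the randomized convention (e.g. used PUBLIC):
            # record the defense action and do not perform the call.
            self.alerts.append((pid, frame["number"]))
            return None
        fd, buf, length = (frame["regs"][r] for r in c["arg_regs"])
        self.written.append((fd, buf[:length]))
        frame["regs"][c["ret_reg"]] = length   # result goes in the randomized register
        return length

if __name__ == "__main__":
    conv = randomize_convention(seed=7)
    kernel = RandomizedKernel(conv)
    print(kernel.trap(100, invoke(conv, 1, "hello", 5)))    # randomized process: 5
    print(kernel.trap(200, invoke(PUBLIC, 1, "hello", 5)))  # public-convention caller: None
    print(kernel.alerts)
```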
