Application randomization mechanism
First Claim
1. A method comprising:
   initializing, by a computing system comprising one or more processors, a virtual machine (VM), wherein initializing the VM comprises:
      generating, by the computing system, a randomized instance of an operating system, the randomized instance of the operating system having a randomized calling convention for a system call of an operating system, wherein:
         the randomized calling convention for the system call is a first scheme for how the system call receives parameters from a caller of the system call and how the system call returns a result, if any,
         a publicly available calling convention for the system call is a second scheme for how the system call receives parameters from the caller of the system call and how the system call returns the result, if any, and
         the randomized calling convention for the system call is different from a publicly available calling convention for the system call;
      generating, by the computing system, a randomized instance of a software program, the randomized instance of the software program configured to use the randomized calling convention for the system call when invoking the system call; and
      installing, by the computing system, the randomized instance of the operating system and the randomized instance of the software program on the VM;
   deploying, by the computing system, the VM;
   determining, by the computing system, that a first software process running on the VM has invoked the system call;
   determining, by the computing system, which one of the following applies:
      (i) the first software process invoked the system call using the randomized calling convention for the system call, or (ii) the first software process invoked the system call not using the randomized calling convention for the system call;
   responsive to determining that the first software process invoked the system call not using the randomized calling convention for the system call, performing, by the computing system, a cybersecurity defense action;
   determining, by the computing system, that a second software process running on the VM has invoked the system call;
   determining, by the computing system, which one of the following applies:
      (i) the second software process invoked the system call using the randomized calling convention for the system call, or (ii) the second software process invoked the system call not using the randomized calling convention for the system call; and
   responsive to determining that the second software process invoked the system call using the randomized calling convention for the system call, performing, by the computer system, the system call without performing the cybersecurity defense action.
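As an added illustration of the claimed mechanism (not the patent's own code), the following C model shows a kernel-side dispatcher for one randomized VM instance: the syscall number is remapped through a secret permutation, argument slots are permuted, and an otherwise-unused register must carry a per-instance check word, so a caller that marshals the system call with the public convention fails the check and triggers the defense action (deny and log) while a conforming caller is served normally. The permutation, slot order, tag value and five-register frame are constructed assumptions for this example.

```c
/* Toy dispatcher for one randomized VM instance (assumed design, not the patent's
 * code). Public convention: number in regs[0], args in regs[1..3], regs[4] unused.
 * Randomized: number remapped by a secret permutation, arg slots permuted, and
 * regs[4] must hold (remapped number ^ per-instance tag) as a check word. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NREGS 5
enum { SC_READ, SC_WRITE, SC_OPEN, SC_EXIT, NSYSCALLS };
typedef struct {
    uint32_t number_map[NSYSCALLS]; /* public number -> randomized number */
    int arg_slot[3];                /* public arg i lives in regs[arg_slot[i]] */
    uint32_t tag;                   /* per-instance secret check word */
} convention_t;
/* Constructed instance; a deployment would draw these from a CSPRNG at build time. */
static const convention_t INSTANCE = {
    .number_map = {2, 0, 3, 1}, .arg_slot = {3, 1, 2}, .tag = 0x5EEDC0DEu };
/* Caller built for this instance: marshal (num, args) per the randomized convention. */
static void marshal_randomized(const convention_t *c, uint32_t num, const uint32_t args[3], uint32_t regs[NREGS]) {
    memset(regs, 0, NREGS * sizeof regs[0]);
    regs[0] = c->number_map[num];
    for (int i = 0; i < 3; i++) regs[c->arg_slot[i]] = args[i];
    regs[4] = regs[0] ^ c->tag;
}
/* Kernel side: decode the public syscall number and args; -1 plus the defense action
 * (deny and log) when the frame was not marshalled with this instance's convention. */
static int dispatch(const convention_t *c, const uint32_t regs[NREGS], uint32_t out[3]) {
    if ((regs[0] ^ c->tag) != regs[4]) {            /* blind guess of the word: p = 2^-32 */
        fprintf(stderr, "defense action: denied syscall issued via non-randomized convention\n");
        return -1;
    }
    for (int n = 0; n < NSYSCALLS; n++)
        if (c->number_map[n] == regs[0]) {
            for (int i = 0; i < 3; i++) out[i] = regs[c->arg_slot[i]];
            return n;
        }
    return -1; /* check word matched but number unknown: also reject */
}
/* 1 if every syscall round-trips for a conforming caller and is rejected when the same
 * call is issued with the public convention (number in regs[0], args in regs[1..3]). */
static int self_check(void) {
    uint32_t args[3] = {7, 8, 9}, regs[NREGS], out[3];
    for (uint32_t n = 0; n < NSYSCALLS; n++) {
        marshal_randomized(&INSTANCE, n, args, regs);
        if (dispatch(&INSTANCE, regs, out) != (int)n || memcmp(args, out, sizeof args)) return 0;
        uint32_t pub[NREGS] = {n, args[0], args[1], args[2], 0}; /* public-convention frame */
        if (dispatch(&INSTANCE, pub, out) != -1) return 0;
    }
    return 1;
}
```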
Abstract
An example method includes providing, by a computing system, first randomized configuration information, generating, by the computing system and based on the first randomized configuration information, a first unique instance of a software component, providing second randomized configuration information, wherein the second randomized configuration information is different from the first randomized configuration information, and generating, based on the second randomized configuration information, a second unique instance of the software component that is executable on the runtime computing system. The first and second unique instances of the software component comprise different instances of the same software component that each are configured to have uniquely different operating characteristics during execution on the runtime computing system, and the first and second unique instances of the software component are each further configured, during execution on the runtime computing system, to output false information to an external computing system.
18 Claims
10. A computing system comprising:
   a development computing system comprising a first set of one or more processors; and
   a runtime computing system comprising a second set of one or more processors,
   wherein the development computing system is configured to:
      initialize a virtual machine (VM), wherein initializing the VM comprises:
         generating a randomized instance of an operating system, the randomized instance of the operating system having a randomized calling convention for a system call of an operating system, wherein:
            the randomized calling convention for the system call is a first scheme for how the system call receives parameters from a caller of the system call and how the system call returns a result, if any,
            a publicly available calling convention for the system call is a second scheme for how the system call receives parameters from the caller of the system call and how the system call returns the result, if any, and
            the randomized calling convention for the system call is different from a publicly-available calling convention for the system call;
         generating a randomized instance of a software program, the randomized instance of the software program configured to use the randomized calling convention for the system call when invoking the system call; and
         installing the randomized instance of the operating system and the randomized instance of the software program on the VM; and
      deploy the VM on the runtime computing system, and
   wherein the runtime computing system is configured to:
      determine that a software process running on the VM has invoked the system call;
      determine which one of the following applies:
         (i) the software process invoked the system call using the randomized calling convention for the system call, or (ii) the software process invoked the system call not using the randomized calling convention for the system call;
      responsive to determining that the software process invoked the system call not using the randomized calling convention for the system call, perform a cybersecurity defense action; and
      responsive to determining that the software process invoked the system call using the randomized calling convention for the system call, perform the system call without performing the cybersecurity defense action.
18. A non-transitory computer-readable data storage medium having instructions stored thereon that, when executed, cause a computing system comprising one or more processors to:
   initialize a virtual machine (VM), wherein, as part of causing the computing system to initialize the VM, the instructions cause the computing system to:
      generate a randomized instance of an operating system, the randomized instance of the operating system having a randomized calling convention for a system call of an operating system, wherein:
         the randomized calling convention for the system call is a first scheme for how the system call receives parameters from a caller of the system call and how the system call returns a result, if any,
         a publicly available calling convention for the system call is a second scheme for how the system call receives parameters from the caller of the system call and how the system call returns the result, if any, and
         the randomized calling convention for the system call is different from a publicly-available calling convention for the system call;
      generate a randomized instance of a software program, the randomized instance of the software program configured to use the randomized calling convention for the system call when invoking the system call; and
      install the randomized instance of the operating system and the randomized instance of the software program on the VM;
   deploy the VM;
   determine that a software process running on the VM has invoked the system call;
   determine which one of the following applies:
      (i) the software process invoked the system call using the randomized calling convention for the system call, or (ii) the software process invoked the system call not using the randomized calling convention for the system call;
   responsive to determining that the software process invoked the system call not using the randomized calling convention for the system call, perform a cybersecurity defense action; and
   responsive to determining that the software process invoked the system call using the randomized calling convention for the system call, perform the system call without performing the cybersecurity defense action.