Secure posture assessment

US 10,574,653 B1
Filed: 09/28/2017
Issued: 02/25/2020
Est. Priority Date: 09/28/2017
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a posture assessment system comprising one or more server computing devices, wherein the posture assessment system is configured to at least;

receive a posture assessment request from a user computing device, the posture assessment request comprising configuration data regarding an operating system configuration of the user computing device;

generate configuration verification data based at least partly on the configuration data, wherein the configuration verification data comprises an encoded representation of at least a portion of an operating system expected to be present on the user computing device;

generate an expected assessment result comprising an encoded representation of the configuration verification data, and output of an execution confirmation function that takes at least a threshold period of time to execute;

generate client-side executable instructions that, when executed, cause the user computing device to generate an assessment result comprising an encoded representation of at least a portion of an operating system present on the user computing device and output of the execution confirmation function;

transmit the client-side executable instructions to the user computing device;

receive the assessment result from the user computing device;

analyze the assessment result with respect to the expected assessment result; and

transmit a verification token to the user computing device; and

a client-side operating system component that configures the user computing device to at least;

receive the client-side executable instructions from the posture assessment system;

execute the client-side executable instructions using a temporarily heightened degree of operating system access privileges;

transmit the assessment result to the posture assessment system; and

receive the verification token from the posture assessment system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A posture assessment system is provided that uses an application programming interface (“API”), integrated into a computing device operating system, to assess the posture of the computing device. The API provides temporarily heightened access to the operating system, and executes code provided by the posture assessment system. The code may cause performance of various operations on the computing device, such as generating encoded representations of operating system components, performing computationally-expensive functions to verify execution of the code, and the like. The output of these operations can be sent to the posture assessment system for verification.

25 Citations

20 Claims

1. A system comprising:
- a posture assessment system comprising one or more server computing devices, wherein the posture assessment system is configured to at least;
  
  receive a posture assessment request from a user computing device, the posture assessment request comprising configuration data regarding an operating system configuration of the user computing device;
  
  generate configuration verification data based at least partly on the configuration data, wherein the configuration verification data comprises an encoded representation of at least a portion of an operating system expected to be present on the user computing device;
  
  generate an expected assessment result comprising an encoded representation of the configuration verification data, and output of an execution confirmation function that takes at least a threshold period of time to execute;
  
  generate client-side executable instructions that, when executed, cause the user computing device to generate an assessment result comprising an encoded representation of at least a portion of an operating system present on the user computing device and output of the execution confirmation function;
  
  transmit the client-side executable instructions to the user computing device;
  
  receive the assessment result from the user computing device;
  
  analyze the assessment result with respect to the expected assessment result; and
  
  transmit a verification token to the user computing device; and
  
  a client-side operating system component that configures the user computing device to at least;
  
  receive the client-side executable instructions from the posture assessment system;
  
  execute the client-side executable instructions using a temporarily heightened degree of operating system access privileges;
  
  transmit the assessment result to the posture assessment system; and
  
  receive the verification token from the posture assessment system.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the posture assessment system is further configured to generate a pseudo random data item, wherein the client-side executable instructions comprise executable instructions to use the pseudo random data item during execution of a function.
  - 3. The system of claim 1, wherein the assessment result is required to be received from the user computing device within a second period of time.
  - 4. The system of claim 1, wherein the posture assessment system is further configured to at least:
    - select the execution confirmation function from a plurality of execution confirmation functions based at least partly on one of;
      
      the encoded representation of the portion of the operating system expected to be present on the client device, a pseudo-random number, or output of a function selected using a pseudo-random number,wherein the client-side executable instructions comprise the plurality of execution confirmation functions.

5. A computer-implemented method comprising:
- as performed by a computing system configured to execute specific instructions,receiving configuration data representing a configuration of a computing device;
  
  generating an encoded representation of at least a portion of data expected to be present on the computing device;
  
  determining an execution confirmation function that takes at least a threshold period of time to execute;
  
  generating an expected response using the encoded representation and output of the execution confirmation function;
  
  generating executable code that, when executed by the computing device, causes the computing device to generate a response comprising an encoded representation of at least a portion of data present on the computing device and output of the execution confirmation function, wherein the executable code comprises a first portion of code for executing auxiliary functions and a second portion of code for generating the response, wherein output from at least a portion of the auxiliary functions is excluded from the response;
  
  receiving the response from the computing device; and
  
  determining whether to validate the computing device based at least partly on analyzing the response with respect to the expected response.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 6. The computer-implemented method of claim 5, further comprising blacklisting the computing device based at least partly on the response being different than the expected response.
  - 7. The computer-implemented method of claim 5, further comprising transmitting a token to the computing device based at least partly on the response matching the expected response.
  - 8. The computer-implemented method of claim 5, wherein determining the execution confirmation function comprises selecting the execution confirmation function from a plurality of execution confirmation functions, wherein the executable code comprises the plurality of execution confirmation functions.
  - 9. The computer-implemented method of claim 8, wherein generating the executable code comprises generating code for executing each of the plurality of execution confirmation functions, wherein only a subset of the plurality of execution confirmation functions are to be executed, the subset comprising the execution confirmation function.
  - 10. The computer-implemented method of claim 5, wherein generating the executable code comprises:
    - generating code that instructs the computing device to generate an encoded representation of an operating system component; and
      
      generating code that instructs the computing device to determine to execute the execution confirmation function, out of a plurality of execution confirmation functions, based at least partly on the encoded representation of the operating system component.
  - 11. The computer-implemented method of claim 5, wherein generating the executable code comprises generating the first portion of code as a majority of the executable code.
  - 12. The computer-implemented method of claim 5, wherein generating the executable code comprises generating code that instructs the computing device to access an area of volatile storage reserved for an operating system executing on the computing device.
  - 13. The computer-implemented method of claim 5, further comprising cryptographically signing the executable code with a private encryption key, wherein the computing device has access to a public decryption key that corresponds to the private encryption key.
  - 14. The computer-implemented method of claim 5, further comprising:
    - generating an assessment message comprising the executable code and an encoded representation of the executable code; and
      
      transmitting the assessment message to the computing device, wherein determining whether to validate the response comprises analyzing at least a portion of the response with respect to the encoded representation of the executable code.
  - 15. The computer-implemented method of claim 5, wherein determining the execution confirmation function comprises determining a computationally complex function that is computationally complex due to at least one of:
    - a size of an output range of the computationally complex function, or an expected period of time to perform one or more mathematical operations of the computationally complex function.
  - 16. The computer-implemented method of claim 5, wherein determining the execution confirmation function comprises determining a computationally complex function comprising instructions to perform at least one of:
    - determining a key to decrypt an encrypted message, repeated execution of recursive operations to obtain results, or repeated execution of counting operations.

17. A non-transitory computer storage system storing executable instructions, wherein the executable instructions configure a computing system to perform a process comprising:
- receiving executable code from a remote server system via an application programming interface (API) of an operating system of the computing system;
  
  granting the executable code a temporarily heightened degree of access privileges;
  
  executing the executable code using the temporarily heightened degree of access privileges to generate a result, wherein the result comprises an encoded representation of at least a portion of data present on the computing system and output of an execution confirmation function that takes at least a threshold period of time to execute;
  
  transmitting the result to the remote server system; and
  
  revoking the temporarily heightened degree of access privileges.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer storage system of claim 17, wherein executing the executable code comprises generating an encoded representation of an operating system component.
  - 19. The non-transitory computer storage system of claim 17, wherein executing the executable code comprises selecting the execution confirmation function from a plurality of execution confirmation functions based at least partly on one of:
    - an encoded representation of an operating system component, a pseudo-random number, or output of a function selected using a pseudo-random number.
  - 20. The non-transitory computer storage system of claim 17, wherein the process further comprises verifying a source of the executable code using a locally-stored decryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Karppanen, Jari Juhani
Primary Examiner(s)
Pyzocha, Michael

Application Number

US15/718,660
Time in Patent Office

880 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/52   during program execution, e...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/3247   involving digital signatures

Secure posture assessment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Secure posture assessment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others