Run time code integrity checks

US 20040143739A1
Filed: 01/16/2003
Published: 07/22/2004
Est. Priority Date: 01/16/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method for detecting tampered program data comprising at least one program unit, the method comprising:

receiving a request for use of said at least one program unit;

computing a first fingerprint over stored data associated with said at least one program unit; and

determining whether said stored data is valid based at least in part on whether said first fingerprint matches a second fingerprint, said second fingerprint computed over said stored data prior to said receiving.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting tampered program data comprising at least one program unit includes receiving a request for use of the at least one program unit, computing a first fingerprint over stored data associated with the at least one program unit and determining whether the stored data is valid based at least in part on whether the first fingerprint matches a second fingerprint. The second fingerprint is computed over the stored data prior to receiving the request for use of the at least one program unit.

Citations

95 Claims

1. A method for detecting tampered program data comprising at least one program unit, the method comprising:
- receiving a request for use of said at least one program unit;
  
  computing a first fingerprint over stored data associated with said at least one program unit; and
  
  determining whether said stored data is valid based at least in part on whether said first fingerprint matches a second fingerprint, said second fingerprint computed over said stored data prior to said receiving.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein said second fingerprint is computed upon commitment of said stored data.
  - 3. The method of claim 1 wherein said use comprises execution of said at least one program unit.
  - 4. The method of claim 1 wherein said use comprises instantiation of said at least one program unit.
  - 5. The method of claim 1 wherein said use comprises reading said at least one program unit.
  - 6. The method of claim 1 wherein said program comprises a Java™
    - program.
  - 7. The method of claim 6 wherein said at least one program unit comprises one of a package, a class, a method, an instance variable and a class variable.
  - 8. The method of claim 1 wherein said first fingerprint comprises a checksum;
    - and said second fingerprint comprises a checksum.
  - 9. The method of claim 1 wherein said first fingerprint comprises a cyclic redundancy code (CRC);
    - and said second fingerprint comprises a CRC.

10. A method for determining at run-time whether a program unit is fit for execution on a device, the method comprising:
- receiving a request to use said at least one program unit;
  
  computing a first storage commitment fingerprint over said at least one program unit in response to said request; and
  
  indicating said at least one program unit is fit for execution based at least in part on whether said first storage commitment fingerprint matches a second storage commitment fingerprint computed over said at least one program unit upon completely loading said at least one program unit in a non-volatile memory on said device.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10 wherein said use comprises execution of said at least one program unit.
  - 12. The method of claim 10 wherein said use comprises creating an instantiation of said at least one program unit.
  - 13. The method of claim 10 wherein said use comprises reading said at least one program unit.
  - 14. The method of claim 10 wherein said at least one program unit comprises at least one of a package, a class or a method.
  - 15. The method of claim 10 wherein said first storage commitment fingerprint is based at least in part on at least one storage commitment fingerprint of a lower-level program unit;
    - and said second storage commitment fingerprint is based at least in part on at least one storage commitment fingerprint of a lower-level program unit.
  - 16. The method of claim 10 wherein said first storage commitment fingerprint is based at least in part on data of a lower-level program unit;
    - and said second storage commitment fingerprint is based at least in part on data of a lower-level program unit.

17. A method for run-time program unit integrity checking, the method comprising:
- receiving a request to use said at least one program unit;
  
  determining a dispatch table associated with a protection unit of said at least one program unit, said dispatch table comprising an entry for each callable routine in said protection unit, each entry comprising a check bit and a routine address, said check bit to indicate whether the corresponding routine has been checked, said routine address comprising the start address of said callable routine;
  
  checking said protection unit if said protection unit has not been checked, said checking comprising;
  
  loading a dispatch table template from a first memory to a second memory; and
  
  making all check bits in said dispatch table indicate an unchecked status if said protection unit comprises a collective protection unit;
  
  examining a dispatch table entry corresponding to said at least one program unit;
  
  verifying said protection unit and making check bits of all entries in said dispatch table indicate a checked status if the check bit of said dispatch table entry indicates an unchecked status; and
  
  calling said at least one program unit using said routine address.

18. A method for run-time program unit integrity checking, the method comprising:
- receiving a program comprising a plurality of program units;
  
  determining whether a first method and a second method are within the same protection unit if said first method includes a call to said second method;
  
  rewriting said call to invoke a gateway dispatcher if said first method and said second method are not within the same protection unit, said gateway dispatcher capable of determining a dispatch table associated with the protection unit comprising said second method, said dispatch table comprising an entry for each callable routine in said protection unit, each entry comprising a check bit and a routine address, said check bit to indicate whether the corresponding routine has been checked, said routine address comprising the start address of said callable routine, said gateway dispatcher also capable of using said dispatch table to ensure that said protection unit has been checked prior to calling said second method.

19. A method for detecting tampered program data comprising at least one program unit, the method comprising:
- step for receiving a request for use of said at least one program unit;
  
  step for computing a first fingerprint over stored data associated with said at least one program unit; and
  
  step for determining whether said stored data is valid based at least in part on whether said first fingerprint matches a second fingerprint, said second fingerprint computed over said stored data prior to said receiving.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The method of claim 19 wherein said second fingerprint is computed upon commitment of said stored data.
  - 21. The method of claim 19 wherein said use comprises execution of said at least one program unit.
  - 22. The method of claim 19 wherein said use comprises instantiation of said at least one program unit.
  - 23. The method of claim 19 wherein said use comprises reading said at least one program unit.
  - 24. The method of claim 19 wherein said program comprises a Java™
    - program.
  - 25. The method of claim 24 wherein said at least one program unit comprises one of a package, a class, a method, an instance variable and a class variable.
  - 26. The method of claim 19 wherein said first fingerprint comprises a checksum;
    - and said second fingerprint comprises a checksum.
  - 27. The method of claim 19 wherein said first fingerprint comprises a cyclic redundancy code (CRC);
    - and said second fingerprint comprises a CRC.

28. A method for determining at run-time whether a program unit is fit for execution on a device, the method comprising:
- step for receiving a request to use said at least one program unit;
  
  step for computing a first storage commitment fingerprint over said at least one program unit in response to said request; and
  
  step for indicating said at least one program unit is fit for execution based at least in part on whether said first storage commitment fingerprint matches a second storage commitment fingerprint computed over said at least one program unit upon completely loading said at least one program unit in a non-volatile memory on said device.
- View Dependent Claims (29, 30, 31, 32, 33, 34)
- - 29. The method of claim 28 wherein said use comprises execution of said at least one program unit.
  - 30. The method of claim 28 wherein said use comprises creating an instantiation of said at least one program unit.
  - 31. The method of claim 28 wherein said use comprises reading said at least one program unit.
  - 32. The method of claim 28 wherein said at least one program unit comprises at least one of a package, a class or a method.
  - 33. The method of claim 28 wherein said first storage commitment fingerprint is based at least in part on at least one storage commitment fingerprint of a lower-level program unit;
    - and said second storage commitment fingerprint is based at least in part on at least one storage commitment fingerprint of a lower-level program unit.
  - 34. The method of claim 28 wherein said first storage commitment fingerprint is based at least in part on data of a lower-level program unit;
    - and said second storage commitment fingerprint is based at least in part on data of a lower-level program unit.

35. A method for run-time program unit integrity checking, the method comprising:
- step for receiving a request to use said at least one program unit;
  
  step for determining a dispatch table associated with a protection unit of said at least one program unit, said dispatch table comprising an entry for each callable routine in said protection unit, each entry comprising a check bit and a routine address, said check bit to indicate whether the corresponding routine has been checked, said routine address comprising the start address of said callable routine;
  
  step for checking said protection unit if said protection unit has not been checked, said checking comprising;
  
  loading a dispatch table template from a first memory to a second memory; and
  
  making all check bits in said dispatch table indicate an unchecked status if said protection unit comprises a collective protection unit;
  
  step for examining a dispatch table entry corresponding to said at least one program unit;
  
  step for verifying said protection unit and making check bits of all entries in said dispatch table indicate a checked status if the check bit of said dispatch table entry indicates an unchecked status; and
  
  step for calling said at least one program unit using said routine address.

36. A method for run-time program unit integrity checking, the method comprising:
- step for receiving a program comprising a plurality of program units;
  
  step for determining whether a first method and a second method are within the same protection unit if said first method includes a call to said second method;
  
  step for rewriting said call to invoke a gateway dispatcher if said first method and said second method are not within the same protection unit, said gateway dispatcher capable of determining a dispatch table associated with the protection unit comprising said second method, said dispatch table comprising an entry for each callable routine in said protection unit, each entry comprising a check bit and a routine address, said check bit to indicate whether the corresponding routine has been checked, said routine address comprising the start address of said callable routine, said gateway dispatcher also capable of using said dispatch table to ensure that said protection unit has been checked prior to calling said second method.

37. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform a method for detecting tampered program data comprising at least one program unit, the method comprising:
- receiving a request for use of said at least one program unit;
  
  computing a first fingerprint over stored data associated with said at least one program unit; and
  
  determining whether said stored data is valid based at least in part on whether said first fingerprint matches a second fingerprint, said second fingerprint computed over said stored data prior to said receiving.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45)
- - 38. The program storage device of claim 37 wherein said second fingerprint is computed upon commitment of said stored data.
  - 39. The program storage device of claim 37 wherein said use comprises execution of said at least one program unit.
  - 40. The program storage device of claim 37 wherein said use comprises instantiation of said at least one program unit.
  - 41. The program storage device of claim 37 wherein said use comprises reading said at least one program unit.
  - 42. The program storage device of claim 37 wherein said program comprises a Java™
    - program.
  - 43. The program storage device of claim 42 wherein said at least one program unit comprises one of a package, a class, a method, an instance variable and a class variable.
  - 44. The program storage device of claim 37 wherein said first fingerprint comprises a checksum;
    - and said second fingerprint comprises a checksum.
  - 45. The program storage device of claim 37 wherein said first fingerprint comprises a cyclic redundancy code (CRC);
    - and said second fingerprint comprises a CRC.

46. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform a method for detecting determining at run-time whether a program unit is fit for execution on a device, the method comprising:
- receiving a request to use said at least one program unit;
  
  computing a first storage commitment fingerprint over said at least one program unit in response to said request; and
  
  indicating said at least one program unit is fit for execution based at least in part on whether said first storage commitment fingerprint matches a second storage commitment fingerprint computed over said at least one program unit upon completely loading said at least one program unit in a non-volatile memory on said device.
- View Dependent Claims (47, 48, 49, 50, 51, 52)
- - 47. The program storage device of claim 46 wherein said use comprises execution of said at least one program unit.
  - 48. The program storage device of claim 46 wherein said use comprises creating an instantiation of said at least one program unit.
  - 49. The program storage device of claim 46 wherein said use comprises reading said at least one program unit.
  - 50. The program storage device of claim 46 wherein said at least one program unit comprises at least one of a package, a class or a method.
  - 51. The program storage device of claim 46 wherein said first storage commitment fingerprint is based at least in part on at least one storage commitment fingerprint of a lower-level program unit;
    - and said second storage commitment fingerprint is based at least in part on at least one storage commitment fingerprint of a lower-level program unit.
  - 52. The program storage device of claim 46 wherein said first storage commitment fingerprint is based at least in part on data of a lower-level program unit;
    - and said second storage commitment fingerprint is based at least in part on data of a lower-level program unit.

53. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform a method for run-time program unit integrity checking, the method comprising:
- receiving a request to use said at least one program unit;
  
  determining a dispatch table associated with a protection unit of said at least one program unit, said dispatch table comprising an entry for each callable routine in said protection unit, each entry comprising a check bit and a routine address, said check bit to indicate whether the corresponding routine has been checked, said routine address comprising the start address of said callable routine;
  
  checking said protection unit if said protection unit has not been checked, said checking comprising;
  
  loading a dispatch table template from a first memory to a second memory; and
  
  making all check bits in said dispatch table indicate an unchecked status if said protection unit comprises a collective protection unit;
  
  examining a dispatch table entry corresponding to said at least one program unit;
  
  verifying said protection unit and making check bits of all entries in said dispatch table indicate a checked status if the check bit of said dispatch table entry indicates an unchecked status; and
  
  calling said at least one program unit using said routine address.

54. A program storage device readable by a machine, embodying a program of instructions executable by the machine to perform a method for run-time program unit integrity checking, the apparatus comprising:
- means for receiving a program comprising a plurality of program units;
  
  means for determining whether a first method and a second method are within the same protection unit if said first method includes a call to said second method;
  
  means for rewriting said call to invoke a gateway dispatcher if said first method and said second method are not within the same protection unit, said gateway dispatcher capable of determining a dispatch table associated with the protection unit comprising said second method, said dispatch table comprising an entry for each callable routine in said protection unit, each entry comprising a check bit and a routine address, said check bit to indicate whether the corresponding routine has been checked, said routine address comprising the start address of said callable routine, said gateway dispatcher also capable of using said dispatch table to ensure that said protection unit has been checked prior to calling said second method.

55. An apparatus for detecting tampered program data comprising at least one program unit, the apparatus comprising:
- means for receiving a request for use of said at least one program unit;
  
  means for computing a first fingerprint over stored data associated with said at least one program unit; and
  
  means for determining whether said stored data is valid based at least in part on whether said first fingerprint matches a second fingerprint, said second fingerprint computed over said stored data prior to said receiving.
- View Dependent Claims (56, 57, 58, 59, 60, 61, 62, 63)
- - 56. The apparatus of claim 55 wherein said second fingerprint is computed upon commitment of said stored data.
  - 57. The apparatus of claim 55 wherein said use comprises execution of said at least one program unit.
  - 58. The apparatus of claim 55 wherein said use comprises instantiation of said at least one program unit.
  - 59. The apparatus of claim 55 wherein said use comprises reading said at least one program unit.
  - 60. The apparatus of claim 55 wherein said program comprises a Java™
    - program.
  - 61. The apparatus of claim 60 wherein said at least one program unit comprises one of a package, a class, a method, an instance variable and a class variable.
  - 62. The apparatus of claim 55 wherein said first fingerprint comprises a checksum;
    - and said second fingerprint comprises a checksum.
  - 63. The apparatus of claim 55 wherein said first fingerprint comprises a cyclic redundancy code (CRC);
    - and said second fingerprint comprises a CRC.

64. An apparatus for determining at run-time whether a program unit is fit for execution on a device, the apparatus comprising:
- means for receiving a request to use said at least one program unit;
  
  means for computing a first storage commitment fingerprint over said at least one program unit in response to said request; and
  
  means for indicating said at least one program unit is fit for execution based at least in part on whether said first storage commitment fingerprint matches a second storage commitment fingerprint computed over said at least one program unit upon completely loading said at least one program unit in a non-volatile memory on said device.
- View Dependent Claims (65, 66, 67, 68, 69, 70)
- - 65. The apparatus of claim 64 wherein said use comprises execution of said at least one program unit.
  - 66. The apparatus of claim 64 wherein said use comprises creating an instantiation of said at least one program unit.
  - 67. The apparatus of claim 64 wherein said use comprises reading said at least one program unit.
  - 68. The apparatus of claim 64 wherein said at least one program unit comprises at least one of a package, a class or a method.
  - 69. The apparatus of claim 64 wherein said first storage commitment fingerprint is based at least in part on at least one storage commitment fingerprint of a lower-level program unit;
    - and said second storage commitment fingerprint is based at least in part on at least one storage commitment fingerprint of a lower-level program unit.
  - 70. The apparatus of claim 64 wherein said first storage commitment fingerprint is based at least in part on data of a lower-level program unit;
    - and said second storage commitment fingerprint is based at least in part on data of a lower-level program unit.

71. An apparatus for run-time program unit integrity checking, the apparatus comprising:
- means for receiving a request to use said at least one program unit;
  
  means for determining a dispatch table associated with a protection unit of said at least one program unit, said dispatch table comprising an entry for each callable routine in said protection unit, each entry comprising a check bit and a routine address, said check bit to indicate whether the corresponding routine has been checked, said routine address comprising the start address of said callable routine;
  
  means for checking said protection unit if said protection unit has not been checked, said checking comprising;
  
  loading a dispatch table template from a first memory to a second memory; and
  
  making all check bits in said dispatch table indicate an unchecked status if said protection unit comprises a collective protection unit;
  
  means for examining a dispatch table entry corresponding to said at least one program unit;
  
  means for verifying said protection unit and making check bits of all entries in said dispatch table indicate a checked status if the check bit of said dispatch table entry indicates an unchecked status; and
  
  means for calling said at least one program unit using said routine address.

72. An apparatus for run-time program unit integrity checking, the apparatus comprising:
- means for receiving a program comprising a plurality of program units;
  
  means for determining whether a first method and a second method are within the same protection unit if said first method includes a call to said second method;
  
  means for rewriting said call to invoke a gateway dispatcher if said first method and said second method are not within the same protection unit, said gateway dispatcher capable of determining a dispatch table associated with the protection unit comprising said second method, said dispatch table comprising an entry for each callable routine in said protection unit, each entry comprising a check bit and a routine address, said check bit to indicate whether the corresponding routine has been checked, said routine address comprising the start address of said callable routine, said gateway dispatcher also capable of using said dispatch table to ensure that said protection unit has been checked prior to calling said second method.

73. An apparatus for detecting tampered program data comprising at least one program unit, the apparatus comprising:
- a memory for storing said program data; and
  
  a processor configured to;
  
  receive a request for use of said at least one program unit;
  
  compute a first fingerprint over stored data associated with said at least one program unit; and
  
  determine whether said stored data is valid based at least in part on whether said first fingerprint matches a second fingerprint, said second fingerprint computed over said stored data prior to said receiving.
- View Dependent Claims (74, 75, 76, 77, 78, 79, 80, 81)
- - 74. The apparatus of claim 73 wherein said processor is further configured to compute said second fingerprint upon commitment of said stored data.
  - 75. The apparatus of claim 73 wherein said use comprises execution of said at least one program unit.
  - 76. The apparatus of claim 73 wherein said use comprises instantiation of said at least one program unit.
  - 77. The apparatus of claim 73 wherein said use comprises reading said at least one program unit.
  - 78. The apparatus of claim 73 wherein said program comprises a Java™
    - program.
  - 79. The apparatus of claim 78 wherein said at least one program unit comprises one of a package, a class, a method, an instance variable and a class variable.
  - 80. The apparatus of claim 73 wherein said first fingerprint comprises a checksum;
    - and said second fingerprint comprises a checksum.
  - 81. The apparatus of claim 73 wherein said first fingerprint comprises a cyclic redundancy code (CRC);
    - and said second fingerprint comprises a CRC.

82. An apparatus for determining at run-time whether a program unit is fit for execution on a device, the apparatus comprising:
- a memory for storing program data comprising said at least one program unit; and
  
  a processor configured to;
  
  receive a request to use said at least one program unit;
  
  compute a first storage commitment fingerprint over said at least one program unit in response to said request; and
  
  indicate said at least one program unit is fit for execution based at least in part on whether said first storage commitment fingerprint matches a second storage commitment fingerprint computed over said at least one program unit upon completely loading said at least one program unit in a non-volatile memory on said device.
- View Dependent Claims (83, 84, 85, 86, 87, 88)
- - 83. The apparatus of claim 82 wherein said use comprises execution of said at least one program unit.
  - 84. The apparatus of claim 82 wherein said use comprises creating an instantiation of said at least one program unit.
  - 85. The apparatus of claim 82 wherein said use comprises reading said at least one program unit.
  - 86. The apparatus of claim 82 wherein said at least one program unit comprises at least one of a package, a class or a method.
  - 87. The apparatus of claim 82 wherein said first storage commitment fingerprint is based at least in part on at least one storage commitment fingerprint of a lower-level program unit;
    - and said second storage commitment fingerprint is based at least in part on at least one storage commitment fingerprint of a lower-level program unit.
  - 88. The apparatus of claim 82 wherein said first storage commitment fingerprint is based at least in part on data of a lower-level program unit;
    - and said second storage commitment fingerprint is based at least in part on data of a lower-level program unit.

89. An apparatus for run-time program unit integrity checking, the apparatus comprising:
- a memory for storing program data comprising one or more program unit; and
  
  a processor configured to;
  
  receive a request to use said at least one program unit;
  
  determine a dispatch table associated with a protection unit of said at least one program unit, said dispatch table comprising an entry for each callable routine in said protection unit, each entry comprising a check bit and a routine address, said check bit to indicate whether the corresponding routine has been checked, said routine address comprising the start address of said callable routine;
  
  check said protection unit if said protection unit has not been checked, said checking comprising;
  
  loading a dispatch table template from a first memory to a second memory; and
  
  making all check bits in said dispatch table indicate an unchecked status if said protection unit comprises a collective protection unit;
  
  examine a dispatch table entry corresponding to said at least one program unit;
  
  verify said protection unit and making check bits of all entries in said dispatch table indicate a checked status if the check bit of said dispatch table entry indicates an unchecked status; and
  
  call said at least one program unit using said routine address.

90. An apparatus for run-time program unit integrity checking, the apparatus comprising:
- a memory for storing program data comprising one or more program unit; and
  
  a processor configured to;
  
  receive a program comprising a plurality of program units;
  
  determine whether a first method and a second method are within the same protection unit if said first method includes a call to said second method;
  
  rewrite said call to invoke a gateway dispatcher if said first method and said second method are not within the same protection unit, said gateway dispatcher capable of determining a dispatch table associated with the protection unit comprising said second method, said dispatch table comprising an entry for each callable routine in said protection unit, each entry comprising a check bit and a routine address, said check bit to indicate whether the corresponding routine has been checked, said routine address comprising the start address of said callable routine, said gateway dispatcher also capable of using said dispatch table to ensure that said protection unit has been checked prior to calling said second method.

91. A memory for storing data for access by an application program being executed on a data processing system, comprising:
- a data structure stored in said memory, said data structure including information used by said program to detect tampered program data, said data structure comprising at least one executable code segment associated with a program unit and a fingerprint associated with said executable code segment, said fingerprint computed over said executable code segment prior to use of said executable code segment.
- View Dependent Claims (92, 93, 94)
- - 92. The memory of claim 91 wherein said fingerprint is computed upon commitment of said stored data.
  - 93. The method of claim 91 wherein said first fingerprint comprises a checksum.
  - 94. The memory of claim 91 wherein said first fingerprint comprises a cyclic redundancy code (CRC).

95. A memory for storing data for access by an application program being executed on a data processing system, comprising:
- a data structure stored in said memory, said data structure including information used by said program to ensure a protection unit comprising a callable routine has been checked before said callable routine is called, said data structure comprising an entry for each callable routine in said protection unit, each entry comprising a check bit and a routine address, said check bit to indicate whether the corresponding routine has been checked, said routine address comprising the start address of said callable routine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
de Jong, Eduard

Application Number

US10/346,243
Publication Number

US 20040143739A1
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/64   Protecting data integrity, ...

G06F 21/77   in smart cards

Run time code integrity checks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

95 Claims

Specification

Solutions

Use Cases

Quick Links

Run time code integrity checks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

95 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links