Securing applications and operating systems

US 20050246522A1
Filed: 04/30/2004
Published: 11/03/2005
Est. Priority Date: 04/30/2004
Status: Active Grant

First Claim

Patent Images

1. A method performed by a kernel mode operating system component of a computer system for securing its operating system, comprising:

detecting that a component of the operating system is performing an operation;

retrieving a policy previously registered for the operation, the policy including a condition and an action;

determining whether the condition associated with the policy is satisfied; and

when the condition associated with the policy is satisfied, performing an action associated with the condition; and

causing a notification message relating to the operation to be sent to a user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for securing applications and operating systems are provided. In an embodiment, the system notifies a user that a security enforcement action is being taken even though the condition prompting the action is detected by a security engine that executes in kernel mode. The security engine enforces security policies that help to ensure that a vulnerability of an application or operating system cannot be exploited. In an embodiment, the security system may solicit input from a user relating to a security enforcement action even though the condition prompting the action is detected by a security engine that executes in kernel mode. Security policies may be defined as sets of rules, each having a condition and an action. The security system thus enables kernel mode components to provide notifications to a user or solicit input from the user.

Citations

51 Claims

1. A method performed by a kernel mode operating system component of a computer system for securing its operating system, comprising:
- detecting that a component of the operating system is performing an operation;
  
  retrieving a policy previously registered for the operation, the policy including a condition and an action;
  
  determining whether the condition associated with the policy is satisfied; and
  
  when the condition associated with the policy is satisfied, performing an action associated with the condition; and
  
  causing a notification message relating to the operation to be sent to a user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the component of the operating system is an application.
  - 3. The method of claim 1 wherein the action is to allow the operation.
  - 4. The method of claim 1 wherein the action is to deny the operation.
  - 5. The method of claim 1 wherein the method is performed by a security engine.
  - 6. The method of claim 1 wherein the causing includes invoking an application program interface of a host services component that performs in user mode.
  - 7. The method of claim 6 wherein the host services component provides input from the user when the application program interface invocation returns.
  - 8. The method of claim 1 wherein the causing includes sending an event through an event tracing component to a host services component that performs in user mode.

9. A method performed by a kernel mode operating system component of a computer system for securing its operating system, comprising:
- detecting that a component of the operating system is performing an operation;
  
  retrieving a policy previously registered for the operation, the policy including a condition and an action;
  
  determining whether the condition associated with the policy is satisfied; and
  
  when the condition associated with the policy is satisfied, causing input to be solicited from a user; and
  
  receiving an indication of a specified action based on the input from the user.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 10. The method of claim 9 wherein the component of the operating system is an application.
  - 11. The method of claim 9 including performing the specified action.
  - 12. The method of claim 9 wherein the specified action is to deny the operation.
  - 13. The method of claim 9 wherein the specified action is to allow the operation.
  - 14. The method of claim 9 wherein the specified action is received from a host services component.
  - 15. The method of claim 14 wherein the host services component receives an indication of the input from the user from a notification application.
  - 16. The method of claim 9 wherein the causing includes requesting a user mode component to solicit the input from the user.
  - 17. The method of claim 16 wherein the user mode component is a host services component.
  - 18. The method of claim 9 wherein the causing includes invoking an application program interface of a host services component that performs in user mode.
  - 19. The method of claim 18 wherein input from the user is received from the host services component when the application program interface invocation returns.
  - 20. The method of claim 9 wherein the causing includes sending an event through an event tracing component to a host services component that performs in user mode.

21. A method performed by a user mode operating system component of a computer system for securing its operating system, comprising:
- receiving an indication to communicate information to a user, the indication originating at a kernel mode component and including an identifier;
  
  selecting information to communicate to the user based on the identifier included in the received indication;
  
  sending the selected information to a notification application; and
  
  when the communicated information includes a solicitation for input from the user, receiving input from the notification application; and
  
  forwarding the input to the kernel mode component.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 22. The method of claim 21 wherein the sending includes invoking an application program interface of a host services component that performs in user mode.
  - 23. The method of claim 22 wherein input from the user is received when the application program interface invocation returns.
  - 24. The method of claim 21 wherein the sending includes sending an event through an event tracing component to a host services component that performs in user mode.
  - 25. The method of claim 21 wherein the receiving input includes using a default input when input from the user is unavailable.
  - 26. The method of claim 21 wherein the receiving input includes using a prior input from the user.
  - 27. The method of claim 21 wherein the selected information includes a uniform resource locator that is used to find a resource that aids in securing the operating system.
  - 28. The method of claim 27 wherein the selected information includes informational text relating to the resource that the uniform resource locator identifies.
  - 29. The method of claim 21 wherein the selected information is displayed to the user.
  - 30. The method of claim 29 wherein the selected information is displayed by the notification application.
  - 31. The method of claim 29 wherein the selected information is displayed on an operating system task bar.
  - 32. The method of claim 29 wherein the selected information is displayed in a window after the user positions a pointer on an area of a window.
  - 33. The method of claim 29 wherein the selected information is queued for displaying to the user when the user is available to review the selected information.
  - 34. The method of claim 29 wherein the selected information is pooled.

35. A system operating in kernel mode of an operating system, comprising:
- a component that detects that a software component is performing an operation;
  
  a component that retrieves a policy previously registered for the operation, the policy including a condition and an action;
  
  a component that determines whether the condition associated with the policy is satisfied; and
  
  a component that, when the condition associated with the policy is satisfied, causes an action associated with the condition to be performed and causes a notification message relating to the operation to be sent to a user.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 36. The system of claim 35 wherein the software component is an application.
  - 37. The system of claim 35 wherein the software component is an operating system component.
  - 38. The system of claim 35 wherein the notification message is sent by invoking an application program interface of a host services component that performs in user mode.
  - 39. The system of claim 38 wherein the host services component provides input from the user when the application program interface invocation returns.
  - 40. The system of claim 35 wherein the notification message is sent by sending an event through an event tracing component to a host services component that performs in user mode.
  - 41. The system of claim 35 wherein when the action is only to notify the user, the operation is allowed.
  - 42. The system of claim 35 wherein the action is to allow the operation.
  - 43. The system of claim 35 wherein the action is to deny the operation.
  - 44. The system of claim 35 wherein the components are controlled by a security engine.

45. A computer-readable medium having computer-executable instructions for performing steps in kernel mode of an operating system, comprising:
- detecting that a component of the operating system is performing an operation;
  
  retrieving a policy previously registered for the operation, the policy including a condition and an action;
  
  determining whether the condition associated with the policy is satisfied; and
  
  when the condition associated with the policy is satisfied, performing an action associated with the condition; and
  
  causing an informational message relating to the operation to be sent to a user.
- View Dependent Claims (46, 47, 48, 49, 50, 51)
- - 46. The computer-readable medium of claim 45 wherein the causing includes invoking an application program interface of a host services component that performs in user mode.
  - 47. The computer-readable medium of claim 46 wherein input from the user is provided when the application program interface invocation returns.
  - 48. The computer-readable medium of claim 45 wherein the causing includes sending an event through an event tracing component to a host services component that performs in user mode.
  - 49. The computer-readable medium of claim 45 wherein the informational message is a notification.
  - 50. The computer-readable medium of claim 45 wherein the informational message is a solicitation for input.
  - 51. The computer-readable medium of claim 50 further comprising:
    - receiving an input in response to the solicitation for input;
      
      when the input indicates to allow the operation, allowing the operation; and
      
      when the input indicates to deny the operation, denying the operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Samuelsson, Anders, Fakes, Thomas, Townsend, Steven

Granted Patent

US 7,530,093 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

G06F 21/53 by executing in a restricte...

G06F 2221/2105 Dual mode as a secondary as...

Securing applications and operating systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

Securing applications and operating systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links