Method and system for enforcing a security policy via a security virtual machine

US 20050257243A1
Filed: 04/27/2004
Published: 11/17/2005
Est. Priority Date: 04/27/2004
Status: Active Grant

First Claim

Patent Images

1. A method in a computer system for enforcing a security policy, the method comprising:

providing a security policy;

compiling the security policy into a security program based on an instruction set of a security virtual machine;

loading the security program into an instruction store of the security virtual machine; and

upon occurrence of a security enforcement event, executing the instructions of the instruction store based on data of the security enforcement event to enforce the security policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for enforcing a security policy encoded in an instruction set of a security virtual machine is provided. A security system provides a security virtual machine that executes security programs expressed in the instruction set of the security virtual machine. The security system stores the security program in an instruction store of the security virtual machine. When a security enforcement event occurs, the security virtual machine executes the instructions of its instruction store using data of the security enforcement event to enforce the security policy.

Citations

39 Claims

1. A method in a computer system for enforcing a security policy, the method comprising:
- providing a security policy;
  
  compiling the security policy into a security program based on an instruction set of a security virtual machine;
  
  loading the security program into an instruction store of the security virtual machine; and
  
  upon occurrence of a security enforcement event, executing the instructions of the instruction store based on data of the security enforcement event to enforce the security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1 wherein the security policy specifies security for system calls.
  - 3. The method of claim 1 wherein the security enforcement event is an application placing a system call.
  - 4. The method of claim 3 wherein parameters of the system calls are the data of the security enforcement event.
  - 5. The method of claim 3 wherein process control information of an application that places the system call is the data of the security enforcement event.
  - 6. The method of claim 1 wherein data of the security program is stored in a literal data structure.
  - 7. The method of claim 6 wherein an instruction contains a reference to literal data stored in the literal data structure.
  - 8. The method of claim 1 wherein data of the security program is stored in a dynamic data structure.
  - 9. The method of claim 8 wherein an instruction contains a reference to dynamic data stored in the dynamic data structure.
  - 10. The method of claim 1 wherein an instruction identifies a location of the next instruction to execute.
  - 11. The method of claim 1 wherein the security virtual machine supports Boolean, integer, string, and raw binary data types.
  - 12. The method of claim 1 wherein the security virtual machine supports regular expression pattern matching comparisons.
  - 13. The method of claim 1 wherein the execution of the security program creates an output action set that specifies how to handle the security enforcement event.
  - 14. The method of claim 1 wherein the executing of the instructions is performed in kernel mode.
  - 15. The method of claim 1 wherein an instruction includes an operation code, parameters, and branch fields.
  - 16. The method of claim 15 wherein the branch fields include a true branch field that specifies the next instruction when a condition of the instruction evaluates to true and a false branch field that specifies the next instruction when the condition of the instruction evaluates to false.
  - 17. The method of claim 1 wherein the security enforcement specifies a behavior to block.

18. A security virtual machine for detecting when an application is placing a system call with parameters that violate a security policy, comprising:
- an instruction store that contains instructions that implement the security policy;
  
  a data store that contains data of the security policy;
  
  a parameter store that contains parameters of a system call; and
  
  a processor engine that executes the instructions of the instruction store using data of the data store and parameters of the parameter store to determine whether the system call violates the security policy.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 19. The security virtual machine of claim 18 wherein the instructions that implement the security policy are compiled from a representation of the security policy in a high-level language.
  - 20. The security virtual machine of claim 19 wherein the high-level language is in an XML-based format.
  - 21. The security virtual machine of claim 19 wherein the high-level language has rules that are specified in terms of a condition and an action to perform when the condition is satisfied.
  - 22. The security virtual machine of claim 18 wherein the security virtual machine executes in kernel mode.
  - 23. The security virtual machine of claim 18 wherein a system call intercept component stores parameters of an intercepted system call in the parameter store.
  - 24. The security virtual machine of claim 18 wherein a load program component loads instructions into the instruction store.
  - 25. The security virtual machine of claim 18 wherein the instruction set is a reduced instruction set.
  - 26. The security virtual machine of claim 18 including a process control information store for storing process control information that is used when executing the instructions.
  - 27. The security virtual machine of claim 18 wherein the data store includes a literal data structure and a dynamic data structure.
  - 28. The security virtual machine of claim 18 wherein instructions contain a reference to the data store.
  - 29. The security virtual machine of claim 18 wherein each instruction identifies a location of the next instruction to execute.
  - 30. The security virtual machine of claim 18 wherein the security virtual machine supports Boolean, integer, string, and raw binary data types.
  - 31. The security virtual machine of claim 18 wherein the virtual machine supports regular expression pattern matching comparisons.
  - 32. The security virtual machine of claim 18 wherein the execution of the instructions creates an output action set that specifies how to handle the enforcement of the security policy.
  - 33. The security virtual machine of claim 18 wherein an instruction includes an operation code, parameters, and branch fields.
  - 34. The security virtual machine of claim 18 wherein the branch fields include a true branch field that specifies the next instruction when a condition of the instruction evaluates to true and a false branch field that specifies the next instruction when the condition of the instruction evaluates to false.

35. A computer-readable medium containing instructions for enforcing a security policy, the instructions for execution by a security virtual machine and being compiled from a high-level language representation of the security policy.
- View Dependent Claims (36, 37, 38, 39)
- - 36. The computer-readable medium of claim 35 further containing a data store for data used to enforce the security policy.
  - 37. The computer-readable medium of claim 35 wherein the data store includes literal data and dynamic data.
  - 38. The computer-readable medium of claim 35 wherein the instructions form a relocatable security sub-program.
  - 39. The computer-readable medium of claim 35 wherein each instruction identifies a next instruction to execute.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Baker, Arthur H.

Granted Patent

US 8,607,299 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/554 involving event detection a...

G06F 21/6218 to a system of files or obj...

Method and system for enforcing a security policy via a security virtual machine

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for enforcing a security policy via a security virtual machine

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links