Secure system for allowing the execution of authorized computer program code
Abstract
Systems and methods are described for allowing the execution of authorized computer program code and for protecting computer systems and networks from unauthorized code execution. In one embodiment, a multi-level proactive whitelist approach is employed to secure a computer system by allowing only the execution of authorized computer program code thereby protecting the computer system against the execution of malicious code such as viruses, Trojan horses, spy-ware, and/or the like. Various embodiments use a kernel-level driver, which intercepts or “hooks” certain system Application Programming Interface (API) calls in order to monitor the creation of processes prior to code execution. The kernel-level driver may also intercept and monitor the loading of code modules by running processes, and the passing of non-executable code modules, such as script files, to approved or running code modules via command line options, for example. Once intercepted, a multi-level whitelist approach may be used to authorize the code execution.
47 Claims
1. A method of allowing authorized code to execute on a computer system, the method comprising:
intercepting a request to create a process associated with a code module;
determining if the request is authorized by authenticating the request with reference to a multi-level whitelist; and
allowing the code module to be loaded and executed by granting the request if the request is authorized.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10)

11. A method of allowing authorized code to execute on a computer system, the method comprising:
storing information in a most recently used (MRU) cache, the information being associated with a code module that has previously been authenticated on the computer system, wherein the information includes one or more parameters associated with the code module; and
responsive to a subsequent new process creation request corresponding to the code module, determining whether the code module is allowed to run with reference to the information in the MRU cache.
(Dependent claims: 12, 13, 14, 15, 16, 17, 18)

19. A method of allowing authorized code to execute on a computer system, the method comprising:
intercepting a request to load a first code module on behalf of a second code module associated with a running process;
determining if the request is authorized by authenticating the request with reference to a multi-level whitelist; and
allowing the first code module to be loaded into memory of the computer system by granting the request if the request is authorized.
(Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)

30. A method of allowing authorized code to execute on a computer system, the method comprising:
storing information in a memory store, the information being associated with a code module that has previously been authenticated responsive to a request to load the code module, wherein the information includes one or more parameters associated with the code module; and
responsive to a subsequent request to load the code module, determining whether the subsequent request should be granted by using at least part of the information stored in the memory store.
(Dependent claims: 31, 32, 33, 34, 35, 36, 37)

38. A method of allowing authorized files to execute on a computer system, the method comprising:
intercepting process creation wherein one or more of the code modules includes a known executable module configured to execute instructions contained within a separate script file;
if an intercepted process creation request is associated with the known executable module, then determining if a separate script file identified by the intercepted process creation request is authorized if the separate script file is in an approved list; and
allowing the intercepted process creation request if the separate script file was in the approved list.
(Dependent claims: 39)

40. A method of license enforcement, the method comprising:
monitoring loading of software applications;
intercepting the loading of an instance of a software application;
determining if the number of instances of the software application is greater than a number of authorized instances; and
denying execution of the software application if the number of instances of the software application already running is greater than the number of authorized instances.

41. A code execution authorization system comprising:
a plurality of whitelists stored in one or more local files; and
a kernel driver configured to intercept and authenticate code module loading requests and new process creation requests, the kernel driver further configured to:
monitor requests to modify any one of the plurality of whitelists; and
allow or disallow the modification requests.

42. The system of claim 41, wherein the plurality of whitelists include one or more MRU caches, one or more local whitelists, and one or more global whitelists.

43. The system of claim 41, wherein the kernel driver is further configured to monitor and allow or disallow requests to modify configuration files.

44. The system of claim 41, wherein the kernel driver is further configured to:
scan one or more of the plurality of whitelists for an entry associated with the requesting code module, wherein the entry includes a cryptographically secure hash associated with the requesting code module.

45. A code execution authorization system comprising:
a plurality of whitelists stored in one or more memory stores;
a plurality of content authenticators capable of being utilized to validate the integrity of the plurality of whitelists, wherein each of the plurality of content authenticators is associated with one of the plurality of whitelists; and
a remote signing server configured to:
sign each of the plurality of content authenticators to create a plurality of digital signatures; and
verify requests of the remote signing server originating from an authorized code module associated with the code execution authorization system.
(Dependent claims: 46, 47)

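The decision logic that claims 1, 11, 38, 42 and 44 describe, as an added illustration in Python (not code from the patent or from any product implementing it): an intercepted process-creation request is authenticated against the MRU cache, then the local whitelist, then the global whitelist, each keyed by a SHA-256 hash of the module; a known script interpreter additionally needs the script named on its command line to be in the approved list. The module paths, file contents and whitelist membership are all constructed sample data, and the hash check on the MRU entry is an assumption about how a cached approval should be revalidated.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample code modules: path -> file bytes (a real driver would hash the on-disk image).
EDITOR, INTERP, SCRIPT, DROPPER = (r"C:\app\editor.exe", r"C:\tools\interp.exe",
                                   r"C:\scripts\backup.cmd", r"C:\tmp\dropper.exe")
MODULES = {EDITOR: b"MZ...editor-v1", INTERP: b"MZ...interpreter",
           SCRIPT: b"@echo off\r\ncopy D:\\data E:\\bak", DROPPER: b"MZ...unknown"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Whitelists:
    """The levels of the multi-level whitelist (hashes of approved modules)."""
    mru: dict = field(default_factory=dict)              # path -> hash of modules already authenticated
    local: set = field(default_factory=set)              # approved on this host
    global_: set = field(default_factory=set)            # approved fleet-wide
    interpreters: set = field(default_factory=set)       # known executables that run separate scripts
    approved_scripts: set = field(default_factory=set)   # hashes of scripts those interpreters may run

def sample_whitelists() -> Whitelists:
    # Constructed: editor approved locally, interpreter approved globally, one script approved.
    return Whitelists(local={sha256(MODULES[EDITOR])}, global_={sha256(MODULES[INTERP])},
                      interpreters={sha256(MODULES[INTERP])}, approved_scripts={sha256(MODULES[SCRIPT])})

def authorize(path: str, args: list, wl: Whitelists) -> tuple:
    """Decide an intercepted process-creation request; returns (allowed, level or reason)."""
    digest = sha256(MODULES[path])
    # Level 1: MRU cache of previously authenticated modules. The cached hash must still match,
    # so a module replaced on disk after approval falls through to the slower levels (assumption).
    if wl.mru.get(path) == digest:
        level = "mru"
    elif digest in wl.local:
        level = "local"
    elif digest in wl.global_:
        level = "global"
    else:
        return False, "module not in any whitelist"
    # Known interpreter: the separate script named on the command line must be in the approved list.
    if digest in wl.interpreters:
        for script in (a for a in args if a in MODULES):
            if sha256(MODULES[script]) not in wl.approved_scripts:
                return False, "script not approved: " + script
    wl.mru[path] = digest   # cache the outcome for the next request from this module
    return True, level

if __name__ == "__main__":
    wl = sample_whitelists()
    for req in [(EDITOR, []), (EDITOR, []), (INTERP, [SCRIPT]), (DROPPER, [])]:
        print(req[0], authorize(req[0], req[1], wl))
```

The second request for the same editor is answered from the MRU cache; replacing the editor's bytes after that approval invalidates the cached entry and the module is denied because its new hash is on no list.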