Network-based patching machine

US 20060156032A1
Filed: 01/03/2005
Published: 07/13/2006
Est. Priority Date: 01/03/2005
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a computer system using a universal patching machine rather than exclusively applying vendor security patches to produce a vendor-patched computer system, wherein when input data is applied to the vendor-patched computer system, a resulting output and state for the vendor-patched computer system are produced, the method comprising:

attempting to generate a conversion function that modifies input data to the computer system so that the computer system has an output and state that exactly match the output and state of the vendor-patched computer system in response to the input data before modification;

if it is to not possible to generate the conversion function that modifies the input data so that the output and state of the computer system exactly match the output and state of the vendor-patched computer system, attempting to generate a conversion function that modifies the input data to the computer system so that the computer system has a state that exactly matches the state of the vendor-patched computer in response to the input data before modification and that has an output that approximately matches the output of the vendor-patched computer in response to the input data before modification; and

if it is to not possible to generate a conversion function that modifies the input data so that the state of the computer system exactly matches the state of the vendor-patched computer system and so that the output of the computer system approximately matches the output of the vendor-patched computer system, generating a conversion function that modifies input data to the computer system so that the computer system has a state and output that approximately match the state and output of the vendor-patched computer in response to the input data before modification.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A universal patching machine is used to provide network-based security for a data network. The universal patching machine may be implemented on a network appliance located at the edge of the data network. From this location, the universal patching machine intercepts data traffic between the internet and the data network. The universal patching machine examines the intercepted data traffic to detect security vulnerabilities. If a vulnerability violation is detected, the universal patching machine modifies the data traffic to remove the violation. Fixing the data traffic in this way ensures that the vulnerability cannot be exploited in an attack against the data network. The universal patching machine is formed from patch processors and a packet controller. The patch processors are formed from network patches. In operation, the patch processors detect vulnerabilities and issue modification commands that direct the packet controller to fix the data traffic.

54 Citations

View as Search Results

19 Claims

1. A method for protecting a computer system using a universal patching machine rather than exclusively applying vendor security patches to produce a vendor-patched computer system, wherein when input data is applied to the vendor-patched computer system, a resulting output and state for the vendor-patched computer system are produced, the method comprising:
- attempting to generate a conversion function that modifies input data to the computer system so that the computer system has an output and state that exactly match the output and state of the vendor-patched computer system in response to the input data before modification;
  
  if it is to not possible to generate the conversion function that modifies the input data so that the output and state of the computer system exactly match the output and state of the vendor-patched computer system, attempting to generate a conversion function that modifies the input data to the computer system so that the computer system has a state that exactly matches the state of the vendor-patched computer in response to the input data before modification and that has an output that approximately matches the output of the vendor-patched computer in response to the input data before modification; and
  
  if it is to not possible to generate a conversion function that modifies the input data so that the state of the computer system exactly matches the state of the vendor-patched computer system and so that the output of the computer system approximately matches the output of the vendor-patched computer system, generating a conversion function that modifies input data to the computer system so that the computer system has a state and output that approximately match the state and output of the vendor-patched computer in response to the input data before modification.

2. A method for protecting a computer network by using a universal patching machine implemented on a network appliance to detect and fix vulnerability violations in data traffic flowing through the network appliance between a communications network and the computer network, wherein the universal patching machine includes patch processors and a packet controller, the method comprising:
- forming the patch processors in the universal patching machine from a plurality of network patches;
  
  receiving the data traffic with the universal patching machine;
  
  using the patch processors to detect vulnerability violations in the received data traffic;
  
  when a vulnerability violation is detected in the data traffic by the patch processors, using the patch processors to issue a modification command to the packet controller that directs the packet controller to fix the data traffic and remove the vulnerability violation; and
  
  using the universal patching machine to provide the fixed data traffic to the computer network.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 3. The method defined in claim 2 further comprising:
    - identifying vulnerabilities that need network patching before forming the patch processors; and
      
      determining which network patches are needed by the patch processors to detect and fix the identified vulnerabilities, wherein forming the patch processors in the universal patching machine comprises forming the patch processors in the universal patching machine from the network patches needed to detect and fix the identified vulnerabilities.
  - 4. The method defined in claim 2 wherein each network patch comprises state machine logic and functions that detect and fix the vulnerability violations and wherein forming the patch processors comprises merging the state machine logic from a plurality of network patches to form a unified state machine.
  - 5. The method defined in claim 4 wherein merging the state machine logic comprises eliminating duplicative state machine logic when forming the unified state machine.
  - 6. The method defined in claim 2 wherein each network patch comprises state machine logic, the method further comprising fixing the data traffic to remove the vulnerability violations while using new network patch state machine logic for new sessions in the data traffic and old network patch state machine logic for old sessions in the data traffic.
  - 7. The method defined in claim 2 further comprising updating the universal patching machine without disrupting the flow of the data traffic by selecting a point in time at which to apply a new set of network patches with the universal patching machine that does not disrupt the flow of the data traffic.
  - 8. The method defined in claim 2 wherein the universal patching machine operates on the data traffic at multiple network layers, the method further comprising using the patch processors to process the data traffic at network layers 6 and 7.
  - 9. The method defined in claim 2 wherein the packet controller operates on the data traffic at multiple network layers, the method further comprising using the packet controller to process the data traffic one or more network layers below network layer 5.
  - 10. The method defined in claim 2 wherein the patch processors and packet controller operate on the data traffic at multiple network layers, the method further comprising using the patch processors to process the data traffic at network layers 5, 6, and 7 and using the packet controller to process the data traffic at one or more network layers below network layer 5.
  - 11. The method defined in claim 2 further comprising using the universal patching machine to determine at network layer 3 whether to forward the data traffic to the computer network without processing by the patch processors or whether to route the data traffic to the patch processors to detect vulnerability violations.
  - 12. The method defined in claim 2 wherein a client computer is connected to the communications network and wherein the computer network includes a server, the method further comprising using the packet controller to determine whether to forward the data traffic without processing by the patch processors by determining whether the data traffic is destined to the client computer or to the server.
  - 13. The method defined in claim 2 wherein the patch processors and packet controller operate on the data traffic at multiple network layers, the method comprising:
    - identifying a block of data traffic that is to be forwarded without processing by the patch processors at network layers 6 and 7;
      
      specifying a start location and block size for the block of the data traffic that is to be forwarded without processing by the patch processors at network layers 6 and 7; and
      
      forwarding the block of the data traffic to the computer network without processing by the patch processors at network layers 6 and 7.
  - 14. The method defined in claim 2 wherein the patch processors and packet controller operate on the data traffic at multiple network layers, the method comprising:
    - identifying a block of data traffic that is to be forwarded without processing by the patch processors at network layers 6 and 7;
      
      specifying an ending pattern for the block of the data traffic that is to be forwarded without processing by the patch processors at network layers 6 and 7; and
      
      forwarding the block of the data traffic to the computer network without processing by the patch processors at network layers 6 and 7.
  - 15. The method defined in claim 2 wherein the computer network comprises a plurality of computers and wherein at least one of the computers in the computer network has an installed vendor patch, the method comprising using the packet controller to forward at least some of the data traffic that is destined to the computer with the installed vendor patch to that computer without processing by the patch processors.
  - 16. The method defined in claim 2 wherein the modification command directs the packet controller to change at least one byte in the data traffic, the method further comprising using the packet controller to fix the data traffic by changing the byte in the data traffic in response to the modification command.
  - 17. The method defined in claim 2 wherein the universal patching machine includes machine code helper functions and wherein forming the patch processors comprises using the machine code helper functions to merge state machine logic from the plurality of network patches to form a unified state machine.
  - 18. The method defined in claim 2 wherein the universal patching machine includes packet controller configuration data, the method further comprising using access policies in the packet controller configuration data to instruct the packet controller whether to route the data traffic to the patch processors or to output the data traffic from the universal patching machine without processing by the patch processors.
  - 19. The method defined in claim 2 further comprising using IP address and port information in determining whether the packet controller routes the data traffic to the patch processors or outputs the data traffic from the universal patching machine without processing by the patch processors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
Blue Lane Technologies Incorporated (Broadcom, Inc.)
Inventors
Panjwani, Dileep Kumar

Granted Patent

US 7,343,599 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/191
CPC Class Codes

G06F 21/85 interconnection devices, e....

H04L 63/1433 Vulnerability analysis

Network-based patching machine

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

54 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Network-based patching machine

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others