CONSTRAINT INJECTION SYSTEM FOR IMMUNIZING SOFTWARE PROGRAMS AGAINST VULNERABILITIES AND ATTACKS

US 20060277539A1
Filed: 06/06/2006
Published: 12/07/2006
Est. Priority Date: 06/07/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for protecting software, comprising:

inserting constraint code into a computer program to be protected at a patch point which is between instructions of the computer program; and

executing the constraint code when a control flow of the computer program reaches the patch point.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A constraint is inserted into a program to address a vulnerability of the program to attacks. The constraint includes a segment of code that determines when the program has been asked to execute a “corner case” which does not occur in normal operations. The constraint code can access a library of detector and remediator functions to detect various attacks and remediate against them. Optionally, the detector can be employed without the remediator for analysis. The context of the program can be saved and restored if necessary to continue operating after remediation is performed. The constraints can include descriptors, along with machine instructions or byte code, which indicate how the constraints are to be used.

203 Citations

89 Claims

1. A computer-implemented method for protecting software, comprising:
- inserting constraint code into a computer program to be protected at a patch point which is between instructions of the computer program; and
  
  executing the constraint code when a control flow of the computer program reaches the patch point.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71)
- - 2. The computer-implemented method of claim 1, wherein:
    - the constraint code eliminates a vulnerability in the computer program.
  - 3. The computer-implemented method of claim 1, wherein:
    - the constraint code protects against an attack against the computer program.
  - 4. The computer-implemented method of claim 1, wherein:
    - the constraint code fixes a bug in the computer program.
  - 5. The computer-implemented method of claim 1, wherein:
    - the constraint code filters content in the computer program.
  - 6. The computer-implemented method of claim 1, wherein:
    - the constraint code enforces a security policy in the computer program.
  - 7. The computer-implemented method of claim 1, wherein:
    - the constraint code extends a functionality of the computer program.
  - 8. The computer-implemented method of claim 1, wherein:
    - the constraint code monitors a behavior of the computer program.
  - 9. The computer-implemented method of claim 1, wherein:
    - the constraint code saves a context of the computer program and code for restoring a context of the computer program.
  - 10. The computer-implemented method of claim 1, wherein:
    - the constraint code calls a library of detector and/or remediator functions.
  - 11. The computer-implemented method of claim 1, wherein:
    - the constraint code calls a detector for detecting when a vulnerability is invoked in the computer program.
  - 12. The computer-implemented method of claim 1, wherein:
    - the constraint code calls a detector for detecting when a vulnerability is invoked in the computer program, and call a remediator, responsive to the detector, for taking remediation action.
  - 13. The computer-implemented method of claim 12, wherein:
    - the detector follows a set of rules defined by an application binary interface (ABI).
  - 14. The computer-implemented method of claim 12, wherein:
    - the remediator follows a set of rules defined by an application binary interface (ABI).
  - 15. The computer-implemented method of claim 12, wherein:
    - the constraint code includes a set of support functions accessible to the detector and remediator.
  - 16. The computer-implemented method of claim 1, further comprising:
    - dynamically switching the constraint code, as the computer program is running, between a detection mode in which invocation of a vulnerability in a computer program is detected, but no remediation action is taken, and a protection mode, in which invocation of the vulnerability in the computer program is detected, and remediation action is taken in response thereto.
  - 17. The computer-implemented method of claim 1, wherein:
    - the constraint code provides a black box constraint.
  - 18. The computer-implemented method of claim 1, wherein:
    - the constraint code provides a parameter-exposed constraint.
  - 19. The computer-implemented method of claim 1, wherein:
    - the constraint code provides a GUI-exposed constraint.
  - 20. The computer-implemented method of claim 1, wherein:
    - the constraint code provides a customer-developed constraint.
  - 21. The computer-implemented method of claim 1, wherein:
    - the constraint code comprises an arbitrary code block.
  - 22. The computer-implemented method of claim 1, wherein:
    - the constraint code comprises a restricted code block.
  - 23. The computer-implemented method of claim 1, further comprising:
    - providing a validation routine for API interception.
  - 24. The computer-implemented method of claim 1, further comprising:
    - the constraint code provides filtering of inputs to the computer program.
  - 25. The computer-implemented method of claim 1, wherein:
    - the patch point is identified based on an offset from a starting address of a module of the computer program.
  - 26. The computer-implemented method of claim 1, wherein:
    - the patch point is identified based on an absolute address of a module of the computer program.
  - 27. The computer-implemented method of claim 1, wherein:
    - the patch point is identified based on an offset from a symbolic address of a module of the computer program.
  - 28. The computer-implemented method of claim 1, wherein:
    - the patch point is identified based on API interception hook.
  - 29. The computer-implemented method of claim 1, wherein:
    - the patch point is identified based on a system call hook.
  - 30. The computer-implemented method of claim 1, wherein:
    - the patch point is identified based on a code pattern match hook.
  - 31. The computer-implemented method of claim 1, wherein:
    - the patch point is identified based on multiple identification modes.
  - 32. The computer-implemented method of claim 1, wherein:
    - the constraint code is inserted into the computer program using a trampoline.
  - 33. The computer-implemented method of claim 1, wherein:
    - the constraint code is inserted into the computer program by expanding a portion of the computer program in a cache.
  - 34. The computer-implemented method of claim 1, wherein:
    - the constraint code is inserted into the computer program using a binary rewrite.
  - 35. The computer-implemented method of claim 1, wherein:
    - the constraint code is inserted into the computer program using an object code rewrite.
  - 36. The computer-implemented method of claim 1, wherein:
    - the computer program comprises byte code, and the constraint code is inserted into the computer program by modifying the byte code.
  - 37. The computer-implemented method of claim 1, wherein:
    - the constraint code is inserted into the computer program at an application- or system-defined interception point.
  - 38. The computer-implemented method of claim 1, wherein:
    - the constraint code is inserted into the computer program using a loader rewrite.
  - 39. The computer-implemented method of claim 1, wherein:
    - the constraint code is inserted into the computer program using a system call shim.
  - 40. The computer-implemented method of claim 1, further comprising:
    - providing at least one descriptor for the constraint code that provides information on how the constraint code is to be used.
  - 41. The computer-implemented method of claim 1, wherein:
    - the constraint code follows a set of rules defined by an application binary interface (ABI).
  - 42. The computer-implemented method of claim 1, wherein:
    - the constraint code comprises assembly code or machine instructions.
  - 43. The computer-implemented method of claim 1, wherein:
    - the constraint code uses a function of a library.
  - 44. The computer-implemented method of claim 43, wherein:
    - the library comprises a dynamic link library (DLL).
  - 45. The computer-implemented method of claim 1, wherein:
    - the constraint code uses a machine instruction function object.
  - 46. The computer-implemented method of claim 1, wherein:
    - the constraint code is provided as a code block which is inlined into the computer program.
  - 47. The computer-implemented method of claim 1, wherein:
    - the constraint code is provided as a code block which replaces an existing code block in the computer program.
  - 48. The computer-implemented method of claim 1, further comprising:
    - implementing a constraint application policy to determine which applications the constraint code should be inserted into.
  - 49. The computer-implemented method of claim 1, further comprising:
    - providing status information regarding the constraint.
  - 50. The computer-implemented method of claim 1, further comprising:
    - providing statistical information regarding the constraint.
  - 51. The computer-implemented method of claim 1, further comprising:
    - injecting a constraint of the constraint code into the computer program when at least one library of the computer program matches a vulnerability.
  - 52. The computer-implemented method of claim 1, further comprising:
    - injecting a constraint of the constraint code into the computer program when requirements of a vulnerability are satisfied.
  - 53. The computer-implemented method of claim 1, further comprising:
    - flushing the constraint code to remove a fix offered by a policy.
  - 54. The computer-implemented method of claim 1, further comprising:
    - verifying an integrity of the constraint code using a signature.
  - 55. The computer-implemented method of claim 1, further comprising:
    - verifying an integrity of the constraint code using a hash.
  - 56. The computer-implemented method of claim 1, wherein:
    - the inserting comprises copying a code fragment of the computer program to a cache, and inserting at least one instruction of the constraint code into the code fragment in the cache, between the instructions of the computer program.
  - 57. The computer-implemented method of claim 56, wherein:
    - the at least one instruction of the constraint code calls a gateway, which calls a library of detector and/or remediator functions.
  - 58. The computer-implemented method of claim 57, wherein:
    - the gateway returns the control flow to the code fragment.
  - 59. The computer-implemented method of claim 1, wherein:
    - the inserting comprises replacing at least one instruction of the computer program with at least one instruction of the constraint code, and storing the at least one replaced instruction at a gateway.
  - 60. The computer-implemented method of claim 59, wherein:
    - the at least one instruction of the constraint code calls the gateway, which calls a library of detector and/or remediator functions, and executes the at least one replaced instruction.
  - 61. The computer-implemented method of claim 60, wherein:
    - the gateway returns the control flow to the code fragment.
  - 62. The computer-implemented method of claim 59, wherein:
    - the replacing is performed in a memory in which a code fragment which contains the at least one replaced instruction is stored, without copying the code fragment to a new location.
  - 63. The computer-implemented method of claim 59, wherein:
    - the at least one instruction of the constraint code calls the gateway, which invokes a routine for managing the constraint code, and executes the at least one replaced instruction.
  - 64. The computer-implemented method of claim 63, wherein:
    - the gateway returns the control flow to the code fragment.
  - 65. The computer-implemented method of claim 63, wherein:
    - the routine for managing the constraint code installs a new constraint.
  - 66. The computer-implemented method of claim 63, wherein:
    - the routine for managing the constraint code deactivates an active constraint.
  - 67. The computer-implemented method of claim 63, wherein:
    - the routine for managing the constraint code detects the loading of a new library by the computer program.
  - 68. The computer-implemented method of claim 63, wherein:
    - the routine for managing the constraint code determines which constraints are applicable to the computer program.
  - 69. The computer-implemented method of claim 63, wherein:
    - the at least one replaced instruction is a commonly executed instruction of the computer program.
  - 70. The computer-implemented method of claim 1, further comprising:
    - dynamically turning the constraint code on or off as the computer program is running.
  - 71. The computer-implemented method of claim 1, wherein:
    - the constraint code is inserted into the computer program at a plurality of patch points, each of the plurality of patch points calling a corresponding detector and/or remediator function.

72. A computer-implemented method for protecting software, comprising:
- identifying a vulnerability in a computer program;
  
  developing a constraint for eliminating the vulnerability, the constraint comprising code which is inserted into the computer program at a specified point; and
  
  releasing the constraint to at least one customer.
- View Dependent Claims (73, 74, 75)
- - 73. The computer-implemented method of claim 72, wherein:
    - the vulnerability is identified from a proof of concept exploit.
  - 74. The computer-implemented method of claim 72, wherein:
    - the vulnerability is identified from a released patch.
  - 75. The computer-implemented method of claim 72, wherein:
    - the vulnerability is identified from a released attack.

76. One or more processor readable storage devices having processor readable code embodied thereon for programming one or more processors to perform a method for protecting a software program comprising:
- inserting constraint code into a computer program to be protected at a patch point which is between instructions of the computer program; and
  
  executing the constraint code when a control flow of the computer program reaches the patch point.
- View Dependent Claims (77, 78, 79, 80, 81, 82)
- - 77. The one or more processor readable storage devices of claim 76, wherein:
    - the constraint code calls a detector for detecting when a vulnerability is invoked in the computer program, and call a remediator, responsive to the detector, for taking remediation action.
  - 78. The one or more processor readable storage devices of claim 76, wherein the method performed further comprises:
    - dynamically switching the constraint code, as the computer program is running, between a detection mode in which invocation of a vulnerability in a computer program is detected, but no remediation action is taken, and a protection mode, in which invocation of the vulnerability in the computer program is detected, and remediation action is taken in response thereto.
  - 79. The one or more processor readable storage devices of claim 76, wherein:
    - the inserting comprises copying a code fragment of the computer program to a cache, and inserting at least one instruction of the constraint code into the code fragment in the cache, between the instructions of the computer program.
  - 80. The one or more processor readable storage devices of claim 79, wherein:
    - the at least one instruction of the constraint code calls a gateway, which calls a library of detector and/or remediator functions.
  - 81. The one or more processor readable storage devices of claim 76, wherein:
    - the inserting comprises replacing at least one instruction of the computer program with at least one instruction of the constraint code, and storing the at least one replaced instruction at a gateway.
  - 82. The one or more processor readable storage devices of claim 81, wherein:
    - the at least one instruction of the constraint code calls the gateway, which calls a library of detector and/or remediator functions, and executes the at least one replaced instruction.

83. A computer-implemented system for protecting software, comprising:
- one or more storage devices; and
  
  one or more processors in communication with said one or more storage devices, said one or more processors performing a method comprising;
  
  inserting constraint code into a computer program to be protected at a patch point which is between instructions of the computer program; and
  
  executing the constraint code when a control flow of the computer program reaches the patch point.
- View Dependent Claims (84, 85, 86, 87, 88, 89)
- - 84. The computer-implemented system of claim 83, wherein:
    - the constraint code calls a detector for detecting when a vulnerability is invoked in the computer program, and call a remediator, responsive to the detector, for taking remediation action.
  - 85. The computer-implemented system of claim 83, wherein the method performed further comprises:
    - dynamically switching the constraint code, as the computer program is running, between a detection mode in which invocation of a vulnerability in a computer program is detected, but no remediation action is taken, and a protection mode, in which invocation of the vulnerability in the computer program is detected, and remediation action is taken in response thereto.
  - 86. The computer-implemented system of claim 83, wherein:
    - the inserting comprises copying a code fragment of the computer program to a cache, and inserting at least one instruction of the constraint code into the code fragment in the cache, between the instructions of the computer program.
  - 87. The computer-implemented system of claim 86, wherein:
    - the at least one instruction of the constraint code calls a gateway, which calls a library of detector and/or remediator functions.
  - 88. The computer-implemented system of claim 83, wherein:
    - the inserting comprises replacing at least one instruction of the computer program with at least one instruction of the constraint code, and storing the at least one replaced instruction at a gateway.
  - 89. The computer-implemented system of claim 88, wherein:
    - the at least one instruction of the constraint code calls the gateway, which calls a library of detector and/or remediator functions, and executes the at least one replaced instruction.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
Massachusetts Institute of Technology
Inventors
Kiriansky, Vladimir L., Bruening, Derek L., Amarasinghe, Saman P., Garnett, Tim, Chandramohan, Bharath, Renert, Charles, Wu, Warren, Wilbourn, Sandy

Granted Patent

US 7,945,958 B2
Time in Patent Office

Days
Field of Search
US Class Current

717/168
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/577   Assessing vulnerabilities a...

CONSTRAINT INJECTION SYSTEM FOR IMMUNIZING SOFTWARE PROGRAMS AGAINST VULNERABILITIES AND ATTACKS

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

203 Citations

89 Claims

Specification

Solutions

Use Cases

Quick Links

CONSTRAINT INJECTION SYSTEM FOR IMMUNIZING SOFTWARE PROGRAMS AGAINST VULNERABILITIES AND ATTACKS

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

203 Citations

89 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links