System and method for inspecting dynamically generated executable code
Abstract
A method for protecting a client computer from dynamically generated malicious content, including receiving at a gateway computer content being sent to a client computer for processing, the content including a call to an original function, and the call including an input, modifying the content at the gateway computer, including replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection, transmitting the modified content from the gateway computer to the client computer, processing the modified content at the client computer, transmitting the input to the security computer for inspection when the substitute function is invoked, determining at the security computer whether it is safe for the client computer to invoke the original function with the input, transmitting an indicator of whether it is safe for the client computer to invoke the original function with the input, from the security computer to the client computer, and invoking the original function at the client computer with the input, only if the indicator received from the security computer indicates that such invocation is safe. A system and a computer-readable storage medium are also described and claimed.
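As an added illustration (not code from the patent or its assignee), the following Node.js script models the claimed flow in a single process: a gateway rewrite step, a substitute function that hands its input to an inspection routine and waits for the indicator, and invocation of the original function only when the indicator says the call is safe. Taking `eval` as the original function, and the names `gatewayModify`, `securityInspect`, `makeClient` and `run`, are assumptions of this example; the inspection rule is a constructed placeholder, since the claims leave the policy open.

```javascript
// Gateway: replace each call to the original function with a call to the
// substitute. `eval` as the original function is an assumption for this example;
// a word-boundary regex stands in for a real parser.
function gatewayModify(content, original = 'eval', substitute = '__inspectEval') {
  const call = new RegExp('\\b' + original + '\\s*\\(', 'g');
  return content.replace(call, substitute + '(');
}

// Security computer: inspect the input and return the indicator. The rule is a
// constructed placeholder; the claims do not fix the inspection policy.
function securityInspect(input) {
  const risky = [/ActiveXObject/, /document\.cookie/];
  return { safe: !risky.some((p) => p.test(String(input))) };
}

// Client: install the substitute function, which sends the input for inspection
// (a synchronous call here, modelling the suspend/resume of claims 23 and 52)
// and invokes the original only when the indicator says it is safe.
function makeClient(sendToSecurity) {
  const log = [];
  const original = eval; // indirect eval, evaluated in global scope
  const substitute = (input) => {
    const indicator = sendToSecurity(input);
    log.push({ input: String(input), safe: indicator.safe });
    return indicator.safe ? original(input) : undefined; // blocked calls return nothing
  };
  // Run the modified content with the substitute bound to the name the gateway used.
  const process = (modified) => new Function('__inspectEval', modified)(substitute);
  return { log, process };
}

// Constructed sample content: one benign eval and one whose input the placeholder
// policy treats as unsafe (it would instantiate an ActiveX object).
const SAMPLE_CONTENT = [
  'var a = eval("6 * 7");',
  'var b = eval("new ActiveXObject(\'Shell.Application\')");',
  'return [a, b];',
].join('\n');

// End-to-end: gateway rewrite, client processing, inspection log.
function run(content = SAMPLE_CONTENT) {
  const modified = gatewayModify(content);
  const client = makeClient(securityInspect);
  const result = client.process(modified);
  return { modified, result, log: client.log };
}
```

Only the first call reaches the original `eval`; the second is answered with an unsafe indicator and never executes, which is the behaviour claim 1 requires of the client.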
69 Claims
1. A method for protecting a client computer from dynamically generated malicious content, comprising:
receiving at a gateway computer content being sent to a client computer for processing, the content including a call to an original function, and the call including an input;
modifying the content at the gateway computer, comprising replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection;
transmitting the modified content from the gateway computer to the client computer;
processing the modified content at the client computer;
transmitting the input to the security computer for inspection when the substitute function is invoked;
determining at the security computer whether it is safe for the client computer to invoke the original function with the input;
transmitting an indicator of whether it is safe for the client computer to invoke the original function with the input, from the security computer to the client computer; and
invoking the original function at the client computer with the input, only if the indicator received from the security computer indicates that such invocation is safe.
Dependent claims: 2-11.

12. A system for protecting a client computer from dynamically generated malicious content, comprising:
a gateway computer, comprising:
a gateway receiver for receiving content being sent to a client computer for processing, the content including a call to an original function, and the call including an input;
a content modifier for modifying the received content by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection; and
a gateway transmitter for transmitting the modified content from the gateway computer to said client computer;
a security computer, comprising:
a security receiver for receiving the input from said client computer;
an input inspector for determining whether it is safe for said client computer to invoke the original function with the input; and
a security transmitter for transmitting an indicator of the determining to said client computer; and
a client computer communicating with said gateway computer and with said security computer, comprising:
a client receiver for receiving the modified content from said gateway computer, and for receiving the indicator from said security computer;
a content processor for processing the modified content, and for invoking the original function only if the indicator indicates that such invocation is safe; and
a client transmitter for transmitting the input to said security computer for inspection, when the substitute function is invoked.
Dependent claims: 13-22.

23. A computer-readable storage medium storing program code for causing at least one computing device to:
receive content including a call to an original function, and the call including an input;
replace the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection, thereby generating modified content;
process the modified content;
transmit the input for inspection, when the substitute function is invoked while processing the modified content, and suspend processing of the modified content;
determine whether it is safe for a computer to invoke the original function with the input;
transmit an indicator of whether it is safe to invoke the original function with the input; and
resume processing of the modified content after receiving the indicator, and invoke the original function with the input only if the indicator indicates that such invocation is safe.
24. A method for protecting a client computer from dynamically generated malicious content, comprising:
receiving content being sent to a client computer for processing, the content including a call to an original function, and the call including an input;
modifying the content, comprising replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection; and
transmitting the modified content to the client computer for processing.
Dependent claims: 25-27.

28. A system for protecting a client computer from dynamically generated malicious content, comprising:
a receiver for receiving content being sent to a client computer for processing, the content including a call to an original function, and the call including an input;
a content modifier for modifying the received content by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection; and
a transmitter for transmitting the modified content to the client computer.
Dependent claims: 29-31.

32. A computer-readable storage medium storing program code for causing a computing device to:
receive content including a call to an original function, and the call including an input; and
replace the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection.
33. A method for protecting a client computer from dynamically generated malicious content, comprising:
receiving content being sent to a client computer for processing, the content including a call to an original function, and the call including an input;
modifying the content, comprising replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection;
transmitting the modified content to the client computer for processing;
receiving the input from the client computer;
determining whether it is safe for the client computer to invoke the original function with the input; and
transmitting to the client computer an indicator of whether it is safe for the client computer to invoke the original function with the input.
Dependent claims: 34-39.

40. A system for protecting a client computer from dynamically generated malicious content, comprising:
a receiver (i) for receiving content being sent to a client computer for processing, the content including a call to an original function, and the call including an input, and (ii) for receiving the input from the client computer;
a content modifier for modifying the received content by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection;
an input inspector for determining whether it is safe for the client computer to invoke the original function with the input; and
a transmitter (i) for transmitting the modified content to the client computer, and (ii) for transmitting an indicator of the determining to the client computer.
Dependent claims: 41-46.

47. A computer-readable storage medium storing program code for causing a computing device to:
receive content including a call to an original function, and the call including an input;
replace the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection; and
determine whether it is safe for a computer to invoke the original function with the input.
48. A method for protecting a computer from dynamically generated malicious content, comprising:
processing content received over a network, the content including a call to a first function, and the call including an input;
transmitting the input to a security computer for inspection, when the first function is invoked;
receiving from the security computer an indicator of whether it is safe to invoke a second function with the input; and
invoking the second function with the input, only if the indicator indicates that such invocation is safe.
Dependent claim: 49.

50. A system for protecting a computer from dynamically generated malicious content, comprising:
a content processor (i) for processing content received over a network, the content including a call to a first function, and the call including an input, and (ii) for invoking a second function with the input, only if a security computer indicates that such invocation is safe;
a transmitter for transmitting the input to the security computer for inspection, when the first function is invoked; and
a receiver for receiving an indicator from the security computer whether it is safe to invoke the second function with the input.
Dependent claim: 51.

52. A computer-readable storage medium storing program code for causing a computing device to:
process content received over a network, the content including a call to a first function, and the call including an input;
transmit the input for inspection, when the first function is invoked, and suspend processing of the content;
receive an indicator of whether it is safe to invoke a second function with the input; and
resume processing of the content after receiving the indicator, and invoke the second function with the input only if the indicator indicates that such invocation is safe.
53. A method for protecting a client computer from dynamically generated malicious content, comprising:
receiving an input from a client computer;
determining whether it is safe for the client computer to invoke a function with the input; and
transmitting an indicator of said determining to the client computer.
Dependent claims: 54-60.

61. A system for protecting a client computer from dynamically generated malicious content, comprising:
a receiver for receiving an input from a client computer;
an input inspector for determining whether it is safe for the client computer to invoke a function with the input; and
a transmitter for transmitting an indicator of the determining to the client computer.
Dependent claims: 62-68.

69. A computer-readable storage medium storing program code for causing a computing device to:
receive an input from a computer;
determine whether it is safe for the computer to invoke a function with the input; and
transmit an indicator of the determination to the computer.