Universal patching machine

US 20080052703A1
Filed: 10/12/2007
Published: 02/28/2008
Est. Priority Date: 01/03/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for protecting a computer network by using a universal patching machine implemented on a network appliance to detect and fix vulnerability violations in data traffic flowing through the network appliance between a communications network and the computer network, wherein the universal patching machine includes patch processors and a packet controller, the method comprising:

forming the patch processors in the universal patching machine from a plurality of network patches;

receiving the data traffic with the universal patching machine;

using the patch processors to detect vulnerability violations in the received data traffic;

when a vulnerability violation is detected in the data traffic by the patch processors, using the patch processors to issue a modification command to the packet controller that directs the packet controller to fix the data traffic and remove the vulnerability violation; and

using the universal patching machine to provide the fixed data traffic to the computer network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A universal patching machine is used to provide security for a computer system. A conversion function is generated for the patching machine that modifies input data to the computer system so that the computer system has an output and state that match the output and state that would be produced by a vendor-patched version of the computer system. The universal patching machine detects security vulnerabilities in intercepted data traffic. If a vulnerability violation is detected, the universal patching machine modifies the data traffic to remove the violation. Fixing the data traffic in this way ensures that the vulnerability cannot be exploited in an attack against the data network. The universal patching machine is formed from patch processors and a packet controller. The patch processors are formed from network patches. In operation, the patch processors detect vulnerabilities and issue modification commands that direct the packet controller to fix the data traffic.

35 Citations

View as Search Results

18 Claims

1. A method for protecting a computer network by using a universal patching machine implemented on a network appliance to detect and fix vulnerability violations in data traffic flowing through the network appliance between a communications network and the computer network, wherein the universal patching machine includes patch processors and a packet controller, the method comprising:
- forming the patch processors in the universal patching machine from a plurality of network patches;
  
  receiving the data traffic with the universal patching machine;
  
  using the patch processors to detect vulnerability violations in the received data traffic;
  
  when a vulnerability violation is detected in the data traffic by the patch processors, using the patch processors to issue a modification command to the packet controller that directs the packet controller to fix the data traffic and remove the vulnerability violation; and
  
  using the universal patching machine to provide the fixed data traffic to the computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method defined in claim 1 further comprising:
    - identifying vulnerabilities that need network patching before forming the patch processors; and
      
      determining which network patches are needed by the patch processors to detect and fix the identified vulnerabilities, wherein forming the patch processors in the universal patching machine comprises forming the patch processors in the universal patching machine from the network patches needed to detect and fix the identified vulnerabilities.
  - 3. The method defined in claim 1 wherein each network patch comprises state machine logic and functions that detect and fix the vulnerability violations and wherein forming the patch processors comprises merging the state machine logic from a plurality of network patches to form a unified state machine.
  - 4. The method defined in claim 3 wherein merging the state machine logic comprises eliminating duplicative state machine logic when forming the unified state machine.
  - 5. The method defined in claim 1 wherein each network patch comprises state machine logic, the method further comprising fixing the data traffic to remove the vulnerability violations while using new network patch state machine logic for new sessions in the data traffic and old network patch state machine logic for old sessions in the data traffic.
  - 6. The method defined in claim 1 further comprising updating the universal patching machine without disrupting the flow of the data traffic by selecting a point in time at which to apply a new set of network patches with the universal patching machine that does not disrupt the flow of the data traffic.
  - 7. The method defined in claim 1 wherein the universal patching machine operates on the data traffic at multiple network layers, the method further comprising using the patch processors to process the data traffic at network layers 6 and 7.
  - 8. The method defined in claim 1 wherein the packet controller operates on the data traffic at multiple network layers, the method further comprising using the packet controller to process the data traffic one or more network layers below network layer 5.
  - 9. The method defined in claim 1 wherein the patch processors and packet controller operate on the data traffic at multiple network layers, the method further comprising using the patch processors to process the data traffic at network layers 5, 6, and 7 and using the packet controller to process the data traffic at one or more network layers below network layer 5.
  - 10. The method defined in claim 1 further comprising using the universal patching machine to determine at network layer 3 whether to forward the data traffic to the computer network without processing by the patch processors or whether to route the data traffic to the patch processors to detect vulnerability violations.
  - 11. The method defined in claim 1 wherein a client computer is connected to the communications network and wherein the computer network includes a server, the method further comprising using the packet controller to determine whether to forward the data traffic without processing by the patch processors by determining whether the data traffic is destined to the client computer or to the server.
  - 12. The method defined in claim 1 wherein the patch processors and packet controller operate on the data traffic at multiple network layers, the method comprising:
    - identifying a block of data traffic that is to be forwarded without processing by the patch processors at network layers 6 and 7;
      
      specifying a start location and block size for the block of the data traffic that is to be forwarded without processing by the patch processors at network layers 6 and 7; and
      
      forwarding the block of the data traffic to the computer network without processing by the patch processors at network layers 6 and 7.
  - 13. The method defined in claim 1 wherein the patch processors and packet controller operate on the data traffic at multiple network layers, the method comprising:
    - identifying a block of data traffic that is to be forwarded without processing by the patch processors at network layers 6 and 7;
      
      specifying an ending pattern for the block of the data traffic that is to be forwarded without processing by the patch processors at network layers 6 and 7; and
      
      forwarding the block of the data traffic to the computer network without processing by the patch processors at network layers 6 and 7.
  - 14. The method defined in claim 1 wherein the computer network comprises a plurality of computers and wherein at least one of the computers in the computer network has an installed vendor patch, the method comprising using the packet controller to forward at least some of the data traffic that is destined to the computer with the installed vendor patch to that computer without processing by the patch processors.
  - 15. The method defined in claim 1 wherein the modification command directs the packet controller to change at least one byte in the data traffic, the method further comprising using the packet controller to fix the data traffic by changing the byte in the data traffic in response to the modification command.
  - 16. The method defined in claim 1 wherein the universal patching machine includes machine code helper functions and wherein forming the patch processors comprises using the machine code helper functions to merge state machine logic from the plurality of network patches to form a unified state machine.
  - 17. The method defined in claim 1 wherein the universal patching machine includes packet controller configuration data, the method further comprising using access policies in the packet controller configuration data to instruct the packet controller whether to route the data traffic to the patch processors or to output the data traffic from the universal patching machine without processing by the patch processors.
  - 18. The method defined in claim 1 further comprising using IP address and port information in determining whether the packet controller routes the data traffic to the patch processors or outputs the data traffic from the universal patching machine without processing by the patch processors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VMware, Inc. (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Panjwani, Dileep

Application Number

US11/974,423
Publication Number

US 20080052703A1
Time in Patent Office

Days
Field of Search
US Class Current

717/171
CPC Class Codes

G06F 21/85 interconnection devices, e....

H04L 63/1433 Vulnerability analysis

Universal patching machine

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Universal patching machine

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links