Filtering kernel-mode network communications

US 20090006847A1
Filed: 06/28/2007
Published: 01/01/2009
Est. Priority Date: 06/28/2007
Status: Active Grant

First Claim

Patent Images

1. At least one computer-readable medium encoded with a plurality of instructions that when executed perform a method in a computer environment that comprises a computer network to which the computer system is coupled, the method comprising acts of:

(A) determining whether a process that is executing on the computer system and attempting to send and/or receive data over the computer network is executing in an operating system kernel mode of the computer system; and

(B) notifying at least one security engine in the computer environment of the determination made in the act (A).

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data, or is attempting to send or receive data, with another computer system is executing in kernel mode or user mode and providing an indicator of this determination to a security engine. In some embodiments, such an indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and filter communications based on a process'"'"' operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve security of a computer system.

26 Citations

View as Search Results

20 Claims

1. At least one computer-readable medium encoded with a plurality of instructions that when executed perform a method in a computer environment that comprises a computer network to which the computer system is coupled, the method comprising acts of:
- (A) determining whether a process that is executing on the computer system and attempting to send and/or receive data over the computer network is executing in an operating system kernel mode of the computer system; and
  
  (B) notifying at least one security engine in the computer environment of the determination made in the act (A).
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The at least one computer-readable medium of claim 1, wherein the act (A) comprises examining a hash table storing information for at least some processes executing on the computer system indicating whether each of the at least some processes is executing in the operating system'"'"'s kernel mode.
  - 3. The at least one computer-readable medium of claim 1, wherein the computer environment further comprises at least one second computer system coupled to the computer system via the computer network, and wherein the at least one security engine establishes at least one security policy performs at least one filtering function on at least one communication passing between the computer system and the at least one second computer system, and wherein the at least one security policy employs the at least one filtering function based on the notification of act (B).
  - 4. The at least one computer-readable medium of claim 3, wherein the at least one security policy for the at least one security engine performs at least one filtering function based on a determination of whether a source for the at least one communication is a kernel mode process for the computer system.
  - 5. The at least one computer-readable medium of claim 3, wherein the at least one security policy for the at least one security engine performs at least one filtering function based on a determination of whether a destination for the at least one communication is a kernel mode process for the computer system.
  - 6. The at least one computer-readable medium of claim 3, wherein the at least one security engine is on the computer system.
  - 7. The at least one computer-readable medium of claim 3, wherein the at least one security engine is on a different computer system in the computer environment than the computer system.

8. A method for use in a computer system operating in a computer environment that further comprises a computer network to which the computer system is coupled, the method comprising:
- (A) determining whether a process that is attempting to send and/or receive at least one communication over the computer network is executing in an operating system kernel mode of the computer system;
  
  (B) notifying at least one security engine in the computer environment of the determination made in the act (A); and
  
  (C) allowing or disallowing the process to perform the operation based on a determination of the security engine.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the operation is a socket operation.
  - 10. The method of claim 8, wherein the act (A) is performed in response to a receipt of the at least one communication by the computer system.
  - 11. The method of claim 8, wherein the computer environment further comprises at least one second computer system coupled to the computer system via the computer network, and wherein the at least one security engine establishes at least one security policy performs at least one filtering function on at least one communication passing between the computer system and the at least one second computer system, and wherein the at least one security policy employs the at least one filtering function based on the notification of act (B).
  - 12. The method of claim 11, wherein the at least one security engine is a firewall.
  - 13. The method of claim 11, wherein the at least one security engine is on the computer system.
  - 14. The method of claim 11, wherein the at least one security engine is on a different computer system in the computer environment than the at least one computer system.

15. A computer environment comprising:
- at least one computer system having at least one process executing thereon that attempts to send and/or receive at least one communication over a computer network, the computer system comprising at least one processor programmed to determine whether the at least one process is executing in an operating system kernel mode of the at least one computer system; and
  
  at least one security engine that establishes at least one security policy that determines at least one filtering function that the at least one security engine performs on at least one communication sent and/or received by the computer system, wherein the at least one security policy employs at least one filtering parameter that is based on a determination of whether a source and/or destination for the at least one communication in the computer system is a process executing in an operating system kernel mode of the computer system.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer environment of claim 15, wherein the security policy is a firewall security policy.
  - 17. The computer environment of claim 16, wherein the firewall security policy comprises at least one firewall rule comprising the at least one filtering parameter.
  - 18. The computer environment of claim 15, wherein the at least one security engine is on the at least one computer system.
  - 19. The computer environment of claim 15, wherein the at least one security engine is on a different computer system in the computer environment than the at least one computer system.
  - 20. The method of claim 15, wherein determining whether the process is executing in an operating system kernel mode of the at least one computer system comprises examining a hash table storing information for at least some processes executing on the at least one computer system indicating whether each of the at least some processes is executing in the operating system'"'"'s kernel mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Khan, Salahuddin, Yariv, Eran, Diaz Cuellar, Gerardo, Abzarian, David

Granted Patent

US 8,341,723 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/164
CPC Class Codes

G06F 21/74   operating in dual or compar...

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Filtering kernel-mode network communications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Filtering kernel-mode network communications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links