VULNERABILITY SHIELD SYSTEM

US 20100024035A1
Filed: 07/23/2009
Published: 01/28/2010
Est. Priority Date: 07/26/2008
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method comprising:

recognizing that a first software module is being loaded into a first operating system process running on a computer;

checking to see if the first software module is a known vulnerable software module andif the first software module is a known vulnerable software module then marking the first operating system process as a vulnerable process, andif the first software module is not a known vulnerable software module then checking to see if the first software module is marked do not run andif the first software module is marked do not run then blocking the first software module from loading;

recognizing that a new file is being written in the computer by the first operating system process; and

checking to see if the new file is an executable file andif the new file is an executable file then checking to see if the first operating system process is marked as a vulnerable process, andif the first operating system process is marked as a vulnerable process then marking the new file as a second software module marked as do not run.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security against computer software attacks is provided by blocking the use of known software vulnerabilities by attackers. Rather than merely discovering attacking software after it has installed itself into a computer system as in the prior art, software with a known vulnerability is monitored so that when it takes a potentially dangerous action, such as creating new attack software, that new attack software is marked and then prevented from loading. If the newly attack software cannot load, it cannot execute thus thwarting use of the newly written software to perform whatever nefarious act was intended by the attacker.

12 Citations

View as Search Results

24 Claims

1. A computer implemented method comprising:
- recognizing that a first software module is being loaded into a first operating system process running on a computer;
  
  checking to see if the first software module is a known vulnerable software module andif the first software module is a known vulnerable software module then marking the first operating system process as a vulnerable process, andif the first software module is not a known vulnerable software module then checking to see if the first software module is marked do not run andif the first software module is marked do not run then blocking the first software module from loading;
  
  recognizing that a new file is being written in the computer by the first operating system process; and
  
  checking to see if the new file is an executable file andif the new file is an executable file then checking to see if the first operating system process is marked as a vulnerable process, andif the first operating system process is marked as a vulnerable process then marking the new file as a second software module marked as do not run.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer implemented method of claim 1 further comprising:
    - recognizing that the second software module is being loaded into the first operating system process or a second operating system process running on the computer; and
      
      checking to see if the second software module is a known vulnerable software module andif the second software module is a known vulnerable software module then marking as a vulnerable process whichever of the first operating system process or the second operating process the second software module is being loaded into, andif the second software module is not a known vulnerable software module then checking to see if the second software module is marked do not run andif the second software module is marked do not run then blocking the second software module from loading.
  - 3. The computer implemented method of claim 1 wherein recognizing that a first software module is being loaded into a first operating system process running on a computer is accomplished by monitoring the operating system for a module load event.
  - 4. The computer implemented method of claim 1 wherein checking to see if the first software module is a known vulnerable software module is accomplished by checking to see if a name of the first software module matches a name on a list of known vulnerable software modules.
  - 5. The computer implemented method of claim 1 wherein marking the first operating system process a vulnerable process is accomplished by adding an identifier of the first operating system process to a list of vulnerable processes.
  - 6. The computer implemented method of claim 1 wherein checking to see if the first software module is marked do not run is accomplished by checking to see if a name of the first software module matches a name on a list of do not run modules.
  - 7. The computer implemented method of claim 1 wherein blocking the first software module from loading is accomplished by causing a module load process of the operating system to return a failure code.
  - 8. The computer implemented method of claim 1 wherein recognizing that a new file is being written in the computer by the first operating system process is accomplished by detecting that the operating system is performing a file write or file name change.
  - 9. The computer implemented method of claim 1 wherein checking to see if the first operating system process is marked as a vulnerable process is accomplished by checking to see if an identifier of the first operating system process matches an identifier on a list of vulnerable processes.
  - 10. The computer implemented method of claim 1 wherein marking the new file as a second software module marked do not run is accomplished by adding a name of the second software module to a list of do not run modules.

11. A computer implemented method comprising:
- recognizing that a first software module is being loaded into a first operating system process running on a computer;
  
  checking to see if the first software module is a known vulnerable software module andif the first software module is a known vulnerable software module thenchecking to see if a vulnerable function is known to exist within the known vulnerable software module andif a vulnerable function is known to exist within the known vulnerable software module then marking the first operating system as a vulnerable process if the vulnerable function is used andif a vulnerable function is not known to exist within the known vulnerable software module then marking the first operating system process as a vulnerable process, andif the first software module is not a known vulnerable software module then checking to see if the first software module is marked do not run andif the first software module is marked do not run then blocking the first software module from loading;
  
  recognizing that a new file is being written in the computer by the first operating system process; and
  
  checking to see if the new file is an executable file andif the new file is an executable file then checking to see if the first operating system process is marked as a vulnerable process, andif the first operating system process is marked as a vulnerable process then marking the new file as a second software module marked as do not run.

12. A computer implemented method comprising:
- determining that a first software module is being loaded into a first operating system process running on a computer;
  
  confirming that the first software module is a known vulnerable software module;
  
  marking the first operating system process as a vulnerable process;
  
  determining that the first operating system process is writing a second software module;
  
  confirming that the first operating system process is marked as a vulnerable process;
  
  marking the second software module as do not run;
  
  recognizing that the second software module is being loaded into the first operating system process or a second operating system process running on the computer;
  
  confirming that the second software module is marked as do not run; and
  
  blocking the second software module from loading.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The computer implemented method of claim 12 wherein determining that a first software module is being loaded into a first operating system process running on a computer is accomplished by monitoring the operating system for a module load event.
  - 14. The computer implemented method of claim 12 wherein confirming that the first software module is a known vulnerable software module is accomplished by confirming that a name of the first software module matches a name on a list of known vulnerable software modules.
  - 15. The computer implemented method of claim 12 wherein marking the first operating system process as a vulnerable process is accomplished by adding an identifier of the first operating system process to a list of vulnerable processes.
  - 16. The computer implemented method of claim 12 wherein determining that the first operating system process is writing a second software module is accomplished by detecting that the operating system is performing a file write or file name change for a file that includes executable program code.
  - 17. The computer implemented method of claim 12 wherein confirming that the first software module is running in the first operating system process marked as a vulnerable process is accomplished by confirming that an identifier of the first operating system process matches an identifier on a list of vulnerable processes.
  - 18. The computer implemented method of claim 12 wherein marking the second software module as do not run is accomplished by adding a name of the second software module to a list of do not run modules.
  - 19. The computer implemented method of claim 12 wherein recognizing that the second software module is being loaded into the first operating system process or a second operating system process running on the computer is accomplished by monitoring the computer operating system for a module load event.
  - 20. The computer implemented method of claim 12 wherein confirming that the second software module is marked as do not run is accomplished by confirming that a name of the second software module matches a name on a list of do not run modules.
  - 21. The computer implemented method of claim 12 wherein blocking the second software module from loading is accomplished by causing a module load process of the operating system to return a failure code.

22. A computer readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method comprising:
- recognizing that a first software module is being loaded into a first operating system process running on a computer;
  
  checking to see if the first software module is a known vulnerable software module andif the first software module is a known vulnerable software module then marking the first operating system process as a vulnerable process, andif the first software module is not a known vulnerable software module then checking to see if the first software module is marked do not run andif the first software module is marked do not run then blocking the first software module from loading;
  
  recognizing that a new file is being written in the computer by the first operating system process; and
  
  checking to see if the new file is an executable file andif the new file is an executable file then checking to see if the first operating system process is marked as a vulnerable process, andif the first operating system process is marked as a vulnerable process then marking the new file as a second software module marked as do not run.

23. A computer readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method comprising:
- determining that a first software module is being loaded into a first operating system process running on a computer;
  
  confirming that the first software module is a known vulnerable software module;
  
  marking the first operating system process as a vulnerable process;
  
  determining that the first operating system process is writing a second software module;
  
  confirming that the first operating system process is marked as a vulnerable process;
  
  marking the second software module as do not run;
  
  recognizing that the second software module is being loaded into the first operating system process or a second operating system process running on the computer;
  
  confirming that the second software module is marked as do not run; and
  
  blocking the second software module from loading.

24. A computer implemented method comprising:
- recognizing that a first software module is being loaded into a first operating system process running on a computer;
  
  checking to see if the first software module is a known vulnerable software module andif the first software module is a known vulnerable software module thenchecking to see if a vulnerable function is known to exist within the known vulnerable software module andchecking to see if a vulnerable parameter for the vulnerable function has a known parameter pattern andif the vulnerable function is used and its vulnerable parameter value matches the known parameter pattern then marking the first operating system process as a vulnerable process, andif a vulnerable function pattern is not known to exist within the known vulnerable software module then marking the first operating system process as a vulnerable process, andif the first software module is not a known vulnerable software module then checking to see if the first software module is marked do not run andif the first software module is marked do not run then blocking the first software module from loading;
  
  recognizing that a new file is being written in the computer by the first operating system process; and
  
  checking to see if the new file is an executable file andif the new file is an executable file then checking to see if the first operating system process is marked as a vulnerable process, andif the first operating system process is marked as a vulnerable process then marking the new file as a second software module marked as do not run.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Greencastle Technology Incorporated
Original Assignee
Greencastle Technology Incorporated
Inventors
Wallace, David R.

Granted Patent

US 8,763,129 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/629   to features or functions of...

VULNERABILITY SHIELD SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

12 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

VULNERABILITY SHIELD SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links