CONSTRAINT INJECTION SYSTEM FOR IMMUNIZING SOFTWARE PROGRAMS AGAINST VULNERABILITIES AND ATTACKS

US 20110185433A1
Filed: 04/01/2011
Published: 07/28/2011
Est. Priority Date: 06/07/2005
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine readable storage medium non-transiently storing computer instructions for immunizing a computer program against vulnerabilities and attacks at runtime, the computer instructions comprising:

a node manager in communication with a central management console and configured to dynamically load a constraint library into a computer program while the computer program is running, the constraint library containing a constraint;

a managed program execution engine configured to insert constraint code associated with the constraint of the loaded library into the computer program while the computer program is running, the constraint code comprising machine instructions that correct a flaw of the computer program, the flaw being a security vulnerability or a bug; and

a constraint management engine in communication with the node manager and the managed program execution engine, the constraint management engine being configured to dynamically turn the constraint code of the loaded constraint library on or off as the computer program is running, in response to user input.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A constraint is inserted into a program to address a vulnerability of the program to attacks. The constraint includes a segment of code that determines when the program has been asked to execute a “corner case” which does not occur in normal operations. The constraint code can access a library of detector and remediator functions to detect various attacks and remediate against them. Optionally, the detector can be employed without the remediator for analysis. The context of the program can be saved and restored if necessary to continue operating after remediation is performed. The constraints can include descriptors, along with machine instructions or byte code, which indicate how the constraints are to be used.

Citations

20 Claims

1. A non-transitory machine readable storage medium non-transiently storing computer instructions for immunizing a computer program against vulnerabilities and attacks at runtime, the computer instructions comprising:
- a node manager in communication with a central management console and configured to dynamically load a constraint library into a computer program while the computer program is running, the constraint library containing a constraint;
  
  a managed program execution engine configured to insert constraint code associated with the constraint of the loaded library into the computer program while the computer program is running, the constraint code comprising machine instructions that correct a flaw of the computer program, the flaw being a security vulnerability or a bug; and
  
  a constraint management engine in communication with the node manager and the managed program execution engine, the constraint management engine being configured to dynamically turn the constraint code of the loaded constraint library on or off as the computer program is running, in response to user input.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The machine readable storage medium of claim 1, wherein when the constraint code is off, machine instructions that correct the flow of the computer program are not called and when the constraint code is on, machine instructions that correct the flaw of the computer program are called.
  - 3. The machine readable storage medium of claim 1, wherein the constraint library is loaded into the computer program and dynamically turned on without restarting of the computer program.
  - 4. The machine readable storage medium of claim 1, wherein the constraint code is inserted in computer program instructions of the computer program that reside in a memory of a computer system executing the computer program.
  - 5. The machine readable storage medium of claim 1, wherein the managed program execution engine manages a code cache, wherein a code fragment of the computer program is modified to insert one or more instructions of the constraint code to call the constraint in the dynamically loaded library.
  - 6. The machine readable storage medium of claim 5, wherein a user input specifies a location to insert the one or more instructions of the constraint code in the code fragment.
  - 7. The machine readable storage medium of claim 1, wherein the dynamically loaded constraint library is loaded into constraint library storage, wherein the constraint is called from the constraint library in the constraint library storage when the constraint code is turned on.
  - 8. The machine readable storage medium of claim 1, wherein:
    - the library is loaded in an off state, andthe library is turned on allowing the constraint to be called from the constraint code inserted in the computer program.
  - 9. The machine readable storage medium of claim 1, wherein the constraint management engine is configured to:
    - call a detector function in the library without calling a remediator function in the library when the constraint code has been dynamically switched to a detection mode, andcall a detector function in the library and a remediator function in the library when the constraint code has been dynamically switched to a remediation mode.

10. A method for immunizing a computer program against vulnerabilities and attacks at runtime, the method comprising:
- dynamically loading a constraint library into a computer program while the computer program is running, the constraint library containing a constraint;
  
  inserting constraint code associated with the constraint of the loaded library into the computer program while the computer program is running, the constraint code comprising machine instructions that correct a flaw of the computer program, the flaw being a security vulnerability or a bug; and
  
  dynamically turning the constraint code of the loaded constraint library on or off as the computer program is running, in response to user input.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, wherein when the constraint code is off, machine instructions that correct the flow of the computer program are not called and when the constraint code is on, machine instructions that correct the flaw of the computer program are called.
  - 12. The method of claim 10, wherein the constraint library is loaded into the computer program and dynamically turned on without restarting of the computer program.
  - 13. The method of claim 10, wherein the constraint code is inserted in computer program instructions of the computer program that reside in a memory of a computer system executing the computer program.
  - 14. The method of claim 10, wherein inserting comprises:
    - loading a code fragment of the computer program into a code cache; and
      
      modifying the code fragment to insert one or more instructions of the constraint code to call the constraint of the dynamically loaded library.
  - 15. The method of claim 14, wherein a user input specifies a location to insert the one or more instructions of the constraint code in the code fragment.
  - 16. The method of claim 10, wherein the dynamically loaded constraint library is loaded into constraint library storage, wherein the constraint is called from the constraint library in the constraint library storage when the constraint code is turned on.
  - 17. The method of claim 10, wherein:
    - the library is loaded in an off state, andthe library is turned on allowing the constraint to be called from the constraint code inserted in the computer program.
  - 18. The method of claim 10, further comprising:
    - calling a detector function in the library without calling a remediator function in the library when the constraint code has been dynamically switched to a detection mode, andcalling a detector function in the library and a remediator function in the library when the constraint code has been dynamically switched to a remediation mode.

19. An apparatus configured to immunize a computer program against vulnerabilities and attacks at runtime, the apparatus comprising:
- one or more computer processors; and
  
  a computer-readable storage medium comprising instructions for controlling the one or more computer processors to be operable to;
  
  dynamically load a constraint library into a computer program while the computer program is running, the constraint library containing a constraint;
  
  insert constraint code associated with the constraint of the loaded library into the computer program while the computer program is running, the constraint code comprising machine instructions that correct a flaw of the computer program, the flaw being a security vulnerability or a bug; and
  
  dynamically turn the constraint code of the loaded constraint library on or off as the computer program is running, in response to user input.
- View Dependent Claims (20)
- - 20. The apparatus of claim 19, wherein when the constraint code is off, machine instructions that correct the flow of the computer program are not called and when the constraint code is on, machine instructions that correct the flaw of the computer program are called.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
AMARASINGHE, Saman P., WILBOURN, Sandy, KIRIANSKY, Vladimir L., GARNETT, Tim, RENERT, Charles, BRUENING, Derek L., CHANDRAMOHAN, Bharath, Wu, Warren

Granted Patent

US 8,656,497 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/577   Assessing vulnerabilities a...

CONSTRAINT INJECTION SYSTEM FOR IMMUNIZING SOFTWARE PROGRAMS AGAINST VULNERABILITIES AND ATTACKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CONSTRAINT INJECTION SYSTEM FOR IMMUNIZING SOFTWARE PROGRAMS AGAINST VULNERABILITIES AND ATTACKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links