Low-Latency Detection of Scripting-Language-Based Exploits

US 20110197272A1
Filed: 02/09/2010
Published: 08/11/2011
Est. Priority Date: 02/09/2010
Status: Active Grant

First Claim

Patent Images

1. A method for protecting client computers, comprising:

receiving webpage data at a proxy from a webpage before the data reaches an intended recipient, the proxy is disposed as an intermediary between a server serving up the webpage and the intended recipient;

gathering scripting-language-data from the webpage data;

normalizing the scripting-language-data so as to generate normalized data;

emulating execution of the normalized scripting-language-data with a inspection-point-script-execution engine that that is adapted to provide inspection points instead of effectuating particular functions;

determining whether to prevent the data from reaching the intended recipient by analyzing inspection-data collected from the inspection points.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for protecting client computers are described. One method includes receiving webpage data at a proxy from a webpage before the data reaches an intended recipient; gathering scripting-language-data from the webpage data; normalizing the scripting-language-data so as to generate normalized data; emulating execution of the normalized scripting-language-data with a inspection-point-script-execution engine that that is adapted to provide inspection points instead of effectuating particular functions, and determining whether to block the data from the intended recipient by analyzing inspection-data collected from the inspection points.

48 Citations

View as Search Results

16 Claims

1. A method for protecting client computers, comprising:
- receiving webpage data at a proxy from a webpage before the data reaches an intended recipient, the proxy is disposed as an intermediary between a server serving up the webpage and the intended recipient;
  
  gathering scripting-language-data from the webpage data;
  
  normalizing the scripting-language-data so as to generate normalized data;
  
  emulating execution of the normalized scripting-language-data with a inspection-point-script-execution engine that that is adapted to provide inspection points instead of effectuating particular functions;
  
  determining whether to prevent the data from reaching the intended recipient by analyzing inspection-data collected from the inspection points.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, including:
    - disassembling a string that is generated during the normalizing of scripting-language-data;
      
      pseudo-executing the disassembled string; and
      
      determining whether the scripting-language-data includes shellcode.
  - 3. The method of claim 2, wherein the disassembling is responsive to a size of the string exceeding a threshold.
  - 4. The method of claim 1, including:
    - modifying an existing script-execution engine so that objects in the existing script-execution engine that are intended to provide functions are overwritten to provide inspection-data instead of the functions.
  - 5. The method of claim 1, including:
    - identifying characteristics of the normalized scripting-language-data;
      
      scoring the characteristics of the normalized scripting-language-data based upon a likelihood that the characteristics of the normalized scripting-language-data are associated with malicious scripting-language-data;
      
      scoring characteristics of the inspection data based upon a likelihood that the characteristics of the inspection data are associated with malicious scripting-language-data; and
      
      determining whether to block the data from the intended recipient based upon the scoring of the of the characteristics of the normalized scripting-language-data and the scoring of the characteristics of the inspection data.
  - 6. The method of claim 5, wherein identifying characteristics of the normalized scripting-language-data includes identifying a presence of Eval functions, identifying statements exceeding a threshold-string-size, and identifying the existence of a DOM object, and wherein the inspection-data collected from the inspection points includes an indication whether a hidden Iframe is present, an indication whether a script writes another dynamic script, and an indication whether a script error matches a known anti-emulator method.
  - 7. The method of claim 2, including:
    - identifying characteristics of the normalized scripting-language-data;
      
      scoring the characteristics of the normalized scripting-language-data based upon a likelihood that the characteristics of the normalized scripting-language-data are associated with malicious scripting-language-data;
      
      scoring characteristics of the inspection data based upon a likelihood that the characteristics of the inspection data are associated with malicious scripting-language-data; and
      
      determining whether to block the data from the intended recipient based upon the scoring of the of the characteristics of the normalized scripting-language-data, the scoring of the characteristics of the inspection data, and the determination whether the scripting-language-data includes shellcode.
  - 8. The method of claim 1, including:
    - tracking a variable during the emulated execution;
      
      delaying a storage of inspection data from an inspection point until a scope of the variable is lost.
  - 9. The method of claim 1, wherein emulating execution of the normalized scripting-language-data includes emulating a DOM.

10. A system for protecting client computers;
- comprising;
  
  an initial filter that gathers scripting-language-data from webpage data;
  
  an interpretation component that obtains inspection-data from the scripting-language-data by emulating execution of the scripting-language-data;
  
  a shellcode module that disassembles one or more strings that are generated during the emulated execution of the scripting language data so as to generate disassembled code and pseudo-executes at least a portion of the disassembled code to determine whether to block the scripting language data from reaching an intended recipient based upon pseudo-execution-data; and
  
  an analysis component that assesses the inspection data to determine whether to block the scripting language data from reaching the intended recipient.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the initial filter includesa script consolidation portion that consolidates separated pieces of the scripting language data so as to generate consolidated scripting-language-data;
    - anda parser that tokenizes the consolidated scripting-language-data to obtain scripting-language-data that is tokenized, wherein the interpretation component emulates execution of the scripting-language-data that has been tokenized.
  - 12. The system of claim 10, wherein the interpretation component delays obtaining the inspection data until a scope of a tracked-variable is lost.
  - 13. The system of claim 10, wherein the interpretation component includes a scripting-language engine that is adapted so that objects that would ordinarily provide functions for the scripting language data provide inspection points to enable acquisition of the inspection-data.
  - 14. The system of claim 10, wherein the shellcode module does not disassemble the one or more strings unless the one or mores strings exceeds a size threshold.
  - 15. The system of claim 10, including identifying suspect regions in the disassembled code and pseudo-executing the suspect regions.

16. A method for protecting client computers, comprising:
- receiving webpage data at a proxy from a webpage before the data reaches an intended recipient, the proxy is disposed as an intermediary between a server serving up the webpage and the intended recipient;
  
  gathering scripting-language-data from the webpage data;
  
  prompting the scripting-language-data to unpack into one or more strings;
  
  disassembling ones of the one or more strings that are suspected of including shell code;
  
  determining, without pseudo-executing, whether string indicates that scripting-language-data should be blocked;
  
  pseudo-executing the disassembled suspect string if the string can not be determined to be safe.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Software Incorporated (Open Text Corporation)
Inventors
Mony, Rajesh

Granted Patent

US 8,407,790 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/0281   Proxies

H04L 63/1416   Event detection, e.g. attac...

Low-Latency Detection of Scripting-Language-Based Exploits

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Low-Latency Detection of Scripting-Language-Based Exploits

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links