SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING AND SECURING LOADING OF CODE INTO MEMORY

US 20120254995A1
Filed: 03/31/2011
Published: 10/04/2012
Est. Priority Date: 03/31/2011
Status: Active Grant

First Claim

Patent Images

1. A system for protecting an electronic device against malware, comprising:

a memory;

an operating system configured to execute on the electronic device;

a below-operating-system security agent configured to;

trap an attempted access of a resource of the electronic device, the attempted access comprising;

attempting to write instructions to the memory; and

attempting to execute the instructions;

access one or more security rules to determine whether the attempted access is indicative of malware; and

operate at a level below all of the operating systems of the electronic device accessing the memory.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access of a resource of the electronic device, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device accessing the memory. The attempted access includes attempting to write instructions to the memory and attempting to execute the instructions.

110 Citations

30 Claims

1. A system for protecting an electronic device against malware, comprising:
- a memory;
  
  an operating system configured to execute on the electronic device;
  
  a below-operating-system security agent configured to;
  
  trap an attempted access of a resource of the electronic device, the attempted access comprising;
  
  attempting to write instructions to the memory; and
  
  attempting to execute the instructions;
  
  access one or more security rules to determine whether the attempted access is indicative of malware; and
  
  operate at a level below all of the operating systems of the electronic device accessing the memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein trapping the attempted resource comprises further configuring the below-operating-system security agent to trap an attempt to allocate portions of the memory with enabled write permissions.
  - 3. The system of claim 1, wherein trapping the attempted resource comprises further configuring the below-operating-system security agent to trap an attempt to change permissions of the memory in which instructions were written.
  - 4. The system of claim 1, wherein determining whether the attempted access is indicative of malware comprises configuring the below-operating-system security agent to scan the instructions written to memory.
  - 5. The system of claim 1, wherein determining whether the attempted access is indicative of malware comprises determining the identify of an entity which made the attempted access.
  - 6. The system of claim 1, wherein trapping the attempted access comprises further configuring the below-operating-system security agent to trap an attempted access of a portion of the memory containing a memory page data structure entry for a driver, wherein the malware status of the driver is unknown.
  - 7. The system of claim 1, wherein trapping the attempted access comprises further configuring the below-operating-system security agent to trap an attempted access of a portion of the memory containing an unallocated virtual page of kernel space.
  - 8. The system of claim 1, wherein trapping the attempted access comprises further configuring the below-operating-system security agent to trap an attempted access of a portion of the memory containing an empty virtual page allocated by the operating system.
  - 9. The system of claim 1, wherein trapping the attempted access comprises further configuring the below-operating-system security agent to:
    - compare contents of a first memory page written to disk during a swap file write to the contents of a second memory page after a swap file read, the swap file read and swap file write corresponding to the same location identified by the operating system.
  - 10. The system of claim 1, wherein the below-operating system security agent is configured to:
    - allow the attempted writing of instructions; and
      
      halt the attempted execution.

11. A method for protecting an electronic device against malware, comprising:
- trapping an attempted access of a resource of an electronic device, the attempted access comprising;
  
  attempting to write instructions to a memory of the electronic device, the memory comprising the resource; and
  
  attempting to execute the instructions;
  
  accessing one or more security rules to determine whether the attempted access is indicative of malware;
  
  wherein the trapping of the attempted access and determining whether the attempted access is indicative of malware is conducted at a level below all of the operating systems of the electronic device accessing the memory.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein trapping the attempted resource comprises trapping an attempt to allocate portions of the memory with enabled write permissions.
  - 13. The method of claim 11, wherein trapping the attempted resource comprises trapping an attempt to change permissions of the memory in which instructions were written.
  - 14. The method of claim 11, wherein determining whether the attempted access is indicative of malware comprises scanning the instructions written to memory.
  - 15. The method of claim 11, wherein determining whether the attempted access is indicative of malware comprises determining the identify of an entity which made the attempted access.
  - 16. The method of claim 11, wherein trapping the attempted access comprises trapping an attempted access of a portion of the memory containing a memory page data structure entry for a driver, wherein the malware status of the driver is unknown.
  - 17. The method of claim 11, wherein trapping the attempted access comprises trapping an attempted access of a portion of the memory containing an unallocated virtual page of kernel space.
  - 18. The method of claim 11, wherein trapping the attempted access comprises trapping an attempted access of a portion of the memory containing an empty virtual page allocated by the operating system.
  - 19. The method of claim 11, wherein trapping the attempted access comprises:
    - comparing contents of a first memory page written to disk during a swap file write to the contents of a second memory page after a swap file read, the swap file read and swap file write corresponding to the same location identified by the operating system.
  - 20. The method of claim 11, further comprising:
    - allowing the attempted writing of instructions; and
      
      halting the attempted execution.

21. An article of manufacture, comprising:
- a computer readable medium; and
  
  computer-executable instructions carried on the computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to;
  
  trap an attempted access of a resource of an electronic device, the attempted access comprising;
  
  attempting to write instructions to a memory of the electronic device, the memory comprising the resource; and
  
  attempting to execute the instructions;
  
  access one or more security rules to determine whether the attempted access is indicative of malware;
  
  wherein the processor is configured to conduct the trapping of the attempted access and determining whether the attempted access is indicative of malware at a level below all of the operating systems of the electronic device accessing the memory.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The article of claim 21, wherein trapping the attempted resource comprises trapping an attempt to allocate portions of the memory with enabled write permissions.
  - 23. The article of claim 21, wherein trapping the attempted resource comprises trapping an attempt to change permissions of the memory in which instructions were written.
  - 24. The article of claim 21, wherein determining whether the attempted access is indicative of malware comprises scanning the instructions written to memory.
  - 25. The article of claim 21, wherein determining whether the attempted access is indicative of malware comprises determining the identify of an entity which made the attempted access.
  - 26. The article of claim 21, wherein trapping the attempted access comprises trapping an attempted access of a portion of the memory containing a memory page data structure entry for a driver, wherein the malware status of the driver is unknown.
  - 27. The article of claim 21, wherein trapping the attempted access comprises trapping an attempted access of a portion of the memory containing an unallocated virtual page of kernel space.
  - 28. The article of claim 21, wherein trapping the attempted access comprises trapping an attempted access of a portion of the memory containing an empty virtual page allocated by the operating system.
  - 29. The article of claim 21, wherein trapping the attempted access comprises:
    - comparing contents of a first memory page written to disk during a swap file write to the contents of a second memory page after a swap file read, the swap file read and swap file write corresponding to the same location identified by the operating system.
  - 30. The article of claim 21, wherein the processor is further caused to:
    - allow the attempted writing of instructions; and
      
      halt the attempted execution.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sallam, Ahmed Said

Granted Patent

US 9,038,176 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

G06F 9/45558   Hypervisor-specific managem...

SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING AND SECURING LOADING OF CODE INTO MEMORY

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

110 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING AND SECURING LOADING OF CODE INTO MEMORY

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

110 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others