SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM PROTECTION OF AN OPERATING SYSTEM KERNEL

US 20120255016A1
Filed: 03/31/2011
Published: 10/04/2012
Est. Priority Date: 03/31/2011
Status: Active Grant

First Claim

Patent Images

1. A method for securing an electronic device, comprising:

trapping, at a level below all of the operating systems of an electronic device accessing components of an operating system and a set of drivers, attempted accesses to the components of the operating system and the set of drivers executing on the electronic device;

in response to trapping an attempted access, comparing contextual information associated with the attempted access to the access map; and

determining if the attempted access is trusted based on the comparison;

wherein, the access map is generated by;

trapping, at a level below all of the operating systems of a second electronic device accessing the components of a second operating system and a second set of drivers, accesses to the components of the second operating system and the second set of drivers executing on the second electronic device, wherein the second operating system and the second set of drivers are substantially free of malware; and

in response to trapping the accesses, recording contextual information regarding the accesses to an access map.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A below-operating system security agent may be configured to: (i) trap attempted accesses to the components of the operating system and the set of drivers executing on the electronic device; (ii) in response to trapping an attempted access, compare contextual information associated with the attempted access to an access map; and (iii) determine if the attempted access is trusted based on the comparison. The access map may be generated by: (i) trapping, at a level below all of the operating systems of a second electronic device accessing components of the second operating system and the second set of drivers executing on the second electronic device and each substantially free of malware, accesses to components of the second operating system and the second set of drivers executing on the second electronic device; and (ii) in response to trapping the accesses, recording contextual information regarding the accesses to the access map.

Citations

21 Claims

1. A method for securing an electronic device, comprising:
- trapping, at a level below all of the operating systems of an electronic device accessing components of an operating system and a set of drivers, attempted accesses to the components of the operating system and the set of drivers executing on the electronic device;
  
  in response to trapping an attempted access, comparing contextual information associated with the attempted access to the access map; and
  
  determining if the attempted access is trusted based on the comparison;
  
  wherein, the access map is generated by;
  
  trapping, at a level below all of the operating systems of a second electronic device accessing the components of a second operating system and a second set of drivers, accesses to the components of the second operating system and the second set of drivers executing on the second electronic device, wherein the second operating system and the second set of drivers are substantially free of malware; and
  
  in response to trapping the accesses, recording contextual information regarding the accesses to an access map.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method according to claim 1, wherein determining if the attempted access is trusted based on the comparison comprises determining an attempted access is trusted if the attempted access has a corresponding entry in the access map.
  - 3. A method according to claim 1, wherein determining if the attempted access is trusted based on the comparison comprises determining an attempted access is not trusted if the attempted access does not have a corresponding entry in the access map.
  - 4. A method according to claim 1, further comprising allowing the attempted access if the attempted access is determined to be trusted.
  - 5. A method according to claim 1, further comprising initiating corrective action if the attempted access is not determined to be trusted.
  - 6. A method according to claim 5, wherein initiating corrective action comprises communicating forensic evidence to a protection server.
  - 7. A method according to claim 5, wherein initiating corrective action comprises denying the attempted access.

8. A system for securing an electronic device, comprising:
- a memory;
  
  a processor;
  
  one or more operating systems residing in the memory for execution by the processor; and
  
  a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing components of an operating system and a set of drivers, and further configured to;
  
  trap attempted accesses to the components of the operating system and the set of drivers executing on the electronic device;
  
  in response to trapping an attempted access, compare contextual information associated with the attempted access to an access map; and
  
  determine if the attempted access is trusted based on the comparison;
  
  wherein, the access map is generated by;
  
  trapping, at a level below all of the operating systems of a second electronic device accessing components of the second operating system and the second set of drivers executing on the second electronic device, accesses to components of the second operating system and the second set of drivers executing on the second electronic device, wherein the second operating system and the second set of drivers are substantially free of malware; and
  
  in response to trapping the accesses, recording contextual information regarding the accesses to the access map.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. A system according to claim 8, wherein determining if the attempted access is trusted based on the comparison comprises determining an attempted access is trusted if the attempted access has a corresponding entry in the access map.
  - 10. A system according to claim 8, wherein determining if the attempted access is trusted based on the comparison comprises determining an attempted access is not trusted if the attempted access does not have a corresponding entry in the access map.
  - 11. A system according to claim 8, further comprising the security agent configured to allow the attempted access if the attempted access is determined to be trusted.
  - 12. A system according to claim 8, further comprising the security agent configured to initiate corrective action if the attempted access is not determined to be trusted.
  - 13. A system according to claim 12, wherein initiating corrective action comprises communicating forensic evidence to a protection server.
  - 14. A method according to claim 12, wherein initiating corrective action comprises denying the attempted access.

15. An article of manufacture, comprising:
- a computer readable medium;
  
  computer-executable instructions carried on the computer readable medium, the instructions readable by a processor, the instructions, when executed, for causing the processor to, at a level below all of the operating systems of an electronic device accessing components of an operating system and a set of drivers executing on the electronic device;
  
  trap attempted accesses to the components of an operating system and the set of drivers executing on the electronic device;
  
  in response to trapping an attempted access, compare contextual information associated with the attempted access to an access map; and
  
  determine if the attempted access is trusted based on the comparison;
  
  wherein, the access map is generated by;
  
  trapping, at a level below all of the operating systems of a second electronic device accessing components of a second operating system and a second set of drivers executing on the second electronic device, accesses to components of the second operating system and the second set of drivers executing on the second electronic device, wherein the second operating system and the second set of drivers are substantially free of malware; and
  
  in response to trapping the accesses, recording contextual information regarding the accesses to the access map.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. An article according to claim 15, wherein determining if the attempted access is trusted based on the comparison comprises determining an attempted access is trusted if the attempted access has a corresponding entry in the access map.
  - 17. An article according to claim 15, wherein determining if the attempted access is trusted based on the comparison comprises determining an attempted access is not trusted if the attempted access does not have a corresponding entry in the access map.
  - 18. An article according to claim 15, wherein the processor is further caused to allow the attempted access if the attempted access is determined to be trusted.
  - 19. An article according to claim 15, wherein the processor is further caused to initiate corrective action if the attempted access is not determined to be trusted.
  - 20. An article according to claim 19, wherein initiating corrective action comprises communicating forensic evidence to a protection server.
  - 21. An article according to claim 19, wherein initiating corrective action comprises denying the attempted access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sallam, Ahmed Said

Granted Patent

US 8,650,642 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/445   by mutual authentication, e...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM PROTECTION OF AN OPERATING SYSTEM KERNEL

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM PROTECTION OF AN OPERATING SYSTEM KERNEL

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links