SYSTEM AND METHOD FOR PROVIDING A SECURED OPERATING SYSTEM EXECUTION ENVIRONMENT

US 20120255017A1
Filed: 03/31/2011
Published: 10/04/2012
Est. Priority Date: 03/31/2011
Status: Active Grant

First Claim

Patent Images

1. A system for launching a security architecture, comprising:

an electronic device comprising a processor and one or more operating systems;

a security agent configured to;

execute at a level below all operating systems of the electronic device accessing a resource;

intercept a request to access the resource of the electronic device, the request originating from the operational level of one of one or more operating systems of the electronic device; and

determine if the request is indicative of malware; and

a launching module comprising;

a secured launching agent configured to launch the security agent; and

a boot manager configured to boot the secured launching agent before booting the one or more operating systems.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a system for launching a security architecture includes an electronic device comprising a processor and one or more operating systems, a security agent, and a launching module. The launching module comprises a boot manager and a secured launching agent. The boot manager is configured to boot the secured launching agent before booting the operating systems, and the secured launching agent is configured to load a security agent. The security agent is configured to execute at a level below all operating systems of the electronic device, intercept a request to access a resource of the electronic device, the request originating from the operational level of one of one or more operating systems of the electronic device, and determine if a request is indicative of malware. In some embodiments, the secured launching agent may be configured to determine whether the security agent is infected with malware prior to loading the security agent.

307 Citations

60 Claims

1. A system for launching a security architecture, comprising:
- an electronic device comprising a processor and one or more operating systems;
  
  a security agent configured to;
  
  execute at a level below all operating systems of the electronic device accessing a resource;
  
  intercept a request to access the resource of the electronic device, the request originating from the operational level of one of one or more operating systems of the electronic device; and
  
  determine if the request is indicative of malware; and
  
  a launching module comprising;
  
  a secured launching agent configured to launch the security agent; and
  
  a boot manager configured to boot the secured launching agent before booting the one or more operating systems.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The system of claim 1, wherein the boot manager is further configured to replace an existing Master Boot Record with an alternate Master Boot Record prior to booting the secured launching agent, wherein the alternate Master Boot Record is configured to boot the secured launching agent.
  - 3. The system of claim 1, wherein the secured launching agent is further configured to determine whether the security agent is infected with malware prior to launching the security agent.
  - 4. The system of claim 3, wherein determining whether the security agent is infected with malware comprises determining whether one or more hash values associated with the security agent indicate that the security agent is infected with malware.
  - 5. The system of claim 3, wherein the secured launching agent is further configured to restore the security agent from a backup copy if the security agent is infected with malware.
  - 6. The system of claim 1, wherein the secured launching agent is further configured to determine whether any of the one or more operating systems are infected with malware.
  - 7. The system of claim 1, wherein the secured launching agent is further configured to determine whether the launching module is infected with malware.
  - 8. The system of claim 1, wherein the secured launching agent is further configured to create a backup copy of the security agent.
  - 9. The system of claim 8, wherein the security agent is further configured to update the backup copy of the security agent.
  - 10. The system of claim 1, wherein:
    - the resource is a storage device; and
      
      the security agent configured to determine if the request is indicative of malware is configured to;
      
      determine if the request involves a protected area of the storage device; and
      
      if the request involves a protected area of the storage device, determine if the request is authorized.
  - 11. The system of claim 10, wherein the protected area includes one or more files associated with the security agent.
  - 12. The system of claim 10, wherein the protected area includes one or more files associated with the one or more operating systems.
  - 13. The system of claim 10, wherein the protected area includes a Master Boot Record.
  - 14. The system of claim 10, wherein the protected area includes one or more files associated with the launching module.
  - 15. The system of claim 1, wherein the security agent is further configured to utilize a disk mapping bitmap containing metadata corresponding to one or more files associated with the security agent.
  - 16. The system of claim 15, wherein the metadata specifies one or more sectors on a storage device where each of the one or more files are stored.
  - 17. The system of claim 15, wherein the metadata specifies a hash value for each of the one or more files for verifying the integrity of each of the one or more files.
  - 18. The system of claim 1:
    - further comprising a virtual machine monitor; and
      
      wherein the security agent is executing in the virtual machine monitor.
  - 19. The system of claim 1, wherein:
    - the processor comprises microcode; and
      
      the security agent is executing in the microcode.
  - 20. The system of claim 1, further comprising:
    - a storage device memory;
      
      a storage device firmware residing in the storage device memory;
      
      a disk security agent executing in the storage device firmware, the disk security agent configured to trap access to one or more protected files associated with the launching module; and
      
      wherein the disk security agent is communicatively coupled to the security agent.

21. A method for launching a security architecture, comprising:
- booting a secured launching agent before booting one or more operating systems of an electronic device;
  
  launching a security agent, wherein the security agent is configured to execute at a level below all of the one or more operating systems of the electronic device accessing the resource;
  
  intercepting, by the security agent, a request to access the resource of the electronic device, the request originating from the operational level of one of the one or more operating systems of the electronic device; and
  
  determining if the request is indicative of malware.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 22. The method of claim 21, further comprising replacing an existing Master Boot Record with an alternate Master Boot Record prior to booting the secured launching agent, wherein the alternate Master Boot Record is configured to boot the secured launching agent.
  - 23. The method of claim 21, further comprising determining whether the security agent is infected with malware prior to launching the security agent.
  - 24. The method of claim 23, wherein determining whether the security agent is infected with malware comprises determining whether one or more hash values associated with the security agent indicate that the security agent is infected with malware.
  - 25. The method of claim 23, further comprising restoring the security agent from a backup copy if the security agent is infected with malware.
  - 26. The method of claim 21, further comprising determining whether any of the one or more operating systems are infected with malware prior to booting any of the one or more operating systems.
  - 27. The method of claim 21, further comprising determining whether the secured launching agent is infected with malware.
  - 28. The method of claim 21, further comprising creating a backup copy of the security agent.
  - 29. The method of claim 28, further comprising updating the backup copy of the security agent.
  - 30. The method of claim 21, further comprising:
    - determining if the request involves a protected area of a storage device; and
      
      if the request involves a protected area of the storage device, determining if the request is authorized.
  - 31. The method of claim 30, wherein the protected area includes one or more files associated with the security agent.
  - 32. The method of claim 30, wherein the protected area includes one or more files associated with the one or more operating systems.
  - 33. The method of claim 30, wherein the protected area includes a Master Boot Record.
  - 34. The method of claim 30, wherein the protected area includes one or more files associated with the secured launching agent.
  - 35. The method of claim 21, further comprising utilizing a disk mapping bitmap to determine if the security agent is infected with malware, wherein the disk mapping bitmap contains metadata corresponding to one or more files associated with the security agent.
  - 36. The method of claim 35, wherein the metadata specifies one or more sectors on a storage device where each of the one or more files are stored.
  - 37. The method of claim 35, wherein the metadata specifies a hash value for each of the one or more files for verifying the integrity of each of the one or more files.
  - 38. The method of claim 21, wherein the security agent is executing in a virtual machine monitor.
  - 39. The method of claim 21, wherein the security agent is executing in microcode of a processor of the electronic device.
  - 40. The method of claim 21, wherein the security agent is executing in firmware of a storage device.

41. A non-transitory computer-readable medium encoded with logic, the logic, when executed by a processor, configured to:
- boot a secured launching agent before booting one or more operating systems of an electronic device;
  
  launch a security agent, wherein the security agent is configured to execute at a level below all of the one or more operating systems of the electronic device accessing the resource;
  
  intercept, by the security agent, a request to access the resource of the electronic device, the request originating from the operational level of one of the one or more operating systems of the electronic device; and
  
  determine if the request is indicative of malware.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60)
- - 42. The computer-readable medium of claim 41, wherein the logic is further configured to replace an existing Master Boot Record with an alternate Master Boot Record prior to booting the secured launching agent, wherein the alternate Master Boot Record is configured to boot the secured launching agent.
  - 43. The computer-readable medium of claim 41, wherein the logic is further configured to determine whether the security agent is infected with malware prior to launching the security agent.
  - 44. The computer-readable medium of claim 43, wherein determining whether the security agent is infected with malware comprises determining whether one or more hash values associated with the security agent indicate that the security agent is infected with malware.
  - 45. The computer-readable medium of claim 43, wherein the logic is further configured to restore the security agent from a backup copy if the security agent is infected with malware.
  - 46. The computer-readable medium of claim 41, wherein the logic is further configured to determine whether any of the one or more operating systems are infected with malware prior to booting any of the one or more operating systems.
  - 47. The computer-readable medium of claim 41, wherein the logic is further configured to determine whether the secured launching agent is infected with malware.
  - 48. The computer-readable medium of claim 41, wherein the logic is further configured to create a backup copy of the security agent.
  - 49. The computer-readable medium of claim 48, wherein the logic is further configured to update the backup copy of the security agent.
  - 50. The computer-readable medium of claim 41, wherein the logic is further configured to:
    - determine if the request involves a protected area of a storage device; and
      
      if the request involves a protected area of the storage device, determine if the request is authorized.
  - 51. The computer-readable medium of claim 50, wherein the protected area includes one or more files associated with the security agent.
  - 52. The computer-readable medium of claim 50, wherein the protected area includes one or more files associated with the one or more operating systems.
  - 53. The computer-readable medium of claim 50, wherein the protected area includes a Master Boot Record.
  - 54. The computer-readable medium of claim 50, wherein the protected area includes one or more files associated with the secured launching agent.
  - 55. The computer-readable medium of claim 41, wherein the logic is further configured to utilize a disk mapping bitmap to determine if the security agent is infected with malware, wherein the disk mapping bitmap contains metadata corresponding to one or more files associated with the security agent.
  - 56. The computer-readable medium of claim 55, wherein the metadata specifies one or more sectors on a storage device where each of the one or more files are stored.
  - 57. The computer-readable medium of claim 55, wherein the metadata specifies a hash value for each of the one or more files for verifying the integrity of each of the one or more files.
  - 58. The computer-readable medium of claim 41, wherein the security agent is executing in a virtual machine monitor.
  - 59. The computer-readable medium of claim 41, wherein the security agent is executing in microcode of a processor of the electronic device.
  - 60. The computer-readable medium of claim 41, wherein the security agent is executing in firmware of a storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sallam, Ahmed Said

Granted Patent

US 9,087,199 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/575   Secure boot

G06F 9/45558   Hypervisor-specific managem...

SYSTEM AND METHOD FOR PROVIDING A SECURED OPERATING SYSTEM EXECUTION ENVIRONMENT

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

307 Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR PROVIDING A SECURED OPERATING SYSTEM EXECUTION ENVIRONMENT

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

307 Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links