METHOD AND APPARATUS FOR PREVENTING UNWANTED CODE EXECUTION

US 20130111584A1
Filed: 06/04/2012
Published: 05/02/2013
Est. Priority Date: 10/26/2011
Status: Active Grant

First Claim

Patent Images

1. A method of preventing unwanted code execution, the method comprising:

identifying, by the computer system, at risk portions of an associated scripting environment, wherein a portion of the associated scripting environment comprises any instance of the functions, objects and properties of the associated scripting environment;

identifying, by the computer system, at least one trusted server-side resource;

receiving trusted and untrusted scripts by the computer system, wherein trusted refers to responses received from the trusted server-side resource, and untrusted refers to responses received from other external script sources;

receiving from the trusted server-side resource at least one further message containing one or more passwords; and

preventing, by the computer system, unwanted code execution by;

re-writing said at risk portions of the associated scripting environment to require presentation of the one or more passwords in order to execute.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is provided a method of preventing unwanted code execution in a computing environment executing a scripting language and associated environment, wherein said computing environment comprises at least one server-side resource and a client side resource, comprising determining “safe” and “at risk” or “restricted” portions of the scripting language and associated environment, determining “trusted” and “untrusted” portions of the scripting language and associated environment, determining at least one “trusted” server-side resource, receiving from the “trusted” server-side resource an initial message containing one or more high-entropy secrets, and providing an unwanted code execution protection mechanism by reconfiguring said “at risk” or “restricted” portions of the scripting language and associated environment to require presentation of the one or more high-entropy secrets in order to execute.

68 Citations

View as Search Results

20 Claims

1. A method of preventing unwanted code execution, the method comprising:
- identifying, by the computer system, at risk portions of an associated scripting environment, wherein a portion of the associated scripting environment comprises any instance of the functions, objects and properties of the associated scripting environment;
  
  identifying, by the computer system, at least one trusted server-side resource;
  
  receiving trusted and untrusted scripts by the computer system, wherein trusted refers to responses received from the trusted server-side resource, and untrusted refers to responses received from other external script sources;
  
  receiving from the trusted server-side resource at least one further message containing one or more passwords; and
  
  preventing, by the computer system, unwanted code execution by;
  
  re-writing said at risk portions of the associated scripting environment to require presentation of the one or more passwords in order to execute.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the at least one further message comprises a whole script file.
  - 3. The method of claim 1, further comprising an act of reproducing the one or more passwords across a number of client-server requests by virtue of a client-server session-identifier or a persistent client-server connection.
  - 4. The method of claim 3, further comprising an act of producing the one or more passwords by the server-side resource as a secure hash of the client-server session-identifier and a session password stored server-side and unique to the client-server session-identifier.
  - 5. The method of claim 1, wherein re-writing of the at risk portions of the scripting environment includes an act of replacing certain objects, functions and property accessory to require the passing of the one or more passwords as a parameter in order for execution to occur.
  - 6. The method of claim 5, wherein re-writing of the at risk portions of the scripting environment includes an act of renaming certain objects, functions and properties to provide each with a new identity.
  - 7. The method of claim 6, further comprising an act of determining each new identity by one of the passwords.
  - 8. The method of claim 1, wherein re-writing the at risk portions of the scripting environment includes an act of verifying certain at risk objects within the associated environment with one or more passwords as scope identifier and replacing certain objects functions and properties with equivalent functionality that limits access to the associated environment depending on the scope identifier and that requires the passing of the one or more scope identifiers and the one or more passwords as a parameter in order for execution and subsequent access to occur.
  - 9. The method of claim 5, wherein re-writing the at risk portions of the scripting language and associated environment includes an act of replacing certain objects, functions and properties with equivalent functionality that cascades the protection to newly created portions of the environment or newly created ancillary environments.
  - 10. The method of claim 1 wherein the scripting language and associated environment is self-mutable and the re-writing of said at risk portions of the scripting language and associated environment comprises using native functionality of the associated environment to render the changes immutable and the one or more passwords undiscoverable to scripts from the at risk portion.
  - 11. The method of claim 1, wherein the at risk portion includes an HTML webpage served by a webserver:
    - and the trusted portion includes a response to separate HTTP requests made to the server-side resource arising from scripting language and associated environment elements embedded in the said HTML webpage.
  - 12. The method of claim 11, wherein the one or more passwords are different for each HTML page load by using an additional page identifying parameter submitted to the server-side resource in combination with the client-server session identifier and the session password.
  - 13. The method of claim 1, wherein the scripting language is at least one of ECMAScript (JavaScript/Jscript) and VBScript.
  - 14. The method of claim 1, further comprising an act of preventing a cross site scripting (XSS) attack.
  - 15. The method of claim 1, further comprising an act of testing effectiveness of the unwanted code execution protection mechanism, wherein the act of testing the effectiveness includes an act of attempting to circumvent the protection with known circumvention techniques.
  - 16. The method of claim 1, further comprising an act of reporting activity blocked by the code execution protection mechanism.

17. A client/server environment for preventing unwanted code execution, the environment comprising:
- at least one processor operatively connected to a memory, the at least one processor when executing instructions stored in memory is configured toidentify at risk portions of an associated scripting environment, wherein a portion of the associated scripting environment comprises any instance of the functions, objects and properties of the associated scripting environment;
  
  identify at least one trusted server-side resource;
  
  receive trusted and untrusted scripts, wherein trusted refers to responses received from the trusted server-side resource, and untrusted refers to responses received from other external script sources;
  
  receive from the trusted server-side resource at least one further message containing one or more passwords; and
  
  prevent unwanted code execution by re-writing said at risk portions of the associated scripting environment to require presentation of the one or more passwords in order to execute.
- View Dependent Claims (18, 19)
- - 18. The client/server environment of claim 17, wherein the at least one further message comprises a whole script file
  - 19. The client/server environment of claim 17, wherein the at least one processor when executing the instructions stored in the memory is further configured to produce the one or more passwords by the server-side resource as a secure hash of the client-server session-identifier and a session password stored server-side and unique to the client-server session-identifier.

20. A non-transitory computer readable medium containing instructions, which when executed by at least one processor is operable to carry out a method for preventing unwanted code execution, the method comprisingidentifying at risk portions of an associated scripting environment, wherein a portion of the associated scripting environment comprises any instance of the functions, objects and properties of the associated scripting environment;
- identifying at least one trusted server-side resource;
  
  receiving trusted and untrusted scripts, wherein trusted refers to responses received from the trusted server-side resource, and untrusted refers to responses received from other external script sources;
  
  receiving from the trusted server-side resource at least one further message containing one or more passwords; and
  
  preventing unwanted code execution by re-writing said at risk portions of the associated scripting environment to require presentation of the one or more passwords in order to execute.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Datawing Limited (Ashworth Bros., Inc.)
Original Assignee
Cliquecloud Limited
Inventors
Coppock, William

Granted Patent

US 8,959,628 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/145   the attack involving the pr...

H04L 63/1483   service impersonation, e.g....

H04L 67/02   based on web technology, e....

METHOD AND APPARATUS FOR PREVENTING UNWANTED CODE EXECUTION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR PREVENTING UNWANTED CODE EXECUTION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links