APPLICATION SANDBOXING USING A DYNAMIC OPTIMIZATION FRAMEWORK

US 20130139264A1
Filed: 11/28/2011
Published: 05/30/2013
Est. Priority Date: 11/28/2011
Status: Active Grant

First Claim

Patent Images

1. A method for preventing malware attacks, comprising:

launching an application on an electronic device;

intercepting one or more instructions from the application, the application attempting to execute the one or more instructions;

determining whether the one or more instructions includes an attempt to access a sensitive system resource of the electronic device;

rewriting the one or more instructions to access the secured system resource of the electronic device;

executing the rewritten instructions on the electronic device; and

observing the results of the rewritten instructions.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for preventing malware attacks includes, launching an application on an electronic device, intercepting one or more instructions from the application, determining whether the one or more instructions includes an attempt to access a sensitive system resource of the electronic device, rewriting the one or more instructions to access the secured system resource of the electronic device, executing the rewritten instructions on the electronic device, and observing the results of the rewritten instructions. The application is attempting to execute the one or more instructions.

Citations

31 Claims

1. A method for preventing malware attacks, comprising:
- launching an application on an electronic device;
  
  intercepting one or more instructions from the application, the application attempting to execute the one or more instructions;
  
  determining whether the one or more instructions includes an attempt to access a sensitive system resource of the electronic device;
  
  rewriting the one or more instructions to access the secured system resource of the electronic device;
  
  executing the rewritten instructions on the electronic device; and
  
  observing the results of the rewritten instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - determining whether the results of rewritten instructions indicate an attempted malicious action;
      
      based on the determination of the results, determining that the application is associated with malware.
  - 3. The method of claim 1, wherein:
    - intercepting the one or more instructions includes intercepting a first segment of instructions and a second segment of instructions; and
      
      determining whether the one or more instructions includes an attempt to access a sensitive system resource and rewriting the one or more instructions includes;
      
      determining whether the first segment includes an attempt to access a first sensitive system resource;
      
      based on such a determination, rewriting the first segment to access a first secured system resource;
      
      determining whether the second segment includes an attempt to access a second sensitive system resource; and
      
      based on such a determination, rewriting the second segment to access a second system resource;
      
      configuring the application to use the data.
  - 4. The method of claim 1, wherein determining whether the instructions include an attempt to access a sensitive system resource comprises determining whether the attempt corresponds to a known method of malware attack on the electronic device.
  - 5. The method of claim 1, wherein rewriting the instructions includes:
    - rewriting a suspicious instruction accessing the sensitive system resource; and
      
      maintaining a non-suspicious instruction not accessing the sensitive system resource.
  - 6. The method of claim 1, further comprising:
    - determining whether the one or more instructions includes a repeat of the attempt to access the sensitive resource of the electronic device; and
      
      based on such a determination, executing the rewritten instructions without repeating the rewrite of the one or more instructions.
  - 7. The method of claim 1, wherein:
    - the sensitive system resource includes a registry; and
      
      rewriting the one or more instructions includes rewriting the instructions to access a spoofed registry.
  - 8. The method of claim 1, wherein:
    - the sensitive system resource includes a file; and
      
      rewriting the one or more instructions includes rewriting the instructions to access a spoofed file.
  - 9. The method of claim 1, wherein:
    - the sensitive system resource includes an address in memory; and
      
      rewriting the one or more instructions includes rewriting the instructions to access a spoofed address in memory.
  - 10. The method of claim 1, whereinthe sensitive system resource includes an operating system function;
    - andrewriting the one or more instructions includes rewriting the instructions to access a spoofed operating system function.
  - 11. The method of claim 1, wherein:
    - the sensitive system resource includes a driver; and
      
      rewriting the one or more instructions includes rewriting the instructions to load a spoofed driver.

12. An article of manufacture, comprising:
- a computer readable medium; and
  
  computer-executable instructions carried on the computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to;
  
  launch an application on an electronic device;
  
  intercept one or more instructions from the application, the application attempting to execute the one or more instructions;
  
  determine whether the one or more instructions includes an attempt to access a sensitive system resource of the electronic device;
  
  rewrite the one or more instructions to access a secured system resource of the electronic device;
  
  execute the rewritten instructions on the electronic device; and
  
  observe the results of the rewritten instructions.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The article of claim 12, wherein the processor is further caused to:
    - determine whether the results of rewritten instructions indicate an attempted malicious action;
      
      based on the determination of the results, determine that the application is associated with malware.
  - 14. The article of claim 12, wherein:
    - intercepting the one or more instructions includes intercepting a first segment of instructions and a second segment of instructions; and
      
      determining whether the one or more instructions includes an attempt to access a sensitive system resource and rewriting the one or more instructions includes;
      
      determining whether the first segment includes an attempt to access a first sensitive system resource;
      
      based on such a determination, rewriting the first segment to access a first secured system resource;
      
      determining whether the second segment includes an attempt to access a second sensitive system resource; and
      
      based on such a determination, rewriting the second segment to access a second system resource;
      
      configuring the application to use the data.
  - 15. The article of claim 12, wherein determining whether the instructions include an attempt to access a sensitive system resource comprises determining whether the attempt corresponds to a known method of malware attack on the electronic device.
  - 16. The article of claim 12, wherein causing the processor to rewrite the instructions includes causing the processor to:
    - rewrite a suspicious instruction accessing the sensitive system resource; and
      
      maintain a non-suspicious instruction not accessing the sensitive system resource.
  - 17. The article of claim 12, wherein:
    - the sensitive system resource includes a registry; and
      
      rewriting the one or more instructions includes rewriting the instructions to access a spoofed registry.
  - 18. The article of claim 12, wherein:
    - the sensitive system resource includes a file; and
      
      rewriting the one or more instructions includes rewriting the instructions to access a spoofed file.
  - 19. The article of claim 12, wherein:
    - the sensitive system resource includes an address in memory; and
      
      rewriting the one or more instructions includes rewriting the instructions to access a spoofed address in memory.
  - 20. The article of claim 12, whereinthe sensitive system resource includes an operating system function;
    - andrewriting the one or more instructions includes rewriting the instructions to access a spoofed operating system function.
  - 21. The article of claim 12, wherein:
    - the sensitive system resource includes a driver; and
      
      rewriting the one or more instructions includes rewriting the instructions to load a spoofed driver.

22. A system for preventing malware attacks, comprising:
- a processor coupled to a memory; and
  
  a dynamic optimization framework executed by the processor, resident within the memory, the framework configured to;
  
  launch an application on an electronic device;
  
  intercept one or more instructions from the application, the application attempting to execute the one or more instructions;
  
  determine whether the one or more instructions includes an attempt to access a sensitive system resource of the electronic device;
  
  rewrite the one or more instructions to access a secured system resource of the electronic device;
  
  execute the rewritten instructions on the electronic device; and
  
  observe the results of the rewritten instructions.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 23. The system of claim 22, wherein the framework is further configured to:
    - determine whether the results of rewritten instructions indicate an attempted malicious action;
      
      based on the determination of the results, determine that the application is associated with malware.
  - 24. The system of claim 22, wherein:
    - intercepting the one or more instructions includes intercepting a first segment of instructions and a second segment of instructions; and
      
      determining whether the one or more instructions includes an attempt to access a sensitive system resource and rewriting the one or more instructions includes;
      
      determining whether the first segment includes an attempt to access a first sensitive system resource;
      
      based on such a determination, rewriting the first segment to access a first secured system resource;
      
      determining whether the second segment includes an attempt to access a second sensitive system resource; and
      
      based on such a determination, rewriting the second segment to access a second system resource;
      
      configuring the application to use the data.
  - 25. The system of claim 22, wherein determining whether the instructions include an attempt to access a sensitive system resource comprises determining whether the attempt corresponds to a known method of malware attack on the electronic device.
  - 26. The system of claim 22, wherein configuring the framework to rewrite the instructions includes configuring the framework to:
    - rewrite a suspicious instruction accessing the sensitive system resource; and
      
      maintain a non-suspicious instruction not accessing the sensitive system resource.
  - 27. The system of claim 22, wherein:
    - the sensitive system resource includes a registry; and
      
      rewriting the one or more instructions includes rewriting the instructions to access a spoofed registry.
  - 28. The system of claim 22, wherein:
    - the sensitive system resource includes a file; and
      
      rewriting the one or more instructions includes rewriting the instructions to access a spoofed file.
  - 29. The system of claim 22, wherein:
    - the sensitive system resource includes an address in memory; and
      
      rewriting the one or more instructions includes rewriting the instructions to access a spoofed address in memory.
  - 30. The system of claim 22, whereinthe sensitive system resource includes an operating system function;
    - andrewriting the one or more instructions includes rewriting the instructions to access a spoofed operating system function.
  - 31. The system of claim 22, wherein:
    - the sensitive system resource includes a driver; and
      
      rewriting the one or more instructions includes rewriting the instructions to load a spoofed driver.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Brinkley, Matthew D., Permeh, Ryan Reza

Granted Patent

US 8,590,041 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/54   by adding security routines...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

APPLICATION SANDBOXING USING A DYNAMIC OPTIMIZATION FRAMEWORK

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

APPLICATION SANDBOXING USING A DYNAMIC OPTIMIZATION FRAMEWORK

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links