SYSTEM AND METHOD FOR MITIGATING TOC/TOU ATTACKS IN A CLOUD COMPUTING ENVIRONMENT

US 20150373046A1
Filed: 06/18/2015
Published: 12/24/2015
Est. Priority Date: 06/20/2014
Status: Active Grant

First Claim

Patent Images

1. A method for mitigating TOCTOU attacks comprising:

requesting, by a processor, measurements representing operation of a first process on a host, wherein the host is untrusted;

based on the requesting, obtaining, by the processor, the measurements, wherein the measurements comprise a checksum that is a result of a second process executing checksum code to verify at least one last branch record on the host; and

determining, by the processor, based on the measurements, whether the first process was compromised.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system, method, and computer program product for mitigating TOCTOU attacks, which includes: as processor requesting measurements representing operation of a first process on a host that is untrusted and based on the requesting, obtaining the measurements, which include a checksum that is a result of a second process executing checksum code to verify at least one last branch record on the host. A processor also determined, based on the measurements, whether the first process was compromised.

Citations

20 Claims

1. A method for mitigating TOCTOU attacks comprising:
- requesting, by a processor, measurements representing operation of a first process on a host, wherein the host is untrusted;
  
  based on the requesting, obtaining, by the processor, the measurements, wherein the measurements comprise a checksum that is a result of a second process executing checksum code to verify at least one last branch record on the host; and
  
  determining, by the processor, based on the measurements, whether the first process was compromised.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - determining, by the processor, at least one of;
      
      whether the requesting was intercepted before the measurements were conducted, or whether a second process responsible for taking the measurements was compromised.
  - 3. The method of claim 1, wherein the requesting and the obtaining is executed on a trusted host.
  - 4. The method of claim 1, wherein the determining whether the first process was compromised comprises verifying that the first process was launched from a pre-defined location and executed from beginning to end by the host.
  - 5. The method of claim 1, wherein the requesting comprises sending a random number to the second process and wherein the checksum is a self checksum of the random number and the measurements further comprise a secure hash algorithm hash of a hypervisor running on the host, wherein the self checksum and the secure hash algorithm hash were computed by the second process.
  - 6. The method of claim 1, wherein the at least one last branch record comprises an LBR From IP pointer.
  - 7. The method of claim 1, the determining further comprises determining that the checksum is invalid, and based on the invalid checksum, determining that the first process was compromised.
  - 8. The method of claim 7, wherein executing checksum code to verify at least one last branch record comprises obtaining an invalid jump in a last branch record table on the host.
  - 9. The method of claim 7, wherein executing checksum code to verify at least one last branch record comprises obtaining a last branch record without a respective block jump.
  - 10. The method of claim 7, wherein the checksum is invalid based on an increase in verification time.
  - 11. The method of claim 1, further comprising:
    - halting, by the processor, an activity on a second host until completing the determining.

12. A computer system for mitigating TOCTOU attacks, the computer system comprising:
- a memory; and
  
  a processor in communications with the memory, wherein the computer system is configured to perform a method, the method comprising;
  
  requesting, by a processor, measurements representing operation of a first process on a host, wherein the host is untrusted;
  
  based on the requesting, obtaining, by the processor, the measurements, wherein the measurements comprise a checksum that is a result of a second process executing checksum code to verify at least one last branch record on the host; and
  
  determining, by the processor, based on the measurements, whether the first process was compromised.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The computer system of claim 12, further comprising:
    - determining, by the processor, at least one of;
      
      whether the requesting was intercepted before the measurements were conducted, or whether a second process responsible for taking the measurements was compromised.
  - 14. The computer system of claim 12, wherein the requesting and the obtaining is executed on a trusted host.
  - 15. The computer system of claim 12, wherein the determining whether the first process was compromised comprises verifying that the first process was launched from a pre-defined location and executed from beginning to end by the host.
  - 16. The computer system of claim 12, wherein the requesting comprises sending a random number to the second process and wherein the checksum is a self checksum of the random number and the measurements further comprise a secure hash algorithm hash of a hypervisor running on the host, wherein the self checksum and the secure hash algorithm hash were computed by the second process.
  - 17. The computer system of claim 12, wherein the at least one last branch record comprises an LBR From IP pointer.
  - 18. The computer system of claim 12, the determining further comprises determining that the checksum is invalid, and based on the invalid checksum, determining that the first process was compromised.

19. The computer system of claim 19, wherein executing checksum code to verify at least one last verify at least one last branch record comprises at least one of:
- obtaining an invalid jump in a last brand record table on the host, obtaining a last branch record without a block jump, or recording an increase in verification time.

20. A computer program product for mitigating TOCTOU attacks, the computer program product comprising:
- requesting, by a processor, measurements representing operation of a first process on a host, wherein the host is untrusted;
  
  based on the requesting, obtaining, by the processor, the measurements, wherein the measurements comprise a checksum that is a result of a second process executing checksum code to verify at least one last branch record on the host; and
  
  determining, by the processor, based on the measurements, whether the first process was compromised.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
KDDI Corporation, Vencore Labs, Inc.
Original Assignee
KDDI Corporation, Vencore Labs, Inc.
Inventors
Kubota, Ayumu, Sapello, Angelo, Ghosh, Abhrajit, Poylisher, Alexander, Chiang, C. Jason, Matsunaka, Takashi

Granted Patent

US 9,654,499 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/575   Secure boot

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

SYSTEM AND METHOD FOR MITIGATING TOC/TOU ATTACKS IN A CLOUD COMPUTING ENVIRONMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR MITIGATING TOC/TOU ATTACKS IN A CLOUD COMPUTING ENVIRONMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links