Computer System Security

US 20160357958A1
Filed: 06/08/2016
Published: 12/08/2016
Est. Priority Date: 06/08/2015
Status: Active Application

First Claim

Patent Images

1. A computer-implemented method, comprising:

identifying a plurality of software modules in a computing system in response to a process event;

determining a thread start address for a first thread corresponding to the process event;

determining whether the first thread is associated with one or more software modules of the plurality based on the thread start address; and

generating a security event if the first thread is not associated with the one or more software modules.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system monitors a computer system for process events to perform verification related to the event. A thread related to an event is identified and a set of software modules of the computer system are enumerated. The thread is verified by determining whether the thread corresponds to one of the software modules. Code related to the thread is verified by loading code segments from storage into memory and comparing newly loaded code with original code segments in memory. The stack is verified by determining whether the thread matches one or more stack addresses of the stack. The execution path related to the event is verified by comparison to a set of predefined execution paths. If any of the security verifications fail, a security event is generated such as by blocking execution of code related to the event.

Citations

34 Claims

1. A computer-implemented method, comprising:
- identifying a plurality of software modules in a computing system in response to a process event;
  
  determining a thread start address for a first thread corresponding to the process event;
  
  determining whether the first thread is associated with one or more software modules of the plurality based on the thread start address; and
  
  generating a security event if the first thread is not associated with the one or more software modules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving a process event notification from a first process indicating the process event, the first process including the first thread.
  - 3. The computer-implemented method of claim 2, wherein:
    - determining the thread start address comprises querying an operating system of the computing system to determine the thread start address of the first thread.
  - 4. The computer-implemented method of claim 3, wherein:
    - determining whether the first thread is associated with one of more software modules of the plurality comprises determining whether the thread start address is within an address range of the plurality of software modules.
  - 5. The method of claim 4, further comprising:
    - identifying a first software module from the plurality of software modules associated with the first process based on the thread start address;
      
      determining whether the first software module is listed as a legitimate software module; and
      
      generating a security event if the first module is not listed as a legitimate software module.
  - 6. The computer-implemented method of claim 5, wherein:
    - the plurality of software modules is a plurality of shared libraries; and
      
      identifying the plurality of software modules comprises enumerating the plurality of shared libraries.
  - 7. The method of claim 6, wherein:
    - the event notification is a call received from the first process to trigger determining the thread start address.
  - 8. The computer-implemented method of claim 1, further comprising:
    - loading a security agent into a first process upon execution of the first process; and
      
      generating a process event notification by the security agent in response to a thread attach event associated with the first thread.
  - 9. The computer-implemented method of claim 8, wherein:
    - loading the security agent into the first process comprises compiling the security agent as a library and inserting the library into the first process.
  - 10. The computer-implemented method of claim 1, further comprising:
    - forcibly injecting a security agent into a first process associated with the first thread upon execution of the first process; and
      
      generating a process event notification by the security agent in response to a thread attach event associated with the first thread.
  - 11. The computer-implemented method of claim 10, wherein:
    - forcibly injecting the security agent comprises injecting the security agent in the first process through a debugging application programming interface.
  - 12. The computer-implemented method of claim 10, wherein:
    - forcibly injecting the security agent comprises injecting the security agent in the first process through a kernel of the operating system.

13. A computer-implemented method, comprising:
- in response to a process event, determining in a memory a first base address of a first code segment;
  
  loading in the first memory at a second base address a second code segment corresponding to the first code segment;
  
  modifying the second code segment based on the first base address;
  
  comparing the second code segment to the first code segment after modifying the second code segment; and
  
  generating a security event if the first code segment does not match the second code segment.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer-implemented method of claim 13, modifying the second code segment comprises:
    - applying relocations to one or more instructions in the second code segment based on the first base address.
  - 15. The computer-implemented method of claim 14, wherein:
    - comparing the second code segment with the first code segment comprises performing a binary comparison of the first code segment and the second code segment.
  - 16. The computer-implemented method of claim 14, wherein:
    - comparing the second code segment with the first code segment comprises performing a checksum on the first code segment and the second code segment.
  - 17. The computer-implemented method of claim 13, further comprising:
    - generating the security event in response to a failure to load the second code segment.
  - 18. The computer-implemented method of claim 13, further comprising:
    - identifying a first process associated with a first thread in response to an event notification for the process event, the first process being associated with a first copy of a file in the memory including the first code segment;
      
      identifying in a second memory the file; and
      
      wherein loading in the first memory comprises loading a second copy of the file in the first memory at the second base address.

19. A computer-implemented method, comprising:
- in response to an event notification associated with a first thread, determining a thread start address for the first thread;
  
  determining one or more stack addresses allocated for the first thread by an operating system;
  
  determining whether the thread start address is within the one or more stack addresses allocated for the first thread; and
  
  generating a security event if the thread start address is not within the one or more stack addresses allocated for the first thread.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The computer-implemented method of claim 19, further comprising:
    - determining whether a stack pointer is within the one or more stack addresses allocated for the first thread; and
      
      generating a security event if the stack pointer is not within the one or more stack addresses.
  - 21. The computer-implemented method of claim 19, further comprising:
    - in response to the event notification, identifying one or more calling functions associated with the first thread;
      
      loading into a memory a second copy of the one or more calling functions associated with the first thread;
      
      comparing the second copy of the one or more calling functions with a first copy of the one or more calling functions existing in the memory; and
      
      generating a security event if the second copy and the first copy do not match.
  - 22. The computer-implemented method of claim 19, wherein the event notification is a first event notification, the method further comprising:
    - in response to a second event notification associated with the first thread, allowing execution of the first thread without determining a thread start address for the first thread.
  - 23. The computer-implemented method of claim 22, further comprising:
    - determining a first rating associated with the first event notification and a second rating associated with the second event notification.

24. A computer-implemented method, comprising:
- in response to a process event associated with a first thread, determining a thread start address for the first thread;
  
  determining a first execution path of the first thread based on the thread start address;
  
  comparing the first execution path with a plurality of predefined execution paths for an application associated with the first thread; and
  
  generating a security event if the first execution path does not match at least one of the predefined execution paths for the application.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31)
- - 25. The computer-implemented method of claim 24, further comprising:
    - analyzing the application during a training mode to define the plurality of predefined execution paths.
  - 26. The computer-implemented method of claim 24, further comprising:
    - updating a list of the plurality of predefined execution paths based on at least one system call to an operating system.
  - 27. The computer-implemented method of claim 24, wherein the process event is a first process event, the method further comprising:
    - in response to a second process event associated with the first thread, allowing execution of the first thread without comparing the first thread with the plurality of predefined execution paths.
  - 28. The computer-implemented method of claim 27, further comprising:
    - determining that the first process event is associated with a predefined set of operating system functions being called by one or more addresses; and
      
      determining that the second process event is not associated with the predefined set of operating system functions.
  - 29. The computer-implemented method of claim 24, wherein:
    - the process event is a trigger from an operating system associated with the first thread.
  - 30. The computer-implemented method of claim 24, further comprising:
    - attaching one or more debuggers to a plurality of processes associated with an operating system;
      
      modifying the plurality of processes to include a plurality of hooks; and
      
      receiving an event notification corresponding to the process event in response to execution of one or more of the plurality of hooks.
  - 31. The computer-implemented method of claim 24, wherein:
    - the plurality of predefined execution paths are for an application associated with the first thread.

32. An apparatus, comprising:
- a central processing unit;
  
  a memory coupled to the central processing unit, the memory configured to store a plurality of processes for execution by the central processing unit; and
  
  a security circuit coupled to the memory and the central processing unit, the security circuit is configured to access a plurality of instructions associated with a first process and compare an execution path associated with the plurality of instructions with a plurality of predefined executions paths for the first process, the security circuit is configured to block execution of the plurality of instructions in response to the execution path not matching at least one of the predefined execution paths.
- View Dependent Claims (33, 34)
- - 33. The apparatus of claim 32, wherein:
    - the security circuit comprises a random access memory module; and
      
      the random access memory module is configured to block the central processing unit from retrieving the plurality of instructions in response to the execution path not matching at least one of the predefined execution paths.
  - 34. The apparatus of claim 32, wherein:
    - the security circuit is configured to receive from an operating system executed by the central processing unit an identification of a plurality of software modules associated with the operating system;
      
      the security circuit is configured to verify that that the plurality of instructions are associated with at least one of the software modules;
      
      the security circuit is configured to block execution of the plurality of instructions in response to a failure to verify that the plurality of instructions are associated with at least one of the software modules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Guidry, Michael
Original Assignee
Guidry, Michael
Inventors
Guidry, Michael

Application Number

US15/176,726
Publication Number

US 20160357958A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 2221/2149   Restricted operating enviro...

Computer System Security

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Computer System Security

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links