Security monitor
First Claim
1. A method of creating a secure sandbox around both a monitored application and one or more software components associated therewith in accordance with a predetermined security policy, said method comprising the steps of:
- intercepting a selected set of application programming interface (API) function calls issued by said monitored application by replacing the addresses of all API functions to be intercepted in an import data table associated with said monitored application with addresses of security monitor functions, each security monitor function associated with a different API function;
- intercepting API function calls issued by said software component by replacing the addresses of API functions to be intercepted in an import data table associated with said software component with addresses of stub functions, each stub function operative to call a security monitor function associated with a different API function;
- intercepting non-API function calls issued by said software component by replacing the addresses of non-API functions to be intercepted in an import data table associated with said software component with addresses of stub functions, each stub function operative to call a security monitor function associated with a different non-API function;
- creating a call chain operative to permit distinguishing function calls made by said software component from function calls made by said monitored application;
- blocking intercepted API calls that are forbidden according to the security policy; and
- allowing intercepted API calls that are permitted according to the security policy.
Abstract
The present invention is a method of creating a secure sandbox within which a plurality of downloaded software components can execute in a secure manner. The software components can be of any type, e.g., Java, ActiveX, Netscape plugin, etc. The invention implements a security monitor that is injected into the address space of an arbitrary monitored application such as a Web browser, e.g., Internet Explorer, Netscape Navigator, etc. The monitored application then executes in a secure mode in which every software component downloaded executes in a secure sandbox. The security monitor detects when such a software component is downloaded and is operative to create the sandbox around it before it is permitted to execute. If the software component attempts to commit an action that breaches security, it halts the software component's execution and issues a warning to the user. The security monitor detects attempted security breaches by the software component in accordance with a user configurable security policy. Such a policy may include limiting file read/write access, access to directories, disk access, creation and the reading/writing of network connections, access to system resources and services, and access to the address spaces of other processes.
19 Claims
6. A method of monitoring the execution of an application and one or more software components associated therewith in accordance with a predetermined security policy, said method comprising the steps of:
- intercepting a selected set of application programming interface (API) function calls issued by said monitored application by replacing the addresses of all API functions to be intercepted in an import data table associated with said monitored application with addresses of security monitor functions, each security monitor function associated with a different API function;
- intercepting API function calls issued by said software component by replacing the addresses of API functions to be intercepted in an import data table associated with said software component with addresses of stub functions, each stub function operative to call a security monitor function associated with a different API function;
- intercepting non-API function calls issued by said software component by replacing the addresses of non-API functions to be intercepted in an import data table associated with said software component with addresses of stub functions, each stub function operative to call a security monitor function associated with a different non-API function;
- determining whether an intercepted API call issued by said monitored application originated from a non-API call issued by the software component via the generation of a call chain by said software component when a non-API function is called;
- blocking intercepted API calls that originated with a non-API call from the software component that are forbidden according to the security policy; and
- allowing intercepted API calls that originated with a non-API call from the software component that are permitted according to the security policy.
Dependent claims: 7, 8, 9.
10. A method of monitoring the execution of an application and one or more software components associated therewith in accordance with a predetermined security policy, said method comprising the steps of:
- injecting a security monitor into the address space of said monitored application;
- generating a plurality of stub functions corresponding to application programming interface (API) function calls and non-API function calls which are called by the software component;
- redirecting all API calls and all non-API calls made by the software component;
- redirecting API calls made by said monitored application to said security monitor;
- setting a flag when said software component makes a call to either an API function or a non-API function;
- redirecting a portion of API calls received by said plurality of stub functions to said security monitor;
- redirecting said non-API calls made by the software component to their corresponding non-API functions; and
- applying the predetermined security policy to an API call when said flag is set.
Dependent claims: 11.
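The hooking and flag scheme of claims 1, 6 and 10, as an added C example that is not code from the patent: each import table is modelled as a struct of function pointers that the host application or the downloaded component calls through, and the names host, comp, real_open_file, host_save_config and the "/secret" policy are constructed for illustration.

```c
/* Added example, not code from the patent: a user-space model of the
 * import-table hooking in claims 1, 6 and 10. Each "import table" is a
 * struct of function pointers a module calls through; all names are
 * constructed for illustration. */
#include <string.h>

typedef int (*fn_t)(const char *path);
/* Flag raised while a call chain originates in the sandboxed component. */
static int component_flag = 0;
/* Stand-in for an OS API (e.g. file open); always succeeds. */
static int real_open_file(const char *path) { (void)path; return 1; }
/* Security policy: the component may not touch anything under /secret. */
static int policy_allows(const char *path) { return strncmp(path, "/secret", 7) != 0; }

/* Monitor function that replaces the API entry in the host's import table;
 * it enforces the policy only when the call chain started in the component. */
static int monitor_open_file(const char *path) {
    if (component_flag && !policy_allows(path)) return -1; /* blocked: halt and warn */
    return real_open_file(path);
}

/* The host imports the API; the component imports the API plus a non-API
 * helper exported by the host module. */
struct host_imports { fn_t open_file; };
struct comp_imports { fn_t open_file; fn_t save_config; };
static struct host_imports host = { real_open_file };
/* Non-API host function that itself calls the API through the host's table:
 * the path claim 6 must trace back to the component. */
static int host_save_config(const char *path) { return host.open_file(path); }
static struct comp_imports comp = { real_open_file, host_save_config };
/* Stubs installed in the component's table: raise the flag, forward to the
 * monitor or the real non-API target, then restore (safe for nested stubs). */
static int call_flagged(fn_t target, const char *path) {
    int saved = component_flag;
    component_flag = 1;
    int r = target(path);
    component_flag = saved;
    return r;
}
static int stub_open_file(const char *p)   { return call_flagged(monitor_open_file, p); }
static int stub_save_config(const char *p) { return call_flagged(host_save_config, p); }

static void install_hooks(void) {         /* the injected monitor's hooking step */
    host.open_file = monitor_open_file;
    comp.open_file = stub_open_file; comp.save_config = stub_save_config;
}
/* Entry points used by the host and the component; both go through their tables. */
static int host_open(const char *p)      { return host.open_file(p); }
static int component_open(const char *p) { return comp.open_file(p); }
static int component_save(const char *p) { return comp.save_config(p); }
```

Because the flag is saved and restored rather than cleared, a component call that passes through the host's non-API helper and back into the API is still attributed to the component, while the host's own direct calls are never policed.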
12. A method of monitoring the execution of an application and one or more software components associated therewith in accordance with a predetermined security policy, said method comprising the steps of:
- applying interception to the application including all its modules whether loaded initially or during execution thereof;
- detecting the loading of a software component external to the application;
- applying interception to all calls made by the software component to functions located in other modules; and
- applying the security policy to said calls made by the software component.
Dependent claims: 13.
14. A method of monitoring the execution of an application and one or more software components associated therewith in accordance with a predetermined security policy, said method comprising the steps of:
- installing means for interception within said monitored application including all modules associated therewith whether loaded initially or during execution thereof;
- detecting the loading of a software component external to said monitored application;
- installing means for intercepting all API and non-API function calls made by the software component to functions located in other modules;
- setting a flag when a function call is issued by the software component to any function located in another module external thereto; and
- applying the security policy to an API call when said flag is set.
Dependent claims: 15, 16.
17. A method of creating a secure sandbox around both a monitored application and one or more software components associated therewith in accordance with a predetermined security policy, said method comprising the steps of:
- intercepting a selected set of application programming interface (API) function calls issued by said monitored application by replacing the addresses of all API functions to be intercepted in an import data table associated with said monitored application with addresses of security monitor functions, each security monitor function associated with a different API function;
- detecting a load API function call issued by said monitored application;
- blocking intercepted API calls that are forbidden according to the security policy; and
- allowing intercepted API calls that are permitted according to the security policy.
Dependent claims: 18, 19.