Security monitor

US 5,974,549 A
Filed: 03/27/1997
Issued: 10/26/1999
Est. Priority Date: 03/27/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method of creating a secure sandbox around both a monitored application and one or more software components associated therewith in accordance with a predetermined security policy, said method comprising the steps of:

intercepting a selected set of application programming interface (API) function calls issued by said monitored application by replacing the addresses of all API functions to be intercepted in an import data table associated with said monitored application with addresses of security monitor functions, each security monitor function associated with a different API function;

intercepting API function calls issued by said software component by replacing the addresses of API functions to be intercepted in an import data table associated with said software component with addresses of sub functions, each stub function operative to call a security monitor function associated with a different API function;

intercepting non-API function calls issued by said software component by replacing the addresses of non-API functions to be intercepted in an import data table associated with said software component with addresses of stub functions, each stub function operative to call a security monitor function associated with a different non-API function;

creating a call chain operative to permit distinguishing between function calls made by said software component from function calls made by said monitored application;

blocking intercepted API calls that are forbidden according to the security policy; and

allowing intercepted API calls that are permitted according to the security policy.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is a method of creating a secure sandbox within which a plurality of downloaded software components can execute in a secure manner. The software components can be of any type, e.g., Java, ActiveX, Netscape plugin, etc. The invention implements a security monitor that is injected to the address space of an arbitrary monitored application such as a Web browser, e.g., Internet Explorer, Netscape Navigator, etc. The monitored application then executes in a secure mode in which every software component downloaded executes in a secure sandbox. The security monitor detects when such a software component is downloaded and is operative to create the sandbox around it before it is permitted to execute. If the software component attempts to commit an action that breaches security, it halts the software component'"'"'s execution and issues a warning to the user. The security monitor detects attempted security breaches by the software component in accordance with a user configurable security policy. Such a policy may include limiting file read/write access, access to directories, disk access, creation and the reading/writing of network connections, access to system resources and services and access to the address spaces of other processes.

Citations

19 Claims

1. A method of creating a secure sandbox around both a monitored application and one or more software components associated therewith in accordance with a predetermined security policy, said method comprising the steps of:
- intercepting a selected set of application programming interface (API) function calls issued by said monitored application by replacing the addresses of all API functions to be intercepted in an import data table associated with said monitored application with addresses of security monitor functions, each security monitor function associated with a different API function;
  
  intercepting API function calls issued by said software component by replacing the addresses of API functions to be intercepted in an import data table associated with said software component with addresses of sub functions, each stub function operative to call a security monitor function associated with a different API function;
  
  intercepting non-API function calls issued by said software component by replacing the addresses of non-API functions to be intercepted in an import data table associated with said software component with addresses of stub functions, each stub function operative to call a security monitor function associated with a different non-API function;
  
  creating a call chain operative to permit distinguishing between function calls made by said software component from function calls made by said monitored application;
  
  blocking intercepted API calls that are forbidden according to the security policy; and
  
  allowing intercepted API calls that are permitted according to the security policy.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1, further comprising the step of injecting a security monitor implementing said secure sandbox into the address space of the monitored application.
  - 3. The method according to claim 1, wherein said step of blocking intercepted API calls comprises the step of preventing the execution of API calls that are in said selected set of API function is which have been determined to have originated by said software component and which have been determined to be forbidden according to the security policy.
  - 4. The method according to claim 1, wherein said step of allowing intercepted API calls comprises the step of allowing intercepted API calls that have been determined to have originated by said monitored application and which are permitted according to the security policy.
  - 5. The method according to claim 1, wherein said software component comprises one of the following:
    - ActiveX control, Java component and Netscape Plugin component.

6. A method of monitoring the execution of an application and one or more software component associated therewith in accordance with a predetermined security policy, said method comprising the steps of:
- intercepting a selected set of application programming interface (API) function calls issued by said monitored application by replacing the addresses of all API functions to be intercepted in an import data table associated with said monitored application with addresses of security monitor functions, each security monitor function associated with a different API function;
  
  intercepting API function calls issued by said software component by replacing the addresses of API functions to be intercepted in an import data table associated with said software component with addresses of stub functions, each stub function operative to call a security monitor function associated with a different API function;
  
  intercepting non-API function calls issued by said software component by replacing the addresses of non-API functions to be intercepted in an import data table associated with said software component with addresses of stub functions, each stub function operative to call a security monitor function associated with a different non-API function;
  
  determining whether an intercepted API call issued by said monitored application originated from a non-API call issued by the software component via the generation of a call chain by said software component when a non-API function is called;
  
  blocking intercepted API calls that originated with a non-API call from the software component that are forbidden according to the security policy; and
  
  allowing intercepted API calls that originated with a non-API call from the software component that are permitted according to the security policy.
- View Dependent Claims (7, 8, 9)
- - 7. The method according to claim 6, further comprising the step of injecting a security monitor into the address space of the monitored application.
  - 8. The method according to claim 6, further comprising the step of injecting a security monitor into the address space of said monitored application, said step of injecting comprising the steps of:
    - launching said monitored application suspend mode;
      
      allocating memory in the address space of said monitored application;
      
      copying a loading function to said allocated memory;
      
      creating a thread operative to execute said loading function which in turn functions to load said security monitor;
      
      installing means for the interception of application programming interface (API) function calls made by said monitored application and said software component, and non-API function calls made by said software component;
      
      unsuspending said thread and deallocating memory;
      
      unsuspending said monitored application and permitting it to execute.
  - 9. The method according to claim 6, wherein said software component comprises one of the following:
    - ActiveX control, Java component and Netscape Plugin component.

10. A method of monitoring the execution of application and one or more software components associated therewith in accordance with a predetermined security policy, said method comprising the steps of:
- injecting a security monitor into the address space of said monitored application;
  
  generating a plurality of stub functions corresponding to application programming interface (API) function calls and non-API function calls which are called by the software component;
  
  redirecting all API calls and all non-API calls made by the software component;
  
  redirecting API calls made by said monitored application to said security monitor;
  
  setting a flag when said software component makes a call to either an API function or a non-API function;
  
  redirecting a portion of API calls received by said plurality of stub functions to said security monitor;
  
  redirecting said non-API calls made by the software component to their corresponding non-API functions; and
  
  applying the predetermined security policy to an API call when said flag is set.
- View Dependent Claims (11)
- - 11. The method according to claim 10, wherein said software component comprises one of the following:
    - ActiveX control, Java component and Netscape Plugin component.

12. A method of monitoring the execution of an application and one or more software components associated therewith in accordance with a predetermined security policy, said method comprising the steps of:
- applying interception to the application including all its modules whether loaded initially or during execution thereof;
  
  detecting the loading of a software component external to the application;
  
  applying interception to all calls made by the software component to functions located in other modules; and
  
  applying the security policy to said calls made by the software component.
- View Dependent Claims (13)
- - 13. The method according to claim 12, wherein said software component comprises one of the following:
    - ActiveX control, Java component and Netscape Plugin component.

14. A method of monitoring the execution of an application and one or more software components associated therewith in accordance with a predetermined security policy, said method comprising the steps of:
- installing means for interception within said monitored application including all modules associated therewith whether loaded initially or during execution thereof;
  
  detecting the loading of a sore component external to said monitored application;
  
  installing means for intercepting to all API and non-API function calls made by the software component to functions located in other modules;
  
  setting a flag when a function call is issued by the software component to any function located in another module located external thereto; and
  
  applying the security policy to an API call when said flag is set.
- View Dependent Claims (15, 16)
- - 15. The method according to claim 14, wherein said software component comprises one of the following:
    - ActiveX control, Java component and Netscape Plugin component.
  - 16. The method according to claim 14, wherein said step of detecting comprises the step of detecting one of the API functions from the group consisting of CoGetClassObject(), LoadLibrary() and LoadLibraryEx().

17. A method of creating a secure sandbox around both a monitored application and one or more software components associated therewith in accordance with a predetermined security policy, said method comprising the steps of:
- intercepting a selected set of application programming interface (API) function calls issued by said monitored application by replacing the addresses of all API functions to be intercepted in an import data table associated with said monitored application with addresses of security monitor functions, each security monitor function associated with a different API function;
  
  detecting a load API function call issued by said monitored application;
  
  blocking intercepted API calls that are forbidden according to the security policy; and
  
  allowing intercepted API calls that are permitted according to the security policy.
- View Dependent Claims (18, 19)
- - 18. The method according to claim 17, wherein said load type API function call comprises one API function call from the group consisting of CoGetClassObject(), LoadLibrary() and LoadLibraryEx().
  - 19. The method according to claim 17, further comprising the steps of:
    - upon detention of a load type API function call;
      
      intercepting API function calls issued by said software component by replacing the addresses of API functions to be intercepted an import data table associated with said software component with addresses of stub functions each stub function operative to call a security monitor function associated with a different API function;
      
      intercepting non-API function calls issued by said software component by replacing the addresses of non-API functions to be intercepted in an import data table associated with said software component with addresses of stub functions, each stub function operative to call a security monitor function associated with a different non-API function; and
      
      creating a call chain operative to permit distinguishing between function calls made by said software component from function calls made by said monitored application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Soliton Ltd.
Inventors
Golan, Gilad
Primary Examiner(s)
Kizou, Hassan
Assistant Examiner(s)
NGUYEN, NGUYEN X

Application Number

US08/825,102
Time in Patent Office

943 Days
Field of Search

395/186, 395/187.01, 395/188.01, 395/200.09, 395/425, 395/500, 395/575, 395/600, 395/700, 713/200, 714/47
US Class Current

726/23
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 2221/2149   Restricted operating enviro...

G06F 9/468   Specific access rights for ...

Security monitor

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Security monitor

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links