Sensor for detecting and eliminating inter-process memory breaches in multitasking operating systems

US 7,260,845 B2
Filed: 01/08/2002
Issued: 08/21/2007
Est. Priority Date: 01/09/2001
Status: Expired

First Claim

Patent Images

1. A security method for detecting malicious inter-process memory breaches in a computer using a multi-tasking operating system and having a memory divisible into memory spaces with the memory including a plurality of shared code resource (SCR) stacks, each stack including a plurality of SCRs that while being executed for carrying out the various demands of a plurality of program processes, during computer operation, are organized in specific chain-like structures with specific behaviors and with boundaries between memory spaces for said program processes but with a common physical memory space for a SCR stack, said computer, when carrying out a program process, having the capability of extending an SCR stack by at least one of adding and replacing at least one SCR to the organized chain-like structure of the SCR stack and modifying the SCR stack'"'"'s behavior, said security method comprising the steps of:

(a) creating and storing a knowledge base that is comprised of structure and/or behavior information of each SCR stack during its execution in the memory of the computer;

(b) selecting for continuous monitoring an SCR stack which is being activated and executed by the computer operating system;

(c) implanting a dedicated SCR within said selected and activated SCR stack;

(d) monitoring said selected and activated SCR stack while it is being executed in memory via said dedicated SCR implanted in said selected and activated SCR stack to determine at least one of its structure and behavior;

(e) generating a report by said dedicated SCR in said selected and activated SCR stack while said selected and activated SCR stack is activated and executing, said report being indicative of at least one of the structure and behavior of said selected and activated SCR stack;

(f) transmitting said report for comparison with said stored knowledge base;

(g) comparing the indications of said transmitted report with said knowledge base;

(h) ceasing the activity and execution of said selected and activated SCR stack responsive to any non-matching detected between the indications of said report and said knowledge base to stop any hostile activity resulting in violation of the authenticity, structure and/or behavior of said SCR stack; and

(i) issuing an alert indicative of the hostile activity responsive to ceasing the activity and execution of said selected and activated SCR stack according to step (h).

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a method for detecting and eliminating SCR breach operations by a second party within the memory space allocated to a first party, in a multi-tasking system, which comprises: (a) pre-recording by the first party within a knowledge base the structure and/or behavior of an SCR stack; (b) implanting within the SCR stack a dedicated SCR for reporting on the structure and/or behavior of said SCR stack when the SCR stack is activated; (c) when the SCR stack is activated, comparing the data reported by the dedicated SCR with the pre-recorded stack structure and/or behavior; (d) whenever non-matching in the structure and/or behavior is found, ceasing the activity of the activated stack, and alerting.

45 Citations

View as Search Results

13 Claims

1. A security method for detecting malicious inter-process memory breaches in a computer using a multi-tasking operating system and having a memory divisible into memory spaces with the memory including a plurality of shared code resource (SCR) stacks, each stack including a plurality of SCRs that while being executed for carrying out the various demands of a plurality of program processes, during computer operation, are organized in specific chain-like structures with specific behaviors and with boundaries between memory spaces for said program processes but with a common physical memory space for a SCR stack, said computer, when carrying out a program process, having the capability of extending an SCR stack by at least one of adding and replacing at least one SCR to the organized chain-like structure of the SCR stack and modifying the SCR stack'"'"'s behavior, said security method comprising the steps of:
- (a) creating and storing a knowledge base that is comprised of structure and/or behavior information of each SCR stack during its execution in the memory of the computer;
  
  (b) selecting for continuous monitoring an SCR stack which is being activated and executed by the computer operating system;
  
  (c) implanting a dedicated SCR within said selected and activated SCR stack;
  
  (d) monitoring said selected and activated SCR stack while it is being executed in memory via said dedicated SCR implanted in said selected and activated SCR stack to determine at least one of its structure and behavior;
  
  (e) generating a report by said dedicated SCR in said selected and activated SCR stack while said selected and activated SCR stack is activated and executing, said report being indicative of at least one of the structure and behavior of said selected and activated SCR stack;
  
  (f) transmitting said report for comparison with said stored knowledge base;
  
  (g) comparing the indications of said transmitted report with said knowledge base;
  
  (h) ceasing the activity and execution of said selected and activated SCR stack responsive to any non-matching detected between the indications of said report and said knowledge base to stop any hostile activity resulting in violation of the authenticity, structure and/or behavior of said SCR stack; and
  
  (i) issuing an alert indicative of the hostile activity responsive to ceasing the activity and execution of said selected and activated SCR stack according to step (h).
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. Method according to claim 1 wherein the knowledge base includes at least a list of all of the SCRs within the SCR stack, and the last date of their updating.
  - 3. Method according to claim 1 wherein step (g) comprises using a computer software code to compare SCR stack structure with the expected structure, the comparison comprising at least one of verifying one of the number of SCRs within the activated SCR stack, verifying the chain order of the SCRs within the SCR stack, verifying the time-stamps of the SCRs within the activated SCR stack, verifying the names of the SCRs within the activated SCR stack, verifying a signature of each SCR within the activated SCR stack, verifying the number of bits of each SCR within the activated SCR stack, verifying a checksum of each SCR within the activated SCR stack, verifying the physical path and name of each SCR within the activated SCR stack, verifying the duration of performance of the SCR stack, and verifying the duration of performance of each SCR within the SCR stack.
  - 4. Method according to claim 1 wherein step (g) comprises using a computer software code to compare SCR stack behavior with the expected behavior, the comparison comprising at least one of verifying the I/O devices to which a communication is made when the stack is activated by a specific process, and verifying the I/O addresses to which a communication is made when the stack is activated by a specific process.
  - 5. Method according to claim 1 wherein at least one of the SCRs in the activated SCR stack is a Dynamic Link Library (DLL).
  - 6. Method according to claim 1, including the step of providing software code for controlling the dedicated SCR, wherein said code is a self learning code, which is based on self learned rules.

7. A security apparatus for detecting malicious inter-process memory breaches in a computer using a multi-tasking operating system and having a memory divisible into memory spaces with the memory including a plurality of shared code resource (SCR) stacks, each stack including a plurality of SCRs that while being executed for carrying out the various demands of a plurality of program processes, during computer operation, are organized in specific chain-like structures with specific behaviors and with boundaries between memory spaces for said program processes but with a common physical memory space for a SCR stack, said computer, when carrying out a program process, having the capability of extending an SCR stack by at least one of adding and replacing at least one SCR to the organized chain-like structure of the SCR stack and modifying the SCR stack'"'"'s behavior, said security apparatus comprising:
- (a) a knowledge base that is comprised of structure and/or behavior information of each SCR stack during its execution in the memory of the computer;
  
  (b) a probe in a form of an SCR that is implanted within a selected and activated SCR stack for monitoring said selected and activated SCR stack while the stack is being executed in memory and for generating a report indicative of at least one of the structure and behavior of said selected and activated SCR stack;
  
  (c) a sensor for receiving said report and for comparing indications relating to at least one of the structure and behavior of said selected and activated SCR stack with said stored knowledge base;
  
  (d) means for ceasing the activity and execution of said selected and activated SCR stack responsive to any non-matching detected between the indications of said report and said knowledge base to stop any hostile activity resulting in violation of the authenticity, structure and/or behavior of said SCR stack; and
  
  (e) means for issuing an alert indicative of the hostile activity responsive to ceasing the activity and execution of said selected and activated SCR stack.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. Apparatus according to claim 7, which comprises a separate probe implanted within each selected SCR stack, and a common sensor receiving the report from one or more of the said implanted probes.
  - 9. Apparatus according to claim 7 wherein the knowledge base includes at least a list of all of the SCRs within the SCR stack, and the last date of their updating.
  - 10. Apparatus according to claim 7 including means for executing computer software code to compare an SCR stack structure with the expected structure stored in the knowledge base for a particular SCR stack.
  - 11. Apparatus according to claim 7 including means for executing a computer software code to compare SCR stack behavior with the expected behavior stored in the knowledge base for a particular SCR stack.
  - 12. Apparatus according to claim 7 wherein at least one of the SCRs is a Dynamic Link Library (DLL).
  - 13. Apparatus according to claim 7, wherein said sensor includes software code that is a self learning code, which is based on self learned rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Callahan Cellular LLC (Intellectual Ventures LLC)
Original Assignee
Doron Havazelet, Gabriel Kedma
Inventors
Kedma, Gabriel, Havazelet, Doron
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Moorthy, Aravind K

Application Number

US10/041,429
Publication Number

US 20020099954A1
Time in Patent Office

2,051 Days
Field of Search

713200-205, 395185-186
US Class Current

726/23
CPC Class Codes

G06F 9/468 Specific access rights for ...

Sensor for detecting and eliminating inter-process memory breaches in multitasking operating systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Sensor for detecting and eliminating inter-process memory breaches in multitasking operating systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links