Sensor for detecting and eliminating inter-process memory breaches in multitasking operating systems
First Claim
1. A security method for detecting malicious inter-process memory breaches in a computer using a multi-tasking operating system and having a memory divisible into memory spaces with the memory including a plurality of shared code resource (SCR) stacks, each stack including a plurality of SCRs that while being executed for carrying out the various demands of a plurality of program processes, during computer operation, are organized in specific chain-like structures with specific behaviors and with boundaries between memory spaces for said program processes but with a common physical memory space for a SCR stack, said computer, when carrying out a program process, having the capability of extending an SCR stack by at least one of adding and replacing at least one SCR to the organized chain-like structure of the SCR stack and modifying the SCR stack's behavior, said security method comprising the steps of:
(a) creating and storing a knowledge base that is comprised of structure and/or behavior information of each SCR stack during its execution in the memory of the computer;
(b) selecting for continuous monitoring an SCR stack which is being activated and executed by the computer operating system;
(c) implanting a dedicated SCR within said selected and activated SCR stack;
(d) monitoring said selected and activated SCR stack while it is being executed in memory via said dedicated SCR implanted in said selected and activated SCR stack to determine at least one of its structure and behavior;
(e) generating a report by said dedicated SCR in said selected and activated SCR stack while said selected and activated SCR stack is activated and executing, said report being indicative of at least one of the structure and behavior of said selected and activated SCR stack;
(f) transmitting said report for comparison with said stored knowledge base;
(g) comparing the indications of said transmitted report with said knowledge base;
(h) ceasing the activity and execution of said selected and activated SCR stack responsive to any non-matching detected between the indications of said report and said knowledge base to stop any hostile activity resulting in violation of the authenticity, structure and/or behavior of said SCR stack; and
(i) issuing an alert indicative of the hostile activity responsive to ceasing the activity and execution of said selected and activated SCR stack according to step (h).
Abstract
The invention relates to a method for detecting and eliminating shared code resource (SCR) breach operations by a second party within the memory space allocated to a first party in a multi-tasking system. The method comprises: (a) pre-recording by the first party, within a knowledge base, the structure and/or behavior of an SCR stack; (b) implanting within the SCR stack a dedicated SCR for reporting on the structure and/or behavior of said SCR stack when the SCR stack is activated; (c) when the SCR stack is activated, comparing the data reported by the dedicated SCR with the pre-recorded stack structure and/or behavior; (d) whenever non-matching in the structure and/or behavior is found, ceasing the activity of the activated stack and alerting.
45 Citations
13 Claims
1. (Independent method claim, reproduced in full under First Claim above.)
Dependent claims: 2, 3, 4, 5, 6 (not reproduced on this page).
7. A security apparatus for detecting malicious inter-process memory breaches in a computer using a multi-tasking operating system and having a memory divisible into memory spaces with the memory including a plurality of shared code resource (SCR) stacks, each stack including a plurality of SCRs that while being executed for carrying out the various demands of a plurality of program processes, during computer operation, are organized in specific chain-like structures with specific behaviors and with boundaries between memory spaces for said program processes but with a common physical memory space for a SCR stack, said computer, when carrying out a program process, having the capability of extending an SCR stack by at least one of adding and replacing at least one SCR to the organized chain-like structure of the SCR stack and modifying the SCR stack's behavior, said security apparatus comprising:
(a) a knowledge base that is comprised of structure and/or behavior information of each SCR stack during its execution in the memory of the computer;
(b) a probe in a form of an SCR that is implanted within a selected and activated SCR stack for monitoring said selected and activated SCR stack while the stack is being executed in memory and for generating a report indicative of at least one of the structure and behavior of said selected and activated SCR stack;
(c) a sensor for receiving said report and for comparing indications relating to at least one of the structure and behavior of said selected and activated SCR stack with said stored knowledge base;
(d) means for ceasing the activity and execution of said selected and activated SCR stack responsive to any non-matching detected between the indications of said report and said knowledge base to stop any hostile activity resulting in violation of the authenticity, structure and/or behavior of said SCR stack; and
(e) means for issuing an alert indicative of the hostile activity responsive to ceasing the activity and execution of said selected and activated SCR stack.
Dependent claims: 8, 9, 10, 11, 12, 13 (not reproduced on this page).
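The following C program is an added illustration of the method of claim 1 and the apparatus of claim 7; it is not code from the patent or its assignee. The SCR stack is modelled as a constructed linked chain of named handlers (a stand-in for a hook or filter chain; the page gives no concrete layout), the knowledge base is a fingerprint over the chain's order, names and handler code addresses (FNV-1a is an assumption), the probe is a dedicated node implanted at the head of the chain, and the sensor halts the chain and raises an alert on any mismatch. The handler names and the rogue SCR are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* One shared code resource (SCR) in a chain: a named handler plus the link to the
 * next SCR. Constructed stand-in for a hook/filter chain; the real layout is not on this page. */
typedef struct scr { const char *name; int (*handler)(int); struct scr *next; } scr_t;

/* Report produced by the implanted probe (steps d-e): the structure it observed. */
typedef struct { uint64_t fingerprint; size_t length; } scr_report_t;

/* Monitor: knowledge base (step a), implanted probe (step c), halt flag (h), alerts (i). */
typedef struct { scr_report_t baseline; scr_t probe; bool halted; unsigned alerts; } scr_monitor_t;
static scr_monitor_t g_mon;   /* one guarded chain is enough for the example */

static uint64_t fnv1a(uint64_t h, const void *p, size_t n) {
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Fingerprint the chain structure: order, name and code address of every SCR.
 * Adding, removing, reordering or replacing an SCR changes the value. */
static scr_report_t scr_fingerprint(const scr_t *head) {
    scr_report_t r = { 0xcbf29ce484222325ULL, 0 };
    for (const scr_t *s = head; s; s = s->next, r.length++) {
        uintptr_t addr = (uintptr_t)s->handler;
        r.fingerprint = fnv1a(r.fingerprint, s->name, strlen(s->name));
        r.fingerprint = fnv1a(r.fingerprint, &addr, sizeof addr);
    }
    return r;
}

/* Sensor (steps f-i): compare the report with the knowledge base; on any mismatch
 * cease execution of the chain and issue an alert. */
static bool scr_sensor(scr_monitor_t *m, scr_report_t rep) {
    if (rep.fingerprint == m->baseline.fingerprint && rep.length == m->baseline.length) return true;
    m->halted = true;
    m->alerts++;
    fprintf(stderr, "ALERT: SCR chain changed (baseline %zu SCRs, observed %zu)\n", m->baseline.length, rep.length);
    return false;
}

/* Probe handler: fingerprint the SCRs behind the probe and report. Passes x through
 * when the chain matches the baseline, returns -1 to stop dispatch otherwise. */
static int scr_probe_handler(int x) {
    return scr_sensor(&g_mon, scr_fingerprint(g_mon.probe.next)) ? x : -1;
}

/* Steps a-c: record the baseline of `head`, then implant the probe in front of it. */
static scr_t *scr_guard(scr_t *head) {
    g_mon.baseline = scr_fingerprint(head);
    g_mon.probe = (scr_t){ "probe", scr_probe_handler, head };
    g_mon.halted = false;
    g_mon.alerts = 0;
    return &g_mon.probe;
}

/* Activate the chain: each SCR receives the previous SCR's result. Handlers return
 * non-negative values; -1 from the probe, or a halted chain, stops dispatch. */
static int scr_dispatch(scr_t *head, int x) {
    for (scr_t *s = head; s && !g_mon.halted; s = s->next)
        if ((x = s->handler(x)) < 0) return -1;
    return g_mon.halted ? -1 : x;
}

/* Constructed chain for the demo: parse -> filter, plus a rogue SCR to splice in. */
static int h_parse(int x)  { return x + 1; }
static int h_filter(int x) { return x * 2; }
static int h_rogue(int x)  { return x; }   /* stand-in for code added by a second party */
static scr_t chain_filter = { "filter", h_filter, NULL };
static scr_t chain_parse  = { "parse",  h_parse,  &chain_filter };
static scr_t rogue        = { "filter", h_rogue,  &chain_filter };   /* same name, different code */

/* Unmodified chain: probe matches, then parse(5) = 6 and filter(6) = 12. */
int demo_clean(void) { return scr_dispatch(scr_guard(&chain_parse), 5); }

/* Breach: after the baseline is recorded a rogue SCR is spliced in behind parse.
 * The probe reports a different structure and the sensor halts the chain. */
int demo_breach(void) {
    scr_t *head = scr_guard(&chain_parse);
    chain_parse.next = &rogue;
    int rc = scr_dispatch(head, 5);
    chain_parse.next = &chain_filter;   /* undo the splice so the demo is repeatable */
    return rc;
}

/* Once halted the chain stays halted, even though its structure has been restored. */
int demo_stays_halted(void) { return scr_dispatch(&g_mon.probe, 5); }
unsigned demo_alerts(void)  { return g_mon.alerts; }

int main(void) {
    printf("clean: %d\n", demo_clean());
    printf("breach: %d\n", demo_breach());
    printf("alerts: %u, after breach: %d\n", demo_alerts(), demo_stays_halted());
    return 0;
}
```

Note that in this example the probe, the sensor and the knowledge base all live in the same memory space as the chain they guard, so a second party that can splice an SCR into the chain can equally patch the probe or overwrite the baseline. Claim 1 separates generating the report (step e) from transmitting it for comparison (step f); in a deployment the comparison and the halt should be performed by a component outside the monitored memory space, such as a separate privileged process or a kernel component, and the probe should be treated only as a reporter.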
Specification