Containment of worms
Abstract
One aspect of the invention is a vulnerability detection mechanism that can detect a large class of attacks through dynamic dataflow analysis. Another aspect of the invention includes self-certifying alerts as the basis for safely sharing knowledge about worms. Another aspect of the invention is a resilient and self-organizing protocol to propagate alerts to all non-infected nodes in a timely fashion, even when under active attack during a worm outbreak. Another aspect of the invention is a system architecture that enables a large number of mutually untrusting computers to collaborate in the task of stopping a previously unknown worm, even when the worm is spreading rapidly and exploiting unknown vulnerabilities in popular software packages.
20 Claims

1. One or more computer readable storage media containing computer readable instructions that, when implemented, perform a method comprising:
a) receiving an instruction to write or store received information in a first portion of a memory of a computing system;
b) associating a first dirty indicator with the first portion of the memory, the first dirty indicator indicating ‘dirty’ if the received information is received from an untrusted source or from a fourth portion of the memory with a fourth dirty indicator indicating ‘dirty’;
c) receiving an instruction to load the received information into a program counter or to execute the received information; and
d) providing an indication of a program vulnerability if the first dirty indicator indicates ‘dirty’.
Dependent claims 2 through 13.

14. A method comprising:
a) maintaining at least one contamination data store which tracks whether a source of a stored value is an untrusted source or a trusted source;
b) before loading the stored value into a program pointer, examining the at least one contamination data store;
c) if the at least one contamination data store indicates that the stored value is from a trusted source, loading the stored value;
d) if the at least one contamination data store indicates that the stored value is from an untrusted source, refusing to automatically load the stored value; and
e) in response to refusing to automatically load the stored value, determining a storage location of the stored value and determining an input source of the stored value from the at least one contamination data store.
Dependent claims 15 through 17.
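Claims 1 and 14 describe the same mechanism from two angles: every byte of memory carries a dirty indicator (the contamination data store), a write from an untrusted source or a copy from dirty memory sets it, and the check fires when a dirty value is about to become the program counter. The following is an added example written for this page, not code from the patent or from Microsoft. It is a toy machine with shadow memory; the layout (buffer at 0, saved return address at 16, receive staging area at 40), the message bytes and the source names are constructed for illustration.

```python
# Added example: shadow-memory taint tracking in the shape of claims 1 and 14.
# Simulation written for this page; not the patent holder's implementation.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One taint record per byte of memory (the "contamination data store" of claim 14(a)).
# None = written from a trusted source; (source_name, offset) = derived from byte
# `offset` of the untrusted input `source_name`.
Taint = Optional[Tuple[str, int]]


@dataclass
class Alert:
    """The indication of claim 1(d), carrying the facts gathered in claim 14(e)."""
    pc_value: int   # attacker-controlled value that was about to enter the program counter
    location: int   # memory address it was loaded from
    source: str     # untrusted input it derives from
    offset: int     # byte offset within that input


class TaintedMachine:
    def __init__(self, size: int = 64) -> None:
        self.mem = bytearray(size)
        self.taint: List[Taint] = [None] * size
        self.pc: Optional[int] = None

    def write_trusted(self, addr: int, data: bytes) -> None:
        """Store from a trusted source (e.g. the program's own code): clears taint."""
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            self.taint[addr + i] = None

    def receive(self, addr: int, data: bytes, source: str) -> None:
        """Claim 1(a)-(b): data from an untrusted source is stored and marked dirty."""
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            self.taint[addr + i] = (source, i)

    def copy(self, dst: int, src: int, n: int) -> None:
        """Claim 1(b), second branch: a copy out of a dirty region is itself dirty."""
        for i in range(n):
            self.mem[dst + i] = self.mem[src + i]
            self.taint[dst + i] = self.taint[src + i]

    def load_pc_from(self, addr: int) -> Optional[Alert]:
        """Claim 1(c)-(d), claim 14(b)-(e): check taint before a value becomes the PC.

        A trusted value is loaded; a dirty one is refused and reported together with
        where it sat and which input byte it came from (first dirty byte wins)."""
        value = int.from_bytes(self.mem[addr:addr + 4], "little")
        for i in range(4):
            t = self.taint[addr + i]
            if t is not None:
                return Alert(pc_value=value, location=addr, source=t[0], offset=t[1])
        self.pc = value
        return None


# Constructed layout of a toy service: 16-byte stack buffer at 0, saved return
# address at 16, 20-byte receive staging area at 40. Addresses are hypothetical.
BUF, RET, STAGING = 0, 16, 40


def run_service(message: bytes, source: str) -> Tuple[Optional[Alert], TaintedMachine]:
    """Receive a message, copy it into the stack buffer unchecked, then 'return'."""
    m = TaintedMachine()
    m.write_trusted(RET, (0x1000).to_bytes(4, "little"))  # legitimate return address
    m.receive(STAGING, message, source)                   # untrusted network input
    m.copy(BUF, STAGING, len(message))                    # the bug: no length check
    return m.load_pc_from(RET), m                          # the 'ret' instruction


def benign_request() -> Optional[int]:
    """An 11-byte request fits the buffer; the trusted return address is loaded."""
    alert, m = run_service(b"GET /index\n", "net-msg-0")
    return None if alert else m.pc


def overflowing_request() -> Optional[Alert]:
    """A 20-byte request overruns the buffer and overwrites the return address."""
    payload = b"A" * 16 + (0xDEADBEEF).to_bytes(4, "little")
    alert, _ = run_service(payload, "net-msg-1")
    return alert
```

The benign run ends with the program counter holding the trusted value; the overflowing run is refused at the `ret` and the resulting `Alert` names the address that held the dirty value and the exact message byte it came from, which is the information claim 14(e) asks for and what a detector would need to describe the attack to other nodes. The check here covers only the "load into program counter" case of claim 1(c); a real implementation also has to instrument other control transfers and track taint through arithmetic, which this simulation leaves out.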

18. One or more computer readable storage media containing computer executable components comprising:
a) means for detecting a worm attack using dynamic data flow analysis;
b) means for generating an alert, in response to a detection of a worm attack; and
c) means for distributing the alert, in response to generation of the alert.
Dependent claims 19 and 20.