Peer assembly inspection

US 7,634,806 B2
Filed: 05/30/2002
Issued: 12/15/2009
Est. Priority Date: 05/30/2002
Status: Active Grant

First Claim

Patent Images

1. A method for preventing undesirable behavior by an executable code module received from a potentially untrusted source, the executable code module including one or more independent agents, the executable code module being inspected with an assembler utility to ensure that each of the one or more independent agents receives equal resource treatment during execution within a particular node module, the method comprising:

(i) querying a database to ensure that each independent agent receives equal resource treatment during execution within a particular node module for identifying information corresponding to an executable code module received at a host system;

(ii) when step (i) returns a predetermined result, scanning the code module concerning each independent agent, with the assembler utility for an indication that the code module has a potential to cause undesired behavior in the receiving host when executed, wherein said scanning comprises;

(a) for each type in the code module that is a managed type, enumerating each managed type,(b) for each managed type enumerated in step (a) that contains a member, enumerating each member, and(c) comparing the value of each enumerated managed type and enumerated member to a list of predetermined values and determining the value of at least one of the enumerated managed types and the enumerated member list for the each independent agent as not defined by the assembler utility; and

(iii) when step (ii) finds the indication the code module has the potential to cause undesired behavior in the receiving host when executed, preventing execution of the code module at the receiving host, and otherwise the assembler utility loading executable code for common privilege settings for a set of Application Program Interfaces into the each executable code module.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for preventing undesired behaviors by executable code modules in a peer-to-peer computer system are provided. When a code module is received, an assembly inspection module queries a blacklist for the received code module. When the received code module is found on the blacklist, the computer system prevents execution of the received code module. Each peer includes an assembly inspection module. When the received code module is not found on the blacklist, the assembly inspection module inspects the received executable code module, prior to execution, to determine whether the code module can perform any undesired behaviors. If so, the received code module is added to the blacklist and prevented from executing.

44 Citations

View as Search Results

38 Claims

1. A method for preventing undesirable behavior by an executable code module received from a potentially untrusted source, the executable code module including one or more independent agents, the executable code module being inspected with an assembler utility to ensure that each of the one or more independent agents receives equal resource treatment during execution within a particular node module, the method comprising:
- (i) querying a database to ensure that each independent agent receives equal resource treatment during execution within a particular node module for identifying information corresponding to an executable code module received at a host system;
  
  (ii) when step (i) returns a predetermined result, scanning the code module concerning each independent agent, with the assembler utility for an indication that the code module has a potential to cause undesired behavior in the receiving host when executed, wherein said scanning comprises;
  
  (a) for each type in the code module that is a managed type, enumerating each managed type,(b) for each managed type enumerated in step (a) that contains a member, enumerating each member, and(c) comparing the value of each enumerated managed type and enumerated member to a list of predetermined values and determining the value of at least one of the enumerated managed types and the enumerated member list for the each independent agent as not defined by the assembler utility; and
  
  (iii) when step (ii) finds the indication the code module has the potential to cause undesired behavior in the receiving host when executed, preventing execution of the code module at the receiving host, and otherwise the assembler utility loading executable code for common privilege settings for a set of Application Program Interfaces into the each executable code module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein in step (ii) the predetermined result comprises not finding the identifying information in the database.
  - 3. The method of claim 1, further comprising the step of preventing execution of the code module when step (i) finds in the database the identifying information corresponding to the code module.
  - 4. The method of claim 1, further comprising the step of adding the identifying information to the database when step (ii) finds the indication the code module has the potential to cause undesired behavior in the receiving host when executed.
  - 5. The method of claim 1, wherein in step (ii) the indication comprises a predetermined computer instruction.
  - 6. The method of claim 1, wherein in step (ii) the indication comprises an instruction that initiates use of a system resource.
  - 7. The method of claim 6, wherein the system resource comprises a CPU.
  - 8. The method of claim 6, wherein the system resource comprises spawning a system thread.
  - 9. The method of claim 6, wherein the system resource comprises memory.
  - 10. The method of claim 6, wherein the system resource comprises a user interface.
  - 11. The method of claim 1, wherein the database comprises a blacklist database.
  - 12. The method of claim 1, wherein the identifying information corresponding to the code module comprises a name of a file.
  - 13. The method of claim 1, wherein the identifying information corresponding to the code module comprises a Common Language Runtime strong name.
  - 14. The method of claim 1, wherein step (ii) comprises scanning the code module for any instruction of a plurality of instructions that have the potential to cause undesired behavior in the receiving host when executed, and further comprising:
    - (iv) executing the code module when step (iii) does not find any of the plurality of instructions.
  - 15. The method of claim 1, wherein step (ii) comprises:
    - (a) mapping the code module to a memory;
      
      (b) determining whether a mapped image is valid; and
      
      (c) determining whether code module metadata is well-formed.
  - 16. The method of claim 1, wherein the indication comprises a predetermined managed type.
  - 17. The method of claim 1, wherein the indication comprises a derivative of a predetermined managed type.
  - 18. The method of claim 1, wherein the indication comprises a predetermined constructor.
  - 19. The method of claim 1, wherein the indication comprises a type visibility.

20. A computer system that prevents an executable code module from performing an undesired behavior when executed, comprising:
- a processor;
  
  system memory;
  
  a database storing identifying information corresponding to executable code modules that performs undesired behavior when executed on the computer system;
  
  an assembly inspection module that scans executable code modules received from peer computer systems to determine whether each executable code module has a potential to perform an undesired behavior when executed on the computer system, and wherein for each type used in the received code module that is a managed type the assembly inspection module enumerates each managed type, and wherein for any enumerated managed type used by a received code module containing a member, enumerates each member of each such enumerated managed type;
  
  the system memory storing computer readable instructions that, when executed by the processor, cause the computer system to perform steps comprising;
  
  (i) querying the database for identifying information corresponding to the received executable code module;
  
  (ii) when step (i) returns a predetermined result, causing the assembly inspection module to scan the received executable code module; and
  
  (iii) preventing execution of the received executable code module when the assembly inspection module determines that the received executable code module has the potential to perform an undesired behavior when executed on the computer system.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The system of claim 20, wherein the computer readable instructions, when executed by the processor, further cause the computer system to perform the step of preventing the received executable code module from executing when the identifying information corresponding to the received executable code module is found in the database in step (i).
  - 22. The system of claim 20, wherein in step (ii) the predetermined result comprises not finding the identifying information in the database.
  - 23. The system of claim 20, wherein the computer readable instructions, when executed by the processor, further cause the computer system to perform the step of adding the identifying information to the database when the assembly inspection module determines that the received executable code module has the potential to perform an undesired behavior when executed on the computer system.
  - 24. The computer system of claim 20, wherein the assembly inspection module scans the received executable code module for a predetermined computer executable instruction.
  - 25. The computer system of claim 20, wherein the identifying information corresponding to the received executable code module comprises a name of the received executable code module.
  - 26. The computer system of claim 20, wherein the assembly inspection module scans the received executable code module for any computer executable instruction of a plurality of instructions that have the potential to cause undesired behavior in the computer system when executed, and wherein the computer readable instructions further cause the computer system to perform the step of executing the received executable code module when the assembly inspection module does not find any of the plurality of instructions.
  - 27. The computer system of claim 20, wherein the assembly inspection module scans for a predetermined managed type.
  - 28. The computer system of claim 20, wherein the assembly inspection module scans for any derivative of a predetermined managed type.

29. A computer architecture, comprising:
- a plurality of peer computer systems, each peer comprising an execution shell for running executable code modules, said each execution shell comprising;
  
  a discovery module that detects other peer computing systems;
  
  an interaction module for communicating with other execution shells of other detected peer computing systems; and
  
  an assembly inspection module comprising;
  
  a database of blacklisted agent programs; and
  
  computer readable instructions that, when executed by a processor of each of the peer computer systems, cause the peer computer systems to perform steps comprising;
  
  (i) querying the database for identifying information corresponding to a received executable code module;
  
  (ii) preventing the received executable code module from executing when the identifying information corresponding to the received executable code module is found in the database;
  
  (iii) scanning the received executable code module when the identifying information corresponding to the received executable code module is not found in the database, wherein said scanning comprises;
  
  (a) for each type in the code module that is a managed type enumerating each such managed type;
  
  (b) for each managed type enumerated in step (a) that contains a member enumerating each member; and
  
  (c) comparing the value of each enumerated managed type and enumerated member to a list of predetermined values; and
  
  (iv) adding the identifying information corresponding to the received executable code module when the assembly inspection module determines that the received executable code module has the potential to perform an undesired behavior when executed on the peer computer system.

30. A computer storage media for use at computer system, the computer storage media for implementing a method for preventing undesirable behavior by an executable code module received from a potentially untrusted source, the executable code module including one or more independent agents, the executable code module being inspected to ensure that each of the one or more independent agents receives equal resource treatment during execution within a particular node module, the computer storage media having stored thereon computer-executable instructions that, when executed at a processor, cause the computer system to perform the method, including the following:
- querying a database to ensure that each independent agent receives equal resource treatment during execution within a particular node module for identifying information corresponding to an executable code module received at a host system;
  
  when the query of the database returns a predetermined result, scanning the code module concerning each independent agent for an indication of the code module implementing undesired behavior in the receiving host when executed, scanning the code module including;
  
  enumerating each type in the code module to identify managed types included in the code module;
  
  enumerating the identified managed types to identify each managed type that contains a member;
  
  comparing the value of each identified managed type and identified members to a list of predetermined values;
  
  from the comparisons, determining the value of at least one of the enumerated managed types and the enumerated member list for the each independent agent as not defined by the assembler utility; and
  
  when scanning the code module concerning each independent agent finds an indication of the code module implementing undesired behavior, preventing execution of the code module at the receiving host, and otherwise the assembler utility loading.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38)
- - 31. The computer storage media of claim 30, wherein the indication comprises an instruction that initiates use of a system resource.
  - 32. The computer storage media of claim 31, wherein the system resource comprises a CPU.
  - 33. The computer storage media of claim 31, wherein the system resource comprises spawning a system thread.
  - 34. The computer storage media of claim 31, wherein the system resource comprises memory.
  - 35. The computer storage media of claim 31, wherein the system resource comprises a user interface.
  - 36. The computer storage media of claim 30, wherein the indication comprises a predetermined managed type.
  - 37. The computer storage media of claim 30, wherein the indication comprises a derivative of a predetermined managed type.
  - 38. The computer storage media of claim 30, wherein the indication comprises a type visibility.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Zinda, Eric K., Olson, Erik B.
Primary Examiner(s)
GERGISO, TECHANE

Application Number

US10/157,118
Publication Number

US 20030226033A1
Time in Patent Office

2,756 Days
Field of Search

726/23, 726/22, 713/164, 707/100
US Class Current

726/22
CPC Class Codes

G06F 21/52 during program execution, e...

H04L 63/101 Access control lists [ACL]

Peer assembly inspection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

38 Claims

Specification

Use Cases

Quick Links

Others

Peer assembly inspection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

38 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others