Proactive computer malware protection through dynamic translation

US 7,636,856 B2
Filed: 12/06/2004
Issued: 12/22/2009
Est. Priority Date: 12/06/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for generating safe program code in response to receiving a request to execute potential malware, the method comprising:

loading an executable into memory to be executed by a hardware processor of a computer system;

dividing the executable into blocks of instructions, wherein a block of instructions has a single entry point and a single exit point, the blocks of instructions including a first block and a second block, wherein the instructions of the first and second block each perform a functionality, wherein properties of the blocks are maintained in a data structure, the properties include an indication whether the instructions of a particular block have been translated into safe instructions;

prior to executing the first block, translating the instructions of the first block into safe instructions that perform the same functionality as the instructions of the first block, and updating the properties of the first block in the data structure to indicate that the instructions of the first block have been translated to safe instructions;

executing the safe instructions of the first block on the hardware processor;

prior to executing the second block, translating the instructions of the second block into safe instructions that perform the same functionality as the instructions of the second block, and updating the properties of the second block in the data structure to indicate that the instructions of the second block have been translated to safe instructions;

commencing to execute the safe instructions of the second block on the hardware processor;

during the execution of the safe instructions of the second block, detecting that the safe instructions of the second block modify the instructions of the first block; and

updating the properties of the first block to indicate that the instructions of the first block have not be translated such that upon attempting to execute the safe instructions of the first block, the modified instructions of the first block will be translated into new safe instructions prior to executing the first block.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention includes a system and method for translating potential malware devices into safe program code. The potential malware is translated from any one of a number of different types of source languages, including, but not limited to, native CPU program code, platform independent .NET byte code, scripting program code, and the like. Then the translated program code is compiled into program code that may be understood and executed by the native CPU. Before and/or during execution, the present invention causes a scanner to search for potential malware stored in memory. If malware is not detected, the computing device causes the CPU to execute the translated program code. However, execution and/or analysis of potential malware may be interrupted if computer memory that stores potential malware is altered during execution. In this instance, the potential malware now stored in memory is translated into safe program code before being executed.

52 Citations

View as Search Results

22 Claims

1. A computer-implemented method for generating safe program code in response to receiving a request to execute potential malware, the method comprising:
- loading an executable into memory to be executed by a hardware processor of a computer system;
  
  dividing the executable into blocks of instructions, wherein a block of instructions has a single entry point and a single exit point, the blocks of instructions including a first block and a second block, wherein the instructions of the first and second block each perform a functionality, wherein properties of the blocks are maintained in a data structure, the properties include an indication whether the instructions of a particular block have been translated into safe instructions;
  
  prior to executing the first block, translating the instructions of the first block into safe instructions that perform the same functionality as the instructions of the first block, and updating the properties of the first block in the data structure to indicate that the instructions of the first block have been translated to safe instructions;
  
  executing the safe instructions of the first block on the hardware processor;
  
  prior to executing the second block, translating the instructions of the second block into safe instructions that perform the same functionality as the instructions of the second block, and updating the properties of the second block in the data structure to indicate that the instructions of the second block have been translated to safe instructions;
  
  commencing to execute the safe instructions of the second block on the hardware processor;
  
  during the execution of the safe instructions of the second block, detecting that the safe instructions of the second block modify the instructions of the first block; and
  
  updating the properties of the first block to indicate that the instructions of the first block have not be translated such that upon attempting to execute the safe instructions of the first block, the modified instructions of the first block will be translated into new safe instructions prior to executing the first block.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the safe instructions of the first and second blocks are stored in a separate location in memory from the executable.
  - 3. The method of claim 1, wherein detecting that the safe instructions of the second block modify the instructions of the first block comprises processing an interrupt.
  - 4. The method of claim 1, wherein the data structure further includes an indication of whether a particular block has been scanned for malware, the method further comprising:
    - prior to executing the first or second blocks, determining whether the block to be executed has been scanned for malware by accessing the properties of the data structure, such that if the properties indicate that the block to be executed has not been scanned, the block is scanned prior to execution and the properties are updated accordingly.
  - 5. The method of claim 1, wherein the data structure further includes an indication of the flow of execution between blocks.
  - 6. The method of claim 1, wherein safe instructions are generated by:
    - generating a set of instructions in an architecture-neutral format that are incapable of implementing malware functionality, the set of instructions providing the same functionality as the instructions from the block; and
      
      compiling the set of instructions composed in the architecture-neutral format into program code that is executable on at least one computing device.
  - 7. The method of claim 1, wherein safe instructions include functionality to perform the following:
    - detect errors that occur during execution;
      
      interrupt execution and call an exception handler; and
      
      store information necessary to resume execution after the exception handler completes execution.

8. A computer-implemented method for generating safe program code in response to receiving a request to execute potential malware, the method comprising:
- loading an executable into memory to be executed by a hardware processor of a computer system;
  
  dividing the executable into blocks of instructions, wherein a block of instructions has a single entry point and a single exit point, the blocks of instructions including a first block, wherein the instructions of the first block perform a functionality, wherein properties of the blocks are maintained in a data structure, the properties include an indication whether the instructions of a particular block have been translated into safe instructions;
  
  prior to executing the first block, translating the instructions of the first block into safe instructions that perform the same functionality as the instructions of the first block, and updating the properties of the first block in the data structure to indicate that the instructions of the first block have been translated to safe instructions;
  
  executing the safe instructions of the first block on the hardware processor;
  
  during the execution of the safe instructions of the first block, detecting that a safe instruction of the first block modifies one or more instructions of the first block that are after the current execution point;
  
  splitting the first block into two blocks, the first split block containing the safe instructions that had already been executed prior to the modification of the one or more instructions, the second split block containing the instructions of the first block after the current execution point including the modified one or more instructions; and
  
  translating the instructions of the second split block into new safe instructions prior to executing the second split block.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the safe instructions are stored in a separate location in memory from the executable.
  - 10. The method of claim 8, wherein detecting that a safe instruction of the first block modifies one or more instructions of the first block that are after the current execution point comprises processing an interrupt.
  - 11. The method of claim 8, wherein the data structure further includes an indication of whether a particular block has been scanned for malware, the method further comprising:
    - prior to executing the first, determining whether the first block has been scanned for malware by accessing the properties of the data structure, such that if the properties indicate that the first block has not been scanned, the first block is scanned prior to execution and the properties are updated accordingly.
  - 12. The method of claim 8, wherein the data structure further includes an indication of the flow of execution between blocks.
  - 13. The method of claim 8, wherein safe instructions are generated by:
    - generating a set of instructions in an architecture-neutral format that are incapable of implementing malware functionality, the set of instructions providing the same functionality as the instructions from the block; and
      
      compiling the set of instructions composed in the architecture-neutral format into program code that is executable on at least one computing device.
  - 14. The method of claim 8, wherein safe instructions include functionality to perform the following:
    - detect errors that occur during execution;
      
      interrupt execution and call an exception handler; and
      
      store information necessary to resume execution after the exception handler completes execution.

15. A computer storage medium storing computer executable instructions which when executed by a processor of a computer system generate safe program code in response to receiving a request to execute potential malware by performing the following:
- loading an executable into memory to be executed by a hardware processor of the computer system;
  
  dividing the executable into blocks of instructions, wherein a block of instructions has a single entry point and a single exit point, the blocks of instructions including a first block and a second block, wherein the instructions of the first and second block each perform a functionality, wherein properties of the blocks are maintained in a data structure, the properties include an indication whether the instructions of a particular block have been translated into safe instructions;
  
  prior to executing the first block, translating the instructions of the first block into safe instructions that perform the same functionality as the instructions of the first block, and updating the properties of the first block in the data structure to indicate that the instructions of the first block have been translated to safe instructions;
  
  executing the safe instructions of the first block on the hardware processor;
  
  prior to executing the second block, translating the instructions of the second block into safe instructions that perform the same functionality as the instructions of the second block, and updating the properties of the second block in the data structure to indicate that the instructions of the second block have been translated to safe instructions;
  
  commencing to execute the safe instructions of the second block on the hardware processor;
  
  during the execution of the safe instructions of the second block, detecting that the safe instructions of the second block modify the instructions of the first block; and
  
  updating the properties of the first block to indicate that the instructions of the first block have not be translated such that upon attempting to execute the safe instructions of the first block, the modified instructions of the first block will be translated into new safe instructions prior to executing the first block.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The computer storage medium of claim 15, wherein the safe instructions of the first and second blocks are stored in a separate location in memory from the executable.
  - 17. The computer storage medium of claim 15, wherein detecting that the safe instructions of the second block modify the instructions of the first block comprises processing an interrupt.
  - 18. The computer storage medium of claim 15, wherein the data structure further includes an indication of whether a particular block has been scanned for malware, the method further comprising:
    - prior to executing the first or second blocks, determining whether the block to be executed has been scanned for malware by accessing the properties of the data structure, such that if the properties indicate that the block to be executed has not been scanned, the block is scanned prior to execution and the properties are updated accordingly.
  - 19. The computer storage medium of claim 15, wherein the data structure further includes an indication of the flow of execution between blocks.
  - 20. The computer storage medium of claim 15, wherein safe instructions are generated by:
    - generating a set of instructions in an architecture-neutral format that are incapable of implementing malware functionality, the set of instructions providing the same functionality as the instructions from the block; and
      
      compiling the set of instructions composed in the architecture-neutral format into program code that is executable on at least one computing device.
  - 21. The computer storage medium of claim 15, wherein safe instructions include functionality to perform the following:
    - detect errors that occur during execution;
      
      interrupt execution and call an exception handler; and
      
      store information necessary to resume execution after the exception handler completes execution.
  - 22. The computer storage medium of claim 15, further comprising:
    - during the execution of the safe instructions of the first block, detecting that a safe instruction of the first block modifies one or more instructions of the first block that are after the current execution point;
      
      splitting the first block into two blocks, the first split block containing the safe instructions that had already been executed prior to the modification of the one or more instructions, the second split block containing the instructions of the first block after the current execution point including the modified one or more instructions; and
      
      translating the instructions of the second split block into new safe instructions prior to executing the second split block.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Stepan, Adrian E, Marinescu, Adrian M, Gheorghescu, Gheorghe Marius
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
SCHWARTZ, DARREN B

Application Number

US11/005,000
Publication Number

US 20060123244A1
Time in Patent Office

1,842 Days
Field of Search

726 22- 26, 714/25, 714/28, 714/29, 714 37- 39, 714 48- 56, 713187-188, 713193-194, 711163-164
US Class Current

713/188
CPC Class Codes

G06F 21/563 by source code analysis

G06F 21/566 Dynamic detection, i.e. det...

Proactive computer malware protection through dynamic translation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Proactive computer malware protection through dynamic translation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links