Portion-level in-memory module authentication
First Claim
1. A method of verifying the integrity of a software module, comprising:
- accessing a software module to be executed, said software module comprising a plurality of specific verifiable portions, and portion-level verification data corresponding to each of the specific verifiable portions, wherein said portion-level verification data is pre-computed and pre-stored in association with said software module and said portion level verification data comprises a plurality of hashes of said specific portion, each of said plurality of hashes being based on an anticipated change to a loaded portion of said software module;
- loading into memory a subset of specific verifiable portions from among the plurality of specific verifiable portions of the software module, wherein verification of said subset is required to begin execution of the software module;
- retrieving corresponding portion-level verification data for each specific verifiable portion in the subset;
- using said corresponding portion-level verification data to verify each specific verifiable portion in the subset of said software module as loaded into memory;
- executing, when said subset is verified, a specific verifiable portion of the software module loaded in memory which has not been verified;
- modifying at least one specific verifiable portion to reverse any loading changes implemented by a loader in loading said specific verifiable portion;
- hashing said modified specific verifiable portion; and
- comparing the result of said hash of said modified specific verifiable portion to said corresponding portion-level verification data.
Abstract
Dynamic run-time verification of a module which is loaded in memory (in whole or in part) for execution is enabled by using pre-computed portion-level verification data for portions of the module smaller than the whole (e.g. at the page-level). A portion of the module as loaded into memory for execution can be verified. Pre-computed portion-level verification data is retrieved from storage and used to verify the loaded portions of the executable. Verification data may be, for example, a digitally signed hash of the portion. Where the operating system loader has modified the portion for execution, the modifications are reversed, removing any changes performed by the operating system. If the portion has not been tampered, this will return the portion to its original pre-loaded state. This version is then used to determine validity using the pre-computed portion-level verification. Additionally, during execution of the module, new portions/pages of the module which are loaded can be verified to ensure that they have not been changed, and a list of hot pages of the module can be made, including pages to be continually reverified, in order to ensure that no malicious changes have been made in the module.
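The page-level check described in the abstract, as an added sketch that is not code from the patent: a stand-in loader rebases pointers, and the verifier reverses those fixups on a copy of the page before hashing it against the pre-computed value. SHA-256, the 4 KiB page size, 32-bit pointer fixups, the base addresses and all function names are assumptions; verification of the signature over the stored hashes is omitted.

```python
import hashlib
import hmac
import struct

PAGE = 4096                  # assumed page size
PREFERRED_BASE = 0x10000000  # constructed link-time base address

def build_module():
    """Constructed 2-page image holding two 32-bit absolute pointers."""
    image = bytearray(bytes(range(256)) * (2 * PAGE // 256))
    relocs = [0x10, 0x1008]  # image offsets the loader must fix up
    for off in relocs:
        struct.pack_into("<I", image, off, PREFERRED_BASE + off)
    return bytes(image), relocs

def precompute_page_hashes(image):
    """Build-time step: one hash per page of the unloaded image."""
    return [hashlib.sha256(image[i:i + PAGE]).digest()
            for i in range(0, len(image), PAGE)]

def load(image, relocs, actual_base):
    """Stand-in loader: rebases every pointer by (actual - preferred)."""
    mem = bytearray(image)
    delta = actual_base - PREFERRED_BASE
    for off in relocs:
        (value,) = struct.unpack_from("<I", mem, off)
        struct.pack_into("<I", mem, off, (value + delta) & 0xFFFFFFFF)
    return mem

def verify_page(mem, page_no, relocs, actual_base, page_hashes):
    """Undo the loader's fixups on a copy of one page, then compare hashes."""
    start = page_no * PAGE
    page = bytearray(mem[start:start + PAGE])
    delta = actual_base - PREFERRED_BASE
    for off in relocs:
        # Assumption: a fixup never straddles a page boundary.
        if start <= off <= start + PAGE - 4:
            (value,) = struct.unpack_from("<I", page, off - start)
            struct.pack_into("<I", page, off - start,
                             (value - delta) & 0xFFFFFFFF)
    digest = hashlib.sha256(page).digest()
    return hmac.compare_digest(digest, page_hashes[page_no])
```

Because each page is checked independently, a loop that calls `verify_page` again on selected page numbers gives the periodic "hot page" reverification the abstract mentions.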
24 Claims
11. A computing system, comprising:
- a processor unit; and
- a memory system having stored therein (i) a software module comprising a plurality of specific verifiable portions, and portion-level verification data corresponding to each of the specific verifiable portions, wherein said portion-level verification data is pre-computed and pre-stored in association with said software module, and (ii) program instructions that are executable by the processor unit to perform acts for verifying the integrity of the software module, the acts comprising;
- loading into memory a subset of specific verifiable portions from among the plurality of specific verifiable portions of the software module, wherein verification of said subset is required to begin execution of the software module and portion level verification data comprises a plurality of hashes of said specific portion, each of said plurality of hashes being based on an anticipated change to a loaded portion of said software module;
- retrieving corresponding portion-level verification data for each specific verifiable portion in the subset;
- using said corresponding portion-level verification data to verify each specific verifiable portion in the subset of said software module as loaded into memory; and
- executing, when said subset is verified, a specific verifiable portion of the software module loaded in memory which has not been verified;
- modifying at least one specific verifiable portion to reverse any loading changes implemented by a loader in loading said specific verifiable portion;
- hashing said modified specific verifiable portion; and
- comparing the result of said hash of said modified specific verifiable portion to said corresponding portion-level verification data.
Specification