Analytical virtual machine

US 7,657,419 B2
Filed: 11/10/2006
Issued: 02/02/2010
Est. Priority Date: 06/19/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A system for computer code behavior analysis of a target program, the system comprising:

a physical processor of a host real computer system configured to create a behavior record in memory to store behavior flags representative of computer code behavior observed by virtually executing the computer code of the target program under analysis within a virtual machine system, the virtual machine system comprising computer code executed by the physical processor;

a sequencer comprising computer code executed by the physical processor that stores a sequence in which behavior flags are set and reset in the behavior record during virtual execution of the target program under analysis by the virtual machine system; and

computer code executed by the physical processor which simulates memory within the virtual machine system and automatically configured with a memory map of the virtual machine system comprising assigned areas for receiving predetermined types of data from the target program based on a file format of the target program;

computer code executed by the physical processor which simulates an operating system within the virtual machine system, the operating system comprising one or more layered operating system shells that correspond with the memory map so that the virtual machine system in conjunction with the physical processor is capable of executing DOS target programs, the target program under analysis interacting with the memory of the virtual machine system and the operating system of the virtual machine system to generate the behavior flags, the one or more layered operating system shells simulating values of the host real computer system;

execution of the computer code of the target program by the virtual machine system causing the physical processor to set and reset behavior flags in the sequencer that tracks behavior of the target program in response to the simulated values during execution of the target program by the virtual machine system;

wherein the virtual machine system passes data representative of the behavior record to the host real computer system prior to termination of the virtual machine system; and

the host real computer system evaluating the behavior flags and sequence in which the behavior flags are set and reset to determine if the target program contains malicious code.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An analytical virtual machine (AVM) analyzes computer code using a software processor including a register that stores behavior flags indicative of behaviors identified by virtually executing the code within the virtual machine. The AVM includes a sequencer that stores the sequence in which behavior flags are set in the behavior flags register. The AVM analyzes machine performance by emulating execution of the code being analyzed on a fully virtual machine and records the observed behavior. When emulation and analysis are complete, the AVM returns the behavior flags register and sequencer to the real machine and terminates.

Citations

17 Claims

1. A system for computer code behavior analysis of a target program, the system comprising:
- a physical processor of a host real computer system configured to create a behavior record in memory to store behavior flags representative of computer code behavior observed by virtually executing the computer code of the target program under analysis within a virtual machine system, the virtual machine system comprising computer code executed by the physical processor;
  
  a sequencer comprising computer code executed by the physical processor that stores a sequence in which behavior flags are set and reset in the behavior record during virtual execution of the target program under analysis by the virtual machine system; and
  
  computer code executed by the physical processor which simulates memory within the virtual machine system and automatically configured with a memory map of the virtual machine system comprising assigned areas for receiving predetermined types of data from the target program based on a file format of the target program;
  
  computer code executed by the physical processor which simulates an operating system within the virtual machine system, the operating system comprising one or more layered operating system shells that correspond with the memory map so that the virtual machine system in conjunction with the physical processor is capable of executing DOS target programs, the target program under analysis interacting with the memory of the virtual machine system and the operating system of the virtual machine system to generate the behavior flags, the one or more layered operating system shells simulating values of the host real computer system;
  
  execution of the computer code of the target program by the virtual machine system causing the physical processor to set and reset behavior flags in the sequencer that tracks behavior of the target program in response to the simulated values during execution of the target program by the virtual machine system;
  
  wherein the virtual machine system passes data representative of the behavior record to the host real computer system prior to termination of the virtual machine system; and
  
  the host real computer system evaluating the behavior flags and sequence in which the behavior flags are set and reset to determine if the target program contains malicious code.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein the physical processor through running the layered operating system shells identifies a type of operating system intended for the target program that is to be executed by the virtual machine system.
  - 3. The system of claim 1, wherein the physical processor through running the layered operating system shells executes the target program starting at each entry point defined within an entry point table.
  - 4. The system of claim 1, wherein the physical processor through running the layered operating system shells loads a language interpreter.
  - 5. The system of claim 1, wherein the host real computer system terminates the virtual machine system after execution of the target program, thereby removing the target program that was contained within the virtual machine system.

6. A system for computer code behavior analysis of a target program, the system comprising:
- a flag tracker comprising computer code of a virtual machine system executed by a physical processor that stores behavior flags representative of computer code behavior observed by virtually executing the computer code of the target program under analysis within the virtual machine system, the virtual machine system comprising a plurality of computer code executed by the physical processor;
  
  a sequencer comprising computer code of the virtual machine system executed by the physical processor that stores a sequence in which behavior flags are set and reset during virtual execution of the computer code of the target program under analysis within the virtual machine system;
  
  an entry point table comprising computer code of the virtual machine system executed by the physical processor that stores all entry points of the target program under analysis within the virtual machine system;
  
  an interrupter comprising computer code of the virtual machine system executed by the physical processor that stores interrupt vector addresses, pointing at interrupt service routines loaded into physical memory reserved by the virtual machine system when the virtual machine system is initialized;
  
  an I/O simulator comprising computer code of the virtual machine system executed by the physical processor which simulates input and output ports;
  
  virtual memory comprising computer code of the virtual machine system executed by the physical processor which is automatically configured with a map of the virtual machine system comprising assigned areas for receiving predetermined types of data from the target program based on a file format of the target program;
  
  one or more layered operating system simulation shells comprising computer code of the virtual machine system executed by the physical processor that simulate values returned by a real operating system under which the computer code of the target program under analysis is intended to interact, the one or more layered operating system shells corresponding with the map so that the virtual machine system in conjunction with the physical processor is capable of executing DOS target programs;
  
  execution of the computer code of the target program by the virtual machine system causing the physical processor to set and reset behavior flags in the flag tracker which tracks behavior of the target program in response to the simulated values during execution of the target program by the virtual machine system; and
  
  a host real computer system evaluating the behavior flags and sequence in which the behavior flags are set and reset to determine if the target program contains malicious code.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
- - 7. The system of claim 6, wherein the physical processor through running the layered operating system simulation shells executes the computer code of the target program under analysis, or fragments of the computer code of the target program under analysis, starting at each of the entry points defined within the entry point table and produces a behavior pattern comprising a set of behavior flags.
  - 8. The system of claim 6, wherein the physical processor through running the layered operating system simulation shells executes the computer code of the target program under analysis, starting at each entry point defined within the entry point table and produces a sequence in which the behavior flags are set or reset.
  - 9. The system of claim 6, wherein the physical processor through running the operating system simulation shells interprets a high level language within the virtual machine system.
  - 10. The system of claim 9, wherein the physical processor through running the layered operating system simulation shells executes the computer code of the target program under analysis, or fragments of the computer code under analysis, staffing at each of the entry points defined within the entry point table and produces a behavior pattern comprising a set of behavior flags.
  - 11. The system of claim 9, wherein the physical processor through running the layered operating system simulation shells executes the computer code of the target program under analysis, starting at each entry point defined within the entry point table and produces a sequence in which the behavior flags are set or reset.
  - 12. The system of claim 6, wherein the physical processor through running the layered operating system simulation shells executes 32-bit or 64-bit program code and the layered operating system simulation shells respond to application program interface calls.
  - 13. The system of claim 12, wherein the physical processor through running the layered operating system simulation shells executes the computer code of the target program under analysis, or fragments of the computer code of the target program under analysis, starting at each of the entry points defined within the entry point table and produces a behavior pattern comprising a set of behavior flags.
  - 14. The system of claim 12, wherein the physical processor through running the layered operating system simulation shells executes the computer code of the target program under analysis, starting at each entry point defined within the entry point table and produces a sequence in which the behavior flags are set or reset.

15. A computerized method for identifying malicious code in a target program running in a virtual machine of a host computer system, the method comprising:
- automatically configuring a memory map of the virtual machine by assigning areas of the memory map to receive predetermined types of data from the target program based on a file format in order to execute the target program;
  
  constructing the virtual machine from one or more layered operating system shells that correspond with the memory map so that the virtual machine is capable of executing DOS target programs;
  
  simulating values of the virtual machine with the one or more layered operating system shells of the virtual machine;
  
  setting and resetting behavior flags in a register in order to track behavior of the target program in response to the simulated values during execution of the target program by the virtual machine;
  
  forming sequence flag data by storing a sequence in which the behavior flags are set and reset in the register by the target program during execution of the target program by the virtual machine;
  
  passing behavior flag data and sequence flag data from the virtual machine to the host computer system for evaluation after execution of the target program by the virtual machine; and
  
  evaluating the behavior flag data and sequence flag data with the host computer system to determine if the target program contains malicious code.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, further comprising executing the target program by the virtual machine in one of at least three modes of operation based on the file format and control fields within a header of a file.
  - 17. The method of claim 16, wherein a first mode of operation comprises a real mode for executing programs comprising instructions based on DOS, a second mode of operation for executing target programs comprises a high level programming language, and a third mode of operation comprises a protected mode for executing target programs comprising thirty-two bit code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
van der Made, Peter A. J.
Primary Examiner(s)
Rodriguez; Paul L
Assistant Examiner(s)
GUILL, RUSSELL L

Application Number

US11/595,805
Publication Number

US 20070118350A1
Time in Patent Office

1,180 Days
Field of Search

703/22, 726/24
US Class Current

703/22
CPC Class Codes

G06F 11/3612   by runtime analysis perform...

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45537   Provision of facilities of ...

Analytical virtual machine

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Analytical virtual machine

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links