System and method for inspecting dynamically generated executable code
First Claim
1. A method for protecting a computer from dynamically generated malicious content, comprising:
receiving at a gateway computer content being sent to a client computer for processing, the content including a call to an original function, and the call including an input;
modifying the content at the gateway computer, comprising replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection;
transmitting the modified content from the gateway computer to the client computer;
processing the modified content at the client computer;
transmitting the input to the security computer for inspection when the substitute function is invoked;
modifying the input at the security computer if the input itself includes a call to a second original function with a second input by replacing the call to the second original function with a corresponding call to a second substitute function, the second substitute function being operational to send the second input to the security computer for inspections;
determining at the security computer whether it is safe for the client computer to invoke the original function;
transmitting the modified input from the security computer to the client computer, if the input was modified;
transmitting an indicator of whether it is safe for the client computer to invoke the original function, from the security computer to the client computer; and
invoking the original function at the client computer, only if the indicator received from the security computer indicates that such invocation is safe.
Abstract
A method for protecting a client computer from dynamically generated malicious content, including receiving at a gateway computer content being sent to a client computer for processing, the content including a call to an original function, and the call including an input, modifying the content at the gateway computer, including replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection, transmitting the modified content from the gateway computer to the client computer, processing the modified content at the client computer, transmitting the input to the security computer for inspection when the substitute function is invoked, determining at the security computer whether it is safe for the client computer to invoke the original function with the input, transmitting an indicator of whether it is safe for the client computer to invoke the original function with the input, from the security computer to the client computer, and invoking the original function at the client computer with the input, only if the indicator received from the security computer indicates that such invocation is safe. A system and a computer-readable storage medium are also described and claimed.
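As an added worked example, not code from the patent page or from the patentee, the Node-runnable JavaScript below puts the three roles of the abstract and claim 1 into one process: a gateway content modifier that swaps calls to `eval` and `document.write` for substitute functions, a security computer that inspects each runtime input and rewrites any nested call it finds (the "second original function" step of claim 1), and a client that invokes the original function only when the returned indicator says it is safe. The instrumented function list, the regex rewriter, the `__subst_*` names and the denylist policy are all assumptions made for this example; the patent fixes none of them.

```javascript
// Added example (not from the patent page): gateway / security computer / client roles
// from the abstract and claim 1, run in one process. Every name below is an assumption.

// --- Gateway computer: content modifier ---------------------------------------
// Assumed list of original functions to instrument; the patent does not enumerate them.
const SUBSTITUTES = {
  "eval": "__subst_eval",
  "document.write": "__subst_document_write",
};

// Replace each call to an original function with a call to its substitute.
// A regex rewriter is a simplification chosen for this example; a real gateway
// would parse the script. The leading group refuses to touch `obj.eval(` or an
// already-substituted `__subst_eval(`.
function modifyContent(source) {
  let out = source;
  for (const [original, substitute] of Object.entries(SUBSTITUTES)) {
    const escaped = original.replace(/\./g, "\\.");
    const callSite = new RegExp(`(^|[^\\w.$])${escaped}\\s*\\(`, "g");
    out = out.replace(callSite, `$1${substitute}(`);
  }
  return out;
}

// --- Security computer: input modifier and input inspector ----------------------
// Assumed stand-in policy; the patent leaves the safety determination unspecified.
const UNSAFE_PATTERNS = [/ActiveXObject/, /\.exe\b/i];

// Receives the runtime input of an instrumented call and returns the indicator plus
// the (possibly) modified input. Rewriting the input means a call that only exists
// after string concatenation still reaches the inspector at the next level.
function inspect(originalName, input) {
  const text = String(input);
  const modified = modifyContent(text);
  const safe = !UNSAFE_PATTERNS.some((re) => re.test(text));
  return { originalName, safe, input: modified, wasModified: modified !== text };
}

// --- Client computer --------------------------------------------------------------
// Builds a substitute that transmits its input for inspection and invokes the
// original only when the indicator says it is safe; `trace` records the outcome.
function makeSubstitute(originalName, original, trace) {
  return function substitute(input) {
    const verdict = inspect(originalName, input);
    if (!verdict.safe) {
      trace.blocked.push({ fn: originalName, input: String(input) });
      return undefined;
    }
    trace.invoked.push({ fn: originalName, input: verdict.input });
    return original(verdict.input);
  };
}

// Runs `source` the way the client would after the gateway has modified it and
// returns the gateway output together with what was invoked, blocked and written.
function processContent(source) {
  const trace = { invoked: [], blocked: [], written: [] };
  // DOM stand-in so the example runs under Node; in a browser this is the real document.
  globalThis.document = { write: (html) => trace.written.push(html) };
  // Indirect eval evaluates in global scope, where the substitutes are installed.
  globalThis.__subst_eval = makeSubstitute("eval", (s) => (0, eval)(s), trace);
  globalThis.__subst_document_write =
    makeSubstitute("document.write", (s) => globalThis.document.write(s), trace);
  const modified = modifyContent(source);   // gateway step
  (0, eval)(modified);                       // client processes the modified content
  return { modified, ...trace };
}

// Constructed sample content. Both eval inputs are assembled at run time, so the
// gateway's static rewrite cannot see the nested call or the ActiveXObject reference.
const SAMPLE_CONTENT = [
  `eval("docu" + "ment.write('<p>hello</p>')");`,
  `eval("var sh = new Active" + "XObject('WScript.Shell'); sh.Run('calc.exe');");`,
].join("\n");

const result = processContent(SAMPLE_CONTENT);
console.log(JSON.stringify(result, null, 2));
```

Running it shows the first `eval` input arriving at the inspector as `document.write('<p>hello</p>')`, being rewritten to `__subst_document_write(...)`, and the write itself passing through a second inspection before it happens; the second `eval` is refused and never reaches the real `eval`. The caveat for practice is that interposition of this kind only covers call sites the rewriter recognises: content that reaches the interpreter through an alias such as `window["ev" + "al"]`, the `Function` constructor, or a string argument to `setTimeout` bypasses it unless those entry points are instrumented as well.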
46 Claims

1. A method for protecting a computer from dynamically generated malicious content (independent claim 1, set out in full under First Claim above).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A system for protecting a computer from dynamically generated malicious content, comprising:
a gateway computer, comprising:
  a gateway receiver for receiving content being sent to a client computer for processing, the content including a call to an original function, and the call including an input;
  a content modifier for modifying the received content by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection; and
  a gateway transmitter for transmitting the modified content from the gateway computer to the client computer;
the security computer, comprising:
  a security receiver for receiving the input from the client computer;
  an input modifier for modifying the input if the input itself includes a call to a second original function with a second input by replacing the call to the second original function with a corresponding call to a second substitute function, the second substitute function being operational to send the second input to the security computer for inspections;
  an input inspector for determining whether it is safe for the client computer to invoke the original function; and
  a security transmitter for transmitting the modified input to the client computer, if the input was modified by said input modifier, and for transmitting an indicator of the determining to the client computer; and
a client computer communicating with said gateway computer and with said security computer, comprising:
  a client receiver for receiving the modified content from said gateway computer, for receiving the modified input, if the input was modified by said input modifier, and for receiving the indicator from said security computer;
  a content processor for processing the modified content, and for invoking the original function only if the indicator indicates that such invocation is safe; and
  a client transmitter for transmitting the input to said security computer for inspection, when the substitute function is invoked.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
19. A method for protecting a computer from dynamically generated malicious content, comprising:
receiving content being sent to the computer for processing, the content including a call to an original function, and the call including an input;
modifying the content, comprising replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection;
modifying the input if the input itself includes a call to a second original function with a second input by replacing the call to the second original function with a corresponding call to a second substitute function, the second substitute function being operational to send the second input to the security computer for inspections;
transmitting the modified content to the computer for processing; and
transmitting the modified input to the computer, if the input was modified.
Dependent claims: 20, 21.
22. A system for protecting a computer from dynamically generated malicious content, comprising:
a receiver for receiving content being sent to the computer for processing, the content including a call to an original function, and the call including an input;
a content modifier for modifying the received content by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection;
an input modifier for modifying the input if the input itself includes a call to a second original function with a second input by replacing the call to the second original function with a corresponding call to a second substitute function, the second substitute function being operational to send the second input to the security computer for inspections; and
a transmitter for transmitting the modified content and the modified input, if modified by said input modifier, to the computer.
Dependent claims: 23, 24.
25. A method for protecting a computer from dynamically generated malicious content, comprising:
receiving content being sent to the computer for processing, the content including a call to an original function, and the call including an input;
modifying the content, comprising replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection;
transmitting the modified content to the computer for processing;
receiving the input from the computer;
modifying the input if the input itself includes a call to a second original function with a second input by replacing the call to the second original function with a corresponding call to a second substitute function, the second substitute function being operational to send the second input to the security computer for inspections;
determining whether it is safe for the computer to invoke the original function;
transmitting the modified input to the computer, if the input was modified; and
transmitting to the computer an indicator of whether it is safe for the computer to invoke the original function.
Dependent claims: 26, 27, 28, 29.
30. A system for protecting a computer from dynamically generated malicious content, comprising:
a receiver (i) for receiving content being sent to the computer for processing, the content including a call to an original function, and the call including an input, and (ii) for receiving the input from the computer;
a content modifier for modifying the received content by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection;
an input modifier for modifying the input if the input itself includes a call to a second original function with a second input, by replacing the call to the second original function with a corresponding call to a second substitute function, the second substitute function being operational to send the second input for inspection;
an input inspector for determining whether it is safe for the computer to invoke the original function; and
a transmitter (i) for transmitting the modified content to the computer, (ii) for transmitting the modified input to the computer, if the input was modified by said input modifier, and (iii) for transmitting an indicator of the determining to the computer.
Dependent claims: 31, 32, 33, 34.
35. A method for protecting a computer from dynamically generated malicious content, comprising:
receiving an input from the computer;
modifying the input if the input includes a call to an original function, the call having an input, by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspections;
determining whether it is safe for the computer to invoke a function with the input;
transmitting the modified input to the computer, if the input was modified; and
transmitting an indicator of said determining to the computer.
Dependent claims: 36, 37, 38, 39, 40.
41. A system for protecting a computer from dynamically generated malicious content, comprising:
a receiver for receiving an input from the computer;
an input modifier for modifying the input if the input includes a call to an original function, the call having an input, by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection;
an input inspector for determining whether it is safe for the computer to invoke a function with the input; and
a transmitter for transmitting the modified input, if modified by said input modifier, and an indicator of the determining to the computer.
Dependent claims: 42, 43, 44, 45, 46.

Specification