Portion-level in-memory module authentication

US 7,831,838 B2
Filed: 03/05/2004
Issued: 11/09/2010
Est. Priority Date: 03/05/2004
Status: Active Grant

First Claim

Patent Images

1. A method implemented in a computing system of verifying integrity of a software module partially or fully loaded into memory of a computing environment for execution, comprising:

a computing system verifying that said software module to be loaded has not been tampered with by using module-level verification; and

upon verifying that the software module has not been tampered with, the computing systemcreating at least two portion-level verifications, each of said portion-level verifications allowing verification of a portion of said software module as loaded into memory, andusing each of said portion-level verifications to verify a portion of said software module as loaded into memory,wherein said verifying that said software module to be loaded has not been tampered with by using module-level verification comprises taking a hash of the software module not incorporating changes made by an operating system loader and comparing the hash to a previously stored hash of the software module,wherein said creating at least two portion-level verifications comprises identifying two portions of the software module not incorporating changes made by an operating system loader and for each of at least two portions of the software module, modifying the portion to comprise loading changes implemented by an operating system loader in loading the portion, hashing the modified portion, and preserving the hash of the modified portion,wherein a first of the identified two portions of the software module contains secure functionality and a second of the identified two portions of the software module does not contain secure functionality, and wherein said using each of said portion-level verifications to verify a portion of said software module comprises;

for the first of the identified two portions of the software module, prior to beginning executing the software module, the operating system loader loading the portion of said software module, hashing the loaded portion of said software module, comparing a result of hashing the loaded portion of said software module with the preserved hash of the modified portion, andfor the second of the identified two portions of the software module, after beginning execution of the software module, the operating system loader loading the portion of said software module, hashing the loaded portion of said software module, comparing a result of hashing the loaded portion of said software module with the preserved hash of the modified portion; and

for one of the first of the identified two portions and the second of the identified two portions that is identified in a hot list, continually re-verifying.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Dynamic run-time verification of a module which is loaded in memory (in whole or in part) for execution is enabled by storing hashes of smaller portions of the module (e.g. page-level hashes) as they should look when loaded into memory for execution. After an initial authentication is completed, hashes of smaller portions of the module are stored. These hashes consist of the portion of memory as modified by changes which would be made by the operating system loader operating normally. Thus, the hashes can be used to verify that the portion as loaded into memory for execution is 1) a correct copy of the portion of the software module, 2) correctly modified for execution by the processor, and 3) not tampered with since loading. Additionally, during execution of the module, new portions/pages of the module which are loaded can be verified to ensure that they have not been changed, and a list of hot pages of the module can be made, including pages to be continually re-verified, in order to ensure that no changes have been made in the module.

55 Citations

View as Search Results

21 Claims

1. A method implemented in a computing system of verifying integrity of a software module partially or fully loaded into memory of a computing environment for execution, comprising:
- a computing system verifying that said software module to be loaded has not been tampered with by using module-level verification; and
  
  upon verifying that the software module has not been tampered with, the computing systemcreating at least two portion-level verifications, each of said portion-level verifications allowing verification of a portion of said software module as loaded into memory, andusing each of said portion-level verifications to verify a portion of said software module as loaded into memory,wherein said verifying that said software module to be loaded has not been tampered with by using module-level verification comprises taking a hash of the software module not incorporating changes made by an operating system loader and comparing the hash to a previously stored hash of the software module,wherein said creating at least two portion-level verifications comprises identifying two portions of the software module not incorporating changes made by an operating system loader and for each of at least two portions of the software module, modifying the portion to comprise loading changes implemented by an operating system loader in loading the portion, hashing the modified portion, and preserving the hash of the modified portion,wherein a first of the identified two portions of the software module contains secure functionality and a second of the identified two portions of the software module does not contain secure functionality, and wherein said using each of said portion-level verifications to verify a portion of said software module comprises;
  
  for the first of the identified two portions of the software module, prior to beginning executing the software module, the operating system loader loading the portion of said software module, hashing the loaded portion of said software module, comparing a result of hashing the loaded portion of said software module with the preserved hash of the modified portion, andfor the second of the identified two portions of the software module, after beginning execution of the software module, the operating system loader loading the portion of said software module, hashing the loaded portion of said software module, comparing a result of hashing the loaded portion of said software module with the preserved hash of the modified portion; and
  
  for one of the first of the identified two portions and the second of the identified two portions that is identified in a hot list, continually re-verifying.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 11)
- - 2. The method of claim 1, where said portion-level verifications are page-level verifications.
  - 3. The method of claim 1, where said step of using each of said portion-level verifications to verify a portion of said software module as loaded into memory comprises:
    - loading at least part of said software module into memory for execution; and
      
      verifying at least two portions of said software module as loaded into memory using said portion-level verifications.
  - 4. The method of claim 3, where said step of verifying at least two portions of said software module occurs before said software module is executed.
  - 5. The method of claim 1, where said step of using one of said portion-level verifications to verify a portion of said software module as loaded into memory comprises:
    - maintaining a hot list of specific portions of said software module which have been loaded into memory; and
      
      verifying each portion on said hot list using said portion-level verifications.
  - 6. The method of claim 1, where said step of using each of said portion-level verifications to verify a portion of said software module as loaded into memory comprises:
    - verifying at least one portion of said software module containing code related to security functionality before said security functionality is utilized.
  - 7. The method of claim 1, where said step of using each of said portion-level verifications to verify a portion of said software module as loaded into memory comprises:
    - periodically verifying a selected portion from among said at least two portions of said software module.
  - 8. The method of claim 7, where said selected portion is selected randomly from said at least two portions.
  - 9. An article, comprising:
    - at least one of an operating system, a computing memory having stored thereon a plurality of computer-executable instructions, a co-processing device, and a computing device carrying the computer executable instructions for performing the method of claim 1.
  - 11. An article, comprising:
    - at least one of an operating system, a computing memory having stored thereon a plurality of computer-executable instructions, a co-processing device, and a computing device carrying the computer executable instructions for performing the method of claim 1.

10. A computing system adapted to verify integrity of a software module partially or fully loaded into memory of a computing environment for execution, comprising:
- at least one computing processor;
  
  memory communicatively coupled with said at least one computing processor, said memory comprising instructions executable by said at least one computing processor for performing the following;
  
  verifying that said software module being loaded has not been tampered with by using said module-level verification; and
  
  upon verifying that the software has not been tampered with,creating at least two portion-level verifications, each of said portion-level verifications allowing verification of a portion of said software module as loaded into memory, andusing each of said portion-level verifications to verify a portion of said software module as loaded into memory;
  
  wherein said verifying that said software module to be loaded has not been tampered with by using module-level verification comprises taking a hash of the software module not incorporating changes made by an operating system loader and comparing the hash to a previously stored hash of the software module,wherein said creating at least two portion-level verifications comprises identifying two portions of the software module not incorporating changes made by an operating system loader and for each of at least two portions of the software module, modifying the portion to comprise loading changes implemented by a loader in loading the portion, hashing the modified portion, and preserving the hash of the modified portion,wherein a first of the identified two portions of the software module contains secure functionality and a second of the identified two portions of the software module does not contain secure functionality, and wherein using each of said portion-level verifications to verify a portion of said software module as loaded into memory comprises;
  
  for a first of the identified two portions of the software module, prior to beginning executing the software module, the operating system loader loading the portion of said software module, hashing the loaded portion of said software module, comparing a result of hashing the loaded portion of said software module with the preserved hash of the modified portion,andfor the second of the identified two portions of the software module, after beginning execution of the software module, the operating system loader loading the portion of said software module, hashing the loaded portion of said software module, comparing a result of hashing the loaded portion of said software module with the preserved hash of the modified portion; and
  
  for one of the first of the identified two portions and the second of the identified two portions that is identified in a hot list, continually re-verifying;
  
  further wherein said using each of said portion-level verifications to verify a portion of said software module comprises amortizing verifying the at least two-level portion verifications over an application session, andfurther wherein amortizing verifying the at least two-level portion verifications over an application session comprises managing verifying the at least two-level portion verification using a tunable parameter.

12. A computing system adapted to verify integrity of a software module partially or fully loaded into memory of a computing environment for execution, comprising:
- at least one computing processor;
  
  memory communicatively coupled with said at least one computing processor, said memory comprising instructions executable by said at least one computing processor for performing the following;
  
  verifying that said software module being loaded has not been tampered with by using said module-level verification; and
  
  upon verifying that the software has not been tampered with,creating at least two portion-level verifications, each of said portion-level verifications allowing verification of a portion of said software module as loaded into memory, andusing each of said portion-level verifications to verify a portion of said software module as loaded into memory;
  
  wherein said verifying that said software module to be loaded has not been tampered with by using module-level verification comprises taking a hash of the software module not incorporating changes made by an operating system loader and comparing the hash to a previously stored hash of the software module,wherein said creating at least two portion-level verifications comprises identifying two portions of the software module not incorporating changes made by an operating system loader and for each of at least two portions of the software module, modifying the portion to comprise loading changes implemented by a loader in loading the portion, hashing the modified portion, and preserving the hash of the modified portion,wherein a first of the identified two portions of the software module contains secure functionality and a second of the identified two portions of the software module does not contain secure functionality, and wherein using each of said portion-level verifications to verify a portion of said software module as loaded into memory comprises;
  
  for a first of the identified two portions of the software module, prior to beginning executing the software module, the operating system loader loading the portion of said software module, hashing the loaded portion of said software module, comparing a result of hashing the loaded portion of said software module with the preserved hash of the modified portion, andfor the second of the identified two portions of the software module, after beginning execution of the software module, the operating system loader loading the portion of said software module, hashing the loaded portion of said software module, comparing a result of hashing the loaded portion of said software module with the preserved hash of the modified portion; and
  
  for one of the first of the identified two portions and the second of the identified two portions that is identified in a hot list, continually re-verifying;
  
  further wherein said using each of said portion-level verifications to verify a portion of said software module comprises amortizing verifying the at least two-level portion verifications over an application session, andfurther wherein amortizing verifying the at least two-level portion verifications over an application session comprises managing verifying the at least two-level portion verification using a tunable parameter.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The computing system of claim 12, where said portion-level verifications are page-level verifications.
  - 14. The computing system of claim 12, where portion level-verification comprises:
    - loading at least part of said software module into memory for execution; and
      
      verifying at least two portions of said software module as loaded into memory using said portion-level verifications.
  - 15. The computing system of claim 14, where verifying at least two portions of said portions of said software module occurs before said software module is executed.
  - 16. The computing system of claim 12, where using each of the portion-level verifications to verify a portion of said software module as loaded into memory comprises:
    - storing a hot list of specific portions of said software module which have been loaded into memory; and
      
      verifying each portion on said hot list using said portion-level verifications.
  - 17. The computing system of claim 12, where using each of said portion-level verifications to verify a portion of said software module as loaded into memory comprises:
    - verifying at least one portion of said software module containing code related to security functionality before said security functionality is utilized.
  - 18. The computing system of claim 12, where using each of said at least one of said portion-level verifications to verify a portion of said software module comprises:
    - periodically verifying a selected portion from among said at least two portions of said software module.
  - 19. The computing system of claim 18, where said selected portion is selected randomly from said at least two portions.
  - 20. The computing system of claim 18, where said selected portion is selected based on a factor selected from among the following:
    - inclusion of said selected portion on a hot list;
      
      the time elapsed since the portion was last verified; and
      
      whether the portion had previously been verified.

21. An article, comprising:
- a computing memory having stored thereon executable instructions that cause a computing system to perform operations comprising;
  
  verifying that said software module to be loaded has not been tampered with by using module-level verification;
  
  upon verifying that the software module has not been tampered with,creating at least two portion-level verifications, each of said portion-level verifications allowing verification of a portion of said software module as loaded into memory,using each of said portion-level verifications to verify a portion of said software module as loaded into memory,wherein said verifying that said software module to be loaded has not been tampered with by using module-level verification comprises taking a hash of the software module not incorporating changes made by an operating system loader and comparing the hash to a previously stored hash of the software module,wherein said creating at least two portion-level verifications comprises identifying two portions of the software module not incorporating changes made by an operating system loader and for each of at least two portions of the software module, modifying the portion to comprise loading changes implemented by an operating system loader in loading the portion, hashing the modified portion, and preserving the hash of the modified portion,wherein a first of the identified two portions of the software module contains secure functionality and a second of the identified two portions of the software module does not contain secure functionality, and wherein said using each of said portion-level verifications to verify a portion of said software module comprises;
  
  for the first of the identified two portions of the software module, prior to beginning executing the software module, the operating system loader loading the portion of said software module, hashing the loaded portion of said software module, comparing a result of hashing the loaded portion of said software module with the preserved hash of the modified portion, andfor the second of the identified two portions of the software module, after beginning execution of the software module, the operating system loader loading the portion of said software module, hashing the loaded portion of said software module, comparing a result of hashing the loaded portion of said software module with the preserved hash of the modified portion; and
  
  for one of the first of the identified two portions and the second of the identified two portions that is identified in a hot list, continually re-verifying,said using each of said portion-level verifications to verify a portion of said software module comprises amortizing verifying the at least two-level portion verifications over an application session, andsaid portion-level verifications being page-level verifications and including a scheduling arrangement controlling the verification of some or all of the pages in memory using page-level hashes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Marr, Michael David, Brender, Scott A.
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
SHAN, APRIL YING

Application Number

US10/795,068
Publication Number

US 20050198051A1
Time in Patent Office

2,440 Days
Field of Search

713/176, 713/187, 713/191, 717168-178, 726/22, 726/24, 726/25
US Class Current

713/187
CPC Class Codes

G06F 21/52 during program execution, e...

G06F 2221/2125 Just-in-time application of...

Portion-level in-memory module authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Portion-level in-memory module authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others