Computer system lock-down

US 7,865,947 B2
Filed: 04/12/2010
Issued: 01/04/2011
Est. Priority Date: 12/03/2004
Status: Active Grant

First Claim

Patent Images

1. A method of locking down a computer system to limit execution of computer program code to only that which can be verified to be approved to run on the computer system, the method comprising:

identifying code modules expressly approved for execution by a computer system by taking an inventory of all code modules currently installed on the computer system at a particular point in time; and

limiting subsequent code module execution by the computer system to those code modules that are included in the inventory by;

calculating cryptographic hash values for each of the code modules that are included in the inventory;

storing within a memory of the computer system a customized, local whitelist database, the customized, local whitelist database forming part of an authentication system operable within the computer system and containing therein the cryptographic hash values of the code modules expressly approved for execution by the computer system;

intercepting, by a kernel mode driver of the authentication system, file system or operating system activity relating to a code module;

determining, by the authentication system, whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated with reference to the customized, local whitelist database;

allowing by the authentication system, the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database by causing processing relating to the file system or operating system activity relating to the code module to proceed; and

wherein the authentication system is implemented in one or more processors and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the authentication system that are executable by the one or more processors.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for allowing authorized code to execute on a computer system are provided. According to one embodiment, a method is provided for locking down a computer system. A customized, local whitelist database is stored with a memory of the computer system. The whitelist database forms a part of an authentication system operable within the computer system and contains therein cryptographic hash values of code modules expressly approved for execution by the computer system. A kernel mode driver of the authentication system intercepts a request to create a process associated with a code module. The authentication system determines whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated against the whitelist database. The authentication system allows the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values.

Citations

19 Claims

1. A method of locking down a computer system to limit execution of computer program code to only that which can be verified to be approved to run on the computer system, the method comprising:
- identifying code modules expressly approved for execution by a computer system by taking an inventory of all code modules currently installed on the computer system at a particular point in time; and
  
  limiting subsequent code module execution by the computer system to those code modules that are included in the inventory by;
  
  calculating cryptographic hash values for each of the code modules that are included in the inventory;
  
  storing within a memory of the computer system a customized, local whitelist database, the customized, local whitelist database forming part of an authentication system operable within the computer system and containing therein the cryptographic hash values of the code modules expressly approved for execution by the computer system;
  
  intercepting, by a kernel mode driver of the authentication system, file system or operating system activity relating to a code module;
  
  determining, by the authentication system, whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated with reference to the customized, local whitelist database;
  
  allowing by the authentication system, the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database by causing processing relating to the file system or operating system activity relating to the code module to proceed; and
  
  wherein the authentication system is implemented in one or more processors and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the authentication system that are executable by the one or more processors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising disallowing, by the authentication system, the code module from being loaded and executed within the computer system if the cryptographic hash value does not match any of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database by causing processing relating to the file system or operating system activity relating to the code module to stop.
  - 3. The method of claim 2, wherein the computer system comprises an end-user workstation within an enterprise.
  - 4. The method of claim 2, further comprising recording, by a user mode service layer of the authentication system, in a software activity database, information associated with the execution and utilization of code modules by the computer system.
  - 5. The method of claim 3, further comprising if the cryptographic hash value does not match any of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database, then causing information regarding the code module to be provided to a system or network administrator via a centralized remote management console associated with the authentication system.
  - 6. The method of claim 3, wherein the customized, local whitelist database additionally contains therein information identifying a set of one or more code modules that are expressly not approved for execution.
  - 7. The method of claim 6, wherein the set of one or more code modules that are not approved for execution include one or more non-work-related software applications which may distract employees from working.
  - 8. The method of claim 6, wherein the set of one or more code modules that are not approved for execution include those associated with one or more of music player applications and gaming applications.
  - 9. The method of claim 1, further comprising receiving, by the authentication system, an update to the customized, local whitelist database from a centralized remote management console.
  - 10. The method of claim 1, wherein the customized, local whitelist database comprises an in-memory data structure and the memory comprises random access memory.
  - 11. The method of claim 1, wherein the memory comprises a mass storage device of the computer system.
  - 12. The method of claim 1, wherein said intercepting, by the kernel mode driver of the authentication system, file system or operating system activity relating to a code module comprises the kernel mode driver hooking low-level operating system application programming interfaces (APIs) to intercept one or more operating system operations of interest including one or more of process creation, module loading and file system input/output activity.
  - 13. The method of claim 1, further comprising verifying, by the authentication system, that the customized, local whitelist database has not been modified in an unauthorized manner by calculating a hash value of the contents of the customized, local whitelist database and comparing the hash value to a predetermined hash value.

14. A computer system comprising:
- a storage device having tangibly embodied thereon instructions associated with a code module authentication system; and
  
  one or more processors coupled to the storage device and operable to execute the instructions associated with the code module authentication system to perform a method comprising;
  
  identifying code modules expressly approved for execution by a computer system by taking an inventory of all code modules currently installed on the computer system at a particular point in time; and
  
  limiting subsequent code module execution by the computer system to those code modules that are included in the inventory by;
  
  calculating cryptographic hash values for each of the code modules that are included in the inventory;
  
  storing within a memory of the computer system a customized, local whitelist database, the customized, local whitelist database containing therein the cryptographic hash values of the code modules expressly approved for execution by the computer system;
  
  intercepting file system or operating system activity relating to a code module;
  
  determining whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated with reference to the customized, local whitelist database; and
  
  allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database by causing processing relating to the file system or operating system activity relating to the code module to proceed.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The computer system of claim 14, wherein the method further comprises disallowing the code module from being loaded and executed within the computer system if the cryptographic hash value does not match any of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database by causing processing relating to the file system or operating system activity relating to the code module to stop.
  - 16. The computer system of claim 15, wherein the computer system comprises an end-user workstation within an enterprise.
  - 17. The computer system of claim 16, wherein the method further comprises if the cryptographic hash value does not match any of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database, then causing information regarding the code module to be provided to a system or network administrator via a centralized remote management console associated with the code module authentication system.
  - 18. The computer system of claim 14, wherein the method further comprises verifying the customized, local whitelist database has not been modified in an unauthorized manner by calculating a hash value of the contents of the customized, local whitelist database and comparing the hash value to a predetermined hash value.

19. A program storage device readable by a computer system, tangibly embodying a program of instructions executable by one or more computer processors of the computer system to perform method steps for allowing authorized code to execute on the computer system comprising:
- identifying code modules expressly approved for execution by a computer system by taking an inventory of all code modules currently installed on the computer system at a particular point in time;
  
  limiting subsequent code module execution by the computer system to those code modules that are included in the inventory by;
  
  calculating cryptographic hash values for each of the code modules that are included in the inventory;
  
  storing within a memory of the computer system a customized, local whitelist database, the customized, local whitelist database containing therein the cryptographic hash values of the code modules expressly approved for execution by the computer system;
  
  intercepting a request file system or operating system activity relating to a code module;
  
  determining, by the authentication system, whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated with reference to a customized, local whitelist database stored within a memory of the computer system and containing therein cryptographic hash values of code modules expressly approved for execution by the computer system; and
  
  allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database by causing processing relating to the file system or operating system activity relating to the code module to proceed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
WhiteCell Software Incorporated
Inventors
Harper, Edwin L., Godwin, Kurt E., Rozga, Anthony A., Fanton, Andrew F., Gandee, John J., Lutton, William H.
Primary Examiner(s)
Truong; Thanhnga B

Application Number

US12/758,793
Publication Number

US 20100287620A1
Time in Patent Office

267 Days
Field of Search

726/16, 726/27, 713/150, 713/165, 713/166
US Class Current

726/16
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/44   Program or device authentic...

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

G06F 2221/033   Test or assess software

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/445   Program loading or initiati...

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/145   the attack involving the pr...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/32   including means for verifyi...

H04L 9/3239   involving non-keyed hash fu...

Y10S 707/99934   Query formulation, input pr...

Y10S 707/99943   Generating database or data...

Y10S 707/99944   Object-oriented database st...

Computer system lock-down

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Computer system lock-down

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links