Computer system lock-down
Abstract
Systems and methods for allowing authorized code to execute on a computer system are provided. According to one embodiment, a method is provided for locking down a computer system. A customized, local whitelist database is stored within a memory of the computer system. The whitelist database forms a part of an authentication system operable within the computer system and contains therein cryptographic hash values of code modules expressly approved for execution by the computer system. A kernel mode driver of the authentication system intercepts a request to create a process associated with a code module. The authentication system determines whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated against the whitelist database. The authentication system allows the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values.
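The lock-down sequence described in the abstract and claims (inventory the installed code modules, hash them, store the hashes in a local whitelist, intercept execution, allow only on a hash match) modelled in user space, as an added example that is not code from the patent or from any product implementing it. It assumes SHA-256 as the cryptographic hash (the text names none), uses file extensions as a stand-in for deciding what is a code module, and replaces the kernel mode driver with an ordinary function called at the point where a process-creation or image-load request would be intercepted. The module files it hashes are constructed in a temporary directory.

```python
"""User-space model of inventory-then-enforce application whitelisting."""
import hashlib
import os
import shutil
import tempfile

# Assumption: SHA-256 stands in for the unnamed "cryptographic hash".
HASH_ALGO = "sha256"
# Assumption: extension-based test for "code module"; a real driver keys on what
# the loader actually maps (PE/ELF images, drivers) rather than on names.
MODULE_EXTENSIONS = (".exe", ".dll", ".sys")


def hash_module(path: str, algo: str = HASH_ALGO, chunk: int = 1 << 20) -> str:
    """Stream the file through the hash so large images need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class LocalWhitelist:
    """The customized, local whitelist database: approved hashes for this host only."""

    def __init__(self) -> None:
        self.approved: set[str] = set()

    def inventory(self, roots) -> int:
        """Snapshot every code module installed under `roots` right now.

        Everything present at this point in time becomes expressly approved, so
        the snapshot is only as trustworthy as the host it is taken on.
        """
        added = 0
        for root in roots:
            for dirpath, _dirs, files in os.walk(root):
                for name in files:
                    if name.lower().endswith(MODULE_EXTENSIONS):
                        self.approved.add(hash_module(os.path.join(dirpath, name)))
                        added += 1
        return added

    def is_approved(self, digest: str) -> bool:
        return digest in self.approved


def authorize(whitelist: LocalWhitelist, path: str) -> tuple[bool, str]:
    """Decision taken where the kernel mode driver intercepts a process-creation
    or image-load request: hash the module as it is on disk now and allow only
    on an exact match. A module that cannot be hashed cannot be verified, so it
    is denied rather than allowed."""
    try:
        digest = hash_module(path)
    except OSError as exc:
        return False, f"deny: cannot hash {path}: {exc}"
    if whitelist.is_approved(digest):
        return True, f"allow: {digest[:16]}"
    return False, f"deny: {digest[:16]} not in whitelist"


def demo() -> dict[str, bool]:
    """Constructed scenario: two installed modules, then changes after the snapshot."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app.exe")
        lib = os.path.join(root, "helper.dll")
        with open(app, "wb") as f:
            f.write(b"MZ\x90\x00 constructed app image")
        with open(lib, "wb") as f:
            f.write(b"MZ\x90\x00 constructed helper library")

        wl = LocalWhitelist()
        results = {"inventory_size": wl.inventory([root]) == 2}
        results["installed_allowed"] = authorize(wl, app)[0]

        # Copied or renamed module: same bytes, same hash, still allowed; the
        # decision is keyed on content, not on path.
        renamed = os.path.join(root, "renamed.exe")
        shutil.copyfile(app, renamed)
        results["renamed_copy_allowed"] = authorize(wl, renamed)[0]

        # Module dropped after the snapshot: not in the inventory, denied.
        dropped = os.path.join(root, "dropper.exe")
        with open(dropped, "wb") as f:
            f.write(b"MZ\x90\x00 constructed unknown binary")
        results["new_module_denied"] = not authorize(wl, dropped)[0]

        # Approved module patched in place: its hash changes, so it is denied.
        with open(lib, "ab") as f:
            f.write(b"\x90" * 16)
        results["tampered_module_denied"] = not authorize(wl, lib)[0]

        # Missing file: nothing to verify, denied.
        results["missing_denied"] = not authorize(wl, os.path.join(root, "gone.exe"))[0]
        return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

Two properties of the scheme stand out in the model. The snapshot approves whatever is installed when it is taken, so anything already present on the host, wanted or not, is whitelisted; and because matching is by hash rather than by path, renaming or copying an approved module does not bypass the check, but an approved module with a known vulnerability stays approved until the whitelist is rebuilt. A real driver also cannot afford to rehash on every request and would cache per file, invalidating the cache on writes, and the whitelist store and the driver itself have to be protected from modification by the code they police.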
19 Claims
1. A method of locking down a computer system to limit execution of computer program code to only that which can be verified to be approved to run on the computer system, the method comprising:
identifying code modules expressly approved for execution by a computer system by taking an inventory of all code modules currently installed on the computer system at a particular point in time; and
limiting subsequent code module execution by the computer system to those code modules that are included in the inventory by:
calculating cryptographic hash values for each of the code modules that are included in the inventory;
storing within a memory of the computer system a customized, local whitelist database, the customized, local whitelist database forming part of an authentication system operable within the computer system and containing therein the cryptographic hash values of the code modules expressly approved for execution by the computer system;
intercepting, by a kernel mode driver of the authentication system, file system or operating system activity relating to a code module;
determining, by the authentication system, whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated with reference to the customized, local whitelist database;
allowing, by the authentication system, the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database by causing processing relating to the file system or operating system activity relating to the code module to proceed; and
wherein the authentication system is implemented in one or more processors and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the authentication system that are executable by the one or more processors.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. A computer system comprising:
a storage device having tangibly embodied thereon instructions associated with a code module authentication system; and
one or more processors coupled to the storage device and operable to execute the instructions associated with the code module authentication system to perform a method comprising:
identifying code modules expressly approved for execution by a computer system by taking an inventory of all code modules currently installed on the computer system at a particular point in time; and
limiting subsequent code module execution by the computer system to those code modules that are included in the inventory by:
calculating cryptographic hash values for each of the code modules that are included in the inventory;
storing within a memory of the computer system a customized, local whitelist database, the customized, local whitelist database containing therein the cryptographic hash values of the code modules expressly approved for execution by the computer system;
intercepting file system or operating system activity relating to a code module;
determining whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated with reference to the customized, local whitelist database; and
allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database by causing processing relating to the file system or operating system activity relating to the code module to proceed.
Dependent claims: 15, 16, 17, 18
19. A program storage device readable by a computer system, tangibly embodying a program of instructions executable by one or more computer processors of the computer system to perform method steps for allowing authorized code to execute on the computer system comprising:
identifying code modules expressly approved for execution by a computer system by taking an inventory of all code modules currently installed on the computer system at a particular point in time;
limiting subsequent code module execution by the computer system to those code modules that are included in the inventory by:
calculating cryptographic hash values for each of the code modules that are included in the inventory;
storing within a memory of the computer system a customized, local whitelist database, the customized, local whitelist database containing therein the cryptographic hash values of the code modules expressly approved for execution by the computer system;
intercepting a request file system or operating system activity relating to a code module;
determining, by the authentication system, whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated with reference to a customized, local whitelist database stored within a memory of the computer system and containing therein cryptographic hash values of code modules expressly approved for execution by the computer system; and
allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database by causing processing relating to the file system or operating system activity relating to the code module to proceed.