Dynamic verification of validity of executable code
First Claim
1. A method for protecting a computer from unauthorized code, the computer including at least one processor that executes instructions stored in a memory that is organized into separately addressable pages of memory, the method comprising:
executing a program, the program having a series of computer-executable instructions executed by the at least one processor, the at least one processor residing in a system hardware platform;
verifying that the program is valid using a verification engine including verification instructions for execution on the at least one processor residing in the system hardware platform, the program being valid when the program does not include the unauthorized code, wherein the verification engine resides in a system software layer, the system software layer performing hardware-interface and resource-allocating functions;
ensuring that the program is not executed without also dynamically performing the verifying; and
continuing execution of the program after dynamically performing the verifying by executing the next instruction as long as the verifying determines that the program is valid and generating a protective response when the verifying does not determine that the program is valid;
wherein the verifying that the program is valid comprises executing the verification instructions of the verification engine, the verification instructions causing the at least one processor to perform a method comprising:
identifying the next instruction to be executed in the program;
for the next instruction to be executed in the program, determining an identifying value for a page of memory that contains the next instruction;
determining whether the identifying value satisfies a validation condition, wherein the determining as to whether the identifying value satisfies the validation condition comprises comparing the identifying value of the page of memory with a set of reference values; and
determining that the program is valid only when the validation condition is satisfied.
Abstract
Computer-executable instructions in a computer are verified dynamically, after they have been identified for submission for execution, but before they are actually executed. In particular, for at least one current instruction that has been identified for submission to the processor for execution, an identifying value, for example, a hash value, is determined for a current memory block that contains the current instruction. The identifying value of the current memory block is then compared with a set of reference values. If the identifying value satisfies a validation condition, then execution of the current instruction by the processor is allowed. If the validation condition is not satisfied, then a response is generated: In the common case, execution of the current instruction is not allowed, or some other predetermined measure is taken.
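The check described in the abstract, as an added C example that is not code from the patent or its assignee: the page holding the next instruction is hashed, the result is compared with a set of reference values, and execution is allowed only on a match. It also applies the byte-ignore mask recited in claim 34 and a per-page validated flag along the lines of claim 60; the FNV-1a hash, the 4096-byte page size, clearing the flag on write, and all names (`page_id`, `check_before_execute`, `on_page_write`) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define PAGE_SIZE 4096u /* assumed page size */
enum verdict { ALLOW, RESPOND };

/* Identifying value for one page. FNV-1a is a stand-in chosen for brevity
   (assumption); a deployment would use a cryptographic hash. A set bit i in
   mask means byte i of the page is ignored (claim 34); mask may be NULL. */
static uint64_t page_id(const uint8_t *page, const uint8_t *mask) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < PAGE_SIZE; i++) {
        if (mask && ((mask[i / 8] >> (i % 8)) & 1)) continue;
        h = (h ^ page[i]) * 0x100000001b3ULL;
    }
    return h;
}

struct verifier {
    const uint64_t *refs; size_t nrefs; /* set of reference values */
    uint8_t *validated; size_t npages;  /* per-page "already verified" flag */
};

/* Run before the instruction at addr executes: hash its page unless the page
   is already marked valid, then compare against the reference set. */
static enum verdict check_before_execute(struct verifier *v, const uint8_t *mem,
                                         size_t addr, const uint8_t *mask) {
    size_t pn = addr / PAGE_SIZE;
    if (pn >= v->npages) return RESPOND;          /* unknown page: fail closed */
    if (v->validated[pn]) return ALLOW;
    uint64_t id = page_id(mem + pn * PAGE_SIZE, mask);
    for (size_t i = 0; i < v->nrefs; i++)
        if (v->refs[i] == id) { v->validated[pn] = 1; return ALLOW; }
    return RESPOND;                               /* protective response */
}

/* Assumption: any write to a page clears its flag so it is hashed again. */
static void on_page_write(struct verifier *v, size_t addr) {
    if (addr / PAGE_SIZE < v->npages) v->validated[addr / PAGE_SIZE] = 0;
}

int main(void) {
    static uint8_t mem[PAGE_SIZE]; uint8_t flag = 0; /* constructed sample page */
    uint64_t ref = page_id(mem, NULL);               /* reference taken while clean */
    struct verifier v = { &ref, 1, &flag, 1 };
    int before = check_before_execute(&v, mem, 0, NULL);
    mem[7] = 0xCC; on_page_write(&v, 7);             /* page modified afterwards */
    printf("before=%d after=%d\n", before, check_before_execute(&v, mem, 0, NULL));
    return 0;
}
```

Without the `on_page_write` hook the cached flag would keep allowing a page that was modified after it was verified, so the flag is only as trustworthy as the write tracking behind it.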
71 Claims
34. A method for protecting a computer from unauthorized code, the computer including at least one processor that executes instructions stored in memory that is organized into separately addressable pages of memory, the method comprising:
executing a program, the program having a series of computer-executable instructions;
verifying that the program is valid as the program executes, the program being valid when the program does not include the unauthorized code, the verifying based on a current instruction to be executed when executing the series of instructions in the program;
generating a protective response when the verifying determines that the program is not valid; and
executing the current instruction when the verifying determines that the program is valid;
wherein the verifying that the program is valid comprises:
identifying the current instruction to be executed when executing the series of instructions, the current instruction being one of the series of instructions being executed identified for submission to the processor for execution and not yet executed at a time of the identifying;
for at least the current instruction, computing a hash value as a function of a subset of contents of a current page of memory that contains the current instruction;
determining, during the executing of the series of instructions, whether the hash value satisfies a validation condition by comparing the hash value of the current page of memory with a set of reference values; and
determining that the program is valid when the hash value satisfies the validation condition, and determining that the program is not valid when the hash value does not satisfy the validation condition;
wherein the computing of the hash value comprises applying a mask to the current page of memory, the mask being a data structure that designates at least one byte of the current page of memory to be ignored in the computing of the hash value, the data structure designating less than an entire page of memory so that the hash value is based on only part of the contents of the current page of memory.
Dependent claims: 35
36. A non-transitory machine readable storage medium embodying executable code for protecting a computer from unauthorized code, the computer including at least one processor that executes instructions stored in a memory that is organized into separately addressable pages of memory, the executable code being a verification engine causing the computer to perform a method having operations of:
executing a program, the program having a series of computer-executable instructions executed by the at least one processor, the at least one processor residing in a system hardware platform;
verifying that the program is valid using a verification engine including verification instructions for execution on the at least one processor residing in the system hardware platform, the program being valid when the program does not include the unauthorized code, wherein the verification engine resides in a system software layer, the system software layer performing hardware-interface and resource-allocating functions;
ensuring that the program is not executed without also dynamically performing the verifying, the verifying based on a next instruction to be executed in the series of computer-executable instructions in the program; and
continuing execution of the program as long as the verifying determines that the program is valid and generating a protective response when the verifying does not determine that the program is valid;
wherein the verifying that the program is valid comprises executing the verification instructions of the verification engine, the verification instructions causing the at least one processor to perform a method comprising:
identifying the next instruction of the series of computer-executable instructions to be executed when executing the program;
for the next instruction, and during the execution of the program, determining an identifying value for a page of memory that contains the next instruction;
determining whether the identifying value satisfies a validation condition, wherein the determining as to whether the identifying value satisfies the validation condition comprises comparing the identifying value of the page of memory with a set of reference values; and
determining that the program is valid only when the validation condition is satisfied.
Dependent claims: 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47
48. A method for verifying the validity of instructions in a computer that includes at least one physical processor that executes instructions stored in a memory of the computer, the memory being organized into separately addressable pages of memory, the computer also including system software and verification software residing in a system software layer, the verification software including verification instructions for execution on the at least one physical processor residing in a system hardware platform, the method comprising:
monitoring instructions to be executed by the at least one physical processor under control of the system software layer, the system software layer performing hardware-interface and resource-allocating functions;
as long as the instructions to be executed under control of the system software are stored in one or more pages of memory for which validation is deemed unnecessary, allowing the instructions to be executed under control of the system software on the at least one physical processor; and
detecting that an unvalidated instruction is to be executed under control of the system software, the unvalidated instruction being stored in a page of memory that has not been validated, and, before allowing the unvalidated instruction to execute, attempting to validate the unvalidated by executing the verification instructions of the verification software in the system software layer, the verification instructions causing the at least one physical processor to perform a method comprising:
determining an identifying value for the unvalidated page of memory;
comparing the identifying value of the unvalidated page of memory with a set of reference values;
if the identifying value satisfies a validation condition, allowing execution after satisfying the validation condition, under control of the system software layer, of instructions stored in the unvalidated page of memory; and
if the identifying value does not satisfy the validation condition, generating a response.
Dependent claims: 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59
60. A method for protecting a computer from unauthorized code, the computer including at least one processor that executes instructions stored in a memory, the memory being organized into separately addressable pages of memory, the method comprising:
setting execute permission indicators for the separately addressable pages of memory in a structure, wherein an execute permission indicator for a page of memory indicates whether the page of memory is valid;
executing a program, the program having a series of computer-executable instructions being executed by the at least one processor;
determining when the program attempts to execute an instruction on a page of memory in which an indicator for the page of memory does not indicate that the page of memory is valid;
dynamically verifying that the page of memory is valid, the page of memory being valid when the page of memory does not include unauthorized code; and
continuing execution of the program after dynamically performing the verifying by executing the instruction as long as the verifying determines that the page of memory is valid and generating a protective response when the verifying determines that the program is not valid.
Dependent claims: 61, 62, 63, 64, 65, 66
67. A method for protecting a computer from unauthorized code, the computer including at least one processor that executes instructions stored in a memory, the memory being organized into separately addressable pages of memory, the method comprising:
during execution of a program having a series of computer-executable instructions being executed by the at least one processor, determining one or more pages of memory from the separately addressable pages of memory to translate;
verifying, before the one or more pages of memory are stored in a translation lookaside buffer, that the one or more pages of memory are valid, the one or more pages of memory being valid when the one or more pages of memory do not include unauthorized code;
storing the one or more pages of memory in a translation lookaside buffer;
determining an instruction for execution;
determining if the instruction is found in a page of memory stored in the translation lookaside buffer; and
if the instruction is found in a page of memory stored in the translation lookaside buffer, executing the instruction without verifying of the page of memory.
Dependent claims: 68, 69, 70, 71
Specification