Cloud-based application whitelisting
DCFirst Claim
1. A computer-implemented method comprising:
- creating and maintaining, by a kernel mode driver executing on a computer system, an in-memory cache including a plurality of entries each of which contain execution authorization information regarding one of a plurality of code modules that have been most recently used by the computer system, said maintaining including adding execution authorization information regarding a newly identified authorized code module or unauthorized code module to an entry of the plurality of entries;
intercepting, by the kernel mode driver, file system or operating system activity relating to a code module;
generating, by the kernel mode driver, a cryptographic hash value of the code module;
determining, by the kernel mode driver, if the code module is authorized to be loaded and executed within the computer system by causing the code module to be authenticated with reference to a multi-level whitelist database architecture, the multi-level whitelist database architecture including a global whitelist database, a local whitelist database and the in-memory cache;
wherein the global whitelist database is stored remote from the computer system, maintained by a trusted third party service provider and contains cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code;
wherein the local whitelist database is created based on the global whitelist, stored local to the computer system and contains at least a subset of the cryptographic hash values contained in the global whitelist database;
wherein said causing the code module to be authenticated includes first consulting the in-memory cache and if execution authorization information for the code module is not present within the in-memory cache, then looking up the generated cryptographic hash value in the local whitelist database and if the generated cryptographic hash value is not found within the local whitelist database, then looking up the generated cryptographic hash value in the global whitelist database;
allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the global whitelist database by causing processing relating to the file system or operating system activity relating to the code module to proceed; and
wherein the kernel mode driver is implemented in one or more processors and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the kernel mode driver that are executable by the one or more processors.
1 Assignment
Litigations
0 Petitions
Accused Products
Abstract
Systems and methods for allowing authorized code to execute on a computer system are provided. According to one embodiment, an in-memory cache is maintained having entries containing execution authorization information regarding recently used modules. After authenticating a module, its execution authorization information is added to the cache. Activity relating to a module is intercepted. A hash value of the module is generated. The module is authenticated with reference to a multi-level whitelist including a global whitelist, a local whitelist and the cache. The authentication includes first consulting the cache and if the module is not found, then looking up its hash value in the local whitelist and if it is not found, then looking it up in the global whitelist. Finally, the module is allowed to be loaded and executed if its hash value matches a hash value of an approved code modules within the global whitelist.
-
Citations
35 Claims
-
1. A computer-implemented method comprising:
-
creating and maintaining, by a kernel mode driver executing on a computer system, an in-memory cache including a plurality of entries each of which contain execution authorization information regarding one of a plurality of code modules that have been most recently used by the computer system, said maintaining including adding execution authorization information regarding a newly identified authorized code module or unauthorized code module to an entry of the plurality of entries; intercepting, by the kernel mode driver, file system or operating system activity relating to a code module; generating, by the kernel mode driver, a cryptographic hash value of the code module; determining, by the kernel mode driver, if the code module is authorized to be loaded and executed within the computer system by causing the code module to be authenticated with reference to a multi-level whitelist database architecture, the multi-level whitelist database architecture including a global whitelist database, a local whitelist database and the in-memory cache; wherein the global whitelist database is stored remote from the computer system, maintained by a trusted third party service provider and contains cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code; wherein the local whitelist database is created based on the global whitelist, stored local to the computer system and contains at least a subset of the cryptographic hash values contained in the global whitelist database; wherein said causing the code module to be authenticated includes first consulting the in-memory cache and if execution authorization information for the code module is not present within the in-memory cache, then looking up the generated cryptographic hash value in the local whitelist database and if the generated cryptographic hash value is not found within the local whitelist database, then looking up the generated cryptographic hash value in the global whitelist database; allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the global whitelist database by causing processing relating to the file system or operating system activity relating to the code module to proceed; and wherein the kernel mode driver is implemented in one or more processors and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the kernel mode driver that are executable by the one or more processors. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A cloud-based application whitelisting system comprising
a kernel mode driver of a computer system implemented in one or more computer processors of the computer system and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the kernel mode driver that are executable by the one or more computer processors, the kernel mode driver operable to perform a method of authenticating code modules prior to allowing the code modules to be executed by the computer system; - and
a multi-level whitelist database architecture including a global whitelist database, a local whitelist database and an in-memory cache, the global whitelist database stored remote from the computer system, maintained by a trusted third party service provider and containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code, the local whitelist database created based on the global whitelist, stored local to the computer system and containing at least a subset of the cryptographic hash values contained in the global whitelist database; and wherein said method comprises; creating and maintaining the in-memory cache, the in-memory cache including a plurality of entries each of which contain execution authorization information regarding one of a plurality of code modules that have been most recently used by the computer system, said maintaining including adding execution authorization information regarding a newly identified authorized code module or unauthorized code module to an entry of the plurality of entries; intercepting file system or operating system activity relating to a code module; generating a cryptographic hash value of the code module; determining if the code module is authorized to be loaded and executed within the computer system by causing the code module to be authenticated with reference to the multi-level whitelist database architecture by first consulting the in-memory cache and if execution authorization information for the code module is not present within the in-memory cache, then looking up the generated cryptographic hash value in the local whitelist database and if the generated cryptographic hash value is not found within the local whitelist database, then looking up the generated cryptographic hash value in the global whitelist database; and allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the global whitelist database by causing processing relating to the file system or operating system activity relating to the code module to proceed. - View Dependent Claims (12, 13, 14, 15)
- and
-
16. A non-transitory program storage device readable by a computer system, tangibly embodying a program of instructions executable by one or more computer processors of the computer system to perform method steps for authenticating code modules prior to allowing the code modules to be executed by the computer system comprising:
- creating and maintaining an in-memory cache including a plurality of entries each of which contain execution authorization information regarding one of a plurality of code modules that have been most recently used by the computer system, said maintaining including adding execution authorization information regarding a newly identified authorized code module or unauthorized code module to an entry of the plurality of entries;
intercepting file system or operating system activity relating to a code module;
generating a cryptographic hash value of the code module;
determining if the code module is authorized to be loaded and executed within the computer system by causing the code module to be authenticated with reference to a multi-level whitelist database architecture, the multi-level whitelist database architecture including a global whitelist database, a local whitelist database and the in-memory cache;
wherein the global whitelist database is stored remote from the computer system, maintained by a trusted third party service provider and contains cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code;
wherein the local whitelist database is created based on the global whitelist, stored local to the computer system and contains at least a subset of the cryptographic hash values contained in the global whitelist database;
wherein said causing the code module to be authenticated includes first consulting the in-memory cache and if execution authorization information for the code module is not present within the in-memory cache, then looking up the generated cryptographic hash value in the local whitelist database and if the generated cryptographic hash value is not found within the local whitelist database, then looking up the generated cryptographic hash value in the global whitelist database; and
allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the global whitelist database by causing processing relating to the file system or operating system activity relating to the code module to proceed. - View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- creating and maintaining an in-memory cache including a plurality of entries each of which contain execution authorization information regarding one of a plurality of code modules that have been most recently used by the computer system, said maintaining including adding execution authorization information regarding a newly identified authorized code module or unauthorized code module to an entry of the plurality of entries;
-
24. A computer-implemented method comprising:
-
intercepting, by a kernel mode driver of the computer system, a first file system or operating system activity relating to a code module; responsive to determining, by the kernel mode driver, the code module is not represented within an in-memory cache, which includes a plurality of entries each of which contain execution authorization information regarding one of a plurality of code modules that have been previously authenticated by the kernel mode driver, calculating, by the kernel mode driver, a cryptographic hash value of the code module; and determining if the code module is authorized to be loaded and executed within the computer system by causing the code module to be authenticated with reference to one or both of a global whitelist database and a local whitelist database based on the calculated cryptographic hash value, wherein the global whitelist database is stored remote from the computer system, maintained by a trusted third party service provider and contains cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code and wherein the local whitelist database is created based on the global whitelist, stored local to the computer system and contains at least a subset of the cryptographic hash values contained in the global whitelist database; if said determining if the code module is authorized results in an affirmative determination, then causing the code module to be loaded and executed within the computer system by allowing processing relating to the file system or operating system activity relating to the code module to proceed; if said determining if the code module is authorized results in a negative determination, then preventing the code module from being loaded and executed within the computer system by causing further processing relating to the file system or operating system activity relating to the code module to stop; adding appropriate execution authorization information regarding the code module to an entry of the plurality of entries of the in-memory cache; intercepting, by the kernel mode driver, a second file system or operating system activity relating to the code module; responsive to locating the entry of the in-memory cache containing execution authorization information regarding the code module, foregoing re-calculation, by the kernel mode driver, of the cryptographic hash value of the code module; and determining whether the code module is authorized to be loaded and executed within the computer system based upon the execution authorization information regarding the code module stored in the in-memory cache responsive to intercepting the first file system or operating system activity relating to the code module; and wherein the kernel mode driver is implemented in one or more processors and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the kernel mode driver that are executable by the one or more processors. - View Dependent Claims (25, 26, 27, 28, 29)
-
-
30. A non-transitory program storage device readable by a computer system, tangibly embodying a program of instructions executable by one or more computer processors of the computer system to perform a method of authenticating code modules prior to allowing the code modules to be executed by the computer system, the method comprising:
-
intercepting, by a kernel mode driver of the computer system, a first file system or operating system activity relating to a code module; responsive to determining, by the kernel mode driver, the code module is not represented within an in-memory cache, which includes a plurality of entries each of which contain execution authorization information regarding one of a plurality of code modules that have been previously authenticated by the kernel mode driver, calculating, by the kernel mode driver, a cryptographic hash value of the code module; and determining if the code module is authorized to be loaded and executed within the computer system by causing the code module to be authenticated with reference to one or both of a global whitelist database and a local whitelist database based on the calculated cryptographic hash value, wherein the global whitelist database is stored remote from the computer system, maintained by a trusted third party service provider and contains cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code and wherein the local whitelist database is created based on the global whitelist, stored local to the computer system and contains at least a subset of the cryptographic hash values contained in the global whitelist database; if said determining if the code module is authorized results in an affirmative determination, then causing the code module to be loaded and executed within the computer system by allowing processing relating to the file system or operating system activity relating to the code module to proceed; if said determining if the code module is authorized results in a negative determination, then preventing the code module from being loaded and executed within the computer system by causing further processing relating to the file system or operating system activity relating to the code module to stop; adding appropriate execution authorization information regarding the code module to an entry of the plurality of entries of the in-memory cache; intercepting, by the kernel mode driver, a second file system or operating system activity relating to the code module; and responsive to locating the entry of the in-memory cache containing execution authorization information regarding the code module, foregoing re-calculation, by the kernel mode driver, of the cryptographic hash value of the code module; and determining whether the code module is authorized to be loaded and executed within the computer system based upon the execution authorization information regarding the code module stored in the in-memory cache responsive to intercepting the first file system or operating system activity relating to the code module. - View Dependent Claims (31, 32, 33, 34, 35)
-
Specification