Selective authorization of the loading of dependent code modules by running processes

US 8,151,109 B2
Filed: 03/11/2011
Issued: 04/03/2012
Est. Priority Date: 12/03/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

intercepting, by a kernel mode driver of a computer system, file system or operating system activity relating to a first code module initiated by a running process associated with a second code module;

selectively authorizing, by the kernel mode driver, loading of the first code module by the running process based at least in part on one or more attributes of the second code module, wherein said selectively authorizing comprises determining whether the second code module comprises a script interpreter;

if said determining whether the second code module comprises a script interpreter results in an affirmative determination, then authenticating a cryptographic hash value of the first code module with reference to a multi-level whitelist, the multi-level whitelist comprising (i) a global whitelist database remote from the computer system and maintained by a trusted service provider, the global whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code and (ii) a local whitelist database containing cryptographic hash values of at least a subset of the approved code modules; and

wherein the kernel mode driver is implemented in one or more processors and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the kernel mode driver that are executable by the one or more processors.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for selective authorization of dependent code modules are provided. According to one embodiment, file system or operating system activity relating to a first code module is initiated by a running process associated with a second code module. The file system or operating system activity is intercepted by a kernel mode driver of a computer system. The kernel mode driver selectively authorizes loading of the first code module by the running process based at least in part on one or more attributes of the second code module.

Citations

40 Claims

1. A method comprising:
- intercepting, by a kernel mode driver of a computer system, file system or operating system activity relating to a first code module initiated by a running process associated with a second code module;
  
  selectively authorizing, by the kernel mode driver, loading of the first code module by the running process based at least in part on one or more attributes of the second code module, wherein said selectively authorizing comprises determining whether the second code module comprises a script interpreter;
  
  if said determining whether the second code module comprises a script interpreter results in an affirmative determination, then authenticating a cryptographic hash value of the first code module with reference to a multi-level whitelist, the multi-level whitelist comprising (i) a global whitelist database remote from the computer system and maintained by a trusted service provider, the global whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code and (ii) a local whitelist database containing cryptographic hash values of at least a subset of the approved code modules; and
  
  wherein the kernel mode driver is implemented in one or more processors and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the kernel mode driver that are executable by the one or more processors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising allowing the running process to read the first code module if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the multi-level whitelist.
  - 3. The method of claim 1, wherein the first code module comprises a non-executable code module.
  - 4. The method of claim 3, wherein the first code module comprises a script file.
  - 5. The method of claim 3, wherein the first code module comprises a Java applet.
  - 6. The method of claim 3, wherein the first code module comprises a visual basic script.
  - 7. The method of claim 3, wherein the first code module comprises a JavaScript.
  - 8. The method of claim 1, wherein the cryptographic hash value is computed using Message Digest #5 (MD-5).
  - 9. The method of claim 1, wherein the cryptographic hash value is computed using a Secure Hash Algorithm (SHA).
  - 10. The method of claim 9, wherein the cryptographic hash value is computed using SHA-1.
  - 11. The method of claim 9, wherein the cryptographic hash value is computed using SHA-256.
  - 12. The method of claim 1, wherein said intercepting file system or operating system activity relating to a first code module comprises monitoring operating system process creation or module load activity.
  - 13. The method of claim 12, wherein the kernel mode driver is configured for operation within a Microsoft Windows operating system.
  - 14. The method of claim 13, wherein said intercepting file system or operating system activity relating to a first code module comprises an operating system module load activity monitor intercepting module load activity by running processes within the computer system by hooking to a Windows CreateSection API call and temporarily turning control over to the kernel mode driver.
  - 15. The method of claim 14, wherein the first code module comprises an executable code module.
  - 16. The method of claim 15, wherein the first code module comprises a dynamically-linked library file.

17. A code execution authorization system comprising:
- a kernel mode driver of a computer system implemented in one or more computer processors of the computer system and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the kernel mode driver that are executable by the one or more computer processors, the kernel mode driver operable to perform a method of authenticating dependent code modules requested to be loaded by processes running on the computer system comprising;
  
  intercepting file system or operating system activity relating to a first code module initiated by a running process associated with a second code module;
  
  selectively authorizing loading of the first code module by the running process based at least in part on one or more attributes of the second code module, wherein said selectively authorizing comprises determining whether the second code module comprises a script interpreter; and
  
  if said determining whether the second code module comprises a script interpreter results in an affirmative determination, then authenticating a cryptographic hash value of the first code module with reference to a multi-level whitelist, the multi-level whitelist comprising (i) a global whitelist database remote from the computer system and maintained by a trusted service provider, the global whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code and (ii) a local whitelist database containing cryptographic hash values of at least a subset of the approved code modules.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 33, 34, 35, 36)
- - 18. The code execution authorization system of claim 17, further comprising allowing the running process to read the first code module if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the multi-level whitelist.
  - 19. The code execution authorization system of claim 17, wherein the first code module comprises a non-executable code module.
  - 20. The code execution authorization system of claim 17, wherein the cryptographic hash value is computed using Message Digest #5 (MD-5) or a Secure Hash Algorithm (SHA).
  - 21. The code execution authorization system of claim 17, wherein the kernel mode driver is configured for operation within a Microsoft Windows operating system.
  - 22. The code execution authorization system of claim 21, wherein said intercepting file system or operating system activity relating to a first code module comprises an operating system module load activity monitor intercepting module load activity by running processes within the computer system by hooking to a Windows CreateSection API call and temporarily turning control over to the kernel mode driver.
  - 23. The code execution authorization system of claim 22, wherein the first code module comprises an executable code module.
  - 24. The code execution authorization system of claim 23, wherein the first code module comprises a dynamically-linked library file.
  - 33. The code execution authorization system of claim 19, wherein the first code module comprises a script file.
  - 34. The code execution authorization system of claim 19, wherein the first code module comprises a Java applet.
  - 35. The code execution authorization system of claim 19, wherein the first code module comprises a visual basic script.
  - 36. The code execution authorization system of claim 19, wherein the first code module comprises a JavaScript.

25. A non-transitory program storage device readable by a computer system, tangibly embodying a program of instructions executable by one or more computer processors of the computer system to perform method steps for authenticating dependent code modules requested to be loaded by processes running on the computer system comprising:
- intercepting file system or operating system activity relating to a first code module initiated by a running process associated with a second code module;
  
  selectively authorizing loading of the first code module by the running process based at least in part on one or more attributes of the second code module, wherein said selectively authorizing comprises determining whether the second code module comprises a script interpreter; and
  
  if said determining whether the second code module comprises a script interpreter results in an affirmative determination, then authenticating a cryptographic hash value of the first code module with reference to a multi-level whitelist, the multi-level whitelist comprising (i) a global whitelist database remote from the computer system and maintained by a trusted service provider, the global whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code and (ii) a local whitelist database containing cryptographic hash values of at least a subset of the approved code modules.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 37, 38, 39, 40)
- - 26. The non-transitory program storage device of claim 25, further comprising allowing the running process to read the first code module if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the multi-level whitelist.
  - 27. The non-transitory program storage device of claim 25, wherein the first code module comprises a non-executable code module.
  - 28. The non-transitory program storage device of claim 25, wherein the cryptographic hash value is computed using Message Digest #5 (MD-5) or a Secure Hash Algorithm (SHA).
  - 29. The non-transitory program storage device of claim 25, wherein the kernel mode driver is configured for operation within a Microsoft Windows operating system.
  - 30. The non-transitory program storage device of claim 29, wherein said intercepting file system or operating system activity relating to a first code module comprises an operating system module load activity monitor intercepting module load activity by running processes within the computer system by hooking to a Windows CreateSection API call and temporarily turning control over to the kernel mode driver.
  - 31. The non-transitory program storage device of claim 30, wherein the first code module comprises an executable code module.
  - 32. The non-transitory program storage device of claim 31, wherein the first code module comprises a dynamically-linked library file.
  - 37. The non-transitory program storage device of claim 27, wherein the first code module comprises a script file.
  - 38. The non-transitory program storage device of claim 27, wherein the first code module comprises a Java applet.
  - 39. The non-transitory program storage device of claim 27, wherein the first code module comprises a visual basic script.
  - 40. The non-transitory program storage device of claim 27, wherein the first code module comprises a JavaScript.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Fanton, Andrew F., Gandee, John J., Lutton, William H., Harper, Edwin L., Godwin, Kurt E., Rozga, Anthony A.
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US13/045,781
Publication Number

US 20110167261A1
Time in Patent Office

389 Days
Field of Search

713/150, 713164-165, 380/270, 705/26.1, 726/16, 726 22- 27, 709224-225, 707/769, 707/999.004, 707/999.102, 707/999.103
US Class Current

713/165
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/44   Program or device authentic...

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

G06F 2221/033   Test or assess software

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/445   Program loading or initiati...

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/145   the attack involving the pr...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/32   including means for verifyi...

H04L 9/3239   involving non-keyed hash fu...

Y10S 707/99934   Query formulation, input pr...

Y10S 707/99943   Generating database or data...

Y10S 707/99944   Object-oriented database st...

Selective authorization of the loading of dependent code modules by running processes

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Selective authorization of the loading of dependent code modules by running processes

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links