Selective authorization of the loading of dependent code modules by running processes
Abstract
Systems and methods for selective authorization of dependent code modules are provided. According to one embodiment, file system or operating system activity relating to a first code module is initiated by a running process associated with a second code module. The file system or operating system activity is intercepted by a kernel mode driver of a computer system. The kernel mode driver selectively authorizes loading of the first code module by the running process based at least in part on one or more attributes of the second code module.
40 Claims
1. A method comprising:
- intercepting, by a kernel mode driver of a computer system, file system or operating system activity relating to a first code module initiated by a running process associated with a second code module;
- selectively authorizing, by the kernel mode driver, loading of the first code module by the running process based at least in part on one or more attributes of the second code module, wherein said selectively authorizing comprises determining whether the second code module comprises a script interpreter;
- if said determining whether the second code module comprises a script interpreter results in an affirmative determination, then authenticating a cryptographic hash value of the first code module with reference to a multi-level whitelist, the multi-level whitelist comprising (i) a global whitelist database remote from the computer system and maintained by a trusted service provider, the global whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code, and (ii) a local whitelist database containing cryptographic hash values of at least a subset of the approved code modules; and
- wherein the kernel mode driver is implemented in one or more processors and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the kernel mode driver that are executable by the one or more processors.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16.
17. A code execution authorization system comprising:
- a kernel mode driver of a computer system implemented in one or more computer processors of the computer system and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the kernel mode driver that are executable by the one or more computer processors, the kernel mode driver operable to perform a method of authenticating dependent code modules requested to be loaded by processes running on the computer system comprising:
  - intercepting file system or operating system activity relating to a first code module initiated by a running process associated with a second code module;
  - selectively authorizing loading of the first code module by the running process based at least in part on one or more attributes of the second code module, wherein said selectively authorizing comprises determining whether the second code module comprises a script interpreter; and
  - if said determining whether the second code module comprises a script interpreter results in an affirmative determination, then authenticating a cryptographic hash value of the first code module with reference to a multi-level whitelist, the multi-level whitelist comprising (i) a global whitelist database remote from the computer system and maintained by a trusted service provider, the global whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code, and (ii) a local whitelist database containing cryptographic hash values of at least a subset of the approved code modules.

Dependent claims: 18, 19, 20, 21, 22, 23, 24, 33, 34, 35, 36.
25. A non-transitory program storage device readable by a computer system, tangibly embodying a program of instructions executable by one or more computer processors of the computer system to perform method steps for authenticating dependent code modules requested to be loaded by processes running on the computer system comprising:
- intercepting file system or operating system activity relating to a first code module initiated by a running process associated with a second code module;
- selectively authorizing loading of the first code module by the running process based at least in part on one or more attributes of the second code module, wherein said selectively authorizing comprises determining whether the second code module comprises a script interpreter; and
- if said determining whether the second code module comprises a script interpreter results in an affirmative determination, then authenticating a cryptographic hash value of the first code module with reference to a multi-level whitelist, the multi-level whitelist comprising (i) a global whitelist database remote from the computer system and maintained by a trusted service provider, the global whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code, and (ii) a local whitelist database containing cryptographic hash values of at least a subset of the approved code modules.

Dependent claims: 26, 27, 28, 29, 30, 31, 32, 37, 38, 39, 40.
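The decision recited in claims 1, 17 and 25 (intercept a load, test whether the parent is a script interpreter, and only then authenticate the target's hash against a local database backed by a remote global one), as an added user-space Python model. This is not code from the patent or from any product implementing it; the kernel-mode interception is replaced by a `LoadEvent` value, modules are constructed byte strings, the local database is an in-memory set and the global database is a lookup callable. SHA-256 as the hash, identifying interpreters by their own image hash, caching global hits into the local set, and allowing loads by non-interpreter parents by default are all assumptions the claims leave open.

```python
"""User-space model of the claimed load-authorization decision (added example, not the patent's code)."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple

# Constructed stand-ins for code modules on disk (path -> file bytes); none are real images.
SAMPLE_MODULES: Dict[str, bytes] = {
    r"C:\Windows\System32\cscript.exe": b"MZ constructed interpreter image",
    r"C:\Scripts\deploy.vbs": b"WScript.Echo \"constructed approved script A\"",
    r"C:\Scripts\backup.vbs": b"WScript.Echo \"constructed approved script B\"",
    r"C:\Temp\unknown.vbs": b"WScript.Echo \"constructed unapproved script\"",
    r"C:\Program Files\App\app.exe": b"MZ constructed ordinary executable",
    r"C:\Program Files\App\helper.dll": b"MZ constructed helper library",
}


def module_hash(data: bytes) -> str:
    """Cryptographic hash identifying a module (SHA-256 is an assumption; the claims name no algorithm)."""
    return hashlib.sha256(data).hexdigest()


# Assumption: a parent counts as a "script interpreter" when its own hash is in a set of known interpreter images.
KNOWN_INTERPRETER_HASHES: Set[str] = {module_hash(SAMPLE_MODULES[r"C:\Windows\System32\cscript.exe"])}


@dataclass
class MultiLevelWhitelist:
    """(i) global database reached through a lookup callable, (ii) local database holding a subset of it."""
    local: Set[str]
    global_lookup: Callable[[str], bool]  # stands in for the query to the trusted service provider
    remote_queries: int = 0               # counts trips to the global database

    def authenticate(self, hash_value: str) -> bool:
        if hash_value in self.local:          # cheap local check first
            return True
        self.remote_queries += 1
        if self.global_lookup(hash_value):    # fall back to the global database
            self.local.add(hash_value)        # cache the answer locally (assumption)
            return True
        return False


@dataclass(frozen=True)
class LoadEvent:
    """Intercepted activity: a process running parent_path (second module) asks to load target_path (first module)."""
    parent_path: str
    target_path: str


def is_script_interpreter(parent_bytes: bytes) -> bool:
    return module_hash(parent_bytes) in KNOWN_INTERPRETER_HASHES


def authorize_load(event: LoadEvent, whitelist: MultiLevelWhitelist,
                   modules: Dict[str, bytes] = SAMPLE_MODULES,
                   non_interpreter_policy: str = "allow") -> Tuple[bool, str]:
    """Return (authorized, reason). Only the interpreter branch is specified by the claims;
    the policy for other parents is a configurable assumption."""
    if not is_script_interpreter(modules[event.parent_path]):
        allowed = non_interpreter_policy == "allow"
        return allowed, "parent is not a script interpreter; default policy '%s' applied" % non_interpreter_policy
    h = module_hash(modules[event.target_path])
    if whitelist.authenticate(h):
        return True, "interpreter parent; hash %s... authenticated against whitelist" % h[:12]
    return False, "interpreter parent; hash %s... absent from local and global whitelist" % h[:12]


def build_demo_whitelist() -> MultiLevelWhitelist:
    """Global DB knows both approved scripts; the local DB starts with only one of them (a subset)."""
    approved_global = {module_hash(SAMPLE_MODULES[p])
                       for p in (r"C:\Scripts\deploy.vbs", r"C:\Scripts\backup.vbs")}
    local_subset = {module_hash(SAMPLE_MODULES[r"C:\Scripts\deploy.vbs"])}
    return MultiLevelWhitelist(local=local_subset, global_lookup=approved_global.__contains__)


def run_demo() -> Dict[str, bool]:
    """Replay a constructed sequence of load events and return each decision keyed by event."""
    wl = build_demo_whitelist()
    interp = r"C:\Windows\System32\cscript.exe"
    events = [
        LoadEvent(interp, r"C:\Scripts\deploy.vbs"),   # local hit, no remote query
        LoadEvent(interp, r"C:\Scripts\backup.vbs"),   # local miss, global hit, cached locally
        LoadEvent(interp, r"C:\Scripts\backup.vbs"),   # now a local hit
        LoadEvent(interp, r"C:\Temp\unknown.vbs"),     # absent from both levels -> denied
        LoadEvent(r"C:\Program Files\App\app.exe", r"C:\Program Files\App\helper.dll"),  # non-interpreter parent
    ]
    outcome: Dict[str, bool] = {}
    for i, ev in enumerate(events):
        ok, why = authorize_load(ev, wl)
        outcome["%d:%s" % (i, ev.target_path)] = ok
        print("%-5s %s -> %s  (%s)" % ("ALLOW" if ok else "DENY", ev.parent_path, ev.target_path, why))
    print("remote whitelist queries:", wl.remote_queries)
    return outcome


if __name__ == "__main__":
    run_demo()
```

The `remote_queries` counter makes the two-level structure observable: a module already in the local database never reaches the global service, and a global hit is served locally on the next request. Denial of an unknown script loaded by the interpreter, with the ordinary executable's DLL load passing under the default policy, shows why the interpreter check comes before the hash lookup in the claims.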