Restriction of program process capabilities
First Claim
1. A method of operating a computing device having an operating system defining a kernel space and user space, comprising the acts of:
causing the computing device to operate a program, the program having a plurality of intended functionalities, the program further having a set of one or more security profiles associated with the program;
monitoring calls attempted by the program, the monitoring performed by monitoring operations in the kernel initiated in response to the attempted calls, the monitoring comprising intercepting a kernel operation at a point at which one or more arguments associated with the attempted calls have been resolved in the kernel for the kernel operation;
determining whether the intercepted kernel operation initiated in response to the program is consistent with the security profiles associated with the program; and
after determining that the intercepted kernel operation initiated in response to the program is consistent with the security profiles associated with the program, allowing execution of the intercepted kernel operation;
wherein the act of determining whether the operation initiated in response to a program call is consistent with the security profiles associated with the program comprises correlating the intercepted kernel operation with the security profiles and determining if the attempted call operation is allowed by the security profiles.
2 Assignments
0 Petitions
Abstract
This document describes systems and methods for restricting program process capabilities. In some implementations, the capabilities are restricted by limiting the rights or privileges granted to an application. A plurality of rules may be established for a program, or for a group of programs, denying that program the right to take actions which are outside of the actions needed to implement its intended functionality. A security policy is implemented to test actions initiated in response to an application against the rules to enable decisions restricting the possible actions of the program. Embodiments are disclosed which process the majority of decisions regarding actions against a security profile through use of a virtual machine. In some embodiments, the majority of decisions are resolved within the kernel space of an operating system.
18 Claims
1. (Text identical to the First Claim above.) Dependent claims: 2, 3, 4.
5. A computing device, comprising:
an electronic processor and memory;
an operating system, the operating system defining a kernel space and a user space;
at least one application implementable by the computing device;
a set of operational permissions accessible to the computing device and operatively associated with the application, the operational permissions comprising permissions representative of operations in the kernel space of the operating system that are permitted, so as to enable functions the application is allowed to perform;
a monitoring system adapted to monitor operations in the kernel space initiated in response to system calls initiated by the application by intercepting the kernel operations before execution, wherein the kernel operations have resolved arguments associated with the operations; and
a determination system configured to determine if the initiated kernel operations are permitted, the determination system adapted to make such determinations at least partially in response to the operational permissions for the application;
a security policy virtual machine operating in the kernel space of the operating system, the virtual machine configured to test at least a portion of the intercepted kernel operations against the operation permissions based on compiled security profiles; and
a decision module operating at least in part in the user space and configured to receive decision instructions referred from the security policy virtual machine, and to resolve the referred decision instructions.
Dependent claims: 6, 7, 8.
9. A non-transitory machine readable storage medium containing instructions, which when implemented by a machine, cause operations to be performed which comprise the following:
monitoring actions attempted by an application running on the machine by intercepting kernel operations initiated in response to actions initiated by the application;
functionally correlating at least one of the kernel operations initiated in response to the application to at least one of a plurality of predetermined policies for the application, the plurality of policies containing at least a first policy indicative of an operation which is necessary for the application to provide a predetermined functionality; and
gating at least one monitored action of the application at least partially in response to the functional correlation of the kernel operation with the first policy;
implementing a security policy virtual machine operating in the kernel space of the operating system, the virtual machine configured to execute a compiled security profile representing the predetermined policies.
10. A method of implementing security containment for at least one selected application operated on a computing device, the computing device comprising a processor, a memory and an operating system having a kernel space and a user space, the method comprising:
using the processor to access a plurality of security policies, the policies indicative of processes for determining whether the application completes selected system calls, by determining the permissibility of selected operations in the kernel initiated in response to the system calls;
using the processor to identify a system call initiated by the application, and trap kernel operations initiated in response to the system call;
comparing the initiated kernel operations with the security policies, without executing the kernel operations; and
in the event that the initiated kernel operation is addressed by the security policies, allowing or denying the execution of the kernel operation in accordance with the security policies;
wherein the act of comparing initiated kernel operations with the security policies comprises:
testing a first group of initiated kernel operations against the security policies within the kernel space; and
testing a second group of initiated kernel operations against the security policies by an extension module operating in user space, wherein the second group of initiated kernel operations comprise operations requiring user input to resolve.
Dependent claims: 11, 12, 13.
14. A method of providing security for a computer comprising a processor, a memory, and having an operating system and operating at least one user application, the operating system having a kernel space and a user space, and having a system level application program interface layer between the kernel space and the user space, the method comprising the steps of:
opening the user application on the computer;
using the processor to communicate a notification to a monitoring module in the user space of the operating system that the program was opened; and
in response to the notification, using the processor to replace a first security profile for the program in the kernel layer of the operating system, the security profile containing machine language operations for determining if certain operations initiated in the kernel in response to actions initiated by the application are to be allowed or denied;
using the security profile to determine if the security profile establishes a policy by which a first kernel operation is to be permitted or denied; and
if the security profile establishes the policy by which the first kernel operation is to be permitted or denied, permitting or denying the operation in accordance with the established policy;
wherein the security profile establishes that determination of a kernel operation is identified as a decision process outside of the kernel to determine if the initiated kernel operation is to be permitted or denied.
Dependent claims: 15.
16. A computing device, comprising:
an electronic processor and memory;
at least one application implementable by the computing device;
a set of operational permissions accessible to the computing device and operatively associated with the application, the operational permissions comprising permissions representative of actions the application is permitted to perform;
a monitoring system adapted to monitor actions initiated by the application when it is implemented by the computer, the monitoring system located within kernel space of an operating system on the computing device, the monitoring system operating by intercepting kernel operations initiated in response to actions initiated by the application; and
a determination system configured to determine if actions attempted by the application are allowed by correlating the intercepted kernel operations with one or more security profiles defining operational permissions for the application.
17. A method of providing security for a computing device comprising a processor, a memory, and having an operating system and operating at least one user application, the operating system having a kernel level and a user level, and having a system level application program interface layer between the kernel level and the user level, the method comprising the steps of:
opening the user application on the computer;
recognizing in the user level of the operating system that the program was opened;
in response to the recognition of the opening of the user application, placing a security profile for operation of the program in the kernel level of the operating system, the security profile containing machine language operations for determining if operations initiated in the kernel in response to a call by the application are allowed or denied;
intercepting at least selected kernel operations initiated in response to system calls at the system level application program interface layer initiated by the application, the intercepting performed at a level within the kernel and outside the system level application program interface layer;
correlating at least a first set of the intercepted kernel operations to the security profile to determine if the security profile establishes a privilege by which each kernel operation is to be permitted or denied, the correlating performed within the kernel level of the operating system; and
permitting or denying a kernel operation in accordance with the correlation of the operation to the security profile;
wherein the security profile contains instructions that at least one kernel operation is to be evaluated outside the kernel, and wherein such an operation and a privilege related to that operation are referred to a decision module in user space.
Dependent claims: 18.
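The two-stage gating that the abstract and claims 5 and 10 describe (an in-kernel profile virtual machine that settles most decisions, with operations needing user input referred to a user-space module), modelled as an added example that is not the patent's or any vendor's code; the instruction set, the `gate_op` and `profile_eval` names, and the sample profile paths are all hypothetical.

```c
/* Added example, not the patent's own code: a toy model of the claimed flow. An
 * intercepted kernel op (path already resolved in the kernel) is tested by a small
 * in-kernel "profile VM"; ops the compiled profile cannot settle are referred to a
 * user-space decision module. All names and paths are hypothetical/constructed. */
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

enum verdict { DENY = 0, ALLOW = 1, REFER = 2 };  /* REFER: defer to user space */
enum opcode  { OP_ALLOW_PREFIX, OP_DENY_PREFIX, OP_REFER_PREFIX, OP_DEFAULT };

/* One compiled profile instruction: match a resolved-path prefix, or a default. */
struct insn { enum opcode op; const char *prefix; enum verdict dflt; };
/* The op as the interceptor sees it: the *resolved* path, not the raw argument,
 * so relative components and symlinks are already canonical when it is checked. */
struct kern_op { const char *syscall; const char *resolved_path; };

static bool has_prefix(const char *s, const char *p) { return strncmp(s, p, strlen(p)) == 0; }

/* Kernel-space stage: run the compiled profile over one op; first match wins.
 * An op no rule addresses is denied, a least-privilege default. */
enum verdict profile_eval(const struct insn *prog, size_t n, const struct kern_op *op) {
    for (size_t i = 0; i < n; i++) {
        bool hit = prog[i].prefix && has_prefix(op->resolved_path, prog[i].prefix);
        switch (prog[i].op) {
        case OP_ALLOW_PREFIX: if (hit) return ALLOW; break;
        case OP_DENY_PREFIX:  if (hit) return DENY;  break;
        case OP_REFER_PREFIX: if (hit) return REFER; break;
        case OP_DEFAULT:      return prog[i].dflt;
        }
    }
    return DENY;
}

/* User-space stage (stand-in for a prompt): consulted only for REFER verdicts. */
static enum verdict userspace_decide(const struct kern_op *op, bool user_approved) {
    (void)op; return user_approved ? ALLOW : DENY;
}

/* Gate one intercepted op end to end before the kernel is allowed to execute it. */
enum verdict gate_op(const struct insn *prog, size_t n, const struct kern_op *op, bool ok) {
    enum verdict v = profile_eval(prog, n, op);
    return v == REFER ? userspace_decide(op, ok) : v;
}

/* Constructed profile for a hypothetical image viewer: never touch ~/.ssh, read
 * its own install tree freely, ask the user before writing under ~/Documents. */
const struct insn viewer_profile[] = {
    { OP_DENY_PREFIX,  "/home/u/.ssh/",      DENY  },
    { OP_ALLOW_PREFIX, "/usr/lib/viewer/",   ALLOW },
    { OP_REFER_PREFIX, "/home/u/Documents/", REFER },
    { OP_DEFAULT,      NULL,                 DENY  },
};
const size_t viewer_profile_len = sizeof viewer_profile / sizeof viewer_profile[0];
```

Because the path is matched after kernel resolution, a request written as `/usr/lib/viewer/../../../home/u/.ssh/id_rsa` reaches `profile_eval` as the canonical `~/.ssh` path and hits the deny rule rather than the allow rule.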