Generating security validation code automatically

US 8,479,283 B2
Filed: 11/28/2006
Issued: 07/02/2013
Est. Priority Date: 11/28/2006
Status: Active Grant

First Claim

Patent Images

1. A method, performed by a computer having an operating system that executes code in a kernel mode and a user mode, for automatically generating validation code for validating parameter values of restricted function calls made by a component running in user mode, the method comprising:

receiving, at a security validation code generator, one or more security input files that define;

(1) a set of restricted function calls of an operating system that only a component running in kernel mode is enabled to make;

(2) declarative call descriptions that define each parameter of each restricted function call as well as whether the parameter is an input or an output of the restricted function call; and

(3) declarative type descriptions that define the type of each parameter of the restricted function calls as well as logic for validating parameters of each type;

automatically generating, by the security validation code generator, a security check file that includes program code that implements a user mode and a kernel mode stub for validating each restricted function call that is configured to be made by a user mode component, wherein the code for validating each restricted function call within the user mode and kernel mode stubs is automatically generated from the declarative call descriptions by matching each parameter of a restricted function call to a corresponding type description and generating the code using the defined logic within the corresponding type description;

compiling the security check file to create the executable user mode and kernel mode stubs;

linking the user mode and kernel mode stubs into the operating system; and

upon a user mode component invoking one of the restricted function calls, executing the user mode and kernel mode stubs to validate the parameters of the restricted function call.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security program code generator is configured to automatically generate program code used to perform one or more validation checks of components operating in user mode. In one implementation, for example, the program code generator receives one or more files that include declarative values and parameters regarding one or more function calls made by any user mode component. The program code generator then takes the file of declarative call descriptions and automatically generates a user mode stub and a kernel mode stub for each function call of interest to be handled by a kernel mode component. The file(s) that include the user mode stub and the kernel mode stub can then be compiled and linked into the operating system components.

Citations

10 Claims

1. A method, performed by a computer having an operating system that executes code in a kernel mode and a user mode, for automatically generating validation code for validating parameter values of restricted function calls made by a component running in user mode, the method comprising:
- receiving, at a security validation code generator, one or more security input files that define;
  
  (1) a set of restricted function calls of an operating system that only a component running in kernel mode is enabled to make;
  
  (2) declarative call descriptions that define each parameter of each restricted function call as well as whether the parameter is an input or an output of the restricted function call; and
  
  (3) declarative type descriptions that define the type of each parameter of the restricted function calls as well as logic for validating parameters of each type;
  
  automatically generating, by the security validation code generator, a security check file that includes program code that implements a user mode and a kernel mode stub for validating each restricted function call that is configured to be made by a user mode component, wherein the code for validating each restricted function call within the user mode and kernel mode stubs is automatically generated from the declarative call descriptions by matching each parameter of a restricted function call to a corresponding type description and generating the code using the defined logic within the corresponding type description;
  
  compiling the security check file to create the executable user mode and kernel mode stubs;
  
  linking the user mode and kernel mode stubs into the operating system; and
  
  upon a user mode component invoking one of the restricted function calls, executing the user mode and kernel mode stubs to validate the parameters of the restricted function call.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the declarative call descriptions corresponding to at least one of the function calls further describe a set of states that the computer must have for the corresponding function call to be valid.
  - 3. The method of claim 1, wherein executing the user mode stub comprises converting the parameters of the restricted function call into appropriate parameters to be passed to the kernel mode stub which validates the translated parameters.
  - 4. The method of claim 2, wherein executing the kernel mode stub further comprises evaluating the state of the computer to determine whether it meets the set of states specified in the declarative call descriptions corresponding to the invoked restricted function call.
  - 5. The method of claim 1, wherein executing the kernel mode stub further comprises executing pre-call validation logic for one or more input parameters of the restricted function call prior to performing the restricted function call, and executing post-call logic to validate one or more output parameters of the restricted function call that are returned by the restricted function call.

6. A computer storage device storing computer executable instructions which when executed, by a processor on a computer having an operating system that executes code in a kernel mode and a user mode, perform a method for automatically generating validation code for validating parameter values of restricted function calls made by a component running in user, made the method comprising:
- receiving, at a security validation code generator, one or more security input files that define;
  
  (1) a set of restricted function calls of an operating system that only a component running in kernel mode is enabled to make;
  
  (2) declarative call descriptions that define each parameter of each restricted function call as well as whether the parameter is an input or an output of the restricted function call; and
  
  (3) declarative type descriptions that define the type of each parameter of the restricted function calls as well as logic for validating parameters of each type;
  
  automatically generating, by the security validation code generator, a security check file that includes program code that implements a user mode and a kernel mode stub for validating each restricted function call that is configured to be made by a user mode component, wherein the code for validating each restricted function call within the user mode and kernel mode stubs is automatically generated from the declarative call descriptions by matching each parameter of a restricted function call to a corresponding type description and generating the code using the defined logic within the corresponding type description;
  
  compiling the security check file to create the executable user mode and kernel mode stubs;
  
  linking the user mode and kernel mode stubs into the operating system; and
  
  upon a user mode component invoking one of the restricted function calls, executing the user mode and kernel mode stubs to validate the parameters of the restricted function call.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer storage device of claim 6, wherein the declarative call descriptions corresponding to at least one of the function calls further describe a set of states that the computer must have for the corresponding function call to be valid.
  - 8. The computer storage device of claim 6, wherein executing the user mode stub comprises converting the parameters of the restricted function call into appropriate parameters to be passed to the kernel mode stub which validates the translated parameters.
  - 9. The computer storage device of claim 7, wherein executing the kernel mode stub further comprises evaluating the state of the computer to determine whether it meets the set of states specified in the declarative call descriptions corresponding to the invoked restricted function call.
  - 10. The computer storage device of claim 6, wherein executing the kernel mode stub further comprises executing pre-call validation logic for one or more input parameters of the restricted function call prior to performing the restricted function call, and executing post-call logic to validate one or more output parameters of the restricted function call that are returned by the restricted function call.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wrighton, David Charles, Unoki, Robert Sadao
Primary Examiner(s)
Poltorak, Peter

Application Number

US11/564,204
Publication Number

US 20080127303A1
Time in Patent Office

2,408 Days
Field of Search

713/164, 726 22- 24
US Class Current

726/22
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 8/315   Object-oriented languages

Generating security validation code automatically

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Generating security validation code automatically

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links