Generating security validation code automatically
First Claim
1. A method, performed by a computer having an operating system that executes code in a kernel mode and a user mode, for automatically generating validation code for validating parameter values of restricted function calls made by a component running in user mode, the method comprising:
- receiving, at a security validation code generator, one or more security input files that define;
(1) a set of restricted function calls of an operating system that only a component running in kernel mode is enabled to make;
(2) declarative call descriptions that define each parameter of each restricted function call as well as whether the parameter is an input or an output of the restricted function call; and
(3) declarative type descriptions that define the type of each parameter of the restricted function calls as well as logic for validating parameters of each type;
automatically generating, by the security validation code generator, a security check file that includes program code that implements a user mode and a kernel mode stub for validating each restricted function call that is configured to be made by a user mode component, wherein the code for validating each restricted function call within the user mode and kernel mode stubs is automatically generated from the declarative call descriptions by matching each parameter of a restricted function call to a corresponding type description and generating the code using the defined logic within the corresponding type description;
compiling the security check file to create the executable user mode and kernel mode stubs;
linking the user mode and kernel mode stubs into the operating system; and
upon a user mode component invoking one of the restricted function calls, executing the user mode and kernel mode stubs to validate the parameters of the restricted function call.
2 Assignments
0 Petitions
Accused Products
Abstract
A security program code generator is configured to automatically generate program code used to perform one or more validation checks of components operating in user mode. In one implementation, for example, the program code generator receives one or more files that include declarative values and parameters regarding one or more function calls made by any user mode component. The program code generator then takes the file of declarative call descriptions and automatically generates a user mode stub and a kernel mode stub for each function call of interest to be handled by a kernel mode component. The file(s) that include the user mode stub and the kernel mode stub can then be compiled and linked into the operating system components.
-
Citations
10 Claims
-
1. A method, performed by a computer having an operating system that executes code in a kernel mode and a user mode, for automatically generating validation code for validating parameter values of restricted function calls made by a component running in user mode, the method comprising:
-
receiving, at a security validation code generator, one or more security input files that define; (1) a set of restricted function calls of an operating system that only a component running in kernel mode is enabled to make; (2) declarative call descriptions that define each parameter of each restricted function call as well as whether the parameter is an input or an output of the restricted function call; and (3) declarative type descriptions that define the type of each parameter of the restricted function calls as well as logic for validating parameters of each type; automatically generating, by the security validation code generator, a security check file that includes program code that implements a user mode and a kernel mode stub for validating each restricted function call that is configured to be made by a user mode component, wherein the code for validating each restricted function call within the user mode and kernel mode stubs is automatically generated from the declarative call descriptions by matching each parameter of a restricted function call to a corresponding type description and generating the code using the defined logic within the corresponding type description; compiling the security check file to create the executable user mode and kernel mode stubs; linking the user mode and kernel mode stubs into the operating system; and upon a user mode component invoking one of the restricted function calls, executing the user mode and kernel mode stubs to validate the parameters of the restricted function call. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A computer storage device storing computer executable instructions which when executed, by a processor on a computer having an operating system that executes code in a kernel mode and a user mode, perform a method for automatically generating validation code for validating parameter values of restricted function calls made by a component running in user, made the method comprising:
-
receiving, at a security validation code generator, one or more security input files that define; (1) a set of restricted function calls of an operating system that only a component running in kernel mode is enabled to make; (2) declarative call descriptions that define each parameter of each restricted function call as well as whether the parameter is an input or an output of the restricted function call; and (3) declarative type descriptions that define the type of each parameter of the restricted function calls as well as logic for validating parameters of each type; automatically generating, by the security validation code generator, a security check file that includes program code that implements a user mode and a kernel mode stub for validating each restricted function call that is configured to be made by a user mode component, wherein the code for validating each restricted function call within the user mode and kernel mode stubs is automatically generated from the declarative call descriptions by matching each parameter of a restricted function call to a corresponding type description and generating the code using the defined logic within the corresponding type description; compiling the security check file to create the executable user mode and kernel mode stubs; linking the user mode and kernel mode stubs into the operating system; and upon a user mode component invoking one of the restricted function calls, executing the user mode and kernel mode stubs to validate the parameters of the restricted function call. - View Dependent Claims (7, 8, 9, 10)
-
Specification