Method and system for enforcing a security policy via a security virtual machine
First Claim
1. A method in a computing device for enforcing a security policy, the computing device having a first instruction set, the method comprising:
providing a security policy in a high-level language, the security policy indicating parameters of system calls that may lead to an undesirable behavior;
compiling the security policy in the high-level language into a security program based on a second instruction set of a security virtual machine, the second instruction set of the security virtual machine being different from the first instruction set of the computing device, the security virtual machine being implemented using instructions of the first instruction set of the computing device;
loading by the computing device the security program into an instruction store of the security virtual machine; and
under control of an operating system executing on the computing device in kernel mode, receiving by the operating system from an application executing on the computing device in user mode an indication of the invocation of a system call of the operating system with a parameter, the invocation being a security enforcement event that occurs during execution of the application outside of the security virtual machine; and
upon receiving the invocation and under control of the security virtual machine with its instructions of the first instruction set being executed by the computing device while in kernel mode, executing by the security virtual machine the security program of the instruction store based on data of the security enforcement event that includes an indication of the system call and the parameter to ensure that the security enforcement event complies with the security policy;
when the security enforcement event complies with the security policy, allowing invocation of the system call; and
when the security enforcement event does not comply with the security policy, blocking invocation of the system call.
Abstract
A method and system for enforcing a security policy encoded in an instruction set of a security virtual machine is provided. A security system provides a security virtual machine that executes security programs expressed in the instruction set of the security virtual machine. The security system stores the security program in an instruction store of the security virtual machine. When a security enforcement event occurs, the security virtual machine executes the instructions of its instruction store using data of the security enforcement event to enforce the security policy.
20 Claims
1. Independent claim; its full text appears above under First Claim. Claims 2-12 depend from claim 1.
13. A method in a computing device for enforcing a security policy, the computing device having a first instruction set, the method comprising:
providing a security policy in a high-level language, the security policy indicating parameters of system calls that may lead to an undesirable behavior, the security policy being compiled from the high-level language into a security program based on a second instruction set of a security virtual machine, the second instruction set of the security virtual machine being different from the first instruction set of the computing device, the security virtual machine being implemented using instructions of the first instruction set of the computing device that are executed directly by a central processing unit of the computing device;
loading by the computing device the security program into an instruction store of the security virtual machine;
under control of an application executing on the computing device in user mode of the computing device and outside of the security virtual machine, invoking a system call of an operating system implemented using instructions of the first instruction set of the computing device that are executed directly by a central processing unit of the computing device executing on the computing device, the system call including a parameter; and
while in kernel mode of the computing device and under control of the operating system, receiving by the operating system from the application executing on the computing device in user mode an indication of the invocation of the system call of the operating system with a parameter, the invocation being a security enforcement event that occurs during execution of the application, the application being implemented using instructions of the first instruction set of the computing device that are executed directly by a central processing unit of the computing device; and
upon receiving the invocation of the system call of the operating system, launching execution of the security virtual machine in kernel mode;
during execution of the security virtual machine in kernel mode, executing the instructions of the second instruction set of the instruction store based on data of the security enforcement event that includes a parameter to ensure that the security enforcement event complies with the security policy; and
after execution of the security virtual machine is halted, when the security enforcement event complies with the security policy, performing of the system call; and
when the security enforcement event does not comply with the security policy, blocking performance of the system call.
14. A computer-readable storage device storing computer-executable instructions for controlling a computing device to enforce a security policy, the computing device having a first instruction set, by a method comprising:
accessing a security policy in a high-level language, the security policy indicating parameters of system calls that may lead to an undesirable behavior;
compiling the security policy in the high-level language into a security program based on a second instruction set of a security virtual machine, the second instruction set of the security virtual machine being different from the first instruction set of the computing device, the second instruction set including instructions with an operation code field, a first parameter field that references data associated with a system call, and a second parameter field that references data associated with the security program, the security virtual machine being implemented using instructions of the first instruction set of the computing device;
loading the security program into an instruction store of the security virtual machine; and
while in kernel mode of the computing device and under control of an operating system executing on the computing device, receiving from an application executing on the computing device in user mode an invocation of a system call of the operating system with parameters, the invocation being a security enforcement event that occurs during execution of the application outside of the security virtual machine; and
upon receiving the invocation and under control of the security virtual machine with its instructions of the first instruction set being executed by the computing device while in kernel mode, executing the instructions of the second instruction set of the instruction store based on data of the security enforcement event that includes a parameter to ensure that the security enforcement event complies with the security policy;
when the security enforcement event complies with the security policy, allowing invocation of the system call; and
when the security enforcement event does not comply with the security policy, blocking invocation of the system call.
Claims 15-19 depend from claim 14.
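As an added illustration, written for this page and not the patent's own implementation or the assignee's code, the C below sketches the mechanism described in the Abstract and in claims 1 and 14: a high-level policy ("system call N with parameter P equal to V may lead to undesirable behavior") is compiled into a small instruction set whose instructions carry an operation code, a field referencing system-call data and a field referencing program data; the program is checked and loaded into an instruction store; and each system-call event is run through it in the kernel-mode hook to yield an allow or block verdict. Everything specific here is this example's assumption rather than the patent's design: the opcode set, the skip-next jump semantics, the `sec_*` names, the forward-only-jump rule in the verifier, and the system-call numbers and argument values in the demo rules, which are constructed placeholders.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SEC_MAX_ARGS 6
#define SEC_MAX_INSNS 64
#define SEC_MAX_CONSTS 32

/* Security enforcement event: the syscall number and parameters the kernel
 * received from the user-mode application (hypothetical layout). */
struct sec_event { uint64_t sysno; uint64_t args[SEC_MAX_ARGS]; };
enum sec_op { SEC_JEQ, SEC_JMP, SEC_ALLOW, SEC_BLOCK };
enum sec_verdict { SEC_V_ALLOW, SEC_V_BLOCK, SEC_V_ERROR };

/* One VM instruction: opcode; sc references syscall data (0 = sysno, 1..6 =
 * args[0..5]); pd references program data (a constant index, or a JMP target). */
struct sec_insn { uint8_t op, sc, pd; };
/* Instruction store plus the program's constant pool. */
struct sec_program {
    struct sec_insn insns[SEC_MAX_INSNS]; size_t ninsns;
    uint64_t consts[SEC_MAX_CONSTS];      size_t nconsts;
};
/* High-level rule: "sysno with argument arg equal to value is undesirable". */
struct sec_rule { uint64_t sysno; unsigned arg; uint64_t value; };

static int emit(struct sec_program *p, enum sec_op op, size_t sc, size_t pd)
{
    if (p->ninsns >= SEC_MAX_INSNS || sc > UINT8_MAX || pd > UINT8_MAX) return -1;
    p->insns[p->ninsns] = (struct sec_insn){ (uint8_t)op, (uint8_t)sc, (uint8_t)pd };
    return (int)p->ninsns++;
}

/* Compile rules to VM code.  Per rule: JEQ sysno,c_sys (skip next insn on match);
 * JMP next_rule; JEQ arg,c_val; JMP next_rule; BLOCK.  Ends in ALLOW (default). */
bool sec_compile(const struct sec_rule *rules, size_t n, struct sec_program *p)
{
    p->ninsns = 0; p->nconsts = 0;
    for (size_t i = 0; i < n; i++) {
        if (rules[i].arg >= SEC_MAX_ARGS || p->nconsts + 2 > SEC_MAX_CONSTS) return false;
        size_t cs = p->nconsts++, cv = p->nconsts++, next = p->ninsns + 5;
        p->consts[cs] = rules[i].sysno; p->consts[cv] = rules[i].value;
        if (emit(p, SEC_JEQ, 0, cs) < 0 || emit(p, SEC_JMP, 0, next) < 0 ||
            emit(p, SEC_JEQ, rules[i].arg + 1, cv) < 0 ||
            emit(p, SEC_JMP, 0, next) < 0 || emit(p, SEC_BLOCK, 0, 0) < 0) return false;
    }
    return emit(p, SEC_ALLOW, 0, 0) >= 0;
}

/* Load-time check before a program enters the instruction store: references in
 * range, jumps forward only (so every run halts), no unknown opcode.  A policy
 * bug must never become an out-of-bounds read in kernel mode. */
bool sec_verify(const struct sec_program *p)
{
    if (p->ninsns == 0 || p->ninsns > SEC_MAX_INSNS || p->nconsts > SEC_MAX_CONSTS) return false;
    for (size_t i = 0; i < p->ninsns; i++) {
        const struct sec_insn *in = &p->insns[i];
        switch (in->op) {
        case SEC_JEQ: if (in->sc > SEC_MAX_ARGS || in->pd >= p->nconsts) return false; break;
        case SEC_JMP: if (in->pd <= i || in->pd >= p->ninsns) return false; break;
        case SEC_ALLOW: case SEC_BLOCK: break;
        default: return false;
        }
    }
    return true;
}

/* Run a verified program against one event.  Only ALLOW or BLOCK is a verdict; a
 * hook treats SEC_V_ERROR as BLOCK.  The step budget is belt and braces only. */
enum sec_verdict sec_run(const struct sec_program *p, const struct sec_event *ev)
{
    for (size_t pc = 0, steps = 0; pc < p->ninsns && steps < SEC_MAX_INSNS; steps++) {
        const struct sec_insn *in = &p->insns[pc];
        switch (in->op) {
        case SEC_JEQ: pc += ((in->sc ? ev->args[in->sc - 1] : ev->sysno) == p->consts[in->pd]) ? 2 : 1; break;
        case SEC_JMP: pc = in->pd; break;
        case SEC_ALLOW: return SEC_V_ALLOW;
        case SEC_BLOCK: return SEC_V_BLOCK;
        default: return SEC_V_ERROR;
        }
    }
    return SEC_V_ERROR; /* ran off the end or exhausted the budget: fail closed */
}

/* Constructed demo policy; the syscall numbers and values are placeholders. */
static const struct sec_rule demo_rules[] = { { 2, 1, 0x41 }, { 59, 0, 0x7f } };

/* What a syscall-entry hook computes for one event under the demo policy. */
enum sec_verdict demo_verdict(uint64_t sysno, uint64_t a0, uint64_t a1)
{
    struct sec_program prog;
    struct sec_event ev = { .sysno = sysno, .args = { a0, a1 } };
    if (!sec_compile(demo_rules, 2, &prog) || !sec_verify(&prog)) return SEC_V_ERROR;
    return sec_run(&prog, &ev);
}

/* A program with a backward jump (a loop) is refused at load time, never run. */
bool demo_loop_rejected(void)
{
    struct sec_program p = { .ninsns = 2 };
    p.insns[0] = (struct sec_insn){ SEC_JMP, 0, 1 };
    p.insns[1] = (struct sec_insn){ SEC_JMP, 0, 0 };
    return !sec_verify(&p);
}
```

In a real kernel the compile and verify steps run once, when the policy is loaded into the instruction store, and `sec_run` runs once per system-call event on the entry path with the program already resident; only `SEC_V_ALLOW` lets the call proceed, so a malformed program, an out-of-range reference or an exhausted step budget all fail closed. Requiring forward jumps makes termination a property established at load time rather than hoped for at run time, the same choice classic BPF makes.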
20. A computer-readable storage device storing computer-executable instructions for controlling a computing device to enforce a security policy, the computing device having a first instruction set, by a method comprising:
storing a security program into an instruction store of a security virtual machine, the security virtual machine having a second instruction set that is different from the first instruction set and the security program having instructions of the second instruction set;
intercepting issuance by an application of a system call for a system service of an operating system, the application executing in user mode of the computing device, the issuance being a security enforcement event that occurs during execution of the application in user mode and outside of the security virtual machine; and
while in kernel mode of the computing device, receiving an indication of the security enforcement event;
executing by the security virtual machine the instructions of the security program stored into the instruction store to determine whether the security enforcement event complies with the security policy;
when the security enforcement event complies with the security policy, allowing the system call to proceed; and
when the security enforcement event does not comply with the security policy, blocking the system call.