Method and system for enforcing a security policy via a security virtual machine

  • US 8,607,299 B2
  • Filed: 04/27/2004
  • Issued: 12/10/2013
  • Est. Priority Date: 04/27/2004
  • Status: Active Grant
First Claim

1. A method in a computing device for enforcing a security policy, the computing device having a first instruction set, the method comprising:

  • providing a security policy in a high-level language, the security policy indicating parameters of system calls that may lead to an undesirable behavior;
  • compiling the security policy in the high-level language into a security program based on a second instruction set of a security virtual machine, the second instruction set of the security virtual machine being different from the first instruction set of the computing device, the security virtual machine being implemented using instructions of the first instruction set of the computing device;
  • loading by the computing device the security program into an instruction store of the security virtual machine; and
  • under control of an operating system executing on the computing device in kernel mode, receiving by the operating system from an application executing on the computing device in user mode an indication of the invocation of a system call of the operating system with a parameter, the invocation being a security enforcement event that occurs during execution of the application outside of the security virtual machine; and
  • upon receiving the invocation and under control of the security virtual machine with its instructions of the first instruction set being executed by the computing device while in kernel mode, executing by the security virtual machine the security program of the instruction store based on data of the security enforcement event that includes an indication of the system call and the parameter to ensure that the security enforcement event complies with the security policy;
  • when the security enforcement event complies with the security policy, allowing invocation of the system call; and
  • when the security enforcement event does not comply with the security policy, blocking invocation of the system call.
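The claim describes a three-stage pipeline: a policy written in a high-level language is compiled into a program for a separate "security VM" instruction set, that program is loaded into the VM's instruction store, and at each system-call event the VM runs the program over the syscall name and its parameters to return allow or block (the same shape as seccomp-BPF, where filters are compiled to BPF and evaluated in the kernel per syscall). The following is an added illustration of that pipeline in Python; it is not code from the patent or any implementation of it. The rule grammar (`deny <syscall> if arg<i> <op> <value>`, `allow all`), the seven VM opcodes, and the sample policy and events are all constructed for this example.

```python
"""Toy 'security virtual machine': compile a high-level policy into a
small, host-independent instruction set, then evaluate syscall events
against it. Constructed example, not the patent's or any product's code."""
from dataclasses import dataclass
from typing import Any, List, Tuple

# --- the security VM's own instruction set (distinct from the host CPU's) ---
PUSH_SYSCALL = "PUSH_SYSCALL"   # push the syscall name
PUSH_PARAM = "PUSH_PARAM"       # push parameter[i] (None if absent)
PUSH_CONST = "PUSH_CONST"       # push a literal
EQ = "EQ"                       # pop b, a; push a == b
STARTSWITH = "STARTSWITH"       # pop prefix, s; push s.startswith(prefix)
JZ = "JZ"                       # pop cond; jump to operand if falsy
RET = "RET"                     # return the operand ("ALLOW" or "BLOCK")

Instr = Tuple[str, Any]
OPS = {"==": EQ, "startswith": STARTSWITH}


@dataclass
class SyscallEvent:
    """The 'security enforcement event': syscall name plus its parameters."""
    name: str
    params: List[Any]


def _literal(text: str) -> Any:
    return int(text) if text.lstrip("-").isdigit() else text


def compile_policy(policy: str) -> List[Instr]:
    """Compile rules of the form '<allow|deny> <syscall|all> [if arg<i> <op> <value>]'
    into VM instructions. Rules are tried top to bottom; the first match returns."""
    program: List[Instr] = []
    for raw in policy.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] not in ("allow", "deny") or len(tokens) not in (2, 6):
            raise ValueError(f"bad rule: {line!r}")
        verdict = "ALLOW" if tokens[0] == "allow" else "BLOCK"
        fixups: List[int] = []                   # JZ slots patched to the next rule
        if tokens[1] != "all":                   # match on the syscall name
            program += [(PUSH_SYSCALL, None), (PUSH_CONST, tokens[1]), (EQ, None)]
            fixups.append(len(program))
            program.append((JZ, None))
        if len(tokens) == 6:                     # match on one parameter
            if tokens[2] != "if" or not tokens[3].startswith("arg") or tokens[4] not in OPS:
                raise ValueError(f"bad rule: {line!r}")
            program += [(PUSH_PARAM, int(tokens[3][3:])),
                        (PUSH_CONST, _literal(tokens[5])),
                        (OPS[tokens[4]], None)]
            fixups.append(len(program))
            program.append((JZ, None))
        program.append((RET, verdict))
        for slot in fixups:                      # now the next rule's address is known
            program[slot] = (JZ, len(program))
    return program


def run_program(program: List[Instr], event: SyscallEvent, max_steps: int = 10_000) -> str:
    """Execute the loaded program against one event. Falls through to BLOCK
    (default-deny) and is bounded so a malformed program cannot spin forever."""
    stack: List[Any] = []
    pc = 0
    for _ in range(max_steps):
        if pc >= len(program):
            return "BLOCK"
        op, arg = program[pc]
        pc += 1
        if op == PUSH_SYSCALL:
            stack.append(event.name)
        elif op == PUSH_PARAM:
            stack.append(event.params[arg] if arg < len(event.params) else None)
        elif op == PUSH_CONST:
            stack.append(arg)
        elif op == EQ:
            b, a = stack.pop(), stack.pop()
            stack.append(a == b)
        elif op == STARTSWITH:
            b, a = stack.pop(), stack.pop()
            stack.append(isinstance(a, str) and a.startswith(b))
        elif op == JZ:
            if not stack.pop():
                pc = arg
        elif op == RET:
            return arg
        else:
            raise ValueError(f"unknown opcode {op}")
    raise RuntimeError("security program exceeded step budget")


# Constructed sample policy: deny risky parameter values, allow everything else.
EXAMPLE_POLICY = """
deny open    if arg0 startswith /etc/shadow
deny connect if arg1 == 23
deny ptrace
allow all
"""

if __name__ == "__main__":
    prog = compile_policy(EXAMPLE_POLICY)        # load into the instruction store
    for ev in (SyscallEvent("open", ["/etc/shadow"]), SyscallEvent("open", ["/tmp/x"]),
               SyscallEvent("connect", ["10.0.0.1", 23]), SyscallEvent("ptrace", [1234])):
        print(ev.name, ev.params, "->", run_program(prog, ev))
```

Two choices are worth noting for a practitioner: the VM falls through to `BLOCK` when no rule matches, so an empty or truncated program fails closed, and execution is step-bounded, which matters once the interpreter runs in kernel mode on every syscall. Parameter matching on a string path is shown only for illustration; in a real kernel-side filter, pointer-typed arguments must be copied in and validated before inspection.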

  • 2 Assignments