Restriction of program process capabilities
Abstract
This document describes systems and methods for restricting program process capabilities. In some implementations, the capabilities are restricted by limiting the rights or privileges granted to an application. A plurality of rules may be established for a program, or for a group of programs, denying that program the right to take actions which are outside of the actions needed to implement its intended functionality. A security policy is implemented to test actions initiated in response to an application against the rules to enable decisions restricting the possible actions of the program. Embodiments are disclosed which process the majority of decisions regarding actions against a security profile through use of a virtual machine. In some embodiments, the majority of decisions are resolved within the kernel space of an operating system.
18 Claims
1. A method of operating a computing device having an operating system defining kernel space and user space, comprising the acts of:
causing a program to be operated by the computing device, the program having a plurality of intended functionalities, the program further having a security profile associated therewith, the security profile including a set of policies;
monitoring calls attempted by the program, the monitoring performed by monitoring operations in the kernel initiated in response to the calls, the monitoring comprising intercepting a kernel operation at a point at which one or more arguments associated with the call have been resolved in the kernel for the kernel operation;
determining whether at least one intercepted kernel operation initiated in response to the program is consistent with the policies associated with the program, wherein the security profile is directed to defer a permission decision to user space, and the determining comprises:
identifying a user space function referenced by a callback table in the kernel and located in user space to perform the permission decision, and performing a procedure call to the user space function; and
allowing execution of the intercepted kernel operation when the call to the user space function indicates that the request is permitted.
Dependent claims: 2, 3, 4, 5.

6. A computing device, comprising:
a processing device configured to execute instructions, the instructions comprising:
an operating system, the operating system defining a kernel space and a user space;
at least one application implementable by the computing device;
a set of operational permissions accessible to the computing device and operatively associated with the application, the operational permissions comprising permissions representative of operations in the kernel space of the operating system that are permitted, so as to enable functions the application is allowed to perform;
a monitoring system adapted to monitor operations in the kernel space initiated in response to at least some system calls initiated by the application by intercepting the kernel operations before execution, wherein at least some kernel operations have resolved arguments associated with the operations;
a determination system configured to determine if the initiated kernel operations are to be permitted, the determination system adapted to make such determinations at least partially in response to the operational permissions for the application, wherein the determination system comprises:
a virtual machine operating in the kernel space of the operating system, the virtual machine configured to test at least a portion of the initiated kernel operations against the operation permissions; and
a decision module operating at least in part in the user space and configured to receive decision instructions referred from the virtual machine and to resolve the referred decision instructions.
Dependent claims: 7, 8, 9.

10. A non-transitory machine readable medium containing instructions, which when executed by a processor machine, cause operations to be performed which comprise the following:
monitoring at least some actions attempted by an application running on the machine by intercepting kernel operations initiated in response to actions initiated by the application;
functionally correlating at least one of the kernel operations initiated in response to the application to at least one of a plurality of predetermined policies for the application, the plurality of policies containing at least a first policy indicative of an operation which is necessary for the application to provide a predetermined functionality;
gating at least one monitored action of the application at least partially in response to the functional correlation of the kernel operation with the first policy, wherein gating comprises:
deferring a permission decision to user space, wherein a compiled security profile refers to a callback table, executing a procedure call to a function located in user space and found in the table to perform the permission decision for the kernel operation, and allowing execution of the monitored action if the permission decision is to allow the kernel operation.
Dependent claims: 11.

12. A method of implementing security containment for at least one selected application operated on a computing device, the computing device having an operating system having a kernel space and having user space, comprising the acts of:
accessing a plurality of policies, the policies indicative of processes for determining whether the application may complete selected system calls, by determining the permissibility of selected operations in the kernel initiated in response to the system calls;
identifying a system call initiated by the application, and trapping kernel operations initiated in response to the system call;
comparing the initiated kernel operations with the policies, without executing the kernel operations; and
in the operation that the initiated kernel operation is addressed by the policies, allowing or denying the execution of the kernel operation in accordance with the policies, wherein allowing or denying comprises:
deferring a permission decision to user space, wherein a compiled security profile refers to a callback table, executing a remote procedure call to a function located in user space and found in the table to perform the permission decision for the kernel operation, and allowing execution of the monitored action if the permission decision is to allow the kernel operation.
Dependent claims: 13, 14, 15, 16.

17. A method of providing security for a computer having an operating system and operating at least one user application, the operating system having a kernel space and a user space, and having a system level application program interface layer between the kernel space and the user space, the method comprising:
opening the user application on the computer;
communicating a notification to a monitoring module in the user space of the operating system that the program was opened; and
in response to the notification, placing a first profile for the program in the kernel layer of the operating system, the profile containing machine language operations for determining if certain operations initiated in the kernel in response to actions initiated by the application are to be allowed or denied;
using the profile to determine if the profile establishes a policy by which a first kernel operation is to be permitted or denied;
if the profile establishes a policy by which the first kernel operation is to be permitted or denied, permitting or denying the operation in accordance with the policy, wherein the profile establishes that determination of a kernel operation referred to a decision process outside of the kernel to determine if the initiated kernel operation is to be permitted or denied.
Dependent claims: 18.
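An added illustration, not code from the patent or any product it covers: a small Python model of the mechanism the abstract and the independent claims describe. A compiled per-program profile is tested in kernel space against an intercepted operation whose arguments are already resolved; a rule may allow, deny, or defer the decision to a user-space function looked up in a callback table, and anything the profile does not grant is denied. The profile contents, the image-viewer program, the operation names and the `ask_user` decider are constructed assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional

ALLOW, DENY, DEFER = "allow", "deny", "defer"

@dataclass(frozen=True)
class KernelOp:
    """Intercepted kernel operation with its arguments already resolved in the kernel."""
    name: str    # e.g. "file_open"
    args: tuple  # e.g. (canonical absolute path, mode), not the raw user pointer

@dataclass(frozen=True)
class Rule:
    op: str                        # kernel operation this rule covers
    pattern: str                   # glob tested against the first resolved argument
    decision: str                  # ALLOW, DENY or DEFER
    callback: Optional[str] = None # callback-table key when decision is DEFER

def ask_user(op: KernelOp) -> bool:
    """Hypothetical user-space decider: permit only read-only opens under /tmp."""
    return op.args[1] == "r"

# Kernel-side callback table the compiled profile refers to by key (constructed).
CALLBACK_TABLE: Dict[str, Callable[[KernelOp], bool]] = {"ask_user": ask_user}

# Constructed profile for a hypothetical image viewer: read its pictures, never
# touch /etc/passwd or the network, and refer opens under /tmp to user space.
IMAGE_VIEWER_PROFILE = [
    Rule("file_open", "/home/*/Pictures/*", ALLOW),
    Rule("file_open", "/etc/passwd", DENY),
    Rule("file_open", "/tmp/*", DEFER, callback="ask_user"),
    Rule("net_connect", "*", DENY),
]

def evaluate(profile: List[Rule], op: KernelOp) -> bool:
    """Kernel-space test of one intercepted operation against the profile: first
    matching rule wins, DEFER makes the procedure call into user space, and no
    match (or a missing callback) denies, so only needed operations are granted."""
    for rule in profile:
        if rule.op == op.name and fnmatchcase(str(op.args[0]), rule.pattern):
            if rule.decision == DEFER:
                fn = CALLBACK_TABLE.get(rule.callback)
                return bool(fn and fn(op))
            return rule.decision == ALLOW
    return False

def is_permitted(profile: List[Rule], name: str, *args) -> bool:
    """Gate one system call: True means the kernel may execute the operation."""
    return evaluate(profile, KernelOp(name, tuple(args)))
```

Because the check runs on the resolved arguments, the rule matches the path the kernel will actually operate on rather than whatever string the program handed to the system call.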
Specification