Secure system for allowing the execution of authorized computer program code

US 8,813,231 B2
Filed: 11/19/2013
Issued: 08/19/2014
Est. Priority Date: 12/03/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

maintaining, by a kernel mode driver of a computer system, a whitelist containing cryptographic hash values of code modules that are approved for loading into memory of the computer system and execution on the computer system (“

approved code modules”

), wherein at least a subset of the cryptographic hash values has been included within the whitelist based upon results of application of one or more behavior analysis techniques to a corresponding subset of code modules;

monitoring, by the kernel mode driver, a set of events occurring within one or more of a file system accessible by the computer system and an operating system that manages resources of the computer system;

responsive to observation, by the kernel mode driver, of an event of the set of events relating to a code module, causing, by the kernel mode driver, a cryptographic hash value of the code module to be authenticated with reference to the whitelist; and

allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the whitelist.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for selective authorization of code modules are provided. According to one embodiment, a whitelist containing cryptographic hash values of code modules that are approved for loading into memory of a computer system and execution on the computer system is maintained by a kernel mode driver of the computer system. At least a subset of the cryptographic hash values has been included within the whitelist based upon results of application of one or more behavior analysis techniques to a corresponding subset of code modules. The kernel mode driver monitors a set of events occurring within one or more of a file system accessible by the computer system and an operating system that manages resources of the computer system. The kernel mode driver causes a cryptographic hash value of a code module relating to an observed event of the set of events to be authenticated with reference to the whitelist. When the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the whitelist, the code module is allowed to be loaded and executed within the computer system.

112 Citations

19 Claims

1. A method comprising:
- maintaining, by a kernel mode driver of a computer system, a whitelist containing cryptographic hash values of code modules that are approved for loading into memory of the computer system and execution on the computer system (“
  
  approved code modules”
  
  ), wherein at least a subset of the cryptographic hash values has been included within the whitelist based upon results of application of one or more behavior analysis techniques to a corresponding subset of code modules;
  
  monitoring, by the kernel mode driver, a set of events occurring within one or more of a file system accessible by the computer system and an operating system that manages resources of the computer system;
  
  responsive to observation, by the kernel mode driver, of an event of the set of events relating to a code module, causing, by the kernel mode driver, a cryptographic hash value of the code module to be authenticated with reference to the whitelist; and
  
  allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the whitelist.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein a behavior analysis technique of the one or more behavior analysis techniques comprises sandboxing.
  - 3. The method of claim 2, wherein the code module comprises an executable code module.
  - 4. The method of claim 2, wherein the code module comprises a dynamically-linked library file.
  - 5. The method of claim 2, wherein the code module comprises a Java applet.
  - 6. The method of claim 2, wherein the code module comprises JavaScript.
  - 7. The method of claim 1, wherein the whitelist comprises a multi-level whitelist including (i) a global whitelist database remote from the computer system and maintained by a trusted service provider and (ii) a local whitelist database containing at least a subset of the set of content of the global whitelist database.
  - 8. The method of claim 1, wherein the cryptographic hash value is computed using Message Digest #5 (MD-5).
  - 9. The method of claim 1, wherein the cryptographic hash value is computed using a Secure Hash Algorithm (SHA).
  - 10. The method of claim 1, wherein said monitoring a set of events occurring within one or more of a file system accessible by the computer system and an operating system that manages resources of the computer system comprises monitoring operating system process creation or module load activity.
  - 11. The method of claim 10, wherein said monitoring operating system process creation or module load activity comprises an operating system module load activity monitor intercepting module load activity by running processes within the computer system by hooking to an application programming interface (API) call of the operating system and temporarily turning control over to the kernel mode driver.

12. A non-transitory program storage device readable by a computer system, tangibly embodying a program of instructions executable by one or more computer processors of the computer system to perform a method for authenticating code modules, the method comprising:
- maintaining, by a kernel mode driver of the computer system, a whitelist containing cryptographic hash values of code modules that are approved for loading into memory of the computer system and execution on the computer system (“
  
  approved code modules”
  
  ), wherein at least a subset of the cryptographic hash values has been included within the whitelist based upon results of application of one or more behavior analysis techniques to a corresponding subset of code modules;
  
  monitoring, by the kernel mode driver, a set of events occurring within one or more of a file system accessible by the computer system and an operating system that manages resources of the computer system;
  
  responsive to observation, by the kernel mode driver, of an event of the set of events relating to a code module, causing, by the kernel mode driver, a cryptographic hash value of the code module to be authenticated with reference to the whitelist; and
  
  allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the whitelist.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The non-transitory program storage device of claim 12, wherein a behavior analysis technique of the one or more behavior analysis techniques comprises sandboxing.
  - 14. The non-transitory program storage device of claim 13, wherein the code module comprises an executable code module, a dynamically-linked library file, a Java applet or JavaScript.
  - 15. The non-transitory program storage device of claim 12, wherein the whitelist comprises a multi-level whitelist including (i) a global whitelist database remote from the computer system and maintained by a trusted service provider and (ii) a local whitelist database containing at least a subset of the set of content of the global whitelist database.
  - 16. The non-transitory program storage device of claim 12, wherein the cryptographic hash value is computed using Message Digest #5 (MD-5).
  - 17. The non-transitory program storage device of claim 12, wherein the cryptographic hash value is computed using a Secure Hash Algorithm (SHA).
  - 18. The non-transitory program storage device of claim 12, wherein said monitoring a set of events occurring within one or more of a file system accessible by the computer system and an operating system that manages resources of the computer system comprises monitoring operating system process creation or module load activity.
  - 19. The non-transitory program storage device of claim 18, wherein said monitoring operating system process creation or module load activity comprises an operating system module load activity monitor intercepting module load activity by running processes within the computer system by hooking to an application programming interface (API) call of the operating system and temporarily turning control over to the kernel mode driver.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Fanton, Andrew F., Gandee, John J., Lutton, William H., Harper, Edwin L., Godwin, Kurt E., Rozga, Anthony A.
Primary Examiner(s)
TRUONG, THANHNGA B

Application Number

US14/084,333
Publication Number

US 20140082355A1
Time in Patent Office

273 Days
Field of Search

726/16, 726 22- 27, 713/150, 713164-165, 709224-225, 707/769, 707/999.004, 707/999.102, 707/99.103
US Class Current

726/24
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/44   Program or device authentic...

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

G06F 2221/033   Test or assess software

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/445   Program loading or initiati...

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/145   the attack involving the pr...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/32   including means for verifyi...

H04L 9/3239   involving non-keyed hash fu...

Y10S 707/99934   Query formulation, input pr...

Y10S 707/99943   Generating database or data...

Y10S 707/99944   Object-oriented database st...

Secure system for allowing the execution of authorized computer program code

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

112 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Secure system for allowing the execution of authorized computer program code

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links