Secure system for allowing the execution of authorized computer program code
First Claim
1. A method comprising:
- maintaining, by a kernel mode driver of a computer system, a whitelist containing cryptographic hash values of code modules that are approved for loading into memory of the computer system and execution on the computer system (“
approved code modules”
), wherein at least a subset of the cryptographic hash values has been included within the whitelist based upon results of application of one or more behavior analysis techniques to a corresponding subset of code modules;
monitoring, by the kernel mode driver, a set of events occurring within one or more of a file system accessible by the computer system and an operating system that manages resources of the computer system;
responsive to observation, by the kernel mode driver, of an event of the set of events relating to a code module, causing, by the kernel mode driver, a cryptographic hash value of the code module to be authenticated with reference to the whitelist; and
allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the whitelist.
0 Assignments
0 Petitions
Accused Products
Abstract
Systems and methods for selective authorization of code modules are provided. According to one embodiment, a whitelist containing cryptographic hash values of code modules that are approved for loading into memory of a computer system and execution on the computer system is maintained by a kernel mode driver of the computer system. At least a subset of the cryptographic hash values has been included within the whitelist based upon results of application of one or more behavior analysis techniques to a corresponding subset of code modules. The kernel mode driver monitors a set of events occurring within one or more of a file system accessible by the computer system and an operating system that manages resources of the computer system. The kernel mode driver causes a cryptographic hash value of a code module relating to an observed event of the set of events to be authenticated with reference to the whitelist. When the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the whitelist, the code module is allowed to be loaded and executed within the computer system.
112 Citations
19 Claims
-
1. A method comprising:
-
maintaining, by a kernel mode driver of a computer system, a whitelist containing cryptographic hash values of code modules that are approved for loading into memory of the computer system and execution on the computer system (“
approved code modules”
), wherein at least a subset of the cryptographic hash values has been included within the whitelist based upon results of application of one or more behavior analysis techniques to a corresponding subset of code modules;monitoring, by the kernel mode driver, a set of events occurring within one or more of a file system accessible by the computer system and an operating system that manages resources of the computer system; responsive to observation, by the kernel mode driver, of an event of the set of events relating to a code module, causing, by the kernel mode driver, a cryptographic hash value of the code module to be authenticated with reference to the whitelist; and allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the whitelist. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A non-transitory program storage device readable by a computer system, tangibly embodying a program of instructions executable by one or more computer processors of the computer system to perform a method for authenticating code modules, the method comprising:
-
maintaining, by a kernel mode driver of the computer system, a whitelist containing cryptographic hash values of code modules that are approved for loading into memory of the computer system and execution on the computer system (“
approved code modules”
), wherein at least a subset of the cryptographic hash values has been included within the whitelist based upon results of application of one or more behavior analysis techniques to a corresponding subset of code modules;monitoring, by the kernel mode driver, a set of events occurring within one or more of a file system accessible by the computer system and an operating system that manages resources of the computer system; responsive to observation, by the kernel mode driver, of an event of the set of events relating to a code module, causing, by the kernel mode driver, a cryptographic hash value of the code module to be authenticated with reference to the whitelist; and allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the whitelist. - View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
-
Specification