System and method for securing access to system calls

US 8,863,283 B2
Filed: 03/31/2011
Issued: 10/14/2014
Est. Priority Date: 03/31/2011
Status: Active Grant

First Claim

Patent Images

1. A system for securing access to system calls, comprising:

a memory;

a first operating system configured to execute on an electronic device, the first operating system included in one or more operating systems on the electronic device;

a below-operating-system security agent configured to;

identify one or more resources associated with a system call for which attempted accesses will be trapped;

trap, at a level below all operating systems of the electronic device, an attempted access of the one or more resources that originates from an operational level of the first operating system;

access one or more security rules to determine, at a level below all operating systems of the electronic device, whether the attempted access is authorized; and

operate at a level below all operating systems of the electronic device;

wherein;

the trapped attempt is an attempted execution of a system call function of the first operating system, the system call function indexed by a system call table;

the below-operating system security agent is further configured to;

determine that the attempted execution of the system call function was made without accessing the indexing of the system call table; and

based upon a determination that the attempted execution of the system call function was made without accessing the indexing of the system call table, deny the attempted execution.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a system for securing access to system calls includes a memory, an operating system configured to execute on an electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to identify one or more resources associated with a system call for which attempted accesses will be trapped, trap an attempted access of the one or more resources that originates from the operational level of the operating system, access one or more security rules to determine whether the attempted access is authorized, and operate at a level below all of the operating systems of the electronic device accessing the one or more resources associated with a system call.

Citations

30 Claims

1. A system for securing access to system calls, comprising:
- a memory;
  
  a first operating system configured to execute on an electronic device, the first operating system included in one or more operating systems on the electronic device;
  
  a below-operating-system security agent configured to;
  
  identify one or more resources associated with a system call for which attempted accesses will be trapped;
  
  trap, at a level below all operating systems of the electronic device, an attempted access of the one or more resources that originates from an operational level of the first operating system;
  
  access one or more security rules to determine, at a level below all operating systems of the electronic device, whether the attempted access is authorized; and
  
  operate at a level below all operating systems of the electronic device;
  
  wherein;
  
  the trapped attempt is an attempted execution of a system call function of the first operating system, the system call function indexed by a system call table;
  
  the below-operating system security agent is further configured to;
  
  determine that the attempted execution of the system call function was made without accessing the indexing of the system call table; and
  
  based upon a determination that the attempted execution of the system call function was made without accessing the indexing of the system call table, deny the attempted execution.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the attempted access is an attempt to access a system call table of the first operating system.
  - 3. The system of claim 2, wherein the attempted access is an attempt to read the system call table of the first operating system.
  - 4. The system of claim 2, wherein the attempted access is an attempt to write to the system call table of the first operating system.
  - 5. The system of claim 1, wherein the attempted access is an attempt to execute the system call.
  - 6. The system of claim 1, wherein the attempted access is an attempt to access an entry in a page table associated with the system call.
  - 7. The system of claim 6, wherein the attempted access is an attempt to modify access permissions associated with the entry in the page table.
  - 8. The system of claim 1, wherein the below-operating-system security agent is further configured to report the attempted access to one or more subscribers.
  - 9. The system of claim 1, wherein the below-operating-system security agent is further configured to determine if the attempted access is indicative of malware.
  - 10. The system of claim 1, wherein:
    - the trapped attempted access is an attempted execution of system call function through indexing of the system call table of the first operating system; and
      
      the below-operating system security agent is configured to allow the attempted access based on a determination that the attempted execution of the system call function was made through the indexing of the system call table of the first operating system.
  - 11. The system of claim 1, wherein the trapped attempted access is an attempted execution of an instruction configured to transfer control to the first operating system for execution of the system call.
  - 12. The system of claim 1, wherein:
    - the below-operating-system security agent is further configured to;
      
      determine that the attempted execution of the system call function was made by directly accessing code referenced by the system call table and without accessing the indexing of the system call table of the first operating system; and
      
      based upon a determination of the attempted execution was made by directly accessing code referenced by the system call table and without accessing the indexing of the system call table of the first operating system, deny the attempted execution.

13. A method for securing access to system calls, comprising:
- identifying one or more resources associated with a system call for which attempted accesses will be trapped;
  
  trapping an attempted access of the one or more resources that originates from an operational level of a first operating system executing on an electronic device, the first operating system included in one or more operating systems on the electronic device; and
  
  accessing one or more security rules to determine whether the attempted access is authorized;
  
  wherein;
  
  the trapping of the attempted access and determining whether the attempted access is authorized is conducted at a level below all operating systems of the electronic device;
  
  the trapped attempt is an attempted execution of a system call function of the first operating system, the system call function indexed by a system call table;
  
  the method further comprises;
  
  determining that the attempted execution of the system call function was made without accessing the indexing of the system call table; and
  
  based upon a determination that the attempted execution of the system call function was made without accessing the indexing of the system call table, denying the attempted execution.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The method of claim 13, wherein the attempted access is an attempt to access a system call table of the first operating system.
  - 15. The method of claim 14, wherein the attempted access is an attempt to read the system call table of the first operating system.
  - 16. The method of claim 14, wherein the attempted access is an attempt to write to the system call table of the first operating system.
  - 17. The method of claim 13, wherein the attempted access is an attempt to execute the system call.
  - 18. The method of claim 13, wherein the attempted access is an attempt to access an entry in a page table associated with the system call.
  - 19. The method of claim 18, wherein the attempted access is an attempt to modify access permissions associated with the entry in the page table.
  - 20. The method of claim 13, further comprising reporting the attempted access to one or more subscribers.
  - 21. The method of claim 13, further comprising determining if the attempted access is indicative of malware.

22. An article of manufacture, comprising:
- a non-transitory computer readable medium; and
  
  computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, cause the processor to;
  
  identify one or more resources associated with a system call for which attempted accesses will be trapped;
  
  trap an attempted access of the one or more resources that originates from an operational level of a first operating system executing on an electronic device, the first operating system included in one or more operating systems on the electronic device; and
  
  access one or more security rules to determine whether the attempted access is authorized;
  
  wherein;
  
  the trapped attempt is an attempted execution of a system call function of the first operating system, the system call function indexed by a system call table;
  
  the processor is configured to;
  
  conduct the trapping of the attempted access and determining whether the attempted access is authorized at a level below all operating systems of the electronic device;
  
  determine that the attempted execution of the system call function was made without accessing the indexing of the system call table; and
  
  based upon a determination that the attempted execution of the system call function was made without accessing the indexing of the system call table, deny the attempted execution.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. The article of claim 22, wherein the attempted access is an attempt to access a system call table of the first operating system.
  - 24. The article of claim 23, wherein the attempted access is an attempt to read the system call table of the first operating system.
  - 25. The article of claim 23, wherein the attempted access is an attempt to write to the system call table of the first operating system.
  - 26. The article of claim 22, wherein the attempted access is an attempt to execute the system call.
  - 27. The article of claim 22, wherein the attempted access is an attempt to access an entry in a page table associated with the system call.
  - 28. The article of claim 27, wherein the attempted access is an attempt to modify access permissions associated with the entry in the page table.
  - 29. The article of claim 22, wherein the instructions further cause the processor to report the attempted access to one or more subscribers.
  - 30. The article of claim 22, wherein the instructions further cause the processor to determine if the attempted access is indicative of malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sallam, Ahmed Said
Primary Examiner(s)
Schwartz, Darren B

Application Number

US13/077,305
Publication Number

US 20120255004A1
Time in Patent Office

1,293 Days
Field of Search

726/16, 726 22- 23, 726 26- 30, 713187-189, 713192-193
US Class Current

726/23
CPC Class Codes

G06F 21/52 during program execution, e...

G06F 21/554 involving event detection a...

System and method for securing access to system calls

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for securing access to system calls

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links