System and method for securing an input/output path of an application against malware with a below-operating system security agent
First Claim
1. A method for securing an electronic device, the electronic device including one or more operating systems and an input/output (I/O) device, comprising:
trapping, at a level below all of the operating systems of the electronic device, an I/O operation to the I/O device by an application;
in response to trapping the I/O operation, intercepting, at a level below all of the operating systems of the electronic device, original content of the I/O operation;
modifying and replacing, at a level below all of the operating systems of the electronic device, the original content of the I/O operation with modified content for transmission via an application I/O path of the I/O operation;
intercepting, at a level below all of the operating systems of the electronic device, the modified content after transmission via the application I/O path; and
analyzing, at a level below all of the operating systems of the electronic device, the intercepted modified content to determine whether the modified content was affected by malware during transmission via the application I/O path, wherein determining whether the modified content was affected comprises:
transmitting the original content in a different path in parallel with the modified content; and
comparing the intercepted modified content with the modified content to determine whether any differences exist between the intercepted modified content and the modified content, such differences indicating that the modified content was affected by malware.
10 Assignments
0 Petitions
Abstract
A system for securing an electronic device may include a memory, a processor, one or more operating systems residing in the memory for execution by the processor, an input-output (I/O) device of the electronic device coupled to the operating system; and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the I/O device. The security agent may be further configured to: (i) trap, at a level below all of the operating systems of the electronic device accessing an input/output (I/O) device, an attempted access of a facility for I/O operation with the I/O device; and (ii) using one or more security rules, analyze the attempted access to determine whether the attempted access is indicative of malware.
118 Citations
30 Claims
1. (Independent claim; text as given under First Claim above.)
Dependent claims: 2, 3, 4, 5, 6, 7
8. A system for securing an electronic device, comprising:
a memory;
a processor;
one or more operating systems residing in the memory for execution by the processor;
an input-output (I/O) device of the electronic device coupled to the one or more operating systems; and
a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device, the security agent further configured to:
trap an I/O operation to a device by an application;
in response to trapping the I/O operation, intercept original content of the I/O operation;
modify and replace the original content of the I/O operation with modified content for transmission via an application I/O path of the I/O operation;
intercept the modified content after transmission via the application I/O path; and
analyze the intercepted modified content to determine whether the modified content was affected by malware during transmission via the application I/O path, wherein determining whether the modified content was affected comprises:
transmitting the original content in a different path in parallel with the modified content; and
comparing the intercepted modified content with the modified content to determine whether any differences exist between the intercepted modified content and the modified content, such differences indicating that the modified content was affected by malware.
Dependent claims: 9, 10, 11, 12, 13, 14
15. An article of manufacture, comprising:
a non-transitory computer readable medium; and
computer-executable instructions carried on the non-transitory computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to, at a level below all operating systems of an electronic device, the electronic device including one or more operating systems and an input/output (I/O) device:
trap an I/O operation to the I/O device by an application;
in response to trapping the I/O operation, intercept original content of the I/O operation;
modify and replace the original content of the I/O operation with modified content for transmission via an application I/O path of the I/O operation;
intercept the modified content after transmission via the application I/O path; and
analyze the intercepted modified content to determine whether the modified content was affected by malware during transmission via the application I/O path, wherein determining whether the modified content was affected comprises:
transmitting the original content in a different path in parallel with the modified content; and
comparing the intercepted modified content with the modified content to determine whether any differences exist between the intercepted modified content and the modified content, such differences indicating that the modified content was affected by malware.
Dependent claims: 16, 17, 18, 19, 20, 21
22. A method for securing an electronic device, the electronic device including one or more operating systems and an input/output (I/O) device, comprising:
trapping, at a level below all of the operating systems of the electronic device, an attempted access of a facility for I/O operation with the I/O device; and
using one or more security rules, analyzing, at a level below all of the operating systems of the electronic device, the attempted access to determine whether the attempted access is indicative of malware, wherein determining whether the attempted access is indicative of malware comprises:
modifying original content of the attempted access with modified content for transmission via an application I/O path of the I/O operation;
transmitting the original content in a different path in parallel with the modified content;
intercepting the modified content after transmission via the application I/O path; and
comparing the intercepted modified content with the modified content to determine whether any differences exist between the modified content and the intercepted modified content, such differences indicating that the modified content was affected by malware.
Dependent claims: 23, 24
25. An article of manufacture, comprising:
a non-transitory computer readable medium; and
computer-executable instructions carried on the computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to, at a level below all operating systems of an electronic device, the electronic device including one or more operating systems and an input/output (I/O) device:
trap, at a level below all of the operating systems of the electronic device, an attempted access of a facility for I/O operation with the I/O device; and
using one or more security rules, analyze, at a level below all of the operating systems of the electronic device, the attempted access to determine whether the attempted access is indicative of malware, wherein determining whether the attempted access is indicative of malware comprises:
modifying original content of the attempted access with modified content for transmission via an application I/O path of the I/O operation;
transmitting the original content in a different path in parallel with the modified content;
intercepting the modified content after transmission via the application I/O path; and
comparing the intercepted modified content with the modified content to determine whether any differences exist between the modified content and the intercepted modified content, such differences indicating that the modified content was affected by malware.
Dependent claims: 26, 27
28. A system for securing an electronic device, comprising:
a memory;
a processor;
one or more operating systems residing in the memory for execution by the processor;
an input-output (I/O) device of the electronic device coupled to the one or more operating systems; and
a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device, the security agent further configured to:
trap, at a level below all of the operating systems of the electronic device, an attempted access of a facility for I/O operation with the I/O device; and
using one or more security rules, analyze, at a level below all of the operating systems of the electronic device, the attempted access to determine whether the attempted access is indicative of malware, wherein determining whether the attempted access is indicative of malware comprises:
modifying original content of the attempted access with modified content for transmission via an application I/O path of the I/O operation;
transmitting the original content in a different path in parallel with the modified content;
intercepting the modified content after transmission via the application I/O path; and
comparing the intercepted modified content with the modified content to determine whether any differences exist between the modified content and the intercepted modified content, such differences indicating that the modified content was affected by malware.
Dependent claims: 29, 30
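The procedure that the independent claims describe (trap the I/O operation, replace its original content with modified content, send the modified content down the application I/O path while the original travels a separate path in parallel, then compare what arrives with what was sent) can be simulated end to end. The Python below is an added illustration written for this page, not code from the patent or its assignee. The names BelowOsAgent, Stage, IoCheckResult, run_path and the sample paths are constructed assumptions; each I/O path is modelled as a list of functions standing in for the drivers and filters that sit between the application and the device, and the "tracer" plays the role of the claims' modified content.

```python
"""Constructed simulation of a below-OS I/O-path integrity check.

Illustrative code added to this page; it is not the patent's implementation.
"""
import os
from dataclasses import dataclass
from typing import Callable, List, Optional

# One component of an I/O path (a driver or filter): takes the bytes handed
# down from the stage above and returns the bytes it passes to the stage below.
Stage = Callable[[bytes], bytes]

# Constructed sample content an application might write to an I/O device.
SAMPLE_CONTENT = b"write(fd=3): hello device"


@dataclass(frozen=True)
class IoCheckResult:
    tampered: bool          # True when the application path altered the tracer
    sent_tracer: bytes      # modified content the agent injected into the path
    observed_tracer: bytes  # what arrived at the bottom of the application path
    delivered: bytes        # what reached the device via the parallel trusted path


def run_path(path: List[Stage], data: bytes) -> bytes:
    """Push data through every stage of a path, top to bottom."""
    for stage in path:
        data = stage(data)
    return data


class BelowOsAgent:
    """Illustrative security agent assumed to run below every OS on the device."""

    def __init__(self, app_path: List[Stage], trusted_path: List[Stage],
                 sanctioned: Optional[Stage] = None):
        self.app_path = app_path          # normal application I/O path under test
        self.trusted_path = trusted_path  # agent's own path to the I/O device
        # Known, legitimate transform the application path is expected to apply
        # (e.g. an encoding driver); None means content must come out unchanged.
        self.sanctioned = sanctioned

    @staticmethod
    def make_tracer(original: bytes) -> bytes:
        # Same length as the original but random, so nothing inside the
        # application path can predict what the agent expects to see.
        return os.urandom(len(original))

    def handle_io(self, original: bytes) -> IoCheckResult:
        # Trap the operation, intercept its original content, and replace it.
        tracer = self.make_tracer(original)
        # Modified content travels the application I/O path ...
        observed = run_path(self.app_path, tracer)
        # ... while the original content goes to the device on the parallel path.
        delivered = run_path(self.trusted_path, original)
        # Compare what came out against what a clean path would have produced.
        expected = self.sanctioned(tracer) if self.sanctioned else tracer
        return IoCheckResult(tampered=(observed != expected), sent_tracer=tracer,
                             observed_tracer=observed, delivered=delivered)


# --- constructed sample stages -----------------------------------------------
def passthrough(data: bytes) -> bytes:
    """A benign driver that forwards content unchanged."""
    return data


def hex_encoding_driver(data: bytes) -> bytes:
    """A benign driver that legitimately transforms content (hex encoding)."""
    return data.hex().encode("ascii")


def content_altering_filter(data: bytes) -> bytes:
    """Stands in for an unexpected in-path component that alters the content."""
    return data[:-1] + bytes([data[-1] ^ 0xFF]) if data else data


def check_clean_path() -> IoCheckResult:
    agent = BelowOsAgent([passthrough, passthrough], [passthrough])
    return agent.handle_io(SAMPLE_CONTENT)


def check_sanctioned_transform_path() -> IoCheckResult:
    # The agent knows the encoding driver is legitimate, so it is not flagged.
    agent = BelowOsAgent([passthrough, hex_encoding_driver], [passthrough],
                         sanctioned=hex_encoding_driver)
    return agent.handle_io(SAMPLE_CONTENT)


def check_tampered_path() -> IoCheckResult:
    agent = BelowOsAgent([passthrough, content_altering_filter], [passthrough])
    return agent.handle_io(SAMPLE_CONTENT)


if __name__ == "__main__":
    for name, fn in (("clean", check_clean_path),
                     ("sanctioned", check_sanctioned_transform_path),
                     ("tampered", check_tampered_path)):
        r = fn()
        print(f"{name}: tampered={r.tampered} delivered={r.delivered!r}")
```

Two design points the claims leave implicit are made explicit here. First, the device always receives the original content over the trusted path, so the check never costs the application its I/O even when the application path is flagged. Second, a benign stage that legitimately changes bytes (the hex-encoding driver) would otherwise look like tampering, so the agent must either know the sanctioned transform and compare against its expected output, or compare at a point in the path where the content should still be unchanged.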
Specification