Secure system for allowing the execution of authorized computer program code

US 9,075,984 B2
Filed: 09/16/2014
Issued: 07/07/2015
Est. Priority Date: 12/03/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

intercepting, by a kernel mode driver of a computer system, file system or operating system activity relating to a code module;

selectively authorizing, by the kernel mode driver, the code module by authenticating a content authenticator of the code module with reference to a multi-level whitelist, the multi-level whitelist comprising (i) a global whitelist database remote from the computer system, the global whitelist database containing content authenticators of approved code modules that are known not to contain viruses or malicious code and (ii) a local whitelist database containing content authenticators of at least a subset of the approved code modules;

allowing the file system or operating system activity relating to the code module when the content authenticator matches one of the content authenticators of approved code modules within the multi-level whitelist; and

blocking the file system or operating system activity relating to the code module when the content authenticator does not match any of the content authenticators of approved code modules within the multi-level whitelist.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for selective authorization of code modules are provided. According to one embodiment, file system or operating system activity relating to a code module is intercepted by a kernel mode driver of a computer system. The code module is selectively authorized by the kernel mode driver by authenticating a content authenticator of the code module with reference to a multi-level whitelist. The multi-level whitelist includes (i) a global whitelist database remote from the computer system that contains content authenticators of approved code modules that are known not to contain viruses or malicious code and (ii) a local whitelist database containing content authenticators of at least a subset of the approved code modules. The activity relating to the code module is allowed when the content authenticator matches one of the content authenticators of approved code modules within the multi-level whitelist.

109 Citations

20 Claims

1. A method comprising:
- intercepting, by a kernel mode driver of a computer system, file system or operating system activity relating to a code module;
  
  selectively authorizing, by the kernel mode driver, the code module by authenticating a content authenticator of the code module with reference to a multi-level whitelist, the multi-level whitelist comprising (i) a global whitelist database remote from the computer system, the global whitelist database containing content authenticators of approved code modules that are known not to contain viruses or malicious code and (ii) a local whitelist database containing content authenticators of at least a subset of the approved code modules;
  
  allowing the file system or operating system activity relating to the code module when the content authenticator matches one of the content authenticators of approved code modules within the multi-level whitelist; and
  
  blocking the file system or operating system activity relating to the code module when the content authenticator does not match any of the content authenticators of approved code modules within the multi-level whitelist.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the code module comprises any one of an executable code module, a dynamically-linked library file, a Java applet and a JavaScript.
  - 3. The method of claim 1 wherein the content authenticator comprises a cryptographic hash value.
  - 4. The method of claim 3 wherein the cryptographic hash value is computed using any one of Message Digest #5 (MD-5), Secure Hash Algorithm (SHA), SHA-1 and SHA-256.
  - 5. The method of claim 1, wherein said intercepting file system or operating system activity relating to a code module comprises monitoring operating system process creation or module load activity.
  - 6. The method of claim 5, wherein the kernel mode driver is configured for operation within a Microsoft Windows operating system.
  - 7. The method of claim 6, wherein said intercepting file system or operating system activity relating to a code module comprises an operating system module load activity monitor intercepting module load activity by running processes within the computer system by hooking to a Windows CreateSection API call and temporarily turning control over to the kernel mode driver.
  - 8. The method of claim 1, wherein the multi-level whitelist further comprises an in-memory whitelist containing content authenticators of at least a subset of the approved code modules.
  - 9. The method of claim 1, wherein the file system or operating system activity relating to the code module comprises creating a process for the code module.
  - 10. The method of claim 1, wherein the file system or operating system activity relating to the code module comprises loading the code module by a running process.

11. A non-transitory program storage device readable by a computer system, tangibly embodying a program of instructions executable by one or more computer processors of the computer system to perform method steps for authenticating dependent code modules comprising:
- intercepting, by a kernel mode driver of the computer system, file system or operating system activity relating to a code module;
  
  selectively authorizing, by the kernel mode driver, the code module by authenticating a content authenticator of the code module with reference to a multi-level whitelist, the multi-level whitelist comprising (i) a global whitelist database remote from the computer system and maintained by a trusted service provider, the global whitelist database containing content authenticators of approved code modules that are known not to contain viruses or malicious code and (ii) a local whitelist database containing content authenticators of at least a subset of the approved code modules;
  
  allowing the file system or operating system activity relating to the code module when the content authenticator matches one of the content authenticators of approved code modules within the multi-level whitelist; and
  
  blocking the file system or operating system activity relating to the code module when the content authenticator does not match any of the content authenticators of approved code modules within the multi-level whitelist.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The program storage device of claim 11, wherein the code module comprises any one of an executable code module, a dynamically-linked library file, a Java applet and a JavaScript.
  - 13. The program storage device of claim 11, wherein the content authenticator comprises a cryptographic hash value.
  - 14. The program storage device of claim 13, wherein the cryptographic hash value is computed using any one of Message Digest #5 (MD-5), Secure Hash Algorithm (SHA), SHA-1, SHA-256.
  - 15. The program storage device of claim 11, wherein said intercepting file system or operating system activity relating to a code module comprises monitoring operating system process creation or module load activity.
  - 16. The program storage device of claim 15, wherein the kernel mode driver is configured for operation within a Microsoft Windows operating system.
  - 17. The program storage device of claim 16, wherein said intercepting file system or operating system activity relating to a code module comprises an operating system module load activity monitor intercepting module load activity by running processes within the computer system by hooking to a Windows CreateSection API call and temporarily turning control over to the kernel mode driver.
  - 18. The program storage device of claim 11, wherein the multi-level whitelist further comprises an in-memory whitelist containing content authenticators of at least a subset of the approved code modules.
  - 19. The program storage device of claim 11, wherein the file system or operating system activity relating to the code module comprises creating a process for the code module.
  - 20. The program storage device of claim 11, wherein the file system or operating system activity relating to the code module comprises loading the code module by a running process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Fanton, Andrew F., Gandee, John J., Lutton, William H., Harper, Edwin L., Godwin, Kurt E., Rozga, Anthony A.
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US14/487,348
Publication Number

US 20150026463A1
Time in Patent Office

294 Days
Field of Search

713/165, 726/9, 726/18
US Class Current

1/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/44   Program or device authentic...

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

G06F 2221/033   Test or assess software

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/445   Program loading or initiati...

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/145   the attack involving the pr...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/32   including means for verifyi...

H04L 9/3239   involving non-keyed hash fu...

Y10S 707/99934   Query formulation, input pr...

Y10S 707/99943   Generating database or data...

Y10S 707/99944   Object-oriented database st...

Secure system for allowing the execution of authorized computer program code

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

109 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure system for allowing the execution of authorized computer program code

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links