System and method for providing a secured operating system execution environment

US 9,087,199 B2
Filed: 03/31/2011
Issued: 07/21/2015
Est. Priority Date: 03/31/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

an electronic device comprising a processor and one or more operating systems;

a security agent configured to;

execute at a higher priority than all operating systems of the electronic device;

intercept, at a higher priority than all operating systems of the electronic device, a request to access a resource of the electronic device, the resource including one or more files associated with the security agent;

determine, at a higher priority than all operating systems of the electronic device, whether the request is indicative of malware, including;

utilizing a disk mapping bitmap containing metadata corresponding to the one or more files associated with the security agent to determine that the request is for the one or more files associated with the security agent, the metadata specifying a plurality of sectors on a storage device where each of the one or more files are stored;

determining that the requestor is unauthorized; and

based upon a determination that the request is for the sectors on the storage device specified in the disk mapping bitmap and upon a determination that the requestor is unauthorized, determining that the request is indicative of malware and denying the request;

anda launching module comprising;

a secured launching agent configured to launch the security agent; and

a boot manager configured to boot the secured launching agent before booting the one or more operating systems.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a system for launching a security architecture includes an electronic device comprising a processor and one or more operating systems, a security agent, and a launching module. The launching module comprises a boot manager and a secured launching agent. The boot manager is configured to boot the secured launching agent before booting the operating systems, and the secured launching agent is configured to load a security agent. The security agent is configured to execute at a level below all operating systems of the electronic device, intercept a request to access a resource of the electronic device, the request originating from the operational level of one of one or more operating systems of the electronic device, and determine if a request is indicative of malware. In some embodiments, the secured launching agent may be configured to determine whether the security agent is infected with malware prior to loading the security agent.

Citations

54 Claims

1. A system, comprising:
- an electronic device comprising a processor and one or more operating systems;
  
  a security agent configured to;
  
  execute at a higher priority than all operating systems of the electronic device;
  
  intercept, at a higher priority than all operating systems of the electronic device, a request to access a resource of the electronic device, the resource including one or more files associated with the security agent;
  
  determine, at a higher priority than all operating systems of the electronic device, whether the request is indicative of malware, including;
  
  utilizing a disk mapping bitmap containing metadata corresponding to the one or more files associated with the security agent to determine that the request is for the one or more files associated with the security agent, the metadata specifying a plurality of sectors on a storage device where each of the one or more files are stored;
  
  determining that the requestor is unauthorized; and
  
  based upon a determination that the request is for the sectors on the storage device specified in the disk mapping bitmap and upon a determination that the requestor is unauthorized, determining that the request is indicative of malware and denying the request;
  
  anda launching module comprising;
  
  a secured launching agent configured to launch the security agent; and
  
  a boot manager configured to boot the secured launching agent before booting the one or more operating systems.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 33, 51)
- - 2. The system of claim 1, wherein the boot manager is further configured to replace an existing Master Boot Record with an alternate Master Boot Record prior to booting the secured launching agent, wherein the alternate Master Boot Record is configured to boot the secured launching agent.
  - 3. The system of claim 1, wherein the secured launching agent is further configured to determine whether the security agent is infected with malware prior to launching the security agent.
  - 4. The system of claim 3, wherein determining whether the security agent is infected with malware comprises determining whether one or more hash values associated with the security agent indicate that the security agent is infected with malware.
  - 5. The system of claim 3, wherein the secured launching agent is further configured to restore the security agent from a backup copy if the security agent is infected with malware.
  - 6. The system of claim 1, wherein the secured launching agent is further configured to determine whether any of the one or more operating systems are infected with malware.
  - 7. The system of claim 1, wherein the secured launching agent is further configured to determine whether the launching module is infected with malware.
  - 8. The system of claim 1, wherein the secured launching agent is further configured to create a backup copy of the security agent.
  - 9. The system of claim 8, wherein the security agent is further configured to update the backup copy of the security agent.
  - 10. The system of claim 1, wherein:
    - the resource is a storage device; and
      
      the security agent configured to determine if the request is indicative of malware is configured to;
      
      determine if the request involves a protected area of the storage device; and
      
      if the request involves a protected area of the storage device, determine if the request is authorized.
  - 11. The system of claim 10, wherein the protected area includes one or more files associated with the security agent.
  - 12. The system of claim 10, wherein the protected area includes one or more files associated with the one or more operating systems.
  - 13. The system of claim 10, wherein the protected area includes a Master Boot Record.
  - 14. The system of claim 10, wherein the protected area includes one or more files associated with the launching module.
  - 15. The system of claim 1, wherein the metadata specifies a hash value for each of the one or more files for verifying the integrity of each of the one or more files.
  - 16. The system of claim 1:
    - further comprising a virtual machine monitor; and
      
      wherein the security agent is executing in the virtual machine monitor.
  - 17. The system of claim 1, wherein:
    - the processor comprises microcode; and
      
      the security agent is executing in the microcode.
  - 18. The system of claim 1, further comprising:
    - a storage device memory;
      
      a storage device firmware residing in the storage device memory;
      
      a disk security agent executing in the storage device firmware, the disk security agent configured to trap access to one or more protected files associated with the launching module; and
      
      wherein the disk security agent is communicatively coupled to the security agent.
  - 33. The method of claim 1, wherein the metadata specifies a hash value for each of the one or more files for verifying the integrity of each of the one or more files.
  - 51. The computer-readable medium of claim 1, wherein the metadata specifies a hash value for each of the one or more files for verifying the integrity of each of the one or more files.

19. A method for electronic device security, comprising:
- booting a secured launching agent before booting one or more operating systems of an electronic device;
  
  launching a security agent, wherein the security agent is configured to execute at a higher priority than all of the one or more operating systems of the electronic device;
  
  intercepting, by the security agent at a higher priority than all operating systems of the electronic device, a request to access a resource of the electronic device, the resource including one or more files associated with the security agent; and
  
  determine, at a higher priority than all operating systems of the electronic device, whether the request is indicative of malware, including;
  
  utilizing a disk mapping bitmap containing metadata corresponding to the one or more files associated with the security agent to determine that the request is for the one or more files associated with the security agent, the metadata specifying a plurality of sectors on a storage device where each of the one or more files are stored;
  
  determining that the requestor is unauthorized; and
  
  based upon a determination that the request is for the sectors on the storage device specified in the disk mapping bitmap and upon a determination that the requestor is unauthorized, determining that the request is indicative of malware and denying the request.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 34, 35, 36)
- - 20. The method of claim 19, further comprising replacing an existing Master Boot Record with an alternate Master Boot Record prior to booting the secured launching agent, wherein the alternate Master Boot Record is configured to boot the secured launching agent.
  - 21. The method of claim 19, further comprising determining whether the security agent is infected with malware prior to launching the security agent.
  - 22. The method of claim 21, wherein determining whether the security agent is infected with malware comprises determining whether one or more hash values associated with the security agent indicate that the security agent is infected with malware.
  - 23. The method of claim 21, further comprising restoring the security agent from a backup copy if the security agent is infected with malware.
  - 24. The method of claim 19, further comprising determining whether any of the one or more operating systems are infected with malware prior to booting any of the one or more operating systems.
  - 25. The method of claim 19, further comprising determining whether the secured launching agent is infected with malware.
  - 26. The method of claim 19, further comprising creating a backup copy of the security agent.
  - 27. The method of claim 26, further comprising updating the backup copy of the security agent.
  - 28. The method of claim 19, further comprising:
    - determining if the request involves a protected area of a storage device; and
      
      if the request involves a protected area of the storage device, determining if the request is authorized.
  - 29. The method of claim 28, wherein the protected area includes one or more files associated with the security agent.
  - 30. The method of claim 28, wherein the protected area includes one or more files associated with the one or more operating systems.
  - 31. The method of claim 28, wherein the protected area includes a Master Boot Record.
  - 32. The method of claim 28, wherein the protected area includes one or more files associated with the secured launching agent.
  - 34. The method of claim 19, wherein the security agent is executing in a virtual machine monitor.
  - 35. The method of claim 19, wherein the security agent is executing in microcode of a processor of the electronic device.
  - 36. The method of claim 19, wherein the security agent is executing in firmware of a storage device.

37. A non-transitory computer-readable medium encoded with logic, the logic, when executed by a processor, configured to:
- boot a secured launching agent before booting one or more operating systems of an electronic device;
  
  launch a security agent, wherein the security agent is configured to execute at a higher priority than all of the one or more operating systems of the electronic device;
  
  intercept, by the security agent at a higher priority than all operating systems of the electronic device, a request to access the resource of the electronic device, the resource including one or more files associated with the security agent; and
  
  determine, at a higher priority than all operating systems of the electronic device, whether the request is indicative of malware, including;
  
  utilizing a disk mapping bitmap containing metadata corresponding to one or more files associated with the security agent to determine that the request is for the one or more files associated with the security agent, the metadata specifying one or more sectors on a storage device where each of the one or more files are stored;
  
  determining that the requestor is unauthorized; and
  
  based upon a determination that the request is for the sectors on the storage device specified in the disk mapping bitmap and upon a determination that the requestor is unauthorized, determining that the request is indicative of malware and denying the request.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 52, 53, 54)
- - 38. The computer-readable medium of claim 37, wherein the logic is further configured to replace an existing Master Boot Record with an alternate Master Boot Record prior to booting the secured launching agent, wherein the alternate Master Boot Record is configured to boot the secured launching agent.
  - 39. The computer-readable medium of claim 37, wherein the logic is further configured to determine whether the security agent is infected with malware prior to launching the security agent.
  - 40. The computer-readable medium of claim 39, wherein determining whether the security agent is infected with malware comprises determining whether one or more hash values associated with the security agent indicate that the security agent is infected with malware.
  - 41. The computer-readable medium of claim 39, wherein the logic is further configured to restore the security agent from a backup copy if the security agent is infected with malware.
  - 42. The computer-readable medium of claim 37, wherein the logic is further configured to determine whether any of the one or more operating systems are infected with malware prior to booting any of the one or more operating systems.
  - 43. The computer-readable medium of claim 37, wherein the logic is further configured to determine whether the secured launching agent is infected with malware.
  - 44. The computer-readable medium of claim 37, wherein the logic is further configured to create a backup copy of the security agent.
  - 45. The computer-readable medium of claim 44, wherein the logic is further configured to update the backup copy of the security agent.
  - 46. The computer-readable medium of claim 37, wherein the logic is further configured to:
    - determine if the request involves a protected area of a storage device; and
      
      if the request involves a protected area of the storage device, determine if the request is authorized.
  - 47. The computer-readable medium of claim 46, wherein the protected area includes one or more files associated with the security agent.
  - 48. The computer-readable medium of claim 46, wherein the protected area includes one or more files associated with the one or more operating systems.
  - 49. The computer-readable medium of claim 46, wherein the protected area includes a Master Boot Record.
  - 50. The computer-readable medium of claim 46, wherein the protected area includes one or more files associated with the secured launching agent.
  - 52. The computer-readable medium of claim 37, wherein the security agent is executing in a virtual machine monitor.
  - 53. The computer-readable medium of claim 37, wherein the security agent is executing in microcode of a processor of the electronic device.
  - 54. The computer-readable medium of claim 37, wherein the security agent is executing in firmware of a storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sallam, Ahmed Said
Primary Examiner(s)
KIM, TAE K

Application Number

US13/077,227
Publication Number

US 20120255017A1
Time in Patent Office

1,573 Days
Field of Search

713/1, 713/2, 713/188, 726/1, 726/4, 726/16, 726/23, 726/24, 718/1
US Class Current

1/1
CPC Class Codes

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/575   Secure boot

G06F 9/45558   Hypervisor-specific managem...

System and method for providing a secured operating system execution environment

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing a secured operating system execution environment

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links