Malware detection and prevention by monitoring and modifying a hardware pipeline

US 9,213,831 B2
Filed: 10/03/2013
Issued: 12/15/2015
Est. Priority Date: 10/03/2013
Status: Expired due to Fees

First Claim

Patent Images

1. The method of monitoring queued hardware instructions to protect operations of a wireless device that includes a hardware pipeline, the method comprising:

accessing instructions currently queued in the hardware pipeline (“

queued instructions”

);

determining whether executing the queued instructions could result in a malicious configuration based on information included in a malicious and pathway configuration database received from a network server;

determining whether the queued instructions have already been executed in response to determining that executing the queued instructions could result in the malicious configuration;

preventing execution of the queued instructions in response to determining that executing the queued instructions could result in the malicious configuration and that the queued instructions have not already been executed; and

implementing malicious behavior mitigation in response to determining that executing the queued instructions could result in the malicious configuration and that the queued instructions have already been executed.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The various aspects provide a method for recognizing and preventing malicious behavior on a mobile computing device before it occurs by monitoring and modifying instructions pending in the mobile computing device'"'"'s hardware pipeline (i.e., queued instructions). In the various aspects, a mobile computing device may preemptively determine whether executing a set of queued instructions will result in a malicious configuration given the mobile computing device'"'"'s current configuration. When the mobile computing device determines that executing the queued instructions will result in a malicious configuration, the mobile computing device may stop execution of the queued instructions or take other actions to preempt the malicious behavior before the queued instructions are executed.

Citations

28 Claims

1. The method of monitoring queued hardware instructions to protect operations of a wireless device that includes a hardware pipeline, the method comprising:
- accessing instructions currently queued in the hardware pipeline (“
  
  queued instructions”
  
  );
  
  determining whether executing the queued instructions could result in a malicious configuration based on information included in a malicious and pathway configuration database received from a network server;
  
  determining whether the queued instructions have already been executed in response to determining that executing the queued instructions could result in the malicious configuration;
  
  preventing execution of the queued instructions in response to determining that executing the queued instructions could result in the malicious configuration and that the queued instructions have not already been executed; and
  
  implementing malicious behavior mitigation in response to determining that executing the queued instructions could result in the malicious configuration and that the queued instructions have already been executed.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein determining whether executing the queued instructions could result in the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server comprises:
    - applying the queued instructions to a current configuration of the wireless device to generate an expected configuration; and
      
      determining whether the expected configuration is included in a list of known malicious configurations.
  - 3. The method of claim 1, wherein preventing the execution of the queued instructions in response to determining that executing the queued instructions could result in the malicious configuration and that the queued instructions have not already been executed comprises one of:
    - purging the queued instructions from the hardware pipeline; and
      
      modifying the queued instructions to enable the wireless device to execute the queued instructions without causing malicious behavior.
  - 4. The method of claim 1, further comprising:
    - receiving the malicious and pathway configuration database from the network server, the malicious and pathway configuration database including a list of malicious pathway instructions,wherein determining whether executing the queued instructions could result in the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server comprises determining whether the queued instructions are included in the list of malicious pathway instructions.
  - 5. The method of claim 1, further comprising:
    - receiving the malicious and pathway configuration database from the network server, the malicious and pathway configuration database including a list of potentially malicious pathway instructions and associated likelihood values, each likelihood value indicating a likelihood that executing its associated malicious pathway instruction will result in the malicious configuration, andwherein determining whether executing the queued instructions could result in the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server comprises;
      
      determining a probability value that identifies a probability that executing the queued instructions will result in the malicious configuration based on the likelihood values associated with the queued instructions included in the list of potentially malicious pathway instructions; and
      
      determining whether the probability value exceeds a risk threshold value.
  - 6. The method of claim 1, further comprising:
    - receiving the malicious and pathway configuration database from the network server;
      
      determining a current configuration of the wireless device; and
      
      determining whether the current configuration of the wireless device could lead to the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server,wherein accessing the instructions currently queued in the hardware pipeline comprises;
      
      slowing the execution of the queued instructions in response to determining that the current configuration of the wireless device could lead to the malicious configuration; and
      
      accessing the queued instructions after slowing the execution of the queued instructions, andwherein determining whether executing the queued instructions could result in the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server comprises;
      
      determining whether executing the queued instructions could result in the malicious configuration in response to determining that the current configuration of the wireless device could lead to the malicious configuration.
  - 7. The method of claim 1, further comprising:
    - receiving the malicious and pathway configuration database from the network server;
      
      determining a current configuration of the wireless device; and
      
      determining whether the current configuration of the wireless device could lead to the malicious configuration based on the malicious and pathway configuration database received from the network server,wherein determining whether executing the queued instructions could result in the malicious configuration comprises determining whether executing the queued instructions could result in the malicious configuration in response to determining that the current configuration of the wireless device could lead to the malicious configuration.

8. A wireless device, comprising:
- a memory;
  
  a hardware pipeline coupled to the memory;
  
  a control unit coupled to the hardware pipeline and the memory; and
  
  a processor coupled to the memory and the control unit,wherein the control unit is configured to perform operations comprising;
  
  accessing instructions currently queued in the hardware pipeline (“
  
  queued instructions”
  
  ); and
  
  preventing execution of the queued instructions in response to a determination by the processor that executing the queued instructions could result in a malicious configuration and that the queued instructions have not already been executed; and
  
  wherein the processor is configured with processor-executable instructions to perform operations comprising;
  
  determining whether executing the queued instructions could result in the malicious configuration based on information included in a malicious and pathway configuration database received from a network server;
  
  determining whether the queued instructions have already been executed in response to determining that executing the queued instructions could result in the malicious configuration; and
  
  implementing malicious behavior mitigation in response to determining that executing the queued instructions could result in the malicious configuration and that the queued instructions have already been executed.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The wireless device of claim 8, wherein the processor is configured with processor-executable instructions to perform operations such that determining whether executing the queued instructions could result in the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server comprises:
    - applying the queued instructions to a current configuration of the wireless device to generate an expected configuration; and
      
      determining whether the expected configuration is included in a list of known malicious configurations.
  - 10. The wireless device of claim 8, wherein the control unit is configured to perform operations such that preventing the execution of the queued instructions in response to the determination by the processor that executing the queued instructions could result in the malicious configuration and that the queued instructions have not already been executed comprises one of:
    - purging the queued instructions from the hardware pipeline; and
      
      modifying the queued instructions to enable the processor to execute the queued instructions without causing malicious behavior.
  - 11. The wireless device of claim 8, wherein:
    - the processor is configured with processor-executable instructions to perform operations further comprising receiving the malicious and pathway configuration database from the network server, the malicious and pathway configuration database including a list of malicious pathway instructions; and
      
      the processor is configured with processor-executable instructions to perform operations such that determining whether executing the queued instructions could result in the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server comprises determining whether the queued instructions are included in the list of malicious pathway instructions.
  - 12. The wireless device of claim 8, wherein:
    - the processor is configured with processor-executable instructions to perform operations further comprising;
      
      receiving the malicious and pathway configuration database from the network server, the malicious and pathway configuration database including a list of potentially malicious pathway instructions and associated likelihood values, each likelihood value indicating a likelihood that executing its associated malicious pathway instruction will result in the malicious configuration; and
      
      the processor is configured with processor-executable instructions to perform operations such that determining whether executing the queued instructions could result in the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server comprises;
      
      determining a probability value that identifies a probability that executing the queued instructions will result in the malicious configuration based on the likelihood values associated with the queued instructions included in the list of potentially malicious pathway instructions; and
      
      determining whether the probability value exceeds a risk threshold value.
  - 13. The wireless device of claim 8, wherein:
    - the processor is configured with processor-executable instructions to perform operations further comprising;
      
      receiving the malicious and pathway configuration database from the network server;
      
      determining a current configuration of the wireless device; and
      
      determining whether the current configuration of the wireless device could lead to the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server; and
      
      the processor is configured with processor-executable instructions to perform operations such that;
      
      accessing instructions currently queued in the hardware pipeline comprises;
      
      slowing the execution of the queued instructions in response to determining that the current configuration of the wireless device could lead to the malicious configuration; and
      
      accessing the queued instructions after slowing the execution of the queued instructions; and
      
      determining whether executing the queued instructions could result in the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server comprises;
      
      determining whether executing the queued instructions could result in the malicious configuration in response to determining that the current configuration of the wireless device could lead to the malicious configuration.
  - 14. The wireless device of claim 8, wherein:
    - the processor is configured with processor-executable instructions to perform operations further comprising;
      
      receiving the malicious and pathway configuration database from the network server;
      
      determining a current configuration of the wireless device;
      
      determining whether the current configuration of the wireless device could lead to the malicious configuration based on the malicious and pathway configuration database received from the network server;
      
      the processor is configured with processor-executable instructions to perform operations such that determining whether executing the queued instructions could result in the malicious configuration comprises determining whether executing the queued instructions could result in the malicious configuration in response to determining that the current configuration of the wireless device could lead to the malicious configuration.

15. A wireless device, comprising:
- means for accessing instructions currently queued in a hardware pipeline (“
  
  queued instructions”
  
  );
  
  means for determining whether executing the queued instructions could result in a malicious configuration based on information included in a malicious and pathway configuration database received from a network server;
  
  means for determining whether the queued instructions have already been executed in response to determining that executing the queued instructions could result in the malicious configuration;
  
  means for preventing execution of the queued instructions in response to determining that executing the queued instructions could result in the malicious configuration and that the queued instructions have not already been executed; and
  
  implementing malicious behavior mitigation in response to determining that executing the queued instructions could result in the malicious configuration and that the queued instructions have already been executed.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The wireless device of claim 15, wherein means for determining whether executing the queued instructions could result in the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server comprises:
    - means for applying the queued instructions to a current configuration of the wireless device to generate an expected configuration; and
      
      means for determining whether the expected configuration is included in a list of known malicious configurations.
  - 17. The wireless device of claim 15, wherein means for preventing the execution of the queued instructions in response to determining that executing the queued instructions could result in the malicious configuration and that the queued instructions have not already been executed comprises one of:
    - means for purging the queued instructions from the hardware pipeline; and
      
      means for modifying the queued instructions to enable the wireless device to execute the queued instructions without causing malicious behavior.
  - 18. The wireless device of claim 15, further comprising means for receiving the malicious and pathway configuration database from the network server, the malicious and pathway configuration database including a list of malicious pathway instructions, wherein means for determining whether executing the queued instructions could result in the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server comprises means for determining whether the queued instructions are included in the list of malicious pathway instructions.
  - 19. The wireless device of claim 15, further comprising:
    - means for receiving the malicious and pathway configuration database from the network server, the malicious and pathway configuration database including a list of potentially malicious pathway instructions and associated likelihood values, each likelihood value indicating a likelihood that executing its associated malicious pathway instruction will result in the malicious configuration; and
      
      wherein means for determining whether executing the queued instructions could result in the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server comprises;
      
      means for determining a probability value that identifies a probability that executing the queued instructions will result in the malicious configuration based on the likelihood values associated with the queued instructions included in the list of potentially malicious pathway instructions; and
      
      means for determining whether the probability value exceeds a risk threshold value.
  - 20. The wireless device of claim 15, further comprising:
    - means for receiving the malicious and pathway configuration database from the network server;
      
      means for determining a current configuration of the wireless device; and
      
      means for determining whether the current configuration of the wireless device could lead to the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server,wherein;
      
      means for accessing the instructions currently queued in the hardware pipeline comprises;
      
      means for slowing the execution of the queued instructions in response to determining that the current configuration of the wireless device could lead to the malicious configuration; and
      
      means for accessing the queued instructions after slowing the execution of the queued instructions, andmeans for determining whether executing the queued instructions could result in the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server comprises means for determining whether executing the queued instructions could result in the malicious configuration in response to determining that the current configuration of the wireless device could lead to the malicious configuration.
  - 21. The wireless device of claim 15,means for receiving the malicious and pathway configuration database from the network server;
    - means for determining a current configuration of the wireless device; and
      
      means for determining whether the current configuration of the wireless device could lead to the malicious configuration based on the malicious and pathway configuration database received from the network server,wherein means for determining whether executing the queued instructions could result in the malicious configuration comprises means for determining whether executing the queued instructions could result in the malicious configuration in response to determining that the current configuration of the wireless device could lead to the malicious configuration.

22. A non-transitory processor-readable storage medium having stored thereon processor-executable instructions, wherein:
- the stored processor-executable instructions are configured to cause a control unit to perform operations comprising;
  
  accessing instructions currently queued in a hardware pipeline (“
  
  queued instructions”
  
  ); and
  
  preventing execution of the queued instructions in response to a determination by a device processor that executing the queued instructions could result in a malicious configuration and that the queued instructions have not already been executed, andthe stored processor-executable instructions are configured to cause the device processor to perform operations comprising;
  
  determining whether executing the queued instructions could result in the malicious configuration based on information included in a malicious and pathway configuration database received from a network server;
  
  determining whether the queued instructions have already been executed in response to determining that executing the queued instructions could result in the malicious configuration; and
  
  implementing malicious behavior mitigation in response to determining that executing the queued instructions could result in the malicious configuration and that the queued instructions have already been executed.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The non-transitory processor-readable storage medium of claim 22, wherein the stored processor-executable instructions are configured to cause the device processor to perform operations such that determining whether executing the queued instructions could result in the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server comprises:
    - applying the queued instructions to a current configuration of the wireless device to generate an expected configuration; and
      
      determining whether the expected configuration is included in a list of known malicious configurations.
  - 24. The non-transitory processor-readable storage medium of claim 22, wherein the stored processor-executable instructions are configured to cause the control unit to perform operations such that preventing the execution of the queued instructions in response to the determination by the device processor that executing the queued instructions could result in the malicious configuration and that the queued instructions have not already been executed comprises one of:
    - purging the queued instructions from the hardware pipeline; and
      
      modifying the queued instructions to enable the wireless device to execute the queued instructions without causing malicious behavior.
  - 25. The non-transitory processor-readable storage medium of claim 22, wherein:
    - the stored processor-executable instructions are configured to cause the device processor to perform operations further comprising receiving the malicious and pathway configuration database from the network server, the malicious and pathway configuration database including a list of malicious pathway instructions, andthe stored processor-executable instructions are configured to cause the device processor to perform operations such that determining whether executing the queued instructions could result in the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server comprises determining whether the queued instructions are included in the list of malicious pathway instructions.
  - 26. The non-transitory processor-readable storage medium of claim 22, wherein:
    - the stored processor-executable instructions are configured to cause the device processor to perform operations further comprising;
      
      receiving the malicious and pathway configuration database from the network server, the malicious and pathway configuration database including a list of potentially malicious pathway instructions and associated likelihood values, each likelihood value indicating a likelihood that executing its associated malicious pathway instruction will result in the malicious configuration; and
      
      the stored processor-executable instructions are configured to cause the device processor to perform operations such that determining whether executing the queued instructions could result in the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server comprises;
      
      determining a probability value that identifies a probability that executing the queued instructions will result in the malicious configuration based on the likelihood values associated with the queued instructions included in the list of potentially malicious pathway instructions; and
      
      determining whether the probability value exceeds a risk threshold value.
  - 27. The non-transitory processor-readable storage medium of claim 22, wherein:
    - the stored processor-executable instructions are configured to cause the device processor to perform operations further comprising;
      
      receiving the malicious and pathway configuration database from the network server;
      
      determining a current configuration of the wireless device; and
      
      determining whether the current configuration of the wireless device could lead to the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server;
      
      the stored processor-executable instructions are configured to cause the device processor to perform operations such that;
      
      accessing instructions currently queued in the hardware pipeline comprises;
      
      slowing the execution of the queued instructions in response to determining that the current configuration of the wireless device could lead to the malicious configuration; and
      
      accessing the queued instructions after slowing the execution of the queued instructions; and
      
      determining whether executing the queued instructions could result in the malicious configuration based on the information included in the malicious and pathway configuration database received from the network server comprises;
      
      determining whether executing the queued instructions could result in the malicious configuration in response to determining that the current configuration of the wireless device could lead to the malicious configuration.
  - 28. The non-transitory processor-readable storage medium of claim 22, wherein:
    - the stored processor-executable instructions are configured to cause the device processor to perform operations further comprising;
      
      receiving the malicious and pathway configuration database from the network server;
      
      determining a current configuration of the wireless device;
      
      determining whether the current configuration of the wireless device could lead to the malicious configuration based on the malicious and pathway configuration database received from the network server; and
      
      the stored processor-executable instructions are configured to cause the device processor to perform operations such that determining whether executing the queued instructions could result in the malicious configuration comprises determining whether executing the queued instructions could result in the malicious configuration in response to determining that the current configuration of the wireless device could lead to the malicious configuration.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Sridhara, Vinay, Patne, Satyajit Prabhakar, Gupta, Rajarshi
Primary Examiner(s)
Chao, Michael

Application Number

US14/044,956
Publication Number

US 20150101048A1
Time in Patent Office

803 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/3612   by runtime analysis perform...

G06F 21/125   by manipulating the program...

G06F 21/52   during program execution, e...

G06F 21/54   by adding security routines...

G06F 21/55   Detecting local intrusion o...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 9/30145   Instruction analysis, e.g. ...

G06F 9/3861   Recovery, e.g. branch miss-...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04W 12/082   using revocation of authori...

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

Malware detection and prevention by monitoring and modifying a hardware pipeline

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection and prevention by monitoring and modifying a hardware pipeline

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links