Secure system for allowing the execution of authorized computer program code
First Claim
1. A method comprising:
- monitoring, by a kernel mode driver of a computer system, a set of events occurring within one or more of a file system accessible by the computer system and an operating system that manages resources of the computer system;
- in connection with said monitoring, responsive to observation, by the kernel mode driver, of an event of the set of events performed by or initiated by an active process running on the computer system, wherein the active process corresponds to a first code module stored within the file system and the event relates to a second code module stored within the file system, performing or bypassing a real-time authentication process on the second code module with reference to a whitelist containing content authenticators of approved code modules, which are known not to contain viruses or malicious code;
- allowing, by the kernel mode driver, the active process to load the second code module into a memory of the computer system (i) when the real-time authentication process is bypassed or (ii) when the real-time authentication process is performed and determines a content authenticator of the code module matches one of the content authenticators of approved code modules within the whitelist; and
- preventing, by the kernel mode driver, the active process from loading the second code module into the memory when the real-time authentication process is performed and determines the content authenticator does not match any of the content authenticators of approved code modules within the whitelist.
Abstract
Systems and methods for selective authorization of code modules are provided. According to one embodiment, a kernel mode driver monitors events occurring within a file system or an operating system. Responsive to observation of a trigger event performed by or initiated by an active process, in which the active process corresponds to a first code module within the file system and the event relates to a second code module within the file system, a real-time authentication process is performed or bypassed on the second code module with reference to a whitelist containing content authenticators of approved code modules, which are known not to contain viruses or malicious code. The active process is allowed to load the second code module into memory when the real-time authentication process is bypassed, or when it is performed and determines that a content authenticator of the second code module matches one of the content authenticators in the whitelist.
Claims (18 in total; the two independent claims are reproduced here)
1. A method comprising: the steps set out under First Claim above (claims 2 to 9 depend on claim 1).
10. A non-transitory program storage device readable by a computer system, tangibly embodying a program of instructions executable by one or more computer processors of the computer system to perform a method for authenticating dependent code modules requested to be loaded by active processes running on the computer system, the method comprising:
- monitoring, by a kernel mode driver of the computer system, a set of events occurring within one or more of a file system accessible by the computer system and an operating system that manages resources of the computer system;
- in connection with said monitoring, responsive to observation, by the kernel mode driver, of an event of the set of events performed by or initiated by an active process running on the computer system, wherein the active process corresponds to a first code module stored within the file system and the event relates to a second code module stored within the file system, performing or bypassing a real-time authentication process on the second code module with reference to a whitelist containing content authenticators of approved code modules, which are known not to contain viruses or malicious code;
- allowing, by the kernel mode driver, the active process to load the second code module into a memory of the computer system (i) when the real-time authentication process is bypassed or (ii) when the real-time authentication process is performed and determines a content authenticator of the code module matches one of the content authenticators of approved code modules within the whitelist; and
- preventing, by the kernel mode driver, the active process from loading the second code module into the memory when the real-time authentication process is performed and determines the content authenticator does not match any of the content authenticators of approved code modules within the whitelist.
(Claims 11 to 18 depend on claim 10.)
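The decision logic the abstract and the independent claims describe (intercept an event an active process performs on a second code module, either bypass authentication or compute the module's content authenticator and compare it against a whitelist, then allow or prevent the load) can be simulated in user space. The following is an added illustration, not code from the patent or from any product implementing it. It assumes SHA-256 as the content authenticator (the claims do not fix an algorithm), assumes a policy in which image-load and execute events are authenticated while read and stat events are bypassed, and uses constructed module bytes and file paths in place of a real file-system read and a real kernel-mode filter.

```python
"""Whitelist-gated module loading, simulated in user space (illustrative example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Event kinds a file-system / OS filter might report (assumed policy, not from the patent).
LOAD_KINDS = frozenset({"image_load", "execute"})  # these trigger real-time authentication
BYPASS_KINDS = frozenset({"read", "stat"})         # these are bypassed: no load is implied


@dataclass(frozen=True)
class Event:
    kind: str       # what the active process did
    process: str    # path of the first code module (the active process)
    module: str     # path of the second code module the event relates to
    content: bytes  # bytes of the second module (constructed here in place of a file read)


@dataclass
class Decision:
    allowed: bool
    reason: str
    authenticator: Optional[str] = None


def content_authenticator(data: bytes) -> str:
    """SHA-256 over the module bytes; the whitelist stores only these digests."""
    return hashlib.sha256(data).hexdigest()


class WhitelistGate:
    """Stand-in for the kernel mode driver's allow/prevent decision."""

    def __init__(self, approved_modules: Dict[str, bytes]):
        # The whitelist is keyed on content, never on path, so a renamed or
        # path-spoofed file is judged by its bytes and a patched file no longer matches.
        self.approved = {content_authenticator(b) for b in approved_modules.values()}
        self.audit: List[Tuple[str, str, str]] = []  # (process, module, ALLOW/DENY)

    def on_event(self, ev: Event) -> Decision:
        if ev.kind in BYPASS_KINDS:
            d = Decision(True, "bypassed: event kind does not require authentication")
        elif ev.kind in LOAD_KINDS:
            auth = content_authenticator(ev.content)
            if auth in self.approved:
                d = Decision(True, "authenticator matches whitelist", auth)
            else:
                d = Decision(False, "authenticator not in whitelist", auth)
        else:
            # Design choice: an event kind the policy has never seen is denied rather than
            # silently bypassed, so a new load path cannot slip past the gate unnoticed.
            d = Decision(False, f"unknown event kind {ev.kind!r}; fail closed")
        self.audit.append((ev.process, ev.module, "ALLOW" if d.allowed else "DENY"))
        return d


def demo() -> List[Tuple[str, str, str]]:
    """Runs four constructed events through the gate and returns the audit trail."""
    app = "C:/Program Files/App/app.exe"
    helper = "C:/Program Files/App/helper.dll"
    good = b"MZ\x90\x00approved-helper-v1"       # constructed stand-in for an approved DLL
    tampered = good + b"\x00patched"             # same file after an unauthorized change
    gate = WhitelistGate({helper: good})
    events = [
        Event("image_load", app, helper, good),                       # approved bytes -> ALLOW
        Event("image_load", app, "C:/Users/Public/helper.dll", good),  # same bytes, new path -> ALLOW
        Event("image_load", app, helper, tampered),                   # bytes changed -> DENY
        Event("read", app, helper, tampered),                         # read is bypassed -> ALLOW
    ]
    for ev in events:
        gate.on_event(ev)
    return gate.audit


if __name__ == "__main__":
    for process, module, verdict in demo():
        print(f"{verdict:5} {process} -> {module}")
```

Two points the example makes concrete: because the whitelist holds content authenticators rather than paths, approval follows the bytes (the copied helper is still allowed, the patched one is not), and the bypass set must be explicit and closed, since any event kind that can cause code to be mapped into memory but is not authenticated is a gap in the control.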
Specification