System and method for firmware based anti-malware security

US 9,317,690 B2
Filed: 03/28/2011
Issued: 04/19/2016
Est. Priority Date: 03/28/2011
Status: Active Grant

First Claim

Patent Images

1. A system for securing an electronic device, comprising:

one or more operating systems;

a non-volatile memory;

a processor coupled to the non-volatile memory;

a resource of the electronic device;

firmware residing in the non-volatile memory and executed by the processor, the firmware communicatively coupled to the resource of an electronic device; and

a firmware security agent residing in the firmware, the firmware security agent configured to, at a higher priority than all of the operating systems of the electronic device accessing the resource;

intercept a request from one of the operating systems for the resource resident on the electronic device; and

determine whether the request is indicative of malware.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for securing an electronic device includes a non-volatile memory, a processor coupled to the non-volatile memory, a resource of the electronic device, firmware residing in the non-volatile memory and executed by the processor, and a firmware security agent residing in the firmware. The firmware is communicatively coupled to the resource of an electronic device. The firmware security agent is configured to, at a level below all of the operating systems of the electronic device accessing the resource, intercept a request for the resource and determine whether the request is indicative of malware.

173 Citations

53 Claims

1. A system for securing an electronic device, comprising:
- one or more operating systems;
  
  a non-volatile memory;
  
  a processor coupled to the non-volatile memory;
  
  a resource of the electronic device;
  
  firmware residing in the non-volatile memory and executed by the processor, the firmware communicatively coupled to the resource of an electronic device; and
  
  a firmware security agent residing in the firmware, the firmware security agent configured to, at a higher priority than all of the operating systems of the electronic device accessing the resource;
  
  intercept a request from one of the operating systems for the resource resident on the electronic device; and
  
  determine whether the request is indicative of malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 53)
- - 2. The system of claim 1, wherein if the request is indicative of malware, the firmware security agent is configured to deny the request.
  - 3. The system of claim 1, further comprising a server communicatively coupled to the firmware security agent, the server configured to provide security rules to be used by the firmware security agent to determine whether to intercept the request for the resource.
  - 4. The system of claim 1, further comprising a protection server is configured to:
    - receive information about a behavior on the electronic device observed by the firmware security agent, the behavior comprising the request; and
      
      determine whether the behavior indicates malware.
  - 5. The system of claim 1, wherein the firmware resides in a controller of a peripheral of the electronic device.
  - 6. The system of claim 1, wherein the resource comprises an input/output component of the electronic device.
  - 7. The system of claim 1, wherein the resource comprises a keyboard.
  - 8. The system of claim 1, wherein the resource comprises a display device.
  - 9. The system of claim 1, wherein the resource comprises a disk.
  - 10. The system of claim 1, wherein the request comprises an input or output command.
  - 11. The system of claim 1, wherein determining whether the request is indicative of malware comprises evaluating whether the value of the input or output command is indicative of malware.
  - 12. The system of claim 1, further comprising:
    - an input and/or output (I/O) device comprising the memory and processor, the I/O device communicatively coupled to an operating system of the electronic device;
      
      a security agent resident in the electronic device and communicatively coupled to the firmware security agent, wherein;
      
      configuring the firmware security agent to determine whether the request indicates malware comprises configuring the firmware security agent to send information to the security agent, the information comprising the request; and
      
      the security agent is configured to access one or more security rules to determine whether the information indicates malware.
  - 13. The system of claim 12, wherein the security agent operates within a bare metal layer of the electronic device.
  - 14. The system of claim 12, further comprising an operating system security agent running in the operating system and communicatively coupled to the security agent, wherein the security agent is configured to provide information to security agent, the information regarding one or more elements in the operating system that made the request of the resource.
  - 15. The system of claim 12, wherein the firmware security agent is configured to validate the security agent.
  - 16. The system of claim 12, wherein the security agent is configured to:
    - execute at a level below all operating systems of the electronic device accessing the resource; and
      
      receive the request from a level above the security agent.
  - 17. The system of claim 12, wherein the security agent is configured to:
    - execute at a higher priority than all operating systems of the electronic device accessing the resource, such priority defined by the processor; and
      
      receive the request is from an entity with less priority than the security agent.
  - 18. The system of claim 12, wherein the security agent is configured to:
    - execute on a more privileged ring of execution than all operating systems of the electronic device accessing the resource; and
      
      receive the request from a less privileged ring of execution than the security agent.
  - 53. The system of claim 1, wherein the firmware security agent is further configured to be inaccessible to all of the operating systems of the electronic device accessing the resource.

19. A method for securing an electronic device, comprising:
- in firmware communicatively coupled to a resource, the resource coupled to the electronic device and the firmware residing in a non-volatile memory at a higher priority than all of one or more operating systems of the electronic device;
  
  intercepting a request from one of the operating systems for the resource resident on the electronic device;
  
  consulting one or more security rules; and
  
  based on the one or more security rules, determining whether the request is indicative of malware.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 20. The method of claim 19, further comprising if the request is indicative of malware, denying the request.
  - 21. The method of claim 19, wherein determining whether the request is indicative of malware comprises:
    - sending information about the request to a protection server; and
      
      receiving a determination about the request from the protection server.
  - 22. The method of claim 19, wherein the request is intercepted in firmware resident in a controller of a peripheral of the electronic device.
  - 23. The method of claim 19, wherein the resource comprises an input/output component of the electronic device.
  - 24. The method of claim 19, wherein the resource comprises a keyboard.
  - 25. The method of claim 19, wherein the resource comprises a display device.
  - 26. The method of claim 19, wherein the resource comprises a disk.
  - 27. The method of claim 19, wherein the request comprises an input or output command.
  - 28. The method of claim 19, further comprising communicating with a security agent resident in the electronic device to receive one or more security rules.
  - 29. The method of claim 28, further comprising:
    - intercepting the request in the firmware of an input and/or output (I/O) device;
      
      wherein determining whether the request whether the request indicates malware comprises;
      
      sending information to the security agent, the information comprising the request; and
      
      accessing one or more security rules from the security agent to determine whether the request indicates malware.
  - 30. The method of claim 28, wherein accessing one or more security rules from the security agent is accomplished within a bare metal layer of the electronic device.
  - 31. The method of claim 28, further comprising:
    - communicating with an operating system security agent running in an operating system of the electronic device; and
      
      receiving information regarding one or more elements in the operating system that made the request of the resource.
  - 32. The method of claim 28, further comprising validating the security agent.
  - 33. The method of claim 28:
    - wherein the security agent is executing at a level below all operating methods of the electronic device; and
      
      further comprising receiving the request from a level above the security agent.
  - 34. The method of claim 28:
    - wherein the security agent is executing at a higher priority than all operating systems of the electronic device accessing the resource, such priority defined by the processor; and
      
      further comprising receiving the request from an entity with less priority than the security agent.
  - 35. The method of claim 28:
    - wherein the security agent is executing on a more privileged ring of execution than all operating systems of the electronic device accessing the resource; and
      
      further comprising receiving the request from a less privileged ring of execution than the security agent.

36. An article of manufacture comprising:
- a non-transitory computer readable medium; and
  
  computer-executable instructions carried on the computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to;
  
  in firmware communicatively coupled to a resource, the resource attached to the electronic device and the firmware residing in a non-volatile memory at a higher priority than all of one or more operating systems of the electronic device;
  
  intercept a request from one of the operating systems for the resource attached to the electronic device;
  
  consult one or more security rules; and
  
  based on the one or more security rules, determine whether the request is indicative of malware.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 37. The article of claim 36, wherein the processor is further caused to:
    - if the request is indicative of malware, deny the request.
  - 38. The article of claim 36, wherein determining whether the request is indicative of malware comprises causing the processor to:
    - send information about the request to a protection server; and
      
      receive a determination about the request from the protection server.
  - 39. The article of claim 36, wherein the processor is caused to intercept the request in firmware residing in a controller of a peripheral of the electronic device.
  - 40. The article of claim 36, wherein the resource comprises an input/output component of the electronic device.
  - 41. The article of claim 36, wherein the resource comprises a keyboard.
  - 42. The article of claim 36, wherein the resource comprises a display device.
  - 43. The article of claim 36, wherein the resource comprises a disk.
  - 44. The article of claim 36, wherein the request comprises an input or output command.
  - 45. The article of claim 36, further comprising causing the processor to communicate with a security agent resident in the electronic device to receive one or more security rules.
  - 46. The article of claim 45, further comprising causing the processor to:
    - intercept the request in the firmware of an input and/or output (I/O) device;
      
      wherein determining whether the request whether the request indicates malware comprises causing the processor to;
      
      send information to the security agent, the information comprising the request; and
      
      access one or more security rules from the security agent to determine whether the request indicates malware.
  - 47. The article of claim 45, wherein accessing one or more security rules from the security agent comprises is accomplished within a bare metal layer of the electronic device.
  - 48. The article of claim 45, wherein the processor is further caused to:
    - communicate with an operating system security agent running in an operating system of the electronic device; and
      
      receive information regarding one or more elements in the operating system that made the request of the resource.
  - 49. The article of claim 45, wherein the processor is further caused to validate the security agent.
  - 50. The article of claim 45, wherein:
    - the security agent is configured to execute at a level below all operating articles of the electronic device; and
      
      the processor is further caused to receive the request from a level above the security agent.
  - 51. The article of claim 45, wherein:
    - the security agent is configured to execute at a higher priority than all operating systems of the electronic device accessing the resource, such priority defined by the processor; and
      
      the processor is further caused to receive the request from an entity with less priority than the security agent.
  - 52. The article of claim 45, wherein:
    - the security agent is configured to execute on a more privileged ring of execution than all operating systems of the electronic device accessing the resource; and
      
      the processor is further caused to receive the request the request from a less privileged ring of execution than the security agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sallam, Ahmed Said
Primary Examiner(s)
BROWN, ANTHONY D

Application Number

US13/073,810
Publication Number

US 20120255010A1
Time in Patent Office

1,849 Days
Field of Search

726 22- 25
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/572   Secure firmware programming...

G06F 21/6218   to a system of files or obj...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

System and method for firmware based anti-malware security

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

173 Citations

53 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for firmware based anti-malware security

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

173 Citations

53 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links