System self integrity and health validation for policy enforcement

US 9,495,521 B2
Filed: 02/07/2011
Issued: 11/15/2016
Est. Priority Date: 02/05/2010
Status: Active Grant

First Claim

Patent Images

1. A method of enforcing system self-integrity validation policies, the method comprising:

installing a policy enforcer on a client device;

using the policy enforcer to examine the policy enforcer itself to determine whether the policy enforcer itself has been compromised;

in response to a determination that the policy enforcer has been compromised, prohibiting access of the client device to the services provided by the service provider;

installing, on the client device, a plurality of policies configured to enforce system integrity of the client device;

monitoring, using the policy enforcer, system performance of the client device to determine actual system performance of the client device;

based on a first policy in the plurality of policies, comparing the actual system performance of the client device with system performance required by the first policy, wherein the first policy restricts the use of operating systems (O/S) that circumvent digital rights management (DRM) protections;

determining, by the policy enforcer, that the actual system performance of the client device does not match the system performance required by the first policy;

identifying one or more software processes responsible for the actual system performance of the client device not matching the system performance required by the first policy including identifying that an O/S running on the client device is circumventing the DRM protections;

identifying first services from the service provider that are related to the one or more software processes including identifying services that provide DRM-protected files; and

denying the client device access to the first services from the service provider while continuing to allow the client device access to other services from the service provider, wherein the client device is denied access to the DRM-protected files provided by the identified services.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention provide methods and systems for enforcing system self integrity validation policies. The method includes accessing, by a policy enforcer, a plurality of policies configured to enforce system integrity, monitoring system performance to determine actions executed by the system, and based on at least one of the plurality of policies, comparing the system performance with system performance required by the at least one or the plurality of policies. The method further includes, based on the comparison, determining that the system has performed in a manner contrary to the requirements of the at least one policy, and in response, prohibiting access of the system to services provided by a service provider.

Citations

18 Claims

1. A method of enforcing system self-integrity validation policies, the method comprising:
- installing a policy enforcer on a client device;
  
  using the policy enforcer to examine the policy enforcer itself to determine whether the policy enforcer itself has been compromised;
  
  in response to a determination that the policy enforcer has been compromised, prohibiting access of the client device to the services provided by the service provider;
  
  installing, on the client device, a plurality of policies configured to enforce system integrity of the client device;
  
  monitoring, using the policy enforcer, system performance of the client device to determine actual system performance of the client device;
  
  based on a first policy in the plurality of policies, comparing the actual system performance of the client device with system performance required by the first policy, wherein the first policy restricts the use of operating systems (O/S) that circumvent digital rights management (DRM) protections;
  
  determining, by the policy enforcer, that the actual system performance of the client device does not match the system performance required by the first policy;
  
  identifying one or more software processes responsible for the actual system performance of the client device not matching the system performance required by the first policy including identifying that an O/S running on the client device is circumventing the DRM protections;
  
  identifying first services from the service provider that are related to the one or more software processes including identifying services that provide DRM-protected files; and
  
  denying the client device access to the first services from the service provider while continuing to allow the client device access to other services from the service provider, wherein the client device is denied access to the DRM-protected files provided by the identified services.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 15, 16, 17, 18)
- - 2. The method of claim 1, further comprising:
    - based on the comparison, determining that the client device has performed consistently with a second policy in the plurality of policies; and
      
      in response, continuing to allow the system to access services provided by the service provider that are associated with the second policy.
  - 3. The method of claim 1, further comprising:
    - determining that the policy enforcer has not been compromised; and
      
      continuing to allow the client device to access services provided by the service provider.
  - 4. The method of claim 1, wherein the policy enforcer is compromised based in part on one or more of the following situations:
    - hardware associated with the policy enforcer has been modified, software of the policy enforcer has been modified and/or deleted, files associated with the policy enforcer have been modified and/or deleted, software and/or hardware has been added to the system to circumvent operation of the policy enforcer, programs, services, O/S, firmware, drivers, or the peripherals.
  - 5. The method of claim 1, further comprising:
    - in response to determining that the actual system performance of the client device does not match the system performance required by the first policy, implementing a mitigation process for repairing the one or more software processes.
  - 6. The method of claim 5, wherein the mitigation process comprises:
    - determining if invalid hardware is present within the client device;
      
      in response to invalid hardware being present, gathering information about the hardware;
      
      implementing a corrective strategy; and
      
      propagating the corrective strategy to the client device.
  - 7. The method of claim 5, wherein the mitigation process further comprises:
    - determining if invalid files and/or software are present within the client device; and
      
      in response to invalid files and/or software being present, identifying and reporting information about the invalid files and/or software.
  - 8. The method of claim 5, wherein the mitigation process further comprises:
    - determining if required files and/or software has been removed or modified within the client device; and
      
      in response to required files and/or software being removed or modified, identifying and reporting which required files and/or software have been removed and/or how the required files and/or software have been modified.
  - 9. The method of claim 5, wherein the mitigation process comprises:
    - checking the validity of the operating system (O/S) present on the client device; and
      
      in response to the O/S being invalid, denying service to the client device.
  - 15. The method of claim 1, wherein the policy enforcer is configured to check its own integrity at random intervals.
  - 16. The method of claim 1, further comprising receiving a reinstallation of the one or more software processes from the service provider.
  - 17. The method of claim 1, wherein:
    - the first policy specifies testing of circuits on the client device; and
      
      determining that the actual system performance of the client device does not match the system performance required by the first policy comprises determining that additional hardware chips are present on the client device.
  - 18. The method of claim 1, wherein:
    - the policy enforcer comprises a plurality of key modules;
      
      the client device runs a plurality of applications that send messages to each other and to the service provider;
      
      the plurality of key modules electronically sign the messages sent between applications and to the service provider; and
      
      the policy enforcer is further configured to use a sequence of keys used in the signatures to determine whether the messages were correctly processed.

10. A non-transitory computer-readable medium comprising instruction which, when executed by one or more processors, cause the one or more processors to perform operations comprising:
- installing a policy enforcer on a client device;
  
  using the policy enforcer to examine the policy enforcer itself to determine whether the policy enforcer itself has been compromised;
  
  in response to a determination that the policy enforcer has been compromised, prohibiting access of the client device to the services provided by the service provider;
  
  installing, on the client device, a plurality of policies configured to enforce system integrity of the client device;
  
  monitoring, using the policy enforcer, system performance of the client device to determine actual system performance of the client device;
  
  based on a first policy in the plurality of policies, comparing the actual system performance of the client device with system performance required by the first policy, wherein the first policy restricts the use of operating systems (O/S) that circumvent digital rights management (DRM) protections;
  
  determining, by the policy enforcer, that the actual system performance of the client device does not match the system performance required by the first policy;
  
  identifying one or more software processes responsible for the actual system performance of the client device not matching the system performance required by the first policy including identifying that an O/S running on the client device is circumventing the DRM protections;
  
  identifying first services from the service provider that are related to the one or more software processes including identifying services that provide DRM-protected files; and
  
  denying the client device access to the first services from the service provider while continuing to allow the client device access to other services from the service provider, wherein the client device is denied access to the DRM-protected files provided by the identified services.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The medium of claim 10, wherein the instructions cause the one or more processors to perform further operations comprising:
    - determining that the first policy has not been breached; and
      
      continuing to detect and report software running on the client device and the copying, distributing, and modifying of the software and/or files on the client device.
  - 12. The medium of claim 10, wherein the client device comprises one or more of the following:
    - a wireless device, a personal digital assistant (PDA), a personal computer, and a mobile device.
  - 13. The medium of claim 10, wherein the service provider comprises one or more of the following:
    - a cellular service provider, an Internet service provider (ISP), a digital media service provider, and a software service provider.
  - 14. The medium of claim 10, wherein the first policy comprises requirements related to one or more of the following:
    - digital media rights (DRM) enforcement, software license enforcement, corporate spyware enforcement, security setting enforcement, and file rights enforcement.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Maes, Stephane H.
Primary Examiner(s)
WILLIAMS, JEFFERY L

Application Number

US13/022,367
Publication Number

US 20110197260A1
Time in Patent Office

2,108 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/10 Protecting distributed prog...

G06F 21/554 involving event detection a...

System self integrity and health validation for policy enforcement

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System self integrity and health validation for policy enforcement

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links