Systems and methods for authorizing attempts to access shared libraries

US 9,509,697 B1
Filed: 09/15/2014
Issued: 11/29/2016
Est. Priority Date: 09/15/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for authorizing attempts to access shared libraries, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

detecting an attempt by a process to access a shared library;

identifying a call stack of the process;

inspecting the call stack by;

identifying a subroutine of the process that initiated the attempt to access the shared library;

determining that at least one of;

the subroutine is used to perform inter-process communications;

the subroutine is used to perform task delegation; and

the subroutine is used to perform reflection;

determining that the subroutine is not authorized to access the shared library based at least in part on determining that the subroutine is being used to perform at least one of inter-process communications, task delegation, and reflection; and

causing the attempt to be blocked in response to determining that the subroutine is not authorized to access the shared library.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for authorizing attempts to access shared libraries may include (1) detecting an attempt by a process to access a shared library, (2) identifying a call stack of the process, (3) inspecting the call stack to determine whether a method that initiated the attempt is authorized to access the shared library, and (4) causing the attempt to be allowed if the method is authorized to access the shared library or blocked if the method is not authorized to access the shared library. Various other methods, systems, and computer-readable media are also disclosed.

29 Citations

View as Search Results

20 Claims

1. A computer-implemented method for authorizing attempts to access shared libraries, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- detecting an attempt by a process to access a shared library;
  
  identifying a call stack of the process;
  
  inspecting the call stack by;
  
  identifying a subroutine of the process that initiated the attempt to access the shared library;
  
  determining that at least one of;
  
  the subroutine is used to perform inter-process communications;
  
  the subroutine is used to perform task delegation; and
  
  the subroutine is used to perform reflection;
  
  determining that the subroutine is not authorized to access the shared library based at least in part on determining that the subroutine is being used to perform at least one of inter-process communications, task delegation, and reflection; and
  
  causing the attempt to be blocked in response to determining that the subroutine is not authorized to access the shared library.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, wherein identifying the subroutine that initiated the attempt comprises identifying a stack frame of the subroutine within the call stack.
  - 3. The computer-implemented method of claim 1, wherein identifying the call stack comprises identifying the call stack as part of an authorization system, which performs authorization functions for the shared library, in response to receiving a representation of the call stack from the shared library as part of an authorization request.
  - 4. The computer-implemented method of claim 1, wherein detecting the attempt by the process to access the shared library comprises detecting an attempt to access functionalities of the shared library exposed through an API method of the shared library.
  - 5. The computer-implemented method of claim 1, wherein the steps of the method are performed as part of an authorization system on a remote server.
  - 6. The computer-implemented method of claim 1, wherein identifying the call stack comprises identifying the call stack as part of a shared library using stack-introspection functionality provided by a platform on which the shared library is running.
  - 7. The computer-implemented method of claim 1, further comprising:
    - detecting an additional attempt by an additional process to access the shared library;
      
      identifying a call stack of the additional process;
      
      inspecting the call stack of the additional process by;
      
      identifying an additional subroutine that initiated the additional attempt to access the shared library;
      
      determining that the additional subroutine is not used to perform any one of inter-process communications, task delegation, or reflection;
      
      determining that the additional subroutine is authorized to access the shared library based at least in part on determining that the additional subroutine is not being used to perform any one of inter-process communications, task delegation, or reflection;
      
      causing the additional attempt to be allowed in response to determining that the additional subroutine is authorized to access the shared library.
  - 8. The computer-implemented method of claim 7, further comprising:
    - assigning a token to the additional process in response to determining that the additional subroutine is authorized to access the shared library;
      
      receiving the token as part of a subsequent attempt by the additional process to access the shared library;
      
      causing, in response to receiving the token, the subsequent attempt to be allowed without inspecting a call stack associated with the subsequent attempt.
  - 9. The computer-implemented method of claim 1, wherein inspecting the call stack further comprises inspecting the call stack to identify a call order of a plurality of subroutines that initiated the attempt.
  - 10. The computer-implemented method of claim 9, wherein determining that the subroutine is not authorized to access the shared library comprises determining that the subroutine is not authorized to access the shared library based additionally on the call order of the plurality of subroutines that initiated the attempt.
  - 11. The computer-implemented method of claim 9, wherein:
    - inspecting the call stack further comprises determining that the call order of the plurality of subroutines is different than a previous call order of the plurality of subroutines;
      
      determining that the subroutine is not authorized to access the shared library comprises determining that the subroutine is not authorized to access the shared library based additional on determining that the call order of the plurality of subroutines is different than the previous call order of the plurality of subroutines.

12. A system for authorizing attempts to access shared libraries, the system comprising:
- a detection module, stored in memory, that detects an attempt by a process to access a shared library;
  
  an identification module, stored in memory, that identifies a call stack of the process;
  
  an inspection module, stored in memory, that inspects the call stack by;
  
  identifying a subroutine of the process that initiated the attempt to access the shared library;
  
  determining that at least one of;
  
  the subroutine is used to perform inter-process communications;
  
  the subroutine is used to perform task delegation;
  
  orthe subroutine is used to perform reflection;
  
  determining that the subroutine is not authorized to access the shared library based at least in part on determining that the subroutine is being used to perform at least one of inter-process communications, task delegation, or reflection;
  
  an access module, stored in memory, that causes the attempt to be blocked in response to determining that the subroutine is not authorized to access the shared library; and
  
  at least one physical processor configured to execute the detection module, the identification module, the inspection module, and the access module.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, wherein the inspection module identifies the subroutine that initiated the attempt by identifying a stack frame of the subroutine within the call stack.
  - 14. The system of claim 12, wherein the identification module identifies the call stack by identifying the call stack as part of an authorization system, which performs authorization functions for the shared library, in response to receiving a representation of the call stack from the shared library as part of an authorization request.
  - 15. The system of claim 12, wherein the detection module detects the attempt by the process to access the shared library by detecting an attempt to access functionalities of the shared library exposed through an API method of the shared library.
  - 16. The system of claim 12, wherein the identification module identifies the call stack by identifying the call stack as part of a shared library using stack-introspection functionality provided by a platform on which the shared library is running.
  - 17. The system of claim 12, wherein the inspection module further inspects the call stack by inspecting the call stack to identify a call order of a plurality of subroutines that initiated the attempt.
  - 18. The system of claim 17, wherein the inspection module determines that the subroutine is not authorized to access the shared library by determining that the subroutine is not authorized to access the shared library based additionally on the call order of the plurality of subroutines that initiated the attempt.
  - 19. The system of claim 17, wherein:
    - the inspection module further inspects the call stack by determining that the call order of the plurality of subroutines is different than a previous call order of the plurality of subroutines;
      
      the inspection module determines that the subroutine is not authorized to access the shared library based additionally on determining that the call order of the plurality of subroutines is different than the previous call order of the plurality of subroutines.

20. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- detect an attempt by a process to access a shared library;
  
  identify a call stack of the process;
  
  inspect the call stack by;
  
  identifying a subroutine of the process that initiated the attempt to access the shared library;
  
  determining that at least one of;
  
  the subroutine is used to perform inter-process communications;
  
  the subroutine is used to perform task delegation;
  
  the subroutine is used to perform reflection;
  
  determine that the subroutine is not authorized to access the shared library based at least in part on determining that the subroutine is being used to perform at least one of inter-process communications, task delegation, or reflection; and
  
  cause the attempt to be blocked in response to determining that the subroutine is not authorized to access the shared library.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Salehpour, Jonathon
Primary Examiner(s)
Lipman, Jacob

Application Number

US14/486,323
Time in Patent Office

806 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

G06F 21/52 during program execution, e...

Systems and methods for authorizing attempts to access shared libraries

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for authorizing attempts to access shared libraries

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links