System and Method for mitigating TOC/TOU attacks in a cloud computing enviroment

US 9,654,499 B2
Filed: 06/18/2015
Issued: 05/16/2017
Est. Priority Date: 06/20/2014
Status: Expired due to Fees

First Claim

Patent Images

1. A method for mitigating TOCTOU attacks comprising:

performing, by a processor of a trusted host communicatively coupled to an untrusted host via a communications connection, a run-time integrity verification of a first process executed by the processor of the untrusted host to determine that a first process executed on the untrusted host was launched from a pre-defined location and executed from beginning to end, wherein the untrusted host comprises multiple processors, the performing comprising;

requesting, by the processor of the trusted host, from a first processor of the multiple processors of the untrusted host, measurements representing operation of a first process on an untrusted host;

based on the requesting, obtaining, by the processor of the trusted host, the measurements, wherein the measurements comprise a checksum that is a result of a second process executing checksum code on the untrusted host to verify, during run-time of the first process, at least one pseudo-randomly chosen last branch record on the untrusted host; and

determining, by the processor, based on the measurements, whether the first process was compromised by utilizing the pseudo-randomly chosen last branch record to verify that the first process was launched from a pre-defined location and executed from beginning to end by the untrusted host.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system, method, and computer program product for mitigating TOCTOU attacks, which includes: as processor requesting measurements representing operation of a first process on a host that is untrusted and based on the requesting, obtaining the measurements, which include a checksum that is a result of a second process executing checksum code to verify at least one last branch record on the host. A processor also determined, based on the measurements, whether the first process was compromised.

Citations

20 Claims

1. A method for mitigating TOCTOU attacks comprising:
- performing, by a processor of a trusted host communicatively coupled to an untrusted host via a communications connection, a run-time integrity verification of a first process executed by the processor of the untrusted host to determine that a first process executed on the untrusted host was launched from a pre-defined location and executed from beginning to end, wherein the untrusted host comprises multiple processors, the performing comprising;
  
  requesting, by the processor of the trusted host, from a first processor of the multiple processors of the untrusted host, measurements representing operation of a first process on an untrusted host;
  
  based on the requesting, obtaining, by the processor of the trusted host, the measurements, wherein the measurements comprise a checksum that is a result of a second process executing checksum code on the untrusted host to verify, during run-time of the first process, at least one pseudo-randomly chosen last branch record on the untrusted host; and
  
  determining, by the processor, based on the measurements, whether the first process was compromised by utilizing the pseudo-randomly chosen last branch record to verify that the first process was launched from a pre-defined location and executed from beginning to end by the untrusted host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - determining, by the processor, at least one of;
      
      whether the requesting was intercepted before the measurements were conducted, or whether the second process was compromised.
  - 3. The method of claim 1, further comprising:
    - halting, by the processor of the trusted environment, execution of instructions by a portion of the multiple processors, wherein the portion does not include the first processor; and
      
      based on determining that the first process was not compromised, resuming, by the processor of the trusted environment, the halted processors.
  - 4. The method of claim 3, further comprisinginstructing, by the processor of the trusted environment, the halted processors to remain halted when instructed by another host to re-start during the determining whether the first process was compromised.
  - 5. The method of claim 1, wherein the requesting comprises sending a random number to the second process and wherein the checksum is a self checksum of the random number and the measurements further comprise a secure hash algorithm hash of a hypervisor running on the untrusted host, wherein the self checksum and the secure hash algorithm hash were computed by the second process.
  - 6. The method of claim 1, wherein the at least one last branch record comprises an LBR From IP pointer.
  - 7. The method of claim 1, the determining further comprises determining that the checksum is invalid, and based on the invalid checksum, determining that the first process was compromised.
  - 8. The method of claim 7, wherein executing checksum code to verify at least one last branch record comprises obtaining an invalid jump in a last branch record table on the untrusted host.
  - 9. The method of claim 7, wherein executing checksum code to verify at least one last branch record comprises obtaining a last branch record without a respective block jump.
  - 10. The method of claim 7, wherein the checksum is invalid based on an increase in verification time.
  - 11. The method of claim 1, further comprising:
    - halting, by the processor, an activity on a second host until completing the determining.

12. A computer system for mitigating TOCTOU attacks, the computer system comprising:
- a memory; and
  
  a processor in communication with the memory, wherein the computer system is configured to perform a method, the method comprising;
  
  performing, by a processor of a trusted host communicatively coupled to an untrusted host via a communications connection, a run-time integrity verification of a first process executed by the processor of the untrusted host to determine that a first process executed on the untrusted host was launched from a pre-defined location and executed from beginning to end, wherein the untrusted host comprises multiple processors, the performing comprising;
  
  requesting, by the processor of the trusted host, from a first processor of the multiple processors of the untrusted host, measurements representing operation of a first process on an untrusted host;
  
  based on the requesting, obtaining, by the processor of the trusted host, the measurements, wherein the measurements comprise a checksum that is a result of a second process executing checksum code on the untrusted host to verify, during run-time of the first process, at least one pseudo-randomly chosen last branch record on the untrusted host; and
  
  determining, by the processor, based on the measurements, whether the first process was compromised by utilizing the pseudo-randomly chosen last branch record to verify that the first process was launched from a pre-defined location and executed from beginning to end by the untrusted host.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The computer system of claim 12, further comprising:
    - determining, by the processor, at least one of;
      
      whether the requesting was intercepted before the measurements were conducted, or whether the second process was compromised.
  - 14. The computer system of claim 12, further comprising:
    - halting, by the processor of the trusted environment, execution of instructions by a portion of the multiple processors, wherein the portion does not include the first processor; and
      
      based on determining that the first process was not compromised, resuming, by the processor of the trusted environment, the halted processors.
  - 15. The computer system of claim 14, further comprisinginstructing, by the processor of the trusted environment, the halted processors to remain halted when instructed by another host to re-start during the determining whether the first process was compromised.
  - 16. The computer system of claim 12, wherein the requesting comprises sending a random number to the second process and wherein the checksum is a self checksum of the random number and the measurements further comprise a secure hash algorithm hash of a hypervisor running on the host, wherein the self checksum and the secure hash algorithm hash were computed by the second process.
  - 17. The computer system of claim 12, wherein the at least one last branch record comprises an LBR From IP pointer.
  - 18. The computer system of claim 12, the determining further comprises determining that the checksum is invalid, and based on the invalid checksum, determining that the first process was compromised.
  - 19. The computer system of claim 12, wherein executing checksum code to verify at least one last verify at least one last branch record comprises at least one of:
    - obtaining an invalid jump in a last brand record table on the host, obtaining a last branch record without a block jump, or recording an increase in verification time.

20. A non-transitory computer readable storage medium readable by one or more processors and storing instructions for execution by the one or more processors for performing a method of mitigating TOCTOU attacks comprising:
- performing, by a processor of a trusted host communicatively coupled to an untrusted host via a communications connection, a run-time integrity verification of a first process executed by the processor of the untrusted host to determine that a first process executed on the untrusted host was launched from a pre-defined location and executed from beginning to end, wherein the untrusted host comprises multiple processors, the performing comprising;
  
  requesting, by the processor of the trusted host, from a first processor of the multiple processors of the untrusted host, measurements representing operation of a first process on an untrusted host;
  
  based on the requesting, obtaining, by the processor of the trusted host, the measurements, wherein the measurements comprise a checksum that is a result of a second process executing checksum code on the untrusted host to verify, during run-time of the first process, at least one pseudo-randomly chosen last branch record on the untrusted host; and
  
  determining, by the processor, based on the measurements, whether the first process was compromised by utilizing the pseudo-randomly chosen last branch record to verify that the first process was launched from a pre-defined location and executed from beginning to end by the untrusted host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vencore Labs, Inc.
Original Assignee
Vencore Labs, Inc.
Inventors
Sapello, Angelo, Ghosh, Abhrajit, Poylisher, Alexander, Chiang, C. Jason, Matsunaka, Takashi, Kubota, Ayumu
Primary Examiner(s)
Hailu, Teshome

Application Number

US14/743,774
Publication Number

US 20150373046A1
Time in Patent Office

698 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/575   Secure boot

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

System and Method for mitigating TOC/TOU attacks in a cloud computing enviroment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for mitigating TOC/TOU attacks in a cloud computing enviroment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links