Inter-module authentication for securing application execution integrity within a computing device
1 Assignment
0 Petitions
Abstract
Systems and methods for recognizing and reacting to malicious or performance-degrading behaviors in a mobile device include observing mobile device behaviors in an observer module within a privileged-normal portion of a secure operating environment to identify a suspicious mobile device behavior. The observer module may generate a concise behavior vector based on the observations and provide the vector to an analyzer module in an unprivileged-secure portion of the secure operating environment. The vector may be analyzed in the unprivileged-secure portion to determine whether the mobile device behavior is benign, suspicious, malicious, or performance-degrading. If the behavior is found to be suspicious, operations of the observer module may be adjusted, such as to perform deeper observations. If the behavior is found to be malicious or performance-degrading, the user and/or a client module may be alerted in a secure, tamper-proof manner.
211 Citations
11 Claims
1. A method of monitoring and analyzing behaviors in a computing device having a high level operating system and a secure computing environment, comprising:
executing a first process via one or more hardware processors of the computing device in a privileged-normal portion of the secure computing environment of the computing device, the first process monitoring device behaviors over a period of time to collect behavior information and using the behavior information to generate a behavior vector;
executing a second process via the one or more hardware processors of the computing device in an unprivileged-normal portion of the secure computing environment of the computing device;
executing a secure authentication process via the one or more hardware processors in a privileged-secure portion of the secure computing environment of the computing device;
the first process providing a communication request message to the secure authentication process executing in the privileged-secure portion at the same or higher privilege level and at a higher security level than the first process;
the secure authentication process using the information included in the communication request message to authenticate the first process in the privileged-secure portion of the computing device;
the secure authentication process performing an integrity check of the first process in the privileged-secure portion of the computing device, the integrity check including the secure authentication process accessing a portion of a memory of the computing device allocated to the first process by the high level operating system to generate a cryptographic measurement in the privileged-secure portion;
the secure authentication process generating a key that includes the generated cryptographic measurement in response to the secure authentication process successfully authenticating the first process and the secure authentication process successfully performing the integrity check of the first process;
the secure authentication process in the privileged-secure portion providing the generated key to the first process in the privileged-normal portion;
the first process in the privileged-normal portion providing a second communication request message that includes the generated behavior vector and the generated key to the second process executing in the unprivileged-normal portion of the secure computing environment of the computing device;
the second process authenticating the first process based on the key and the cryptographic measurement included in the key to determine whether the first process can be trusted; and
the second process analyzing the behavior vector included in the second communication request message received from the first process to determine whether a behavior is benign in response to the second process determining, based on the key and the cryptographic measurement included in the key, that the first process can be trusted.
Dependent claims: 2, 3, 4.
5. A computing device, comprising:
a multi-core processor including two or more processor cores, one or more of which is configured with processor-executable instructions to perform operations comprising:
executing a first process in a privileged-normal portion of a secure computing environment of the computing device, the first process monitoring device behaviors over a period of time to collect behavior information and using the behavior information to generate a behavior vector;
executing a second process in an unprivileged-normal portion of the secure computing environment of the computing device;
executing a secure authentication process in a privileged-secure portion of the secure computing environment of the computing device;
the first process providing a communication request message to the secure authentication process executing in the privileged-secure portion of a secure computing environment of the computing device at the same or higher privilege level and at a higher security level than the first process;
the secure authentication process using the information included in the communication request message to authenticate the first process in the privileged-secure portion of the computing device;
the secure authentication process performing an integrity check of the first process in the privileged-secure portion of the computing device, the integrity check including the secure authentication process accessing a portion of a memory of the computing device allocated to the first process by a high level operating system of the computing device to generate a cryptographic measurement in the privileged-secure portion;
the secure authentication process generating a key that includes the generated cryptographic measurement in response to the secure authentication process successfully authenticating the first process and the secure authentication process successfully performing the integrity check of the first process;
the secure authentication process in the privileged-secure portion providing the generated key to the first process in the privileged-normal portion;
the first process in the privileged-normal portion providing a second communication request message that includes the generated behavior vector and the generated key to the second process executing in the unprivileged-normal portion of the secure computing environment;
the second process authenticating the first process based on the key and the cryptographic measurement included in the key to determine whether the first process can be trusted; and
the second process analyzing the behavior vector included in the second communication request message received from the first process to determine whether a behavior is benign in response to the second process determining, based on the key and the cryptographic measurement included in the key, that the first process can be trusted.
Dependent claims: 6, 7, 8.
9. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a processor to perform operations for monitoring and analyzing behaviors in a computing device having a high level operating system that includes a secure computing environment, the operations comprising:
executing a first process in a privileged-normal portion of the secure computing environment of the computing device, the first process monitoring device behaviors over a period of time to collect behavior information and using the behavior information to generate a behavior vector;
executing a second process via the one or more hardware processors of the computing device in an unprivileged-normal portion of the secure computing environment of the computing device;
executing a secure authentication process via the one or more hardware processors in a privileged-secure portion of the secure computing environment of the computing device;
the first process providing a communication request message to the secure authentication process executing in the privileged-secure portion of the secure computing environment of the computing device at the same or higher privilege level and at a higher security level than the first process;
the secure authentication process using the information included in the communication request message to authenticate the first process in the privileged-secure portion of the computing device;
the secure authentication process performing an integrity check of the first process in the privileged-secure portion of the computing device, the integrity check including the secure authentication process accessing a portion of a memory of the computing device allocated to the first process by the high level operating system of the computing device to generate a cryptographic measurement in the privileged-secure portion;
the secure authentication process generating a key that includes the generated cryptographic measurement in response to the secure authentication process successfully authenticating the first process and the secure authentication process successfully performing the integrity check of the first process;
the secure authentication process in the privileged-secure portion providing the generated key to the first process in the privileged-normal portion;
the first process in the privileged-normal portion providing a second communication request message that includes the generated behavior vector and the generated key to the second process executing in the unprivileged-normal portion of the secure computing environment of the computing device;
the second process authenticating the first process based on the key and the cryptographic measurement included in the key to determine whether the first process can be trusted; and
the second process analyzing the behavior vector included in the second communication request message received from the first process to determine whether a behavior is benign in response to the second process determining, based on the key and the cryptographic measurement included in the key, that the first process can be trusted.
Dependent claims: 10, 11.
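The three-party exchange of claim 1 (observer in privileged-normal, secure authentication process in privileged-secure, analyzer in unprivileged-normal), as an added worked example in Python. This is illustration written for this page, not code from the patent or from any implementation of it. It fills in several points the claims leave open, and each is an assumption: the secure authentication process authenticates the observer with a pre-provisioned per-process token; the integrity check compares a SHA-256 of the observer's memory region against a known-good reference; the "key that includes the cryptographic measurement" is the measurement concatenated with a fresh nonce and an HMAC under a secret shared only between the secure process and the analyzer; and the analyzer decides "benign" with a fixed threshold rule. The observer image, behavior vectors and thresholds are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample inputs (not from the patent): the observer module's code image
# and behavior vectors of counters it collected over one observation window.
OBSERVER_IMAGE = b"observer v1: sample syscalls, sockets, wakelocks -> vector"
BENIGN_VECTOR = {"syscalls_per_s": 120, "net_kb_per_s": 4, "wakelocks": 1}
SUSPICIOUS_VECTOR = {"syscalls_per_s": 9000, "net_kb_per_s": 800, "wakelocks": 40}
THRESHOLDS = {"syscalls_per_s": 5000, "net_kb_per_s": 500, "wakelocks": 20}  # assumed rule

MEAS_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


class NormalWorldMemory:
    """Stand-in for memory the high level OS allocated to normal-world processes.
    The secure world reads it; an attacker who patches the observer writes to it."""

    def __init__(self):
        self.regions = {}

    def allocate(self, name, image):
        self.regions[name] = bytearray(image)

    def read(self, name):
        return bytes(self.regions[name])


class SecureAuthProcess:
    """Privileged-secure side: authenticates the observer, measures its memory,
    and issues a key carrying the measurement only if both checks pass."""

    def __init__(self, memory, credentials, reference, key_secret):
        self.memory = memory
        self.credentials = credentials  # assumption: pre-provisioned per-process tokens
        self.reference = reference      # assumption: known-good measurement per process
        self.key_secret = key_secret    # assumption: secret shared with the analyzer only

    def handle_request(self, request):
        name, token = request["process"], request["token"]
        if not hmac.compare_digest(self.credentials.get(name, b""), token):
            return None  # authentication of the first process failed
        measurement = hashlib.sha256(self.memory.read(name)).digest()
        if not hmac.compare_digest(measurement, self.reference.get(name, b"")):
            return None  # integrity check failed: observer memory was modified
        nonce = secrets.token_bytes(NONCE_LEN)
        tag = hmac.new(self.key_secret, name.encode() + measurement + nonce, hashlib.sha256).digest()
        return measurement + nonce + tag  # key = measurement || nonce || MAC


class Observer:
    """Privileged-normal side: obtains the key, then forwards vector plus key."""

    def __init__(self, name, token, vector):
        self.name, self.token, self.vector, self.key = name, token, vector, None

    def request_key(self, auth):
        self.key = auth.handle_request({"process": self.name, "token": self.token})
        return self.key

    def report(self):
        return {"process": self.name, "vector": self.vector, "key": self.key}


class Analyzer:
    """Unprivileged-normal side: analyzes the vector only after the key checks out."""

    def __init__(self, reference, key_secret):
        self.reference, self.key_secret, self.seen_nonces = reference, key_secret, set()

    def verify_key(self, name, key):
        if key is None or len(key) != MEAS_LEN + NONCE_LEN + TAG_LEN:
            return False
        measurement = key[:MEAS_LEN]
        nonce = key[MEAS_LEN:MEAS_LEN + NONCE_LEN]
        tag = key[MEAS_LEN + NONCE_LEN:]
        expected = hmac.new(self.key_secret, name.encode() + measurement + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # not issued by the secure authentication process
        if not hmac.compare_digest(measurement, self.reference.get(name, b"")):
            return False  # measurement in the key is not the known-good observer
        if nonce in self.seen_nonces:
            return False  # same key presented again
        self.seen_nonces.add(nonce)
        return True

    def analyze(self, message):
        if not self.verify_key(message["process"], message["key"]):
            return None
        exceeded = any(message["vector"][k] > THRESHOLDS[k] for k in THRESHOLDS)
        return "suspicious" if exceeded else "benign"


def run_scenario(vector=BENIGN_VECTOR, tamper_image=False, forge_key=False, replay=False):
    """One observer -> secure auth -> analyzer exchange; returns the verdict or None."""
    memory = NormalWorldMemory()
    memory.allocate("observer", OBSERVER_IMAGE)
    reference = {"observer": hashlib.sha256(OBSERVER_IMAGE).digest()}
    credentials = {"observer": b"observer-token"}  # constructed token
    key_secret = secrets.token_bytes(32)
    auth = SecureAuthProcess(memory, credentials, reference, key_secret)
    analyzer = Analyzer(reference, key_secret)
    observer = Observer("observer", credentials["observer"], vector)
    if tamper_image:
        memory.regions["observer"][0:2] = b"XX"  # attacker patches observer in HLOS memory
    observer.request_key(auth)
    if forge_key:  # correct measurement, but a MAC the secure world never produced
        observer.key = reference["observer"] + bytes(NONCE_LEN) + bytes(TAG_LEN)
    verdict = analyzer.analyze(observer.report())
    if replay:
        verdict = analyzer.analyze(observer.report())
    return verdict


if __name__ == "__main__":
    print(run_scenario(), run_scenario(vector=SUSPICIOUS_VECTOR), run_scenario(tamper_image=True))
```

Each rejection path maps to a check in the claim: a patched observer fails the integrity check in the secure world and never receives a key, a key the secure process did not issue fails the MAC at the analyzer, and a mismatched measurement or a reused nonce is refused before any analysis happens. One caveat worth keeping in view: the key as claimed attests the observer's code at measurement time, not the particular behavior vector that accompanies it, so in this example the analyzer's trust in a vector rests on the key alone. Binding each report to the key (or performing the analysis in the secure world, as the abstract describes) would tighten that.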
Specification