Secure system for allowing the execution of authorized computer program code

US 9,842,203 B2
Filed: 12/28/2015
Issued: 12/12/2017
Est. Priority Date: 12/03/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

monitoring, by a kernel mode driver of an operating system of a computer system, a set of events occurring within one or more of a file system accessible by the computer system and the operating system;

in connection with said monitoring, responsive to observation, by the kernel mode driver, of an event of the set of events performed by or initiated by an active process running on the computer system, wherein the active process corresponds to a first code module stored within the file system and the event relates to a second code module stored within the file system, performing or bypassing a real-time authentication process on the second code module with reference to a multi-level whitelist database architecture to determine whether to allow the second code module to be loaded into a random access memory (RAM) of the computer system, the multi-level whitelist database architecture including (i) a global whitelist database hosted by a trusted third-party service provider containing cryptographic hash values of approved code modules, which have been identified by multiple sources as not containing viruses or malicious code, (ii) a local whitelist database stored local to the computer system and created based on the global whitelist and (iii) a most recently used (MRU) cache maintained within the RAM and containing entries corresponding to code modules that have previously been authenticated by the real-time authentication process, the entries each including a run option indicative of whether the corresponding code module was previously affirmatively authenticated by the real-time authentication process;

allowing, by the kernel mode driver, the active process to load the second code module into the RAM (i) when the real-time authentication process is bypassed or (ii) when the real-time authentication process is performed and results in an affirmative determination; and

preventing, by the kernel mode driver, the active process from loading the second code module into the RAM when the real-time authentication process is performed and results in a negative determination.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for selective authorization of code modules are provided. According to one embodiment, a kernel mode driver monitors events occurring within a file system or an operating system. Responsive to observation of a trigger event performed by or initiated by an active process, in which the active process corresponds to a first code module within the file system and the event relates to a second code module within the file system, performing or bypassing a real-time authentication process on the second code module with reference to a multi-level whitelist database architecture. The active process is allowed to load the second code module into memory when the real-time authentication process is bypassed or when it is performed and results in an affirmative determination.

Citations

18 Claims

1. A method comprising:
- monitoring, by a kernel mode driver of an operating system of a computer system, a set of events occurring within one or more of a file system accessible by the computer system and the operating system;
  
  in connection with said monitoring, responsive to observation, by the kernel mode driver, of an event of the set of events performed by or initiated by an active process running on the computer system, wherein the active process corresponds to a first code module stored within the file system and the event relates to a second code module stored within the file system, performing or bypassing a real-time authentication process on the second code module with reference to a multi-level whitelist database architecture to determine whether to allow the second code module to be loaded into a random access memory (RAM) of the computer system, the multi-level whitelist database architecture including (i) a global whitelist database hosted by a trusted third-party service provider containing cryptographic hash values of approved code modules, which have been identified by multiple sources as not containing viruses or malicious code, (ii) a local whitelist database stored local to the computer system and created based on the global whitelist and (iii) a most recently used (MRU) cache maintained within the RAM and containing entries corresponding to code modules that have previously been authenticated by the real-time authentication process, the entries each including a run option indicative of whether the corresponding code module was previously affirmatively authenticated by the real-time authentication process;
  
  allowing, by the kernel mode driver, the active process to load the second code module into the RAM (i) when the real-time authentication process is bypassed or (ii) when the real-time authentication process is performed and results in an affirmative determination; and
  
  preventing, by the kernel mode driver, the active process from loading the second code module into the RAM when the real-time authentication process is performed and results in a negative determination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the second code module comprises one or more of an executable code module, a dynamically-linked library file, a Java applet, and a JavaScript.
  - 3. The method of claim 1, further comprising:
    - determining, by the kernel mode driver, an identity or type of the first code module; and
      
      selectively performing the real-time authentication process on the second code module based on the determined identity or type of the first code module.
  - 4. The method of claim 1, wherein the cryptographic hash value is computed using Message Digest #5 (MD-5).
  - 5. The method of claim 1, wherein the cryptographic hash value is computed using a Secure Hash Algorithm (SHA).
  - 6. The method of claim 1, wherein said monitoring a set of events occurring within one or more of a file system accessible by the computer system and the operating system comprises monitoring operating system process creation or module load activity.
  - 7. The method of claim 6, wherein said monitoring operating system process creation or module load activity comprises an operating system module load activity monitor intercepting module load activity by running processes within the computer system by hooking to an application programming interface (API) call of the operating system and temporarily turning control over to the kernel mode driver.
  - 8. The method of claim 1, further comprising:
    - when the second code module cannot be affirmatively authenticated with reference to the MRU cache, then determining whether the code module is authorized to execute by calculating a cryptographic hash value of the second code module and causing the cryptographic hash value to be compared with one or more cryptographic hash in the local whitelist database; and
      
      when the second code module cannot be affirmatively authenticated with reference to the local whitelist database, then determining whether the second code module is authorized to execute by causing the cryptographic hash value to be compared with one or more cryptographic hash values in the global whitelist database.
  - 9. The method of claim 1, wherein the second code module comprises a script file.

10. A non-transitory program storage device readable by a computer system, embodying a program of instructions executable by one or more computer processors of the computer system to perform a method for authenticating dependent code modules requested to be loaded by active processes running on the computer system, the method comprising:
- monitoring, by a kernel mode driver of an operating system of the computer system, a set of events occurring within one or more of a file system accessible by the computer system and the operating system;
  
  in connection with said monitoring, responsive to observation, by the kernel mode driver, of an event of the set of events performed by or initiated by an active process running on the computer system, wherein the active process corresponds to a first code module stored within the file system and the event relates to a second code module stored within the file system, performing or bypassing a real-time authentication process on the second code module with reference to a multi-level whitelist database architecture to determine whether to allow the second code module to be loaded into a random access memory (RAM) of the computer system, the multi-level whitelist database architecture including (i) a global whitelist database hosted by a trusted third-party service provider containing cryptographic hash values of approved code modules, which have been identified by multiple sources as not containing viruses or malicious code, (ii) a local whitelist database stored local to the computer system and created based on the global whitelist and (iii) a most recently used (MRU) cache maintained within the RAM and containing entries corresponding to code modules that have previously been authenticated by the real-time authentication process, the entries each including a run option indicative of whether the corresponding code module was previously affirmatively authenticated by the real-time authentication process;
  
  allowing, by the kernel mode driver, the active process to load the second code module into the RAM (i) when the real-time authentication process is bypassed or (ii) when the real-time authentication process is performed and results in an affirmative determination; and
  
  preventing, by the kernel mode driver, the active process from loading the second code module into the RAM when the real-time authentication process is performed and results in a negative determination.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The non-transitory program storage device of claim 10, wherein the second code module comprises one or more of an executable code module, a dynamically-linked library file, a Java applet, and a JavaScript.
  - 12. The non-transitory program storage device of claim 10, wherein the method further comprises:
    - determining, by the kernel mode driver, an identity or type of the first code module; and
      
      selectively performing the real-time authentication process on the second code module based on the determined identity or type of the first code module.
  - 13. The non-transitory program storage device of claim 10, wherein the cryptographic hash value is computed using Message Digest #5 (MD-5).
  - 14. The non-transitory program storage device of claim 10, wherein the cryptographic hash value is computed using a Secure Hash Algorithm (SHA).
  - 15. The non-transitory program storage device of claim 10, wherein said monitoring a set of events occurring within one or more of a file system accessible by the computer system and the operating system comprises monitoring operating system process creation or module load activity.
  - 16. The non-transitory program storage device of claim 15, wherein said monitoring operating system process creation or module load activity comprises an operating system module load activity monitor intercepting module load activity by running processes within the computer system by hooking to an application programming interface (API) call of the operating system and temporarily turning control over to the kernel mode driver.
  - 17. The non-transitory program storage device of claim 10, wherein the method further comprises:
    - when the second code module cannot be affirmatively authenticated with reference to the MRU cache, then determining whether the code module is authorized to execute by calculating a cryptographic hash value of the second code module and causing the cryptographic hash value to be compared with one or more cryptographic hash in the local whitelist database; and
      
      when the second code module cannot be affirmatively authenticated with reference to the local whitelist database, then determining whether the second code module is authorized to execute by causing the cryptographic hash value to be compared with one or more cryptographic hash values in the global whitelist database.
  - 18. The non-transitory program storage device of claim 10, wherein the second code module comprises a script file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Fanton, Andrew F., Gandee, John J., Lutton, William H., Harper, Edwin L., Godwin, Kurt E., Rozga, Anthony A.
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US14/981,262
Publication Number

US 20160132675A1
Time in Patent Office

715 Days
Field of Search

713150, 713164-165, 726 9, 726 18, 726 16, 726 22- 27, 709224-225
US Class Current
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/44   Program or device authentic...

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

G06F 2221/033   Test or assess software

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/445   Program loading or initiati...

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/145   the attack involving the pr...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/32   including means for verifyi...

H04L 9/3239   involving non-keyed hash fu...

Y10S 707/99934   Query formulation, input pr...

Y10S 707/99943   Generating database or data...

Y10S 707/99944   Object-oriented database st...

Secure system for allowing the execution of authorized computer program code

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Secure system for allowing the execution of authorized computer program code

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links