Sensor for detecting and eliminating inter-process memory breaches in multitasking operating systems
First Claim
1. A security method for detecting malicious inter-process memory breaches in a computer using a multi-tasking operating system and having a memory divisible into memory spaces with the memory including a plurality of shared code resource (SCR) stacks, each stack including a plurality of SCRs that while being executed for carrying out the various demands of a plurality of program processes, during computer operation, are organized in specific chain-like structures with specific behaviors and with boundaries between memory spaces for said program processes but with a common physical memory space for a SCR stack, said computer, when carrying out a program process, having the capability of extending an SCR stack by at least one of adding and replacing at least one SCR to the organized chain-like structure of the SCR stack and modifying the SCR stack's behavior, said security method comprising the steps of:
(a) creating and storing a knowledge base that is comprised of structure and/or behavior information of each SCR stack during its execution in the memory of the computer;
(b) selecting for continuous monitoring an SCR stack which is being activated and executed by the computer operating system;
(c) implanting a dedicated SCR within said selected and activated SCR stack;
(d) monitoring said selected and activated SCR stack while it is being executed in memory via said dedicated SCR implanted in said selected and activated SCR stack to determine at least one of its structure and behavior;
(e) generating a report by said dedicated SCR in said selected and activated SCR stack while said selected and activated SCR stack is activated and executing, said report being indicative of at least one of the structure and behavior of said selected and activated SCR stack;
(f) transmitting said report for comparison with said stored knowledge base;
(g) comparing the indications of said transmitted report with said knowledge base;
(h) ceasing the activity and execution of said selected and activated SCR stack responsive to any non-matching detected between the indications of said report and said knowledge base to stop any hostile activity resulting in violation of the authenticity, structure and/or behavior of said SCR stack; and
(i) issuing an alert indicative of the hostile activity responsive to ceasing the activity and execution of said selected and activated SCR stack according to step (h).
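As an added illustration of steps (a) through (i), not code from the patent or from any product, the following Python model records a known-good SCR chain as the knowledge base, accepts the report an implanted probe SCR would produce, and lets the sensor decide whether to cease the stack and alert. All stack names, SCR names and digests are constructed; the model covers chain structure (membership, integrity, order) only, not run-time behavior.

```python
import hashlib
from dataclasses import dataclass


def digest(code: bytes) -> str:
    """Integrity digest of an SCR image; stands in for the probe's own check."""
    return hashlib.sha256(code).hexdigest()


# Step (a): knowledge base recorded from a trusted run. Constructed sample
# data: one hook-style SCR chain with three SCRs in a fixed order.
KNOWLEDGE_BASE = {
    "keyboard_hook_chain": [
        ("kbd_input.dll", digest(b"trusted keyboard input SCR")),
        ("ime_filter.dll", digest(b"trusted IME filter SCR")),
        ("app_handler.dll", digest(b"trusted application handler SCR")),
    ],
}


@dataclass
class ProbeReport:
    """Step (e): what the dedicated SCR reports about the chain it sits in."""
    stack: str
    chain: list  # ordered (scr_name, digest) pairs as observed in memory


def compare(report: ProbeReport, kb=KNOWLEDGE_BASE) -> list:
    """Steps (f)/(g): list every deviation from the recorded structure."""
    expected = kb.get(report.stack)
    if expected is None:
        return [f"unknown stack {report.stack!r}"]
    exp_names = [name for name, _ in expected]
    obs_names = [name for name, _ in report.chain]
    exp_digests = dict(expected)
    findings = []
    for name, d in report.chain:               # added or replaced SCRs
        if name not in exp_digests:
            findings.append(f"inserted SCR {name!r}")
        elif exp_digests[name] != d:
            findings.append(f"replaced/modified SCR {name!r}")
    for name in exp_names:                     # SCRs unhooked from the chain
        if name not in obs_names:
            findings.append(f"missing SCR {name!r}")
    if not findings and obs_names != exp_names:  # same members, new order
        findings.append("SCR order changed")
    return findings


def sensor(report: ProbeReport, kb=KNOWLEDGE_BASE) -> dict:
    """Steps (h)/(i): any non-match ceases the stack and raises an alert."""
    findings = compare(report, kb)
    return {"cease": bool(findings), "alert": findings}
```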
Abstract
The invention relates to a method for detecting and eliminating SCR breach operations by a second party within the memory space allocated to a first party, in a multi-tasking system, which comprises: (a) pre-recording by the first party within a knowledge base the structure and/or behavior of an SCR stack; (b) implanting within the SCR stack a dedicated SCR for reporting on the structure and/or behavior of said SCR stack when the SCR stack is activated; (c) when the SCR stack is activated, comparing the data reported by the dedicated SCR with the pre-recorded stack structure and/or behavior; (d) whenever non-matching in the structure and/or behavior is found, ceasing the activity of the activated stack, and alerting.
33 Claims
7. A security apparatus for detecting malicious inter-process memory breaches in a computer using a multi-tasking operating system and having a memory divisible into memory spaces with the memory including a plurality of shared code resource (SCR) stacks, each stack including a plurality of SCRs that while being executed for carrying out the various demands of a plurality of program processes, during computer operation, are organized in specific chain-like structures with specific behaviors and with boundaries between memory spaces for said program processes but with a common physical memory space for a SCR stack, said computer, when carrying out a program process, having the capability of extending an SCR stack by at least one of adding and replacing at least one SCR to the organized chain-like structure of the SCR stack and modifying the SCR stack's behavior, said security apparatus comprising:
(a) a knowledge base, accessible to the computer, that is comprised of structure and/or behavior information of each SCR stack during its execution in the memory of the computer;
(b) a probe, executable by the computer, in a form of an SCR that is implanted within a selected and activated SCR stack for monitoring said selected and activated SCR stack while the stack is being executed in memory and for generating a report indicative of at least one of the structure and behavior of said selected and activated SCR stack;
(c) a sensor for receiving said report and for comparing indications relating to at least one of the structure and behavior of said selected and activated SCR stack with said stored knowledge base;
(d) means for ceasing the activity and execution of said selected and activated SCR stack responsive to any non-matching detected between the indications of said report and said knowledge base to stop any hostile activity resulting in violation of the authenticity, structure and/or behavior of said SCR stack; and
(e) means for issuing an alert indicative of the hostile activity responsive to ceasing the activity and execution of said selected and activated SCR stack.
Dependent claims: 8, 9, 10, 11, 12, 13.
14. A non-transitory tangible computer readable medium having stored thereon, computer-executable instructions that, if executed by a computer, cause the computer to perform operations comprising:
implanting a dedicated shared code resource (SCR) within an SCR stack, wherein the SCR stack is configured to be executable by the computer, wherein the SCR stack comprises one or more SCRs, and wherein the SCR stack has an associated structure and an associated behavior; and
upon the computer activating the dedicated SCR, comparing at least one member selected from the group consisting of structure of the SCR stack and behavior of the SCR stack with information of the SCR stack stored in a knowledge base.
Dependent claims: 15, 16, 17, 18, 19, 20, 21.
22. A security apparatus comprising:
a knowledge base, encoded in memory accessible to a computer, comprising at least one of structure and behavior information of a shared code resource (SCR) stack, wherein the SCR stack comprises one or more SCRs;
a probe, executable by the computer, implanted within the SCR stack for reporting at least one information of the SCR stack selected from the group consisting of structure information and behavior information when the SCR stack is activated; and
a comparing unit for comparing the information reported by the probe with the information recorded in the knowledge base.
Dependent claims: 23, 24, 25, 26, 27, 28.
29. A system comprising:
means, including a non-transitory tangible computer readable medium having computer executable instructions stored thereon, for reporting at least one information of a shared code resource (SCR) stack selected from the group consisting of structure information and behavior information when the SCR stack is activated; and
means for comparing the reported information with at least one information of the SCR stack stored in a knowledge base selected from the group consisting of structure information and behavior information, wherein the means for comparing include means for implanting a dedicated SCR within the SCR stack.
Dependent claims: 30, 31, 32, 33.