AUTOMATICALLY PROTECTING COMPUTER SYSTEMS FROM ATTACKS THAT EXPLOIT SECURITY VULNERABILITIES

US 20100257610A1
Filed: 07/31/2007
Published: 10/07/2010
Est. Priority Date: 07/31/2007
Status: Active Grant

First Claim

Patent Images

1-13. -13. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first method for automatically protecting a computer system from attacks that exploit security vulnerabilities detects requests for execution of code portions, determines vulnerabilities of a code portion for which an execution request is detected, evaluates whether or not the execution of the code portion shall be prevented in a case at least one vulnerability concerning the code portion is determined, and prevents execution of the code portion if determined to do so in the evaluation. A second method for automatically protecting a computer system from attacks that exploit security vulnerabilities detects code portions which are currently executed, determines vulnerabilities of a code portion that is currently executed, evaluates whether or not the execution of the code portion shall be aborted in a case at least one vulnerability concerning the code portion is determined, and aborts execution of the code portion if determined to do so in the evaluation.

60 Citations

View as Search Results

36 Claims

1-13. -13. (canceled)

14. A method for automatically protecting a computer system from attacks that exploit security vulnerabilities, comprising:
- detecting requests for execution of code portions;
  
  determining vulnerabilities of a code portion for which an execution request is detected;
  
  evaluating whether or not the execution of the code portion shall be prevented in a case at least one vulnerability concerning the code portion is determined; and
  
  preventing the execution of the code portion if determined to do so in the evaluating.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. A method according to claim 14, whereinsaid code portion is a procedure external to a requesting code module issuing said request for execution, said method, in a case the execution of said code portion is prevented, and further comprising:
    - executing in place of said prevented code portion a shortcut procedure that ensures that said requesting code module can continue.
  - 16. A method according to claim 14, whereinsaid vulnerabilities are known vulnerabilities.
  - 17. A method according to claim 14, whereinfor each code portion there is an associated code portion identifier, andthe determining vulnerabilities of a code portion is based on querying a database that holds associations of vulnerabilities with code portion identifiers,wherein a vulnerability is determined to be a vulnerability of the code portion when the database holds an association of the vulnerability with the code portion identifier of the code portion.
  - 18. A method according to claim 17, further comprising:
    - a secure history determination providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of an oldest vulnerability of the code portion, whereinthe evaluating is based on the secure history determination result.
  - 19. A method according to claim 17, wherein one or more parameter test procedures are defined, wherebyeach parameter test procedure of the one or more parameter test procedures is specific to a different one of said vulnerabilities and provides a result value when executed that indicates if a parameter set used to call the code portion exploits this vulnerability or not, andwhereinthe evaluating is based on one or more of said result values of the one or more parameter test procedures.
  - 20. A method according to claim 19, further comprising:
    - a secure history determination providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of a first vulnerability of the code portion, whereinthe evaluating is based on the secure history determination result.
  - 21. A method according to claim 20, whereinsaid first vulnerability is an oldest vulnerability of the code portion without a parameter test procedure.
  - 22. A method according to claim 18, further comprising:
    - storing, whenever a code portion is executed, an identifier of the executed code portion together with a parameter set used to call the executed code portion and a time stamp, whereby the parameter set is stored based on a secure hash in a case the parameter set is determined to require too large an amount of storage capacity.
  - 23. A method according to claim 14, further comprising:
    - determining which fixes need to be applied to allow for a secure execution of a code portion of which the execution is prevented or aborted; and
      
      telling a user said fixes and/or applying said fixes.
  - 24. A method according to claim 14, further comprising:
    - determining what other code portion might be used instead of the one of which the execution was prevented or aborted; and
      
      telling a user said other code portion.
  - 25. A computer software product which, when executed on a processing device, is adapted to perform the method according to claim 14.

26. A method for automatically protecting a computer system from attacks that exploit security vulnerabilities, comprising:
- detecting code portions that are currently executed;
  
  determining vulnerabilities of a code portion that is currently executed;
  
  evaluating whether or not the execution of the code portion shall be aborted in a case at least one vulnerability concerning the code portion is determined; and
  
  aborting the execution of the code portion if determined to do so in the evaluating.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 27. A method according to claim 26, whereinsaid vulnerabilities are known vulnerabilities.
  - 28. A method according to claim 26, whereinfor each code portion there is an associated code portion identifier, andthe determining vulnerabilities of a code portion is based on querying a database that holds associations of vulnerabilities with code portion identifiers,wherein a vulnerability is determined to be a vulnerability of the code portion when the database holds an association of the vulnerability with the code portion identifier of the code portion.
  - 29. A method according to claim 28, further comprising:
    - a secure history determination providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of the oldest vulnerability of the code portion, whereinthe evaluating is based on the secure history determination result.
  - 30. A method according to claim 28, wherein one or more parameter test procedures are defined, wherebyeach parameter test procedure of the one or more parameter test procedures is specific to a different one of said vulnerabilities and provides a result value when executed that indicates if a parameter set used to call the code portion exploits this vulnerability or not, andwhereinthe evaluating is based on one or more of said result values of the one or more parameter test procedures.
  - 31. A method according to claim 30, further comprisinga secure history determination providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of a first vulnerability of the code portion, whereinthe evaluating is based on the secure history determination result.
  - 32. A method according to claim 31, whereinsaid first vulnerability is an oldest vulnerability of the code portion without a parameter test procedure.
  - 33. A method according to claim 29, further comprising:
    - storing, whenever a code portion is executed, an identifier of the executed code portion together with a parameter set used to call the executed code portion and a time stamp, whereby the parameter set is stored based on a secure hash in a case the parameter set is determined to require too large an amount of storage capacity.
  - 34. A method according to claim 26, further comprising:
    - determining which fixes need to be applied to allow for a secure execution of a code portion of which the execution is prevented or aborted; and
      
      telling a user said fixes and/or applying said fixes.
  - 35. A method according to claim 26, further comprising:
    - determining what other code portion might be used instead of the one of which the execution was prevented or aborted; and
      
      telling a user said other code portion.
  - 36. A computer software product which, when executed on a processing device, is adapted to perform the method according to claim 26.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sony Corporation (Sony Group Corp.)
Original Assignee
Sony Corporation (Sony Group Corp.)
Inventors
Hohl, Fritz

Granted Patent

US 8,732,839 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

AUTOMATICALLY PROTECTING COMPUTER SYSTEMS FROM ATTACKS THAT EXPLOIT SECURITY VULNERABILITIES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

60 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATICALLY PROTECTING COMPUTER SYSTEMS FROM ATTACKS THAT EXPLOIT SECURITY VULNERABILITIES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links