System and method for protecting a client during runtime from hostile downloadables

DC CAFC

US 6,480,962 B1
Filed: 04/18/2000
Issued: 11/12/2002
Est. Priority Date: 11/08/1996
Status: Expired due to Term

- Alert
- Pin

Associated Case

Associated Defendants

First Claim

Patent Images

1. A computer-based method, comprising:

monitoring substantially in parallel a plurality of subsystems of the operating system during runtime for an event caused from a request made by a Downloadable;

interrupting processing of the request;

comparing information pertaining to the Downloadable against a predetermined security policy; and

performing a predetermined responsive action based on the comparison.

View all claims

5 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Reexaminations

Accused Products

Abstract

A system protects a client from hostile Downloadables. The system includes security rules defining suspicious actions and security policies defining the appropriate responsive actions to rule violations. The system includes an interface for receiving incoming Downloadable and requests made by the Downloadable. The system still further includes a comparator coupled to the interface for examining the Downloadable, requests made by the Downloadable and runtime events to determine whether a security policy has been violated, and a response engine coupled to the comparator for performing a violation-based responsive action.

226 Citations

51 Claims

1. A computer-based method, comprising:
- monitoring substantially in parallel a plurality of subsystems of the operating system during runtime for an event caused from a request made by a Downloadable;
  
  interrupting processing of the request;
  
  comparing information pertaining to the Downloadable against a predetermined security policy; and
  
  performing a predetermined responsive action based on the comparison.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 44)
- - 2. The method of claim 1, wherein monitoring the operating system includes monitoring a request sent to a Downloadable engine.
  - 3. The method of claim 2,
4. The method of claim 2,wherein the Downloadable engine includes an AppletX™
- platform having a message engine, a dynamic-data-exchange and a dynamically-linked library; and
  
  wherein monitoring the operating system includes monitoring the message engine, the dynamic-data-exchange and the dynamically-linked library for receipt of the request.
5. The method of claim 1, further comprising determining whether information pertaining to the Downloadable violates a security rule.
6. The method of claim 5, further comprising determining whether violation of the security rule violates the security policy.
7. The method of claim 1, further comprising:
- comparing information pertaining to the Downloadable with information pertaining to a predetermined suspicious Downloadable; and
  
  performing a predetermined responsive action based on the comparison with the information pertaining to the predetermined suspicious Downloadable.
8. The method of claim 1, wherein the predetermined responsive action includes storing results of the comparison in an event log.
9. The method of claim 1, wherein the predetermined responsive action includes informing the user when the security policy has been violated.
10. The method of claim 1, wherein the predetermined responsive action includes storing information on the Downloadable in a suspicious Downloadable database.
11. The method of claim 1, wherein the predetermined responsive action includes discarding the Downloadable.
44. The system of claim 1, wherein each subsystem includes one of a file system, network system, process system or memory system.

12. A system, comprising:
- a security policy;
  
  a plurality of operating system interfaces operating substantially in parallel, each interface for recognizing a runtime event in a subsystem of the operating system caused from a request made by a Downloadable;
  
  a first comparator coupled to the interfaces for comparing information pertaining to the received Downloadable with the security policy; and
  
  a response engine coupled to the first comparator for performing a predetermined responsive action based on the comparison with the security policy.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 45)
- - 13. The system of claim 12, wherein the interfaces-include a Java™
    - class extension for monitoring a Java™
      
      class in a Java™
      
      virtual machine for receipt of a request.
  - 14. The system of claim 12, wherein the interfaces include an AppletX™
    - extension for monitoring a message engine, a dynamic-data-exchange and a dynamically-linked library in an AppletX™
      
      environment for receipt of a request.
  - 15. The system of claim 12, further comprising
16. The system of claim 15, wherein the first comparator determines whether violation of the security rule violates the security policy.
17. The system of claim 12, further comprisinga predetermined suspicious Downloadable;
- and a second comparator coupled to the interfaces for comparing information pertaining to the Downloadable with information pertaining to the predetermined suspicious Downloadable;
  
  wherein the response engine is further coupled to the second comparator and performs the responsive action based on the comparison with the information pertaining to the predetermined suspicious Downloadable.
18. The system of claim 12, further comprising an event log coupled to the first comparator for storing results of the comparison.
19. The system of claim 12, further comprising a user interface coupled to the first comparator.
20. The system of claim 12, further comprising a suspicious Downloadable database for storing information on known and previously-deemed suspicious Downloadables.
21. The system of claim 12, wherein the predetermined suspicious action includes discarding the Downloadable.
45. The system of claim 12, wherein each subsystem includes one of a file system, network system, process system or memory system.

22. A system for determining whether a Downloadable, which is received by a Downloadable engine, is suspicious, comprising:
- means for monitoring substantially in parallel a plurality of subsystems of the operating system during runtime for an event caused from a request made by a Downloadable;
  
  means for interrupting processing of the request;
  
  means for comparing information pertaining to the Downloadable against a predetermined security policy; and
  
  means for performing a predetermined responsive action based on the comparison.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 46)
- - 23. The system of claim 22, wherein the means for monitoring the operating system includes means for monitoring a request sent to a Downloadable engine.
  - 24. The system of claim 23,
25. The system of claim 23,wherein the Downloadable engine includes an AppletX™
- platform having a message engine, a dynamic-data-exchange and a dynamically-linked library; and
  
  wherein the means for monitoring the operating system includes means for monitoring the message engine, the dynamic-data-exchange and the dynamically-linked library for receipt of the request.
26. The system of claim 22, further comprising means for determining whether information pertaining to the Downloadable violates a security rule.
27. The system of claim 26, further comprising means for determining whether violation of the security rule violates the security policy.
28. The method of claim 22, further comprising:
- means for comparing information pertaining to the Downloadable with information pertaining to a predetermined suspicious Downloadable; and
  
  means for performing a predetermined responsive action based on the comparison with the information pertaining to the predetermined suspicious Downloadable.
29. The system of claim 22, wherein the predetermined responsive action includes storing results of the comparison in an event log.
30. The system of claim 22, wherein the predetermined responsive action includes informing the user when the security policy has been violated.
31. The system of claim 22, wherein the predetermined responsive action includes storing information on the Downloadable in a suspicious Downloadable database.
32. The system of claim 22, wherein the predetermined responsive action includes discarding the Downloadable.
46. The system of claim 22, wherein each subsystem includes one of a file system, network system, process system or memory system.

33. A computer-readable storage medium storing program code for causing a computer to perform the steps of:
- monitoring substantially in parallel a plurality of subsystems of the operating system during runtime for an event caused from a request made by a Downloadable;
  
  interrupting processing of the request;
  
  comparing information pertaining to the Downloadable against a predetermined security policy; and
  
  performing a predetermined responsive action based on the comparison.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 47)
- - 34. The medium of claim 33, wherein monitoring the operating system includes monitoring a request sent to a Downloadable engine.
  - 35. The medium of claim 33,
36. The medium of claim 35,wherein the Downloadable engine includes an AppletX™
- platform having a message engine, a dynamic-data-exchange and a dynamically-linked library; and
  
  wherein monitoring the operating system includes monitoring the message engine, the dynamic-data-exchange and the dynamically-linked library for receipt of the request.
37. The medium of claim 33, further comprising determining whether information pertaining to the Downloadable violates a security rule.
38. The medium of claim 37, further comprising determining whether violation of the security rule violates the security policy.
39. The medium of claim 33, further comprising:
- comparing information pertaining to the Downloadable with information pertaining to a predetermined suspicious Downloadable; and
  
  performing a predetermined responsive action based on the comparison with the information pertaining to the predetermined suspicious Downloadable.
40. The medium of claim 33, wherein the predetermined responsive action includes storing results of the comparison in an event log.
41. The medium of claim 33, wherein the predetermined responsive action includes informing the user when the security policy has been violated.
42. The medium of claim 33, wherein the predetermined responsive action includes storing information on the Downloadable in a suspicious Downloadable database.
43. The medium of claim 33, wherein the predetermined responsive action includes discarding the Downloadable.
47. The system of claim 33, wherein each subsystem includes one of a file system, network system, process system or memory system.

48. A method, comprising:
- intercepting, by an operating system probe associated with an operating system function, an operating system call being issued by a downloadable to an operating system and associated with the operating system function;
  
  comparing, by a runtime environment monitor, the operating system call against a predetermined security policy before allowing the operating system to process the operating system call;
  
  blocking, by a response engine, operating system calls that are forbidden according to the security policy; and
  
  allowing, by the response engine, operating system calls that are permitted according to the security policy.
- View Dependent Claims (49)
- - 49. The method of claim 48, wherein the Downloadable is one of a Java component, an ActiveX control, executable code, or interpretable code.

50. A system, comprising:
- an operating system probe associated with an operating system function for intercepting an operating system call being issued by a downloadable to an operating system and associated with the operating system function;
  
  a runtime environment monitor for comparing the operating system call against a predetermined security policy before allowing the operating system to process the operating system call; and
  
  a response engine for blocking operating system calls that are forbidden according to the security policy, and for allowing operating system calls that are permitted according to the security policy.
- View Dependent Claims (51)
- - 51. The system of claim 50, wherein the Downloadable is one of a Java component, an ActiveX control, executable code, or interpretable code.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Finjan Holdings, Inc. (SoftBank Group Corp.)
Original Assignee
Finjan Software Limited (SoftBank Group Corp.)
Inventors
Touboul, Shlomo
Primary Examiner(s)
LE, DIEU MINH T

Application Number

US09/551,302
Time in Patent Office

938 Days
Field of Search

713/200, 713/201, 713/202, 714/38, 714/704, 709/225, 709/229
US Class Current

726/22
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/53   by executing in a restricte...

G06F 2211/009   Trust

G06F 2221/2119   Authenticating web pages, e...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/145   the attack involving the pr...

System and method for protecting a client during runtime from hostile downloadables

First Claim

5 Assignments

Litigations

0 Petitions

Reexaminations

Accused Products

Abstract

226 Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for protecting a client during runtime from hostile downloadables

First Claim

5 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Reexaminations

Accused Products

Subscription Required

Abstract

226 Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links