Secure system for allowing the execution of authorized computer program code

US 7,698,744 B2
Filed: 12/05/2005
Issued: 04/13/2010
Est. Priority Date: 12/03/2004
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method of allowing authorized code to execute on a computer system, the method comprising:

intercepting, by a kernel-level driver within the computer system, a request to create a process associated with a code module;

determining, by the kernel-level driver, if the request is authorized by authenticating the request with reference to a multi-level whitelist database architecture, the multi-level whitelist database architecture including (i) a global whitelist database hosted by a trusted third party service provider (ii) a local whitelist database created based on the global whitelist and (iii) an in-memory code module cache containing entries corresponding to code modules that have previously been authenticated with reference to the global whitelist database or the local whitelist database, the entries including information regarding whether the corresponding code module has been altered since it was previously authenticated and information regarding whether the corresponding code module was previously affirmatively authenticated;

allowing, by the kernel-level driver, the code module to be loaded and executed by granting the request if the request is authorized.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Reexamination

Accused Products

Abstract

Systems and methods are described for allowing the execution of authorized computer program code and for protecting computer systems and networks from unauthorized code execution. In one embodiment, a multi-level proactive whitelist approach is employed to secure a computer system by allowing only the execution of authorized computer program code thereby protecting the computer system against the execution of malicious code such as viruses, Trojan horses, spy-ware, and/or the like. Various embodiments use a kernel-level driver, which intercepts or “hooks” certain system Application Programming Interface (API) calls in order to monitor the creation of processes prior to code execution. The kernel-level driver may also intercept and monitor the loading of code modules by running processes, and the passing of non-executable code modules, such as script files, to approved or running code modules via command line options, for example. Once intercepted, a multi-level whitelist approach may be used to authorize the code execution.

224 Citations

46 Claims

1. A method of allowing authorized code to execute on a computer system, the method comprising:
- intercepting, by a kernel-level driver within the computer system, a request to create a process associated with a code module;
  
  determining, by the kernel-level driver, if the request is authorized by authenticating the request with reference to a multi-level whitelist database architecture, the multi-level whitelist database architecture including (i) a global whitelist database hosted by a trusted third party service provider (ii) a local whitelist database created based on the global whitelist and (iii) an in-memory code module cache containing entries corresponding to code modules that have previously been authenticated with reference to the global whitelist database or the local whitelist database, the entries including information regarding whether the corresponding code module has been altered since it was previously authenticated and information regarding whether the corresponding code module was previously affirmatively authenticated;
  
  allowing, by the kernel-level driver, the code module to be loaded and executed by granting the request if the request is authorized.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the computer system is a server.
  - 3. The method of claim 1, wherein the request is originated by a client system.
  - 4. The method of claim 1, wherein the code module is associated with one or more boot processes of the computer system.
  - 5. The method of claim 1, the method further comprising:
    - if the request cannot be authenticated with reference to the in-memory code module cache, then determining if the code module is authorized to execute by causing a content authenticator associated with the code module to be compared with one or more entries in the local whitelist database; and
      
      if the request cannot be authenticated with reference to the local whitelist database, then determining if the code module is authorized to execute by causing the content authenticator to be compared with one or more entries in the global whitelist database.
  - 6. The method of claim 1, the method further comprising:
    - performing an inventory of a mass storage device associated with the computer system to determine installed code modules;
      
      associating with each code module a content authenticator, and recording each content authenticator in the local whitelist database.
  - 7. The method of claim 1, the method further comprising recording, in a software activity database, information associated with the execution and utilization of code modules.

8. A method of allowing authorized code to execute on a computer system, the method comprising:
- intercepting, by a kernel driver of the computer system, a request to create a process associated with a code module;
  
  determining, by the kernel driver, whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated with reference to a whitelist database remote from the computer system and maintained by a trusted service provider, the remote whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code;
  
  allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the remote whitelist database; and
  
  wherein the kernel driver is implemented in one or more processors and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the kernel driver that are executable by the one or more processors.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 9. The method of claim 8, wherein the remote whitelist database represents a part of a multi-level whitelist architecture including one or more most recently used (MRU) caches local to the computer system and one or more whitelist databases local to the computer system.
  - 10. The method of claim 8, wherein the code module comprises an executable object.
  - 11. The method of claim 8, wherein the code module comprises a file system object.
  - 12. The method of claim 8, wherein the code module comprises a script file.
  - 13. The method of claim 8, wherein the approved code modules include code modules associated with common operating system software, operating system services, and common utilities, including word processors and internet browsers.
  - 14. The method of claim 8, wherein the approved code modules are identified by multiple sources.
  - 15. The method of claim 8, further comprising:
    - providing a local whitelist database maintained by an information technology (IT) administrator; and
      
      consulting, by the kernel driver, the local whitelist database before or after authenticating the cryptographic hash value with reference to the remote whitelist database;
      
      whereby the IT administrator has the ability to tailor the local whitelist to allow or disallow particular code modules from running on the computer system.
  - 16. The method of claim 8, wherein said intercepting, by the kernel driver of the computer system, a request to create a process associated with a code module comprises the kernel driver monitoring operating system process creation or module load activity.
  - 17. The method of claim 8, wherein said intercepting, by the kernel driver of the computer system, a request to create a process associated with a code module comprises the kernel driver hooking low-level operating system application programming interfaces (APIs) to intercept one or more operating system operations of interest including one or more of process creation, module loading, and file system input/output activity.
  - 18. The method of claim 8, wherein said intercepting, by the kernel driver of the computer system, a request to create a process associated with a code module comprises an operating system process creation activity monitor intercepting new process creation activity within the computer system by hooking to a Windows CreateSection API call and temporarily turning control over to the kernel driver.
  - 19. The method of claim 8, wherein said intercepting, by the kernel driver of the computer system, a request to create a process associated with a code module occurs during boot processing of the computer system.
  - 20. The method of claim 8, wherein said intercepting, by the kernel driver of the computer system, a request to create a process associated with a code module occurs during normal system operations of the computer system.
  - 21. The method of claim 10, wherein the cryptographic hash value covers a code segment of the executable object but not a data segment of the executable object.
  - 22. The method of claim 10, wherein the cryptographic hash value covers both a code segment and a data segment of the executable object.

23. A code execution authorization system comprising:
- a kernel driver of a computer system implemented in one or more computer processors of the computer system and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the kernel driver that are executable by the one or more computer processors, the kernel driver operable to perform a method of allowing authorized code to execute on the computer system comprising;
  
  intercepting a request to create a process associated with a code module;
  
  determining whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated with reference to the global whitelist database hosted by a trusted service provider, the global whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code; and
  
  allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the global whitelist database.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 24. The code execution authorization system of claim 23, wherein the global whitelist database represents a part of a multi-level whitelist architecture including one or more most recently used (MRU) caches local to the computer system and one or more whitelists local to the computer system.
  - 25. The code execution authorization system of claim 23, wherein the code module comprises an executable object.
  - 26. The code execution authorization system of claim 23, wherein the code module comprises a file system object.
  - 27. The code execution authorization system of claim 23, wherein the approved code modules include code modules associated with common operating system software, operating system services, and common utilities, including word processors and internet browsers.
  - 28. The code execution authorization system of claim 23, wherein the approved code modules are identified by multiple sources.
  - 29. The code execution authorization system of claim 23, the method further comprising:
    - consulting a local whitelist database before or after authenticating the cryptographic hash value with reference to the global whitelist database, the local whitelist database maintained by an information technology (IT) administrator;
      
      whereby the IT administrator has the ability to tailor the local whitelist to allow or disallow particular code modules from running on the computer system.
  - 30. The code execution authorization system of claim 23, wherein said intercepting a request to create a process associated with a code module comprises monitoring operating system process creation or module load activity.
  - 31. The code execution authorization system of claim 23, wherein said intercepting a request to create a process associated with a code module comprises hooking low-level operating system application programming interfaces (APIs) to intercept one or more operating system operations of interest including one or more of process creation, module loading, and file system input/output activity.
  - 32. The code execution authorization system of claim 23, wherein said intercepting a request to create a process associated with a code module comprises an operating system process creation activity monitor intercepting new process creation activity within the computer system by hooking to a Windows CreateSection API call and temporarily turning control over to the kernel driver.
  - 33. The code execution authorization system of claim 23, wherein said intercepting a request to create a process associated with a code module occurs during boot processing of the computer system.
  - 34. The code execution authorization system of claim 23, wherein said intercepting a request to create a process associated with a code module occurs during normal system operations of the computer system.
  - 35. The code execution authorization system of claim 25, wherein the cryptographic hash value covers a code segment of the executable object, but not a data segment of the executable object.
  - 36. The code execution authorization system of claim 25, wherein the cryptographic hash value covers both a code segment and a data segment of the executable object.

37. A program storage device readable by a computer system, tangibly embodying a program of instructions executable by one or more computer processors of the computer system to perform method steps for allowing authorized code to execute on the computer system comprising:
- intercepting a request to create a process associated with a code module;
  
  determining whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated with reference to a whitelist database remote from the computer system and maintained by a trusted service provider, the remote whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code; and
  
  allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the remote whitelist database.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 38. The program storage device of claim 37, wherein the remote whitelist database represents a part of a multi-level whitelist architecture including one or more most recently used (MRU) caches local to the computer system and one or more whitelists local to the computer system.
  - 39. The program storage device of claim 37, wherein the code module comprises an executable object.
  - 40. The program storage device of claim 37, wherein the code module comprises a file system object.
  - 41. The program storage device of claim 37, wherein the approved code modules include code modules associated with common operating system software, operating system services, and common utilities, including word processors and internet browsers.
  - 42. The program storage device of claim 37, wherein the approved code modules are identified by multiple sources.
  - 43. The program storage device of claim 37, the method further comprising:
    - consulting a local whitelist database before or after authenticating the cryptographic hash value with reference to the global whitelist database, the local whitelist database maintained by an information technology (IT) administrator;
      
      whereby the IT administrator has the ability to tailor the local whitelist to allow or disallow particular code modules from running on the computer system.
  - 44. The program storage device of claim 37, wherein said intercepting a request to create a process associated with a code module comprises hooking low-level operating system application programming interfaces (APIs) to intercept one or more operating system operations of interest including one or more of process creation, module loading and file system input/output activity.
  - 45. The program storage device of claim 37, wherein said intercepting a request to create a process associated with a code module occurs during boot processing of the computer system.
  - 46. The program storage device of claim 39, wherein the cryptographic hash value covers both a code segment and a data segment of the executable object.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Fortinet Inc.
Original Assignee
WhiteCell Software Incorporated
Inventors
Gandee, John J., Godwin, Kurt E., Fanton, Andrew F., Rozga, Anthony A., Lutton, William H., Harper, Edwin L.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
RAHIM, MONJUR

Application Number

US11/296,094
Publication Number

US 20060150256A1
Time in Patent Office

1,590 Days
Field of Search

235/382, 713/200, 713/201, 713/150, 714/724, 707/9, 707/205, 707/200, 715/808, 726/3, 726/24, 726/22, 726/27, 380/270
US Class Current

726/27
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/44   Program or device authentic...

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

G06F 2221/033   Test or assess software

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/445   Program loading or initiati...

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/145   the attack involving the pr...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/32   including means for verifyi...

H04L 9/3239   involving non-keyed hash fu...

Y10S 707/99934   Query formulation, input pr...

Y10S 707/99943   Generating database or data...

Y10S 707/99944   Object-oriented database st...

Secure system for allowing the execution of authorized computer program code

First Claim

2 Assignments

Litigations

0 Petitions

Reexamination

Accused Products

Abstract

224 Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Secure system for allowing the execution of authorized computer program code

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Reexamination

Accused Products

Subscription Required

Abstract

224 Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links