Secure system for allowing the execution of authorized computer program code
First Claim
1. A method of allowing authorized code to execute on a computer system, the method comprising:
intercepting, by a kernel-level driver within the computer system, a request to create a process associated with a code module;
determining, by the kernel-level driver, if the request is authorized by authenticating the request with reference to a multi-level whitelist database architecture, the multi-level whitelist database architecture including (i) a global whitelist database hosted by a trusted third party service provider, (ii) a local whitelist database created based on the global whitelist, and (iii) an in-memory code module cache containing entries corresponding to code modules that have previously been authenticated with reference to the global whitelist database or the local whitelist database, the entries including information regarding whether the corresponding code module has been altered since it was previously authenticated and information regarding whether the corresponding code module was previously affirmatively authenticated; and
allowing, by the kernel-level driver, the code module to be loaded and executed by granting the request if the request is authorized.
Abstract
Systems and methods are described for allowing the execution of authorized computer program code and for protecting computer systems and networks from unauthorized code execution. In one embodiment, a multi-level proactive whitelist approach is employed to secure a computer system by allowing only the execution of authorized computer program code thereby protecting the computer system against the execution of malicious code such as viruses, Trojan horses, spy-ware, and/or the like. Various embodiments use a kernel-level driver, which intercepts or “hooks” certain system Application Programming Interface (API) calls in order to monitor the creation of processes prior to code execution. The kernel-level driver may also intercept and monitor the loading of code modules by running processes, and the passing of non-executable code modules, such as script files, to approved or running code modules via command line options, for example. Once intercepted, a multi-level whitelist approach may be used to authorize the code execution.
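The authorization flow the abstract and claim 1 describe, as an added example that is not the patent's own kernel driver or code: a user-space Python simulation of the three-level lookup (an in-memory cache whose entries record whether the module was altered since it was authenticated and whether that authentication was affirmative, a local whitelist built from global hits, and a remote global whitelist of approved hashes as in claims 8 and 23), plus the script-passed-on-the-command-line case the abstract mentions. SHA-256 as the hash, the size/mtime alteration check, the fail-closed handling when the remote service is unreachable, and the sample files are assumptions made for this illustration.

```python
# Added example: user-space simulation of the multi-level whitelist lookup in the
# abstract and claim 1. Not the patent's kernel driver; SHA-256, the size/mtime
# alteration check, fail-closed remote handling and the sample files are assumptions.
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class CacheEntry:
    """In-memory code module cache entry (claim 1, element iii)."""
    digest: str        # hash at the time of the last authentication
    size: int          # size and mtime are compared to detect alteration since then
    mtime_ns: int
    affirmative: bool  # True if a whitelist matched, False if the lookup found nothing


class RemoteUnavailable(Exception):
    """Raised when the trusted provider's global whitelist cannot be reached."""


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class WhitelistAuthorizer:
    def __init__(self, global_lookup, local_db=None):
        # global_lookup(digest) -> bool stands in for the remote service and may
        # raise RemoteUnavailable; the local whitelist is seeded from global hits.
        self.global_lookup = global_lookup
        self.local_db = set(local_db or ())
        self.cache = {}

    def authorize(self, path):
        """Return (decision, source) with source in cache, local, global, none, unavailable."""
        st = os.stat(path)
        entry = self.cache.get(path)
        if entry is not None:
            if (entry.size, entry.mtime_ns) == (st.st_size, st.st_mtime_ns):
                return ("allow" if entry.affirmative else "deny", "cache")
            del self.cache[path]  # altered since last authentication: re-authenticate
        digest = sha256_file(path)
        if digest in self.local_db:
            self._remember(path, st, digest, True)
            return ("allow", "local")
        try:
            found = self.global_lookup(digest)
        except RemoteUnavailable:
            return ("deny", "unavailable")  # fail closed; cache no unconfirmed negative
        if found:
            self.local_db.add(digest)  # the local whitelist grows from global hits
            self._remember(path, st, digest, True)
            return ("allow", "global")
        self._remember(path, st, digest, False)
        return ("deny", "none")

    def _remember(self, path, st, digest, affirmative):
        self.cache[path] = CacheEntry(digest, st.st_size, st.st_mtime_ns, affirmative)

    def authorize_command(self, argv):
        """Check the executable and every argument that names an existing file,
        the script-passed-via-command-line case in the abstract."""
        results = [self.authorize(argv[0])]
        results += [self.authorize(a) for a in argv[1:] if os.path.isfile(a)]
        decision = "allow" if all(r[0] == "allow" for r in results) else "deny"
        return decision, results


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def run_demo():
    """Constructed scenario (not real binaries): approved, unknown and altered modules."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "approved.exe")
        unknown = os.path.join(d, "unknown.exe")
        script = os.path.join(d, "job.ps1")
        _write(approved, b"MZ approved build 1")
        _write(unknown, b"MZ unknown build")
        _write(script, b"Write-Host 'job'")
        global_db = {sha256_file(approved), sha256_file(script)}
        calls = []

        def global_lookup(digest):  # stand-in for the provider's remote service
            calls.append(digest)
            return digest in global_db

        auth = WhitelistAuthorizer(global_lookup)
        out = {}
        out["first"] = auth.authorize(approved)          # remote hit
        out["second"] = auth.authorize(approved)         # served from the cache
        out["unknown"] = auth.authorize(unknown)         # remote miss
        out["unknown_again"] = auth.authorize(unknown)   # negative cache entry
        out["command"] = auth.authorize_command([approved, "-File", script])
        _write(approved, b"MZ approved build 1 + injected code")  # module altered
        out["altered"] = auth.authorize(approved)        # cache invalidated, re-checked
        out["global_calls"] = len(calls)

        def offline(digest):
            raise RemoteUnavailable()

        # a host that only has the local whitelist built from earlier global hits
        offline_auth = WhitelistAuthorizer(offline, local_db=auth.local_db)
        out["offline_local"] = offline_auth.authorize(script)
        out["offline_unknown"] = offline_auth.authorize(unknown)
        return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The size/mtime comparison is only a cheap proxy for "altered since authenticated": an attacker who overwrites a module in place and restores its timestamp defeats it, so a real kernel driver would invalidate the entry on any write or rename to the file rather than trust metadata. The negative cache entry is what keeps a repeatedly launched unknown binary from hammering the remote service, and the fail-closed branch deliberately caches nothing, so the module is re-checked once the provider is reachable again.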
46 Claims
1. A method of allowing authorized code to execute on a computer system, the method comprising:
intercepting, by a kernel-level driver within the computer system, a request to create a process associated with a code module;
determining, by the kernel-level driver, if the request is authorized by authenticating the request with reference to a multi-level whitelist database architecture, the multi-level whitelist database architecture including (i) a global whitelist database hosted by a trusted third party service provider, (ii) a local whitelist database created based on the global whitelist, and (iii) an in-memory code module cache containing entries corresponding to code modules that have previously been authenticated with reference to the global whitelist database or the local whitelist database, the entries including information regarding whether the corresponding code module has been altered since it was previously authenticated and information regarding whether the corresponding code module was previously affirmatively authenticated; and
allowing, by the kernel-level driver, the code module to be loaded and executed by granting the request if the request is authorized.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method of allowing authorized code to execute on a computer system, the method comprising:
intercepting, by a kernel driver of the computer system, a request to create a process associated with a code module;
determining, by the kernel driver, whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated with reference to a whitelist database remote from the computer system and maintained by a trusted service provider, the remote whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code;
allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the remote whitelist database; and
wherein the kernel driver is implemented in one or more processors and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the kernel driver that are executable by the one or more processors.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22.
23. A code execution authorization system comprising:
a kernel driver of a computer system implemented in one or more computer processors of the computer system and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the kernel driver that are executable by the one or more computer processors, the kernel driver operable to perform a method of allowing authorized code to execute on the computer system comprising:
intercepting a request to create a process associated with a code module;
determining whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated with reference to a global whitelist database hosted by a trusted service provider, the global whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code; and
allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the global whitelist database.
Dependent claims: 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36.
37. A program storage device readable by a computer system, tangibly embodying a program of instructions executable by one or more computer processors of the computer system to perform method steps for allowing authorized code to execute on the computer system comprising:
intercepting a request to create a process associated with a code module;
determining whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated with reference to a whitelist database remote from the computer system and maintained by a trusted service provider, the remote whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code; and
allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the remote whitelist database.
Dependent claims: 38, 39, 40, 41, 42, 43, 44, 45, 46.
Specification