Automatically protecting computer systems from attacks that exploit security vulnerabilities

US 8,732,839 B2
Filed: 07/31/2007
Issued: 05/20/2014
Est. Priority Date: 07/31/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A method for automatically protecting a computer system from attacks that exploit security vulnerabilities, comprising:

detecting requests for execution of code portions;

determining vulnerabilities of a code portion, for which an execution request is detected, providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of an oldest vulnerability of the code portion;

evaluating whether or not the execution of the code portion shall be prevented in a case at least one vulnerability concerning the code portion is determined; and

preventing the execution of the code portion if determined to do so in the evaluating,wherein the evaluating is based on the secure history determination result, wherein one or more parameter test procedures are defined, whereby each parameter test procedure of the one or more parameter test procedures is specific to a different one of said vulnerabilities and provides a result value when executed that indicates if a parameter set used to call the code portion exploits this vulnerability or not, and wherein the evaluating is based on one or more of said result values of the one or more parameter test procedures.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first method for automatically protecting a computer system from attacks that exploit security vulnerabilities detects requests for execution of code portions, determines vulnerabilities of a code portion for which an execution request is detected, evaluates whether or not the execution of the code portion shall be prevented in a case at least one vulnerability concerning the code portion is determined, and prevents execution of the code portion if determined to do so in the evaluation. A second method for automatically protecting a computer system from attacks that exploit security vulnerabilities detects code portions which are currently executed, determines vulnerabilities of a code portion that is currently executed, evaluates whether or not the execution of the code portion shall be aborted in a case at least one vulnerability concerning the code portion is determined, and aborts execution of the code portion if determined to do so in the evaluation.

264 Citations

19 Claims

1. A method for automatically protecting a computer system from attacks that exploit security vulnerabilities, comprising:
- detecting requests for execution of code portions;
  
  determining vulnerabilities of a code portion, for which an execution request is detected, providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of an oldest vulnerability of the code portion;
  
  evaluating whether or not the execution of the code portion shall be prevented in a case at least one vulnerability concerning the code portion is determined; and
  
  preventing the execution of the code portion if determined to do so in the evaluating,wherein the evaluating is based on the secure history determination result, wherein one or more parameter test procedures are defined, whereby each parameter test procedure of the one or more parameter test procedures is specific to a different one of said vulnerabilities and provides a result value when executed that indicates if a parameter set used to call the code portion exploits this vulnerability or not, and wherein the evaluating is based on one or more of said result values of the one or more parameter test procedures.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method according to claim 1, whereinsaid code portion is a procedure external to a requesting code module issuing said request for execution, said method, in a case the execution of said code portion is prevented, further comprising:
    - executing in place of said prevented code portion a shortcut procedure that ensures that said requesting code module can continue.
  - 3. A method according to claim 1, whereinsaid vulnerabilities are known vulnerabilities.
  - 4. A method according to claim 1, further comprising:
    - providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of a first vulnerability of the code portion, wherein the evaluating is based on the secure history determination result.
  - 5. A method according to claim 4, whereinsaid first vulnerability is an oldest vulnerability of the code portion without a parameter test procedure.
  - 6. A method according to claim 1, further comprising:
    - determining which fixes need to be applied to allow for a secure execution of a code portion of which the execution is prevented or aborted; and
      
      presenting a user said fixes and/or applying said fixes.
  - 7. A method according to claim 1, further comprising:
    - determining what other code portion might be used instead of the one of which the execution was prevented or aborted; and
      
      presenting a user said other code portion.
  - 8. A method according to claim 1, whereinfor each code portion there is an associated code portion identifier, andthe determining vulnerabilities of a code portion is based on querying a database that holds associations of vulnerabilities with code portion identifiers,wherein a vulnerability is determined to be a vulnerability of the code portion when the database holds an association of the vulnerability with the code portion identifier of the code portion.

9. A computer software product including a non-transitory computer-readable storage medium storing a program which, when executed on a processing device, is adapted to perform a method for automatically protecting a computer system from attacks that exploit security vulnerabilities, comprising:
- detecting requests for execution of code portions;
  
  determining vulnerabilities of a code portion, for which an execution request is detected,providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of an oldest vulnerability of the code portion;
  
  evaluating whether or not the execution of the code portion shall be prevented in a case at least one vulnerability concerning the code portion is determined; and
  
  preventing the execution of the code portion if determined to do so in the evaluating, wherein the evaluating is based on the secure history determination result, wherein one or more parameter test procedures are defined, whereby each parameter test procedure of the one or more parameter test procedures is specific to a different one of said vulnerabilities and provides a result value when executed that indicates if a parameter set used to call the code portion exploits this vulnerability or not, and wherein the evaluating is based on one or more of said result values of the one or more parameter test procedures.

10. A method for automatically protecting a computer system from attacks that exploit security vulnerabilities, comprising:
- detecting code portions that are currently executed, determining vulnerabilities of a code portion that is currently executed, providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of the oldest vulnerability of the code portion;
  
  evaluating whether or not the execution of the code portion shall be aborted in a case at least one vulnerability concerning the code portion is determined; and
  
  aborting the execution of the code portion if determined to do so in the evaluating, wherein the evaluating is based on the secure history determination result, wherein one or more parameter test procedures are defined, whereby each parameter test procedure of the one or more parameter test procedures is specific to a different one of said vulnerabilities and provides a result value when executed that indicates if a parameter set used to call the code portion exploits this vulnerability or not, and wherein the evaluating is based on one or more of said result values of the one or more parameter test procedures.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. A method according to claim 10, whereinsaid vulnerabilities are known vulnerabilities.
  - 12. A method according to claim 10, further comprising providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of a first vulnerability of the code portion, wherein the evaluating is based on the secure history determination result.
  - 13. A method according to claim 12, whereinsaid first vulnerability is an oldest vulnerability of the code portion without a parameter test procedure.
  - 14. A method according to claim 10, further comprising:
    - determining which fixes need to be applied to allow for a secure execution of a code portion of which the execution is prevented or aborted; and
      
      presenting a user said fixes and/or applying said fixes.
  - 15. A method according to claim 10, further comprising:
    - determining what other code portion might be used instead of the one of which the execution was prevented or aborted; and
      
      presenting a user said other code portion.
  - 16. A method according to claim 10, whereinfor each code portion there is an associated code portion identifier, andthe determining vulnerabilities of a code portion is based on querying a database that holds associations of vulnerabilities with code portion identifiers,wherein a vulnerability is determined to be a vulnerability of the code portion when the database holds an association of the vulnerability with the code portion identifier of the code portion.

17. A computer software product including a non-transitory computer-readable storage medium storing a program which, when executed on a processing device, is adapted to perform a method for automatically protecting a computer system from attacks that exploit security vulnerabilities, comprising:
- detecting code portions that are currently executed, determining vulnerabilities of a code portion that is currently executed, providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of the oldest vulnerability of the code portion;
  
  evaluating whether or not the execution of the code portion shall be aborted in a case at least one vulnerability concerning the code portion is determined; and
  
  aborting the execution of the code portion if determined to do so in the evaluating,wherein the evaluating is based on the secure history determination result,wherein one or more parameter test procedures are defined, whereby each parameter test procedure of the one or more parameter test procedures is specific to a different one of said vulnerabilities and provides a result value when executed that indicates if a parameter set used to call the code portion exploits this vulnerability or not, and wherein the evaluating is based on one or more of said result values of the one or more parameter test procedures.

18. A method for automatically protecting a computer system from attacks that exploit security vulnerabilities, comprising:
- detecting requests for execution of code portions;
  
  determining vulnerabilities of a code portion for which an execution request is detected;
  
  evaluating whether or not the execution of the code portion shall be prevented in a case at least one vulnerability concerning the code portion is determined;
  
  preventing the execution of the code portion if determined to do so in the evaluating;
  
  and a secure history determination step providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of an oldest vulnerability of the code portion, whereinthe evaluating is based on the secure history determination result,wherein one or more parameter test procedures are defined, whereby each parameter test procedure of the one or more parameter test procedures is specific to a different one of said vulnerabilities and provides a result value when executed that indicates if a parameter set used to call the code portion exploits this vulnerability or not, and wherein the evaluating is based on one or more of said result values of the one or more parameter test procedures.

19. A method for automatically protecting a computer system from attacks that exploit security vulnerabilities, comprising:
- detecting code portions that are currently executed;
  
  determining vulnerabilities of a code portion that is currently executed;
  
  evaluating whether or not the execution of the code portion shall be aborted in a case at least one vulnerability concerning the code portion is determined;
  
  aborting the execution of the code portion if determined to do so in the evaluating;
  
  and a secure history determination step providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of the oldest vulnerability of the code portion, whereinthe evaluating is based on the secure history determination result, wherein one or more parameter test procedures are defined, wherebyeach parameter test procedure of the one or more parameter test procedures is specific to a different one of said vulnerabilities and provides a result value when executed that indicates if a parameter set used to call the code portion exploits this vulnerability or not, and wherein the evaluating is based on one or more of said result values of the one or more parameter test procedures.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sony Corporation (Sony Group Corp.)
Original Assignee
Sony Corporation (Sony Group Corp.)
Inventors
Hohl, Fritz
Primary Examiner(s)
Shaw, Yin-Chen
Assistant Examiner(s)
WANG, HARRIS C

Application Number

US12/296,479
Publication Number

US 20100257610A1
Time in Patent Office

2,485 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

Automatically protecting computer systems from attacks that exploit security vulnerabilities

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

264 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Automatically protecting computer systems from attacks that exploit security vulnerabilities

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

264 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links