Automatically protecting computer systems from attacks that exploit security vulnerabilities
Abstract
A first method for automatically protecting a computer system from attacks that exploit security vulnerabilities detects requests for execution of code portions, determines vulnerabilities of a code portion for which an execution request is detected, evaluates whether or not the execution of the code portion shall be prevented in a case at least one vulnerability concerning the code portion is determined, and prevents execution of the code portion if determined to do so in the evaluation. A second method for automatically protecting a computer system from attacks that exploit security vulnerabilities detects code portions which are currently executed, determines vulnerabilities of a code portion that is currently executed, evaluates whether or not the execution of the code portion shall be aborted in a case at least one vulnerability concerning the code portion is determined, and aborts execution of the code portion if determined to do so in the evaluation.
264 Citations
19 Claims
1. A method for automatically protecting a computer system from attacks that exploit security vulnerabilities, comprising:

detecting requests for execution of code portions; determining vulnerabilities of a code portion, for which an execution request is detected, providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of an oldest vulnerability of the code portion; evaluating whether or not the execution of the code portion shall be prevented in a case at least one vulnerability concerning the code portion is determined; and preventing the execution of the code portion if determined to do so in the evaluating, wherein the evaluating is based on the secure history determination result, wherein one or more parameter test procedures are defined, whereby each parameter test procedure of the one or more parameter test procedures is specific to a different one of said vulnerabilities and provides a result value when executed that indicates if a parameter set used to call the code portion exploits this vulnerability or not, and wherein the evaluating is based on one or more of said result values of the one or more parameter test procedures.

(Dependent claims 2, 3, 4, 5, 6, 7 and 8 are not reproduced here.)

9. A computer software product including a non-transitory computer-readable storage medium storing a program which, when executed on a processing device, is adapted to perform a method for automatically protecting a computer system from attacks that exploit security vulnerabilities, comprising:

detecting requests for execution of code portions; determining vulnerabilities of a code portion, for which an execution request is detected, providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of an oldest vulnerability of the code portion; evaluating whether or not the execution of the code portion shall be prevented in a case at least one vulnerability concerning the code portion is determined; and preventing the execution of the code portion if determined to do so in the evaluating, wherein the evaluating is based on the secure history determination result, wherein one or more parameter test procedures are defined, whereby each parameter test procedure of the one or more parameter test procedures is specific to a different one of said vulnerabilities and provides a result value when executed that indicates if a parameter set used to call the code portion exploits this vulnerability or not, and wherein the evaluating is based on one or more of said result values of the one or more parameter test procedures.

10. A method for automatically protecting a computer system from attacks that exploit security vulnerabilities, comprising:

detecting code portions that are currently executed, determining vulnerabilities of a code portion that is currently executed, providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of the oldest vulnerability of the code portion; evaluating whether or not the execution of the code portion shall be aborted in a case at least one vulnerability concerning the code portion is determined; and aborting the execution of the code portion if determined to do so in the evaluating, wherein the evaluating is based on the secure history determination result, wherein one or more parameter test procedures are defined, whereby each parameter test procedure of the one or more parameter test procedures is specific to a different one of said vulnerabilities and provides a result value when executed that indicates if a parameter set used to call the code portion exploits this vulnerability or not, and wherein the evaluating is based on one or more of said result values of the one or more parameter test procedures.

(Dependent claims 11, 12, 13, 14, 15 and 16 are not reproduced here.)

17. A computer software product including a non-transitory computer-readable storage medium storing a program which, when executed on a processing device, is adapted to perform a method for automatically protecting a computer system from attacks that exploit security vulnerabilities, comprising:

detecting code portions that are currently executed, determining vulnerabilities of a code portion that is currently executed, providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of the oldest vulnerability of the code portion; evaluating whether or not the execution of the code portion shall be aborted in a case at least one vulnerability concerning the code portion is determined; and aborting the execution of the code portion if determined to do so in the evaluating, wherein the evaluating is based on the secure history determination result, wherein one or more parameter test procedures are defined, whereby each parameter test procedure of the one or more parameter test procedures is specific to a different one of said vulnerabilities and provides a result value when executed that indicates if a parameter set used to call the code portion exploits this vulnerability or not, and wherein the evaluating is based on one or more of said result values of the one or more parameter test procedures.

18. A method for automatically protecting a computer system from attacks that exploit security vulnerabilities, comprising:

detecting requests for execution of code portions; determining vulnerabilities of a code portion for which an execution request is detected; evaluating whether or not the execution of the code portion shall be prevented in a case at least one vulnerability concerning the code portion is determined; preventing the execution of the code portion if determined to do so in the evaluating; and a secure history determination step providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of an oldest vulnerability of the code portion, wherein the evaluating is based on the secure history determination result, wherein one or more parameter test procedures are defined, whereby each parameter test procedure of the one or more parameter test procedures is specific to a different one of said vulnerabilities and provides a result value when executed that indicates if a parameter set used to call the code portion exploits this vulnerability or not, and wherein the evaluating is based on one or more of said result values of the one or more parameter test procedures.

19. A method for automatically protecting a computer system from attacks that exploit security vulnerabilities, comprising:

detecting code portions that are currently executed; determining vulnerabilities of a code portion that is currently executed; evaluating whether or not the execution of the code portion shall be aborted in a case at least one vulnerability concerning the code portion is determined; aborting the execution of the code portion if determined to do so in the evaluating; and a secure history determination step providing a secure history determination result indicating whether or not a parameter set used to call the code portion was used before the publication of the oldest vulnerability of the code portion, wherein the evaluating is based on the secure history determination result, wherein one or more parameter test procedures are defined, whereby each parameter test procedure of the one or more parameter test procedures is specific to a different one of said vulnerabilities and provides a result value when executed that indicates if a parameter set used to call the code portion exploits this vulnerability or not, and wherein the evaluating is based on one or more of said result values of the one or more parameter test procedures.
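The independent claims above all describe the same decision loop: intercept a request to execute a code portion, look up the vulnerabilities known for that code portion, determine whether the parameter set was already in use before the oldest of those vulnerabilities was published (the "secure history determination result"), run the vulnerability-specific parameter test procedures, and decide from those results whether to prevent (or abort) the execution. The following Python sketch is an added illustration of that loop; it is not code from the patent or its assignee. The code portion names, the vulnerability identifiers (`VULN-PLACEHOLDER-*`), the dates and the test procedures are all constructed, and the way the two inputs are combined into a decision (an exploiting parameter set always blocks; a parameter set seen before the oldest vulnerability is otherwise allowed; a vulnerability with no test procedure blocks unseen parameter sets) is one policy chosen for the example, not a policy the claims prescribe.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

# A parameter set is modelled as a hashable tuple so it can be keyed in the history.
ParamSet = Tuple[object, ...]


class Decision(Enum):
    ALLOW = "allow"
    PREVENT = "prevent"


@dataclass
class Vulnerability:
    vuln_id: str                                        # constructed placeholder id
    published: date                                     # publication date of the vulnerability
    test: Optional[Callable[[ParamSet], bool]] = None   # parameter test procedure: True = exploits


@dataclass
class ExecutionGuard:
    # code portion name -> known vulnerabilities (constructed registry)
    registry: Dict[str, List[Vulnerability]] = field(default_factory=dict)
    # code portion name -> {parameter set: date it was first seen}
    history: Dict[str, Dict[ParamSet, date]] = field(default_factory=dict)

    def record_call(self, portion: str, params: ParamSet, seen: date) -> None:
        """Record a parameter set used to call a code portion, keeping the earliest date."""
        seen_map = self.history.setdefault(portion, {})
        if params not in seen_map or seen < seen_map[params]:
            seen_map[params] = seen

    def secure_history_result(self, portion: str, params: ParamSet,
                              vulns: List[Vulnerability]) -> bool:
        """True if this parameter set was used before the oldest vulnerability was published."""
        oldest = min(v.published for v in vulns)
        first_seen = self.history.get(portion, {}).get(params)
        return first_seen is not None and first_seen < oldest

    def evaluate(self, portion: str, params: ParamSet) -> Tuple[Decision, List[str]]:
        """Decide whether execution of `portion` with `params` shall be prevented."""
        vulns = self.registry.get(portion, [])
        if not vulns:                     # no known vulnerability: nothing to evaluate
            return Decision.ALLOW, []
        secure = self.secure_history_result(portion, params, vulns)
        # Run every vulnerability-specific parameter test procedure that exists.
        flagged = [v.vuln_id for v in vulns if v.test is not None and v.test(params)]
        if flagged:                       # a test says the parameters exploit a vulnerability
            return Decision.PREVENT, flagged
        if secure:                        # parameters predate the oldest vulnerability
            return Decision.ALLOW, []
        untestable = [v.vuln_id for v in vulns if v.test is None]
        if untestable:                    # no test and no secure history: be conservative
            return Decision.PREVENT, untestable
        return Decision.ALLOW, []

    def guarded_call(self, portion: str, fn: Callable, *args):
        """Interception point: evaluate the request, then run or refuse the code portion."""
        decision, reasons = self.evaluate(portion, args)
        if decision is Decision.PREVENT:
            raise PermissionError(f"execution of {portion} prevented: {', '.join(reasons)}")
        return fn(*args)


def build_demo_guard() -> ExecutionGuard:
    """Constructed registry and history for two hypothetical code portions."""
    guard = ExecutionGuard()
    # Hypothetical length-check weakness: exploited when the source exceeds the destination size.
    guard.registry["copy_to_buffer"] = [
        Vulnerability("VULN-PLACEHOLDER-1", date(2020, 6, 1), test=lambda p: len(p[0]) > p[1])
    ]
    # Hypothetical vulnerability for which no parameter test procedure has been written.
    guard.registry["parse_header"] = [Vulnerability("VULN-PLACEHOLDER-2", date(2021, 3, 15))]
    guard.record_call("copy_to_buffer", (b"abc", 16), date(2019, 1, 10))
    guard.record_call("parse_header", ("Host: example",), date(2020, 11, 2))
    return guard


def run_demo() -> Dict[str, str]:
    """Evaluate a set of constructed execution requests and return the decisions by name."""
    guard = build_demo_guard()
    cases = {
        "known_safe_params": ("copy_to_buffer", (b"abc", 16)),       # seen before publication
        "oversized_params": ("copy_to_buffer", (b"A" * 64, 16)),      # test procedure flags it
        "new_params_pass_test": ("copy_to_buffer", (b"xyz", 16)),     # unseen, but test passes
        "untestable_seen_before": ("parse_header", ("Host: example",)),
        "untestable_new_params": ("parse_header", ("Host: other",)),
        "no_known_vulns": ("format_report", ("summary",)),
    }
    return {name: guard.evaluate(p, a)[0].value for name, (p, a) in cases.items()}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:24s} -> {decision}")
```

In a real deployment the registry would be fed from a vulnerability feed keyed by the code portion (library, function or module) and the history would be a persistent store of parameter-set fingerprints with first-seen timestamps; the dates matter because the secure-history check only means anything when the history is older than the vulnerability disclosure and cannot be backdated.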
Specification