Secure system for allowing the execution of authorized computer program code
Abstract
Systems and methods for allowing authorized code to execute on a computer system are provided. According to one embodiment, file or operating system activity relating to a code module is intercepted. A cryptographic hash value of the code module is authenticated with reference to a multi-level whitelist, which includes a remote global whitelist and a local whitelist. The remote global whitelist is maintained by a trusted service provider and contains cryptographic hash values of approved code modules known not to contain malicious code. The local whitelist is accessible by computer systems within the LAN and contains cryptographic hash values of a subset of the approved code modules. The cryptographic hash value is checked against the local whitelist. If no match is found, it is checked against the global whitelist. The code module is allowed to be loaded and executed if the cryptographic hash value corresponds to an approved code module.
Claims
exact text as granted — not AI-modified1 . A method of allowing authorized code to execute on a computer system within a local area network (LAN), the method comprising:
intercepting, by a kernel mode driver of the computer system, file system or operating system activity relating to a code module; before the code module is executed by the computer system, causing, by the kernel mode driver, a cryptographic hash value of the code module to be authenticated with reference to a multi-level whitelist, the multi-level whitelist comprising (i) a global whitelist database remote from the computer system and maintained by a trusted service provider, the global whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code and (ii) a local whitelist database associated with the LAN and locally accessible by the computer system and one or more other computer systems within the LAN, the local whitelist database containing cryptographic hash values of at least a subset of the approved code modules, wherein the cryptographic hash value is first checked against the local whitelist database and if no match is found, then the cryptographic hash value is checked against the global whitelist database; allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the multi-level whitelist; and wherein the kernel mode driver is implemented in one or more processors and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the kernel mode driver that are executable by the one or more processors.
2 . The method of claim 1 , wherein the multi-level whitelist includes one or more most recently used (MRU) caches local to the computer system.
3 . The method of claim 2 , wherein the one or more MRU caches comprise in-memory data structures containing information regarding code modules recently authenticated by the kernel mode driver.
4 . The method of claim 1 , wherein the code module comprises an executable object.
5 . The method of claim 1 , wherein the cryptographic hash value covers a code segment of the executable object but not a data segment of the executable object.
6 . The method of claim 1 , wherein the cryptographic hash value covers both a code segment and a data segment of the executable object.
7 . The method of claim 1 , wherein the code module comprises a file system object.
8 . The method of claim 1 , wherein the code module comprises a script file.
9 . The method of claim 1 , wherein the code module comprises a Java applet.
10 . The method of claim 1 , wherein the code module comprises JavaScript.
11 . The method of claim 1 , wherein the code module comprises a dynamically-linked library file that is used by multiple programs.
12 . The method of claim 1 , wherein the cryptographic hash value is computed using Message Digest #5 (MD-5).
13 . The method of claim 1 , wherein the cryptographic hash value is computed using a Secure Hash Algorithm (SHA).
14 . The method of claim 11 , wherein the cryptographic hash value is computed using SHA-1.
15 . The method of claim 11 , wherein the cryptographic hash value is computed using SHA-256.
16 . The method of claim 1 , further comprising calculating, by the kernel mode driver, a cryptographic hash value of the code module.
17 . The method of claim 1 , wherein the kernel mode driver is configured for operation within a Microsoft Windows operating system.
18 . The method of claim 1 , wherein the approved code modules include code modules associated with common operating system software, operating system services, and common utilities, including word processors and Internet browsers.
19 . The method of claim 1 , wherein a user of the computer system is a registered user of the trusted service provider.
20 . The method of claim 1 , wherein an enterprise with which the computer system is associated is a registered user of the trusted service provider.
21 . The method of claim 1 , wherein the approved code modules are identified by multiple sources.
22 . The method of claim 21 , wherein the approved code modules include all safe code modules currently known to the trusted service provider.
23 . The method of claim 1 , wherein the local whitelist database is maintained by an information technology (IT) administrator, whereby the IT administrator has the ability to tailor the local whitelist to allow or disallow particular code modules from running on a plurality of computer systems within the LAN, including the computer system.
24 . The method of claim 1 , wherein said intercepting, by the kernel mode driver of the computer system, file system or operating system activity relating to a code module comprises the kernel mode driver monitoring operating system process creation or module load activity.
25 . The method of claim 1 , wherein said intercepting, by the kernel mode driver of the computer system, file system or operating system activity relating to a code module comprises the kernel mode driver hooking low-level operating system application programming interfaces (APIs) to intercept one or more operating system operations of interest including one or more of process creation, module loading, and file system read/write activity.
26 . The method of claim 17 , wherein said intercepting, by the kernel mode driver of the computer system, file system or operating system activity relating to a code module comprises an operating system process creation activity monitor intercepting new process creation activity within the computer system by hooking to a Windows CreateSection API call and temporarily turning control over to the kernel mode driver.
27 . The method of claim 1 , wherein said intercepting, by the kernel mode driver of the computer system, file system or operating system activity relating to a code module occurs during boot processing of the computer system.
28 . The method of claim 1 , wherein said intercepting, by the kernel mode driver of the computer system, file system or operating system activity relating to a code module occurs during normal system operations of the computer system.
29 . The method of claim 1 , further comprising performing a periodic scan of code modules stored on the computer system.
30 . A code execution authorization system comprising:
a kernel mode driver of a computer system implemented in one or more computer processors of the computer system and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the kernel mode driver that are executable by the one or more computer processors, the kernel mode driver operable to perform a method of allowing authorized code to execute on the computer system comprising:
intercepting file system or operating system activity relating to a code module;
before the code module is executed by the computer system, causing a cryptographic hash value of the code module to be authenticated with reference to a multi-level whitelist, the multi-level whitelist comprising (i) a global whitelist database remote from the computer system and maintained by a trusted service provider, the global whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code and (ii) a local whitelist database associated with a local area network (LAN) in which the computer system and one or more other computer systems exist, the local whitelist database containing cryptographic hash values of at least a subset of the approved code modules, wherein the cryptographic hash value is first checked against the local whitelist database and if no match is found, then the cryptographic hash value is checked against the global whitelist database; and
allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the multi-level whitelist.
31 . The code execution authorization system of claim 30 , wherein the multi-level whitelist includes one or more most recently used (MRU) caches local to the computer system.
32 . The code execution authorization system of claim 31 , wherein the one or more MRU caches comprise in-memory data structures containing information regarding code modules recently authenticated by the kernel mode driver.
33 . The code execution authorization system of claim 30 , wherein the code module comprises an executable object.
34 . The code execution authorization system of claim 30 , wherein the cryptographic hash value covers a code segment of the executable object but not a data segment of the executable object.
35 . The code execution authorization system of claim 30 , wherein the cryptographic hash value covers both a code segment and a data segment of the executable object.
36 . The code execution authorization system of claim 30 , wherein the code module comprises a file system object.
37 . The code execution authorization system of claim 30 , wherein the code module comprises a script file.
38 . The code execution authorization system of claim 30 , wherein the code module comprises a Java applet.
39 . The code execution authorization system of claim 30 , wherein the code module comprises JavaScript.
40 . The code execution authorization system of claim 30 , wherein the code module comprises a dynamically-linked library file that is used by multiple programs.
41 . The code execution authorization system of claim 30 , wherein the cryptographic hash value is computed using Message Digest #5 (MD-5).
42 . The code execution authorization system of claim 30 , wherein the cryptographic hash value is computed using a Secure Hash Algorithm (SHA).
43 . The code execution authorization system of claim 40 , wherein the cryptographic hash value is computed using SHA-1.
44 . The code execution authorization system of claim 40 , wherein the cryptographic hash value is computed using SHA-256.
45 . The code execution authorization system of claim 30 , wherein the method further comprises calculating a cryptographic hash value of the code module.
46 . The code execution authorization system of claim 30 , wherein the kernel mode driver is configured for operation within a Microsoft Windows operating system.
47 . The code execution authorization system of claim 30 , wherein the approved code modules include code modules associated with common operating system software, operating system services, and common utilities, including word processors and Internet browsers.
48 . The code execution authorization system of claim 30 , wherein a user of the computer system is a registered user of the trusted service provider.
49 . The code execution authorization system of claim 30 , wherein an enterprise with which the computer system is associated is a registered user of the trusted service provider.
50 . The code execution authorization system of claim 30 , wherein the approved code modules are identified by multiple sources.
51 . The code execution authorization system of claim 50 , wherein the approved code modules include all safe code modules currently known to the trusted service provider.
52 . The code execution authorization system of claim 30 , wherein the local whitelist database is maintained by an information technology (IT) administrator, whereby the IT administrator has the ability to tailor the local whitelist to allow or disallow particular code modules from running on a plurality of computer systems within the LAN, including the computer system.
53 . The code execution authorization system of claim 30 , wherein said intercepting file system or operating system activity relating to a code module comprises monitoring operating system process creation or module load activity.
54 . The code execution authorization system of claim 30 , wherein said intercepting file system or operating system activity relating to a code module comprises hooking low-level operating system application programming interfaces (APIs) to intercept one or more operating system operations of interest including one or more of process creation, module loading, and file system read/write activity.
55 . The code execution authorization system of claim 46 , wherein said intercepting file system or operating system activity relating to a code module comprises an operating system process creation activity monitor intercepting new process creation activity within the computer system by hooking to a Windows CreateSection API call and temporarily turning control over to the kernel mode driver.
56 . The code execution authorization system of claim 30 , wherein said intercepting file system or operating system activity relating to a code module occurs during boot processing of the computer system.
57 . The code execution authorization system of claim 30 , wherein said intercepting file system or operating system activity relating to a code module occurs during normal system operations of the computer system.
58 . The code execution authorization system of claim 30 , wherein the method further comprises performing a periodic scan of code modules stored on the computer system.
59 . A non-transitory program storage device readable by a computer system, tangibly embodying a program of instructions executable by one or more computer processors of the computer system to perform method steps for allowing authorized code to execute on the computer system comprising:
intercepting, by a kernel mode driver, file system or operating system activity relating to a code module; before the code module is executed by the computer system, causing a cryptographic hash value of the code module to be authenticated with reference to a multi-level whitelist, the multi-level whitelist comprising (i) a global whitelist database remote from the computer system and maintained by a trusted service provider, the global whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code and (ii) a local whitelist database associated with a local area network (LAN) in which the computer system and one or more other computer systems exist, the local whitelist database containing cryptographic hash values of at least a subset of the approved code modules, wherein the cryptographic hash value is first checked against the local whitelist database and if no match is found, then the cryptographic hash value is checked against the global whitelist database; and allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of approved code modules within the multi-level whitelist.
60 . The non-transitory program storage device of claim 59 , wherein the multi-level whitelist includes one or more most recently used (MRU) caches local to the computer system.
61 . The non-transitory program storage device of claim 60 , wherein the one or more MRU caches comprise in-memory data structures containing information regarding code modules recently authenticated by the kernel mode driver.
62 . The non-transitory program storage device of claim 59 , wherein the code module comprises an executable object.
63 . The non-transitory program storage device of claim 59 , wherein the cryptographic hash value covers a code segment of the executable object but not a data segment of the executable object.
64 . The non-transitory program storage device of claim 59 , wherein the cryptographic hash value covers both a code segment and a data segment of the executable object.
65 . The non-transitory program storage device of claim 59 , wherein the code module comprises a file system object.
66 . The non-transitory program storage device of claim 59 , wherein the code module comprises a script file.
67 . The non-transitory program storage device of claim 59 , wherein the code module comprises a Java applet.
68 . The non-transitory program storage device of claim 59 , wherein the code module comprises JavaScript.
69 . The non-transitory program storage device of claim 59 , wherein the code module comprises a dynamically-linked library file that is used by multiple programs.
70 . The non-transitory program storage device of claim 59 , wherein the cryptographic hash value is computed using Message Digest #5 (MD-5).
71 . The non-transitory program storage device of claim 59 , wherein the cryptographic hash value is computed using a Secure Hash Algorithm (SHA).
72 . The non-transitory program storage device of claim 69 , wherein the cryptographic hash value is computed using SHA-1.
73 . The non-transitory program storage device of claim 69 , wherein the cryptographic hash value is computed using SHA-256.
74 . The non-transitory program storage device of claim 59 , wherein the method further comprises calculating a cryptographic hash value of the code module.
75 . The non-transitory program storage device of claim 59 , wherein the kernel mode driver is configured for operation within a Microsoft Windows operating system.
76 . The non-transitory program storage device of claim 59 , wherein the approved code modules include code modules associated with common operating system software, operating system services, and common utilities, including word processors and Internet browsers.
77 . The non-transitory program storage device of claim 59 , wherein a user of the computer system is a registered user of the trusted service provider.
78 . The non-transitory program storage device of claim 59 , wherein an enterprise with which the computer system is associated is a registered user of the trusted service provider.
79 . The non-transitory program storage device of claim 59 , wherein the approved code modules are identified by multiple sources.
80 . The non-transitory program storage device of claim 59 , wherein the approved code modules include all safe code modules currently known to the trusted service provider.
81 . The non-transitory program storage device of claim 59 , wherein the local whitelist database is maintained by an information technology (IT) administrator, whereby the IT administrator has the ability to tailor the local whitelist to allow or disallow particular code modules from running on a plurality of computer systems within the LAN, including the computer system.
82 . The non-transitory program storage device of claim 59 , wherein said intercepting file system or operating system activity relating to a code module comprises monitoring operating system process creation or module load activity.
83 . The non-transitory program storage device of claim 59 , wherein said intercepting file system or operating system activity relating to a code module comprises hooking low-level operating system application programming interfaces (APIs) to intercept one or more operating system operations of interest including one or more of process creation, module loading, and file system read/write activity.
84 . The non-transitory program storage device of claim 75 , wherein said intercepting file system or operating system activity relating to a code module comprises an operating system process creation activity monitor intercepting new process creation activity within the computer system by hooking to a Windows CreateSection API call and temporarily turning control over to the kernel mode driver.
85 . The non-transitory program storage device of claim 59 , wherein said intercepting file system or operating system activity relating to a code module occurs during boot processing of the computer system.
86 . The non-transitory program storage device of claim 59 , wherein said intercepting file system or operating system activity relating to a code module occurs during normal system operations of the computer system.
87 . The non-transitory program storage device of claim 59 , wherein the method further comprises performing a periodic scan of code modules stored on the computer system.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.