US2011167260A1PendingUtilityA1

Computer system lock-down

56
Assignee: FORTINET INCPriority: Dec 3, 2004Filed: Feb 8, 2011Published: Jul 7, 2011
Est. expiryDec 3, 2024(expired)· nominal 20-yr term from priority
H04L 63/08G06F 2221/033G06F 21/51Y10S707/99944H04L 63/10G06F 2221/2141G06F 9/445H04L 63/0884G06F 21/44G06F 21/52G06F 21/602H04L 63/145G06F 21/53H04L 9/0643Y10S707/99934Y10S707/99943H04L 9/32H04L 9/3239G06F 21/10
56
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Systems and methods for allowing authorized code to execute on a computer system are provided. According to one embodiment, a method is provided for locking down a computer system. A customized, local whitelist database is stored with a memory of the computer system. The whitelist database forms a part of an authentication system operable within the computer system and contains therein cryptographic hash values of code modules expressly approved for execution by the computer system. A kernel mode driver of the authentication system intercepts file system or operating system activity relating to a code module. The authentication system determines whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated against the whitelist database. The authentication system allows the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values.

Claims

exact text as granted — not AI-modified
1 . A method of locking down a computer system to limit execution of computer program code to only that which can be verified to be approved to run on the computer system, the method comprising:
 storing within a memory of the computer system a customized, local whitelist database, the customized, local whitelist database forming part of an authentication system operable within the computer system and containing therein cryptographic hash values of code modules expressly approved for execution by the computer system;   intercepting, by a kernel mode driver of the authentication system, file system or operating system activity relating to a code module;   determining, by the authentication system, whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated with reference to the customized, local whitelist database;   allowing, by the authentication system, the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database by causing processing relating to the file system or operating system activity to proceed; and   wherein the authentication system is implemented in one or more processors and one or more computer-readable storage media associated with the computer system, the one or more computer-readable storage media having instructions tangibly embodied therein representing the authentication system that are executable by the one or more processors.   
     
     
         2 . The method of  claim 1 , further comprising disallowing, by the authentication system, the code module from being loaded and executed within the computer system if the cryptographic hash value does not match any of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database by causing processing relating to the file system or operating system activity to stop. 
     
     
         3 . The method of  claim 2 , wherein the computer system comprises an end-user workstation within an enterprise. 
     
     
         4 . The method of  claim 2 , further comprising recording, by a user mode service layer of the authentication system, in a software activity database, information associated with the execution and utilization of code modules by the computer system. 
     
     
         5 . The method of  claim 3 , further comprising if the cryptographic hash value does not match any of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database, then causing information regarding the code module to be provided to a system or network administrator via a centralized remote management console associated with the authentication system. 
     
     
         6 . The method of  claim 3 , wherein the customized, local whitelist database additionally contains therein information identifying a set of one or more code modules that are expressly not approved for execution. 
     
     
         7 . The method of  claim 6 , wherein the set of one or more code modules that are not approved for execution include one or more non-work-related software applications which may distract employees from working. 
     
     
         8 . The method of  claim 6 , wherein the set of one or more code modules that are not approved for execution include those associated with one or more of music player applications and gaming applications. 
     
     
         9 . The method of  claim 1 , wherein prior to said storing within a memory of the computer system a customized, local whitelist database, performing, by the authentication system, an inventory of a mass storage device associated with the computer system to determine installed code modules. 
     
     
         10 . The method of  claim 1 , further comprising receiving, by the authentication system, an update to the customized, local whitelist database from a centralized remote management console. 
     
     
         11 . The method of  claim 1 , wherein the customized, local whitelist database comprises an in-memory data structure and the memory comprises random access memory. 
     
     
         12 . The method of  claim 1 , wherein the memory comprises a mass storage device of the computer system. 
     
     
         13 . The method of  claim 1 , wherein said intercepting, by the kernel mode driver of the authentication system, file system or operating system activity relating to a code module comprises the kernel mode driver hooking low-level operating system application programming interfaces (APIs) to intercept one or more operating system operations of interest including one or more of process creation, module loading and file system input/output activity. 
     
     
         14 . The method of  claim 1 , further comprising verifying, by the authentication system, that the customized, local whitelist database has not been modified in an unauthorized manner by calculating a hash value of the contents of the customized, local whitelist database and comparing the hash value to a predetermined hash value. 
     
     
         15 . A computer system comprising:
 a storage device having tangibly embodied thereon instructions associated with a code module authentication system and a customized, local whitelist database, the customized, local whitelist database containing therein cryptographic hash values of code modules expressly approved for execution by the computer system; and   one or more processors coupled to the storage device and operable to execute the instructions associated with the code module authentication system to perform a method comprising:   intercepting file system or operating system activity relating to a code module;   determining whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated with reference to the customized, local whitelist database; and   allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database by causing processing relating to the file system or operating system activity to proceed.   
     
     
         16 . The computer system of  claim 15 , wherein the method further comprises disallowing the code module from being loaded and executed within the computer system if the cryptographic hash value does not match any of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database by causing processing relating to the file system or operating system activity to stop. 
     
     
         17 . The computer system of  claim 16 , wherein the computer system comprises an end-user workstation within an enterprise. 
     
     
         18 . The computer system of  claim 17 , wherein the method further comprises if the cryptographic hash value does not match any of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database, then causing information regarding the code module to be provided to a system or network administrator via a centralized remote management console associated with the code module authentication system. 
     
     
         19 . The computer system of  claim 15 , wherein the method further comprises verifying the customized, local whitelist database has not been modified in an unauthorized manner by calculating a hash value of the contents of the customized, local whitelist database and comparing the hash value to a predetermined hash value. 
     
     
         20 . A non-transitory program storage device readable by a computer system, tangibly embodying a program of instructions executable by one or more computer processors of the computer system to perform method steps for allowing authorized code to execute on the computer system comprising:
 intercepting file system or operating system activity relating to a code module;   determining, by the authentication system, whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated with reference to a customized, local whitelist database stored within a memory of the computer system and containing therein cryptographic hash values of code modules expressly approved for execution by the computer system; and   allowing the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database by causing processing relating to the file system or operating system activity to proceed.   
     
     
         21 . The non-transitory program storage device of  claim 20 , wherein the method steps further comprise disallowing the code module from being loaded and executed within the computer system if the cryptographic hash value does not match any of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database by causing processing relating to the file system or operating system activity to stop. 
     
     
         22 . The non-transitory program storage device of  claim 21 , wherein the computer system comprises an end-user workstation within an enterprise. 
     
     
         23 . The non-transitory program storage device of  claim 22 , wherein the method steps further comprise if the cryptographic hash value does not match any of the cryptographic hash values of code modules expressly approved for execution by the computer system that are contained within the customized, local whitelist database, then causing information regarding the code module to be provided to a system or network administrator via a centralized remote management console associated with the code module authentication system. 
     
     
         24 . The non-transitory program storage device of  claim 20 , wherein the method steps further comprise verifying the customized, local whitelist database has not been modified in an unauthorized manner by calculating a hash value of the contents of the customized, local whitelist database and comparing the hash value to a predetermined hash value.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.