US2012216281A1PendingUtilityA1

Systems and Methods for Providing a Computing Device Having a Secure Operating System Kernel

44
Assignee: UNER ERIC RIDVANPriority: Feb 22, 2011Filed: Dec 9, 2011Published: Aug 23, 2012
Est. expiryFeb 22, 2031(~4.6 yrs left)· nominal 20-yr term from priority
G06F 21/52G06F 21/51H04L 9/3234G06F 21/566G06F 21/50
44
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A method and apparatus for resisting malicious code in a computing device. A software component corresponding to an operating system kernel is analyzed prior to executing the software component to detect the presence of one or more specific instructions such as malicious code, a change in mode permissions or instructions to modify or turn off security monitoring software, and taking a graduated action in response to the detection of one or more specific instructions. The graduated action taken is specified by a security policy (or policies) stored on the computing device. The analyzing may include off-line scanning of a particular code or portion of code for certain instructions, op codes, or patterns, and includes scanning in real-time as the kernel or kernel module is loading while the code being scanned is not yet executing (i.e., it is not yet “on-line”). Analysis of other code proceeds according to policies.

Claims

exact text as granted — not AI-modified
1 . A method of resisting malicious code in a computing device, comprising:
 analyzing a software component corresponding to an operating system kernel, prior to executing the software component, to detect the presence of one or more specific instructions; and   taking a graduated action in response to the detection of one or more specific instructions.   
     
     
         2 . The method of  claim 1 , wherein the one or more specific instructions comprise one or more instructions to change a memory access permission. 
     
     
         3 . The method, of  claim 1 , wherein the one or more specific instructions comprise one or more instructions to modify or turn off security monitoring software. 
     
     
         4 . The method of  claim 1 , wherein taking graduated action comprises at least one of removing the detected one or more specific instructions from the kernel software limiting access to peripheral devices. limiting access to kernel certain functions and shutting the computing device down. 
     
     
         5 . The method of  claim 1 , further comprising:
 analyzing a software component corresponding to a user application, prior to executing the user application, to detect the presence of one or more specific instructions; and   taking a graduated action in response to the detection of one or more specific instructions.   
     
     
         6 . The method of  claim 1 , wherein the software component comprises a loadable module. 
     
     
         7 . The method of  claim 1 , further comprising:
 providing a first secure memory segment; and   storing the software component corresponding to the operating system kernel in the first secure memory segment.   
     
     
         8 . The method of  claim 7 , further comprising:
 preventing the software component corresponding to the operating system kernel from being modified by processes running in a privilege mode or a user mode while the component is stored in the first secure memory segment.   
     
     
         9 . The method of  claim 7 , further comprising:
 providing a second secure memory segment, distinct from the first secure memory segment; and   storing a software component corresponding to a security monitor, distinct from a hypervisor, in the second secure memory segment.   
     
     
         10 . The method of  claim 9 , further comprising:
 running the software component corresponding to a security monitor in a secure monitor Mode (SMM) having a higher privilege than a kernel mode and a user mode on the computing device.   
     
     
         11 . The method of  claim 10 , wherein instructions to change a memory access permission may only be issued from a process running in secure monitor mode (SMM). 
     
     
         12 . The method of  claim 9 , further comprising:
 monitoring the software component corresponding to the operating system kernel using the security monitor.   
     
     
         13 . The method of  claim 12 , wherein the monitoring step comprises:
 detecting the presence of one or more specific instructions; and   taking a graduated action in response to the detection of one or more specific instructions.   
     
     
         14 . The method of  claim 9 , further comprising:
 monitoring a software component corresponding to a user application using the security monitor.   
     
     
         15 . The method of  claim 14 , wherein the monitoring step comprises:
 detecting the presence of one or more specific instructions; and   taking a graduated action in response to the detection of one or more specific instructions.   
     
     
         16 . A computing device, comprising:
 a memory; and   a processor coupled to the memory and configured with processor executable instructions to perform operations, comprising:
 analyzing a software component corresponding to an operating system kernel, prior to executing the software component, to detect the presence of one or more specific instructions; and 
 taking a graduated action in response to the detection of one or more specific instructions. 
   
     
     
         17 . The device of  claim 16 , wherein the one or more specific instructions comprise one or more instructions to change a memory access permission. 
     
     
         18 . The device of  claim 16 , wherein the one or more specific instructions comprise one or more instructions to modify or turn off security monitoring software. 
     
     
         19 . The device of  claim 16 , wherein taking graduated action comprises at least one of removing the detected one or more specific instructions from the kernel software, limiting access to peripheral devices limiting access to kernel certain functions and shutting the computing device down. 
     
     
         20 . The device of  claim 16 , wherein the processor is-configured with processor executable instructions to perform operations further comprising:
 analyzing a software component corresponding to a user application, prior to executing the user application, to detect the presence of one or more specific instructions; and   taking a graduated action in response to the detection of one or more specific instructions.   
     
     
         21 . The device of  claim 16 , wherein the software component comprises a loadable module. 
     
     
         22 . The device of  claim 16 , wherein the processor is configured with processor-executable instructions to perform operations further comprising:
 providing a first secure memory segment; and   storing the software component corresponding to the operating system kernel in the first secure memory segment.   
     
     
         23 . The device of  claim 22 , wherein the processor is configured with processor executable instructions to perform operations further comprising:
 preventing the software component corresponding to the operating system, kernel from being modified by processes running in a privilege mode or a user mode while the component is stored-in the first secure memory segment.   
     
     
         24 . The device of  claim 22 , wherein the processor is configured with processor-executable instructions to perform operations further comprising:
 providing a-second secure memory segment, distinct from the first secure memory segment; and   storing a software component corresponding to a security monitor, distinct from a hypervisor in the second secure memory segment.   
     
     
         25 . The device of  claim 24 , wherein the processor is configured with processor-executable instructions to perform operations further comprising:
 running the software component corresponding to a security monitor in a secure monitor mode (SMM) having a higher privilege than a kernel mode and a user mode on the computing device.   
     
     
         26 . The device of  claim 24 , wherein instructions to change a memory access permission may only be issued from a process running in secure monitor mode (SMM). 
     
     
         27 . The device of  claim 24 , wherein the processor is configured with processor-executable instructions to perform operations further comprising:
 monitoring the software component corresponding to the operating system kernel using the security monitor.   
     
     
         28 . The device of  claim 27 , wherein the monitoring comprises:
 detecting the presence of one or more specific instructions; and   taking a graduated :action in response to the detection of one or more specific instructions.   
     
     
         29 . The device of  claim 24 , wherein the processor is configured with processor-executable instructions to perform operations further comprising:
 monitoring a software component corresponding to a user application using the security monitor.   
     
     
         30 . The device of  claim 29 , wherein the monitoring comprises:
 detecting the presence of one or more specific instructions; and   taking a graduated action in response to the detection of one or more specific instructions.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.