Systems and Methods for Providing a Computing Device Having a Secure Operating System Kernel
Abstract
A method and apparatus for resisting malicious code in a computing device. A software component corresponding to an operating system kernel is analyzed prior to executing the software component to detect the presence of one or more specific instructions such as malicious code, a change in mode permissions or instructions to modify or turn off security monitoring software, and taking a graduated action in response to the detection of one or more specific instructions. The graduated action taken is specified by a security policy (or policies) stored on the computing device. The analyzing may include off-line scanning of a particular code or portion of code for certain instructions, op codes, or patterns, and includes scanning in real-time as the kernel or kernel module is loading while the code being scanned is not yet executing (i.e., it is not yet “on-line”). Analysis of other code proceeds according to policies.
Claims
exact text as granted — not AI-modified1 . A method of resisting malicious code in a computing device, comprising:
analyzing a software component corresponding to an operating system kernel, prior to executing the software component, to detect the presence of one or more specific instructions; and taking a graduated action in response to the detection of one or more specific instructions.
2 . The method of claim 1 , wherein the one or more specific instructions comprise one or more instructions to change a memory access permission.
3 . The method, of claim 1 , wherein the one or more specific instructions comprise one or more instructions to modify or turn off security monitoring software.
4 . The method of claim 1 , wherein taking graduated action comprises at least one of removing the detected one or more specific instructions from the kernel software limiting access to peripheral devices. limiting access to kernel certain functions and shutting the computing device down.
5 . The method of claim 1 , further comprising:
analyzing a software component corresponding to a user application, prior to executing the user application, to detect the presence of one or more specific instructions; and taking a graduated action in response to the detection of one or more specific instructions.
6 . The method of claim 1 , wherein the software component comprises a loadable module.
7 . The method of claim 1 , further comprising:
providing a first secure memory segment; and storing the software component corresponding to the operating system kernel in the first secure memory segment.
8 . The method of claim 7 , further comprising:
preventing the software component corresponding to the operating system kernel from being modified by processes running in a privilege mode or a user mode while the component is stored in the first secure memory segment.
9 . The method of claim 7 , further comprising:
providing a second secure memory segment, distinct from the first secure memory segment; and storing a software component corresponding to a security monitor, distinct from a hypervisor, in the second secure memory segment.
10 . The method of claim 9 , further comprising:
running the software component corresponding to a security monitor in a secure monitor Mode (SMM) having a higher privilege than a kernel mode and a user mode on the computing device.
11 . The method of claim 10 , wherein instructions to change a memory access permission may only be issued from a process running in secure monitor mode (SMM).
12 . The method of claim 9 , further comprising:
monitoring the software component corresponding to the operating system kernel using the security monitor.
13 . The method of claim 12 , wherein the monitoring step comprises:
detecting the presence of one or more specific instructions; and taking a graduated action in response to the detection of one or more specific instructions.
14 . The method of claim 9 , further comprising:
monitoring a software component corresponding to a user application using the security monitor.
15 . The method of claim 14 , wherein the monitoring step comprises:
detecting the presence of one or more specific instructions; and taking a graduated action in response to the detection of one or more specific instructions.
16 . A computing device, comprising:
a memory; and a processor coupled to the memory and configured with processor executable instructions to perform operations, comprising:
analyzing a software component corresponding to an operating system kernel, prior to executing the software component, to detect the presence of one or more specific instructions; and
taking a graduated action in response to the detection of one or more specific instructions.
17 . The device of claim 16 , wherein the one or more specific instructions comprise one or more instructions to change a memory access permission.
18 . The device of claim 16 , wherein the one or more specific instructions comprise one or more instructions to modify or turn off security monitoring software.
19 . The device of claim 16 , wherein taking graduated action comprises at least one of removing the detected one or more specific instructions from the kernel software, limiting access to peripheral devices limiting access to kernel certain functions and shutting the computing device down.
20 . The device of claim 16 , wherein the processor is-configured with processor executable instructions to perform operations further comprising:
analyzing a software component corresponding to a user application, prior to executing the user application, to detect the presence of one or more specific instructions; and taking a graduated action in response to the detection of one or more specific instructions.
21 . The device of claim 16 , wherein the software component comprises a loadable module.
22 . The device of claim 16 , wherein the processor is configured with processor-executable instructions to perform operations further comprising:
providing a first secure memory segment; and storing the software component corresponding to the operating system kernel in the first secure memory segment.
23 . The device of claim 22 , wherein the processor is configured with processor executable instructions to perform operations further comprising:
preventing the software component corresponding to the operating system, kernel from being modified by processes running in a privilege mode or a user mode while the component is stored-in the first secure memory segment.
24 . The device of claim 22 , wherein the processor is configured with processor-executable instructions to perform operations further comprising:
providing a-second secure memory segment, distinct from the first secure memory segment; and storing a software component corresponding to a security monitor, distinct from a hypervisor in the second secure memory segment.
25 . The device of claim 24 , wherein the processor is configured with processor-executable instructions to perform operations further comprising:
running the software component corresponding to a security monitor in a secure monitor mode (SMM) having a higher privilege than a kernel mode and a user mode on the computing device.
26 . The device of claim 24 , wherein instructions to change a memory access permission may only be issued from a process running in secure monitor mode (SMM).
27 . The device of claim 24 , wherein the processor is configured with processor-executable instructions to perform operations further comprising:
monitoring the software component corresponding to the operating system kernel using the security monitor.
28 . The device of claim 27 , wherein the monitoring comprises:
detecting the presence of one or more specific instructions; and taking a graduated :action in response to the detection of one or more specific instructions.
29 . The device of claim 24 , wherein the processor is configured with processor-executable instructions to perform operations further comprising:
monitoring a software component corresponding to a user application using the security monitor.
30 . The device of claim 29 , wherein the monitoring comprises:
detecting the presence of one or more specific instructions; and taking a graduated action in response to the detection of one or more specific instructions.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.