Method and system for protecting against the execution of unauthorized software
Abstract
In accordance with an embodiment of the present invention, a client device is protected against the execution of unauthorized software. The client includes a code authentication process that verifies the integrity of executable code, by generating and comparing a first hash value of the executable code with a known hash value of the original code. Furthermore, during boot-up, the client initializes a CPU exception vector table with one or more vector table entries. One or more, or all, of the vector table entries direct the CPU to execute the code authentication process prior to executing an event handler when an exception event occurs. Consequently, the code authentication process is virtually guaranteed to execute, thereby protecting against the execution of unauthorized code.
Claims
exact text as granted — not AI-modifiedWhat is being claimed is:
1. A method for providing security on a client device, the method being performed by one or more processors and comprising:
initializing an exception vector table, the exception vector table including comprising one or more vector table entries that each references a corresponding event handling routine that is used to process a corresponding exception event, wherein at least one vector table entry of the one or more vector table entries causes a code authentication process to be executed before a the corresponding event handling routine is executed;
in response to detecting an the corresponding exception event associated with the at least one vector table entry of the one or more vector table entries, executing the code authentication process to authenticate a portion of executable code stored in a memory resource, the code authentication process determining whether the portion of the executable code is authorized or unauthorized; and
in response to the code authentication process determining that the portion of the executable code is authorized, executing an the corresponding event handling routine corresponding to the at least one vector table entry of the one or more vector table entries.
2. The method of claim 1 , further comprising:
in response to the code authentication process determining that the portion of the executable code is unauthorized, preventing the execution of the corresponding event handling routine corresponding to the at least one vector table entry of the one or more vector table entries.
3. The method of claim 2 , further comprising:
in response to the code authentication process determining that the portion of the executable code is not authorized unauthorized, transmitting information about the determined unauthorized portion of the executable code determined to be unauthorized to a server over a network.
4. The method of claim 1 , further comprising:
maintaining status information indicating:
which portions of the executable code have been authenticated by the code authentication process, the portions of the executable code comprising the portion of the executable code; and
when the portions of the executable code have been authenticated by the code authentication process.
5. The method of claim 4 , wherein:
the code authentication process is executed to authenticate the portion of the executable code based, at least in part, on the maintained status information maintained.
6. The method of claim 1 , further comprising:
during a power-on procedure,:
(i) executing a system integrity authenticator to authenticate boot-loader code stored in a non-volatile memory resource, by determining that the boot-loader code is authorized; and
(ii) in response to the system integrity authenticator determining that the boot-loader code is authorized, loading a portion of the an operating system into the memory resource by executing the boot-loader code.
7. The method of claim 6 , wherein:
the exception vector table is initialized in response to executing the boot-loader code.
8. The method of claim 6 , wherein:
the system integrity authenticator also authenticates at least one of:
code corresponding the exception vector table; or
code corresponding to the code authentication process.
9. A client device comprising:
one or more memory resources; and
one or more processing resources coupled to the one or more memory resources, the one or more processing resources configured to:
initialize an exception vector table, the exception vector table including comprising one or more vector table entries that each references a corresponding event handling routine that is used to process a corresponding exception event, wherein at least one vector table entry of the one or more vector table entries causes a code authentication process to be executed before a the corresponding event handling routine is executed;
in response to detecting an the corresponding exception event associated with the at least one vector table entry of the one or more vector table entries, execute the code authentication process to authenticate a portion of executable code stored in the one or more memory resources, the code authentication process determining whether the portion of the executable code is authorized or unauthorized; and
in response to the code authentication process determining that the portion of the executable code is authorized, execute an the corresponding event handling routine corresponding to the at least one vector table entry of the one or more vector table entries.
10. The method client device of claim 9 , wherein:
the one or more processors processing resources are further configured to, in response to the code authentication process determining that the portion of the executable code is unauthorized, prevent the execution of the corresponding event handling routine corresponding to the at least one vector table entry of the one or more vector table entries.
11. The method client device of claim 10 , wherein:
the one or more processors processing resources are further configured to, in response to the code authentication process determining that the portion of the executable code is not authorized unauthorized, transmit information about the determined unauthorized portion of the executable code determined to be unauthorized to a server over a network.
12. The method client device of claim 9 , wherein:
the one or more processors processing resources are further configured to maintain status information indicating:
which portions of the executable code have been authenticated by the code authentication process, the portions of the executable code comprising the portion of the executable code; and
when the portions of the executable code have been authenticated by the code authentication process.
13. The method client device of claim 12 , wherein:
the one or more processors processing resources execute the code authentication process based, at least in part, on the maintained status information maintained.
14. The method client device of claim 9 , wherein:
the one or more processors processing resources are further configured to, during a power-on procedure,:
(i) execute a system integrity authenticator to authenticate boot-loader code stored in a non-volatile memory resource, by determining that the boot-loader code is authorized; and
(ii) in response to the system integrity authenticator determining that the boot-loader code is authorized, load a portion of the an operating system into the one or more memory resources by executing the boot-loader code.
15. The method client device of claim 14 , wherein:
the one or more processing resources initialize the exception vector table in response to executing the boot-loader code.
16. The method client device of claim 14 , wherein:
the system integrity authenticator also authenticates at least one of:
code corresponding the exception vector table; or
code corresponding to the code authentication process.
17. A non-transitory computer readable medium storing instructions that, when executed by one or more processors, causes cause the one or more processors to perform steps comprising:
initializing an exception vector table, the exception vector table including comprising one or more vector table entries that each references a corresponding event handling routine that is used to process a corresponding exception event, wherein at least one vector table entry of the one or more vector table entries causes a code authentication process to be executed before a the corresponding event handling routine is executed;
in response to detecting an the corresponding exception event associated with the at least one vector table entry of the one or more vector table entries, executing the code authentication process to authenticate a portion of executable code stored in a memory resource, the code authentication process determining whether the portion of the executable code is authorized or unauthorized; and
in response to the code authentication process determining that the portion of the executable code is authorized, executing an the corresponding event handling routine corresponding to the at least one vector table entry of the one or more vector table entries.
18. The non-transitory computer readable medium of claim 17 , further storing instructions that cause the one or more processors to,:
in response to the code authentication process determining that the portion of the executable code is not authorized, unauthorized:
(i) prevent the execution of the corresponding event handling routine corresponding to the at least one vector table entry, of the one or more vector table entries; and
(ii) transmit information about the determined unauthorized portion of the executable code determined to be unauthorized to a server over a network.
19. The non-transitory computer readable medium of claim 17 , further storing instructions that cause the one or more processors to:
maintain status information indicating:
which portions of the executable code have been authenticated by the code authentication process, the portions of the executable code comprising the portion of the executable code; and
when the portions of the executable code have been authenticated by the code authentication process.
20. The non-transitory computer readable medium of claim 19 , further storing instructions that cause the one or more processors to:
execute the code authentication process based, at least in part, on the maintained status information maintained.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.