News Column

Patent Issued for Computer Security System and Method

July 22, 2014



By a News Reporter-Staff News Editor at Life Science Weekly -- According to news reporting originating from Alexandria, Virginia, by NewsRx journalists, a patent by the inventors Kargman, James B. (Chicago, IL); Scott, Peter (Boulder, CO); Bromberger, Jeffrey (Omaha, NE), filed on April 22, 2013, was published online on July 8, 2014 (see also Secure Vector).

The assignee for this patent, patent number 8775802, is Secure Vector (Chicago, IL).

Reporters obtained the following quote from the background information supplied by the inventors: "Computer security is becoming an increasingly important issue as more and more reliance is placed on computers to manage important information. The increasing threat of viruses has required that systems provide adequate protection against both known and unknown threats.

"The present system and method for providing computer security relate primarily to the Microsoft Windows®-based operating system platforms, including, but not limited to, Windows XP®, Windows Vista®, Windows 7®, Windows 8®, Windows Server 2008®, and Windows Server 2012®, which are tied to the Intel®, Itanium®, and AMD® processors with an Intel 8086®-based or RISC-based instruction set, register, and memory configurations. The present system and method particularly relate to both the 32-bit and the 64-bit versions of these operating systems in which more robust features are provided. However, the principles established herein do not specifically require Windows or the specific hardware platforms noted above, and the invention is not to be construed as so limiting. Numerous other embodiments are contemplated.

"In the 32-bit Windows architectures, an application running in user-mode can chain (patch) into a system call table via a known user-mode application program interface (API). The problem with this approach is that a malicious application can chain into the system call table and from there easily infect almost any part of the system.

"In the 64-bit version of Windows, a feature called the Kernel Patch Protection (KPP), (informally known as 'PatchGuard') was implemented that does not allow alteration of the operating system code itself, making the system more secure and less vulnerable to malicious code. However, since some useful programs rely on patching the OS in order to work properly, these applications do not work on the 64-bit version.

"For both the 32-bit and the 64-bit versions of Windows, anti-virus and anti-spyware software is needed, since it is possible to install programs that can give an attacker access to, and control over, the system, merely by clicking on a link in an e-mail or by visiting a malicious website containing malware.

"Conventional anti-virus and anti-malware software relies on signatures, or specific attributes of malware to detect viruses and malware and to defend against them. Such signatures could be, e.g., a specific series of instructions or a data field that is consistent across copies of the virus payload. However, new so-called 'polymorphic' and automatically self-modifying malware can get around these protections by changing their signature dynamically. Criminal enterprises have formed and are currently using these techniques to invade Windows-based systems and steal passwords and account information; in some cases such techniques have been used to steal hundreds of thousands of dollars using online banking credentials that were stolen.

"Furthermore, the zero-day problem also negates signature-based anti-virus and anti-malware solutions. The zero-day problem is the day on which a virus or malicious software is first introduced into the general population. On the first day, no analysis has been performed on the threat and no potential signatures have been identified and provided in the anti-virus program databases.

"Previous attempts to protect against this sort of malware have been based on a separate area of memory or physical disk where all changes to the system are recorded and mapped to the 'actual' files, so that changes are not committed to the actual system files, but rather the temporary image of those files. However, these systems have significant limitations in their ability to function, and some cannot function at all on the 64-bit platform because of their reliance on using routines that can be considered security risks.

"What is needed is a kernel-mode product for both 32-bit and 64-bit Windows platforms which allows users to selectively isolate processes from sensitive areas in the operating system. The important components that are protected through isolation may include the file system, the system registry, named pipe and mail slot access, socket-based connections, and port communications.

"Port based accesses may be filtered for isolated processes. The actions which isolated processes can perform over these ports, such as asking the caller about the connections, not registering any ports which can be used for call back from the outside, etc. can be provided as well."

In addition to obtaining background information on this patent, NewsRx editors also obtained the inventors' summary information for this patent: "The following acronyms are used in this application.

"Table of Acronyms

"ACE: Access Control Entry (a Microsoft-defined protection mechanism)
AMD: Advanced Micro Devices (company)
API: application program interface
CM: configuration manager
DACL: discretionary access control list
FAT: file allocation table (older file system for Microsoft Windows)
FS: file system
FSD: file system driver
GUID: globally unique identifier
IO or I/O: input/output
KPP: Kernel Patch Protection (Microsoft Windows 64-bit version feature, informally known as 'PatchGuard')
LPC: local procedure call
MSDN: Microsoft Developer's Network
NPFS: named pipe file system
NTFS: (Windows) NT file system
PDF: Portable Document Format (defined by Adobe)
RAM: random-access memory
RFM: Registry Filtering Model (defined by Microsoft Windows)
RISC: reduced instruction set computer
ROM: read-only memory
RPC: remote procedure call
SSDT: System Service Descriptor Table (defined by Microsoft Windows)

"Based on the above background discussion, and in accordance with various embodiments of the invention discussed in more detail below, a method is provided for protecting a computer system, comprising: attaching a security descriptor to a process running on a processor of the computer system that has been previously started; associating with the security descriptor an isolation indicator that, by itself, indicates the process is to run in an isolation mode, thereby rendering it as an isolated process, the isolated process running with non-isolated processes in a common environment; calling a kernel routine by the isolated process that is also callable by a process that is not running in isolation mode; attempting to write to an object of a disk or a registry by the kernel routine called by the isolated process; determining, by a filter driver running in kernel mode, whether the kernel routine is requesting the write on behalf of the isolated process or a non-isolated process; if the write is requested on behalf of the isolated process, then performing the write in a pseudo storage area; and if the write is requested on behalf of the non-isolated process, then performing the write in an actual storage area in which the disk, registry, or other actual system or process data resides;

"wherein if the requested write is a first object write, then copying the object from the actual storage area to the pseudo storage area; assigning a first process group to the process; creating an additional group process within the first process group; performing a first determination by an application programming interface (API) that the additional group process is within the first process group, and as a result of the first determination, causing the additional group process to inherit and duplicate a handle of the process.

"A method is also provided for protecting a computer system, comprising: attaching a security descriptor to a process running on a processor of the computer system that has been previously started; associating with the security descriptor an isolation indicator that, by itself, indicates the process is to run in an isolation mode, thereby rendering it as an isolated process, the isolated process running with non-isolated processes in a common environment; calling a kernel routine by the isolated process that is also callable by a process that is not running in isolation mode; attempting to write to an object of a disk or a registry by the kernel routine called by the isolated process; determining, by a filter driver running in kernel mode, whether the kernel routine is requesting the write on behalf of the isolated process or a non-isolated process; if the write is requested on behalf of the isolated process, then performing the write in a pseudo storage area; and if the write is requested on behalf of the non-isolated process, then performing the write in an actual storage area in which the disk, registry, or other actual system or process data resides; wherein if the requested write is a first object write, then copying the object from the actual storage area to the pseudo storage area; utilizing a communication element that allows inter-process communication between the process and another process within a first process group, but blocks inter-process communication between the process and a further process that is not within the first process group.

"Finally, a method is provided for protecting a computer system, comprising: attaching a security descriptor to a process running on a processor of the computer system that has been previously started; associating with the security descriptor an isolation indicator that, by itself, indicates the process is to run in an isolation mode, thereby rendering it as an isolated process, the isolated process running with non-isolated processes in a common environment; calling a kernel routine by the isolated process that is also callable by a process that is not running in isolation mode; attempting to write to an object of a disk or a registry by the kernel routine called by the isolated process; determining, by a filter driver running in kernel mode, whether the kernel routine is requesting the write on behalf of the isolated process or a non-isolated process; if the write is requested on behalf of the isolated process, then performing the write in a pseudo storage area; and if the write is requested on behalf of the non-isolated process, then performing the write in an actual storage area in which the disk, registry, or other actual system or process data resides; wherein if the requested write is a first object write, then copying the object from the actual storage area to the pseudo storage area; providing a user mode library for patching import and export tables for isolated process groups to prevent isolated processes from performing calls into system application program interface routines that could allow the isolated processes to modify, control, or terminate a non-isolated process or a process from a different process group."

For more information, see this patent: Kargman, James B.; Scott, Peter; Bromberger, Jeffrey. Computer Security System and Method. U.S. Patent Number 8775802, filed April 22, 2013, and published online on July 8, 2014. Patent URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=8775802.PN.&OS=PN/8775802RS=PN/8775802

Keywords for this news article include: Software, Secure Vector.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC

Source: Life Science Weekly