System and method for inspecting dynamically generated executable code

US 20070136811A1
Filed: 12/12/2005
Published: 06/14/2007
Est. Priority Date: 12/12/2005
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a client computer from dynamically generated malicious content, comprising:

receiving at a gateway computer content being sent to a client computer for processing, the content including a call to an original function, and the call including an input;

modifying the content at the gateway computer, comprising replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection;

transmitting the modified content from the gateway computer to the client computer;

processing the modified content at the client computer;

transmitting the input to the security computer for inspection when the substitute function is invoked;

determining at the security computer whether it is safe for the client computer to invoke the original function with the input;

transmitting an indicator of whether it is safe for the client computer to invoke the original function with the input, from the security computer to the client computer; and

invoking the original function at the client computer with the input, only if the indicator received from the security computer indicates that such invocation is safe.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for protecting a client computer from dynamically generated malicious content, including receiving at a gateway computer content being sent to a client computer for processing, the content including a call to an original function, and the call including an input, modifying the content at the gateway computer, including replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection, transmitting the modified content from the gateway computer to the client computer, processing the modified content at the client computer, transmitting the input to the security computer for inspection when the substitute function is invoked, determining at the security computer whether it is safe for the client computer to invoke the original function with the input, transmitting an indicator of whether it is safe for the client computer to invoke the original function with the input, from the security computer to the client computer, and invoking the original function at the client computer with the input, only if the indicator received from the security computer indicates that such invocation is safe. A system and a computer-readable storage medium are also described and claimed.

59 Citations

View as Search Results

69 Claims

1. A method for protecting a client computer from dynamically generated malicious content, comprising:
- receiving at a gateway computer content being sent to a client computer for processing, the content including a call to an original function, and the call including an input;
  
  modifying the content at the gateway computer, comprising replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection;
  
  transmitting the modified content from the gateway computer to the client computer;
  
  processing the modified content at the client computer;
  
  transmitting the input to the security computer for inspection when the substitute function is invoked;
  
  determining at the security computer whether it is safe for the client computer to invoke the original function with the input;
  
  transmitting an indicator of whether it is safe for the client computer to invoke the original function with the input, from the security computer to the client computer; and
  
  invoking the original function at the client computer with the input, only if the indicator received from the security computer indicates that such invocation is safe.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 further comprising modifying the input at the security computer if the input itself includes a call to a second original function with a second input, comprising replacing the call to the second original function with a corresponding call to a second substitute function, the second substitute function being operational to send the second input to the security computer for inspection, and wherein said transmitting an indicator comprises transmitting the modified input from the security computer to the client computer.
  - 3. The method of claim 1 wherein said modifying the content further comprises inserting a definition of the substitute function into the content.
  - 4. The method of claim 1 wherein said modifying the content further comprises inserting a link to a definition of the substitute function into the content.
  - 5. The method of claim 1 wherein the substitute function is of the general form
  - 6. The method of claim 1 wherein the gateway computer is the same computer as the security computer.
  - 7. The method of claim 1 wherein the gateway computer is a different computer than the security computer.
  - 8. The method of claim 1 further comprising transmitting an ID of the client computer to the security computer, and wherein said transmitting an indicator uses the ID of the client computer to direct the transmission to the client computer.
  - 9. The method of claim 1 further comprising:
    - suspending processing of the modified content by the client computer after said transmitting the input to the security computer; and
      
      resuming processing of the modified content by the client computer after the client computer receives the indicator from the security computer.
  - 10. The method of claim 1 further comprising recording information about the input in an event log when said determining determines that it is not safe for the client computer to invoke the original function with the input.
  - 11. The method of claim 1 wherein said determining further comprises:
    - scanning the input to derive a security profile thereof;
      
      retrieving a security policy for the client computer; and
      
      comparing the derived security profile with the retrieved security policy.

12. A system for protecting a client computer from dynamically generated malicious content, comprising:
- a gateway computer, comprising;
  
  a gateway receiver for receiving content being sent to a client computer for processing, the content including a call to an original function, and the call including an input;
  
  a content modifier for modifying the received content by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection; and
  
  a gateway transmitter for transmitting the modified content from the gateway computer to said client computer;
  
  a security computer, comprising;
  
  a security receiver for receiving the input from said client computer;
  
  an input inspector for determining whether it is safe for said client computer to invoke the original function with the input; and
  
  a security transmitter for transmitting an indicator of the determining to said client computer; and
  
  a client computer communicating with said gateway computer and with said security computer, comprising;
  
  a client receiver for receiving the modified content from said gateway computer, and for receiving the indicator from said security computer;
  
  a content processor for processing the modified content, and for invoking the original function only if the indicator indicates that such invocation is safe; and
  
  a client transmitter for transmitting the input to said security computer for inspection, when the substitute function is invoked.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12 wherein said security computer further comprises an input modifier for modifying the input if the input itself includes a call to a second original function with a second input, by replacing the call to the second original function with a corresponding call to a second substitute function, the second substitute function being operational to send the second input to said security computer for inspection, and wherein said security transmitter also transmits the modified input to the client computer.
  - 14. The system of claim 12 wherein said content modifier inserts a definition of the substitute function into the content.
  - 15. The system of claim 12 wherein said content modifier inserts a link to a definition of the substitute function into the content.
  - 16. The system of claim 12 wherein the substitute function is of the general form
  - 17. The system of claim 12 wherein the gateway computer is the same computer as the security computer.
  - 18. The system of claim 12 wherein the gateway computer is a different computer than the security computer.
  - 19. The system of claim 12 wherein said client transmitter also transmits an ID of said client computer, and wherein said security transmitter uses the ID to direct its transmission to the client computer.
  - 20. The system of claim 12 wherein said content processor (i) suspends processing of the modified content after said client transmitter transmits the input to said security computer, and (ii) resumes processing of the modified content after said client receiver receives the indicator from said security computer.
  - 21. The system of claim 12 wherein said security computer further comprises an event logger for recording information about the input in an event log when said content inspector determines that it is not safe for said client computer to invoke the original function with the input.
  - 22. The system of claim 12 wherein said input inspector further comprises:
    - a content scanner for scanning the input to derive a security profile thereof;
      
      a policy manager for obtaining a security policy for the client computer; and
      
      a profile evaluator for comparing the derived security profile with the obtained security policy.

23. A computer-readable storage medium storing program code for causing at least one computing device to:
- receive content including a call to an original function, and the call including an input;
  
  replace the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection, thereby generating modified content;
  
  process the modified content;
  
  transmit the input for inspection, when the substitute function is invoked while processing the modified content, and suspend processing of the modified content;
  
  determine whether it is safe for a computer to invoke the original function with the input;
  
  transmit an indicator of whether it is safe to invoke the original function with the input; and
  
  resume processing of the modified content after receiving the indicator, and invoke the original function with the input only if the indicator indicates that such invocation is safe.

24. A method for protecting a client computer from dynamically generated malicious content, comprising:
- receiving content being sent to a client computer for processing, the content including a call to an original function, and the call including an input;
  
  modifying the content, comprising replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection; and
  
  transmitting the modified content to the client computer for processing.
- View Dependent Claims (25, 26, 27)
- - 25. The method of claim 24 wherein said modifying the content further comprises inserting a definition of the substitute function into the content.
  - 26. The method of claim 24 wherein said modifying the content further comprises inserting a link to a definition of the substitute function into the content.
  - 27. The method of claim 24 wherein the substitute function is of the general form

28. A system for protecting a client computer from dynamically generated malicious content, comprising:
- a receiver for receiving content being sent to a client computer for processing, the content including a call to an original function, and the call including an input;
  
  a content modifier for modifying the received content by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection; and
  
  a transmitter for transmitting the modified content to the client computer.
- View Dependent Claims (29, 30, 31)
- - 29. The system of claim 28 wherein said content modifier inserts a definition of the substitute function into the content.
  - 30. The system of claim 28 wherein said content modifier inserts a link to a definition of the substitute function into the content.
  - 31. The system of claim 28 wherein the substitute function is of the general form

32. A computer-readable storage medium storing program code for causing a computing device to:
- receive content including a call to an original function, and the call including an input; and
  
  replace the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection.

33. A method for protecting a client computer from dynamically generated malicious content, comprising:
- receiving content being sent to a client computer for processing, the content including a call to an original function, and the call including an input;
  
  modifying the content, comprising replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection;
  
  transmitting the modified content to the client computer for processing;
  
  receiving the input from the client computer;
  
  determining whether it is safe for the client computer to invoke the original function with the input; and
  
  transmitting to the client computer an indicator of whether it is safe for the client computer to invoke the original function with the input.
- View Dependent Claims (34, 35, 36, 37, 38, 39)
- - 34. The method of claim 33 further comprising modifying the input if the input itself includes a call to a second original function with a second input, comprising replacing the call to the second original function with a corresponding call to a second substitute function, the second substitute function being operational to send the second input for inspection, and wherein said transmitting an indicator comprises transmitting the modified input to the client computer.
  - 35. The method of claim 33 wherein said modifying the content further comprises inserting a definition of the substitute function into the content.
  - 36. The method of claim 33 wherein said modifying the content further comprises inserting a link to a definition of the substitute function into the content.
  - 37. The method of claim 33 wherein the substitute function is of the general form
  - 38. The method of claim 33 further comprising recording information about the input in an event log when said determining determines that it is not safe for the client computer to invoke the original function with the input.
  - 39. The method of claim 33 wherein said determining further comprises:
    - scanning the input to derive a security profile thereof;
      
      retrieving a security policy for the client computer; and
      
      comparing the derived security profile with the retrieved security policy.

40. A system for protecting a client computer from dynamically generated malicious content, comprising:
- a receiver (i) for receiving content being sent to a client computer for processing, the content including a call to an original function, and the call including an input, and (ii) for receiving the input from the client computer;
  
  a content modifier for modifying the received content by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection;
  
  an input inspector for determining whether it is safe for the client computer to invoke the original function with the input; and
  
  a transmitter (i) for transmitting the modified content to the client computer, and (ii) for transmitting an indicator of the determining to the client computer.
- View Dependent Claims (41, 42, 43, 44, 45, 46)
- - 41. The system of claim 40 further comprising an input modifier for modifying the input if the input itself includes a call to a second original function with a second input, by replacing the call to the second original function with a corresponding call to a second substitute function, the second substitute function being operational to send the second input for inspection, and wherein said transmitter also transmits the modified input to the client computer.
  - 42. The system of claim 40 wherein said content modifier inserts a definition of the substitute function into the content.
  - 43. The system of claim 40 wherein said content modifier inserts a link to a definition of the substitute function into the content.
  - 44. The system of claim 40 wherein the substitute function is of the general form
  - 45. The system of claim 40 further comprising an event logger for recording information about the input in an event log when said content inspector determines that it is not safe for the client computer to invoke the original function with the input.
  - 46. The system of claim 40 wherein said input inspector comprises:
    - a content scanner for scanning the input to derive a security profile thereof;
      
      a policy manager for obtaining a security policy for the client computer; and
      
      a profile evaluator for comparing the derived security profile with the obtained security policy.

47. A computer-readable storage medium storing program code for causing a computing device to:
- receive content including a call to an original function, and the call including an input;
  
  replace the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection; and
  
  determine whether it is safe for a computer to invoke the original function with the input.

48. A method for protecting a computer from dynamically generated malicious content, comprising:
- processing content received over a network, the content including a call to a first function, and the call including an input;
  
  transmitting the input to a security computer for inspection, when the first function is invoked;
  
  receiving from the security computer an indicator of whether it is safe to invoke a second function with the input; and
  
  invoking the second function with the input, only if the indicator indicates that such invocation is safe.
- View Dependent Claims (49)
- - 49. The method of claim 48 further comprising:
    - suspending processing of the content after said transmitting the input to the security computer; and
      
      resuming processing of the content after said receiving the indicator from the security computer.

50. A system for protecting a computer from dynamically generated malicious content, comprising:
- a content processor (i) for processing content received over a network, the content including a call to a first function, and the call including an input, and (ii) for invoking a second function with the input, only if a security computer indicates that such invocation is safe;
  
  a transmitter for transmitting the input to the security computer for inspection, when the first function is invoked; and
  
  a receiver for receiving an indicator from the security computer whether it is safe to invoke the second function with the input.
- View Dependent Claims (51)
- - 51. The system of claim 50 wherein said content processor (i) suspends processing of the content after said transmitter transmits the input to the security computer, and (ii) resumes processing of the modified content after said receiver receives the indicator from the security computer.

52. A computer-readable storage medium storing program code for causing a computing device to:
- process content received over a network, the content including a call to a first function, and the call including an input;
  
  transmit the input for inspection, when the first function is invoked, and suspend processing of the content;
  
  receive an indicator of whether it is safe to invoke a second function with the input; and
  
  resume processing of the content after receiving the indicator, and invoke the second function with the input only if the indicator indicates that such invocation is safe.

53. A method for protecting a client computer from dynamically generated malicious content, comprising:
- receiving an input from a client computer;
  
  determining whether it is safe for the client computer to invoke a function with the input; and
  
  transmitting an indicator of said determining to the client computer.
- View Dependent Claims (54, 55, 56, 57, 58, 59, 60)
- - 54. The method of claim 53 further comprising modifying the input if the input includes a call to an original function, the call having an input, comprising replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection, and wherein said transmitting an indicator comprises transmitting the modified input to the client computer.
  - 55. The method of claim 54 wherein said modifying the input further comprises inserting a definition of the substitute function into the input.
  - 56. The method of claim 54 wherein said modifying the input further comprises inserting a link to a definition of the substitute function into the input.
  - 57. The method of claim 54 wherein the substitute function is of the general form
  - 58. The method of claim 53 further comprising receiving an ID of the client computer, and wherein said transmitting an indicator uses the ID to direct the transmission to the client computer.
  - 59. The method of claim 53 further comprising recording information about the input in an event log when said determining determines that it is not safe for the client computer to invoke the original function with the input.
  - 60. The method of claim 53 wherein said determining further comprises:
    - scanning the input to derive a security profile thereof;
      
      retrieving a security policy for the client computer; and
      
      comparing the derived security profile with the retrieved security policy.

61. A system for protecting a client computer from dynamically generated malicious content, comprising:
- a receiver for receiving an input from a client computer;
  
  an input inspector for determining whether it is safe for the client computer to invoke a function with the input; and
  
  a transmitter for transmitting an indicator of the determining to the client computer.
- View Dependent Claims (62, 63, 64, 65, 66, 67, 68)
- - 62. The system of claim 61 further comprising an input modifier for modifying the input if the input includes a call to an original function, the call having an input, by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection, and wherein said transmitter also transmits the modified input to the client computer.
  - 63. The system of claim 62 wherein said input modifier inserts a definition of the substitute function into the input.
  - 64. The system of claim 62 wherein said input modifier inserts a link to a definition of the substitute function into the input.
  - 65. The system of claim 62 wherein the substitute function is of the general form
  - 66. The system of claim 61 wherein said receiver also receives an ID of the client computer, and wherein said transmitter uses the ID to direct its transmission to the client computer.
  - 67. The system of claim 61 further comprising an event logger for recording information about the input in an event log when said input inspector determines that it is not safe for the client computer to invoke the function with the input.
  - 68. The system of claim 61 wherein said input inspector further comprises:
    - a content scanner for scanning the input to derive a security profile thereof;
      
      a policy manager for obtaining a security policy for the client computer; and
      
      a profile evaluator for comparing the derived security profile with the obtained security policy.

69. A computer-readable storage medium storing program code for causing a computing device to:
- receive an input from a computer;
  
  determine whether it is safe for the computer to invoke a function with the input; and
  
  transmit an indicator of the determination to the computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finjan Holdings, Inc. (SoftBank Group Corp.)
Original Assignee
Finjan, Inc. (SoftBank Group Corp.)
Inventors
Ben-Itzhak, Yuval, Gruzman, David

Granted Patent

US 7,757,289 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/562   Static detection

G06F 2221/2129   Authenticate client device ...

G06F 2221/2147   Locking files

System and method for inspecting dynamically generated executable code

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

59 Citations

69 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for inspecting dynamically generated executable code

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

69 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links