System and method for inspecting dynamically generated executable code

US 7,757,289 B2
Filed: 12/12/2005
Issued: 07/13/2010
Est. Priority Date: 12/12/2005
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method for protecting a computer from dynamically generated malicious content, comprising:

receiving at a gateway computer content being sent to a client computer for processing, the content including a call to an original function, and the call including an input;

modifying the content at the gateway computer, comprising replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection;

transmitting the modified content from the gateway computer to the client computer;

processing the modified content at the client computer;

transmitting the input to the security computer for inspection when the substitute function is invoked;

modifying the input at the security computer if the input itself includes a call to a second original function with a second input by replacing the call to the second original function with a corresponding call to a second substitute function, the second substitute function being operational to send the second input to the security computer for inspections;

determining at the security computer whether it is safe for the client computer to invoke the original function;

transmitting the modified input from the security computer to the client computer, if the input was modified;

transmitting an indicator of whether it is safe for the client computer to invoke the original function, from the security computer to the client computer; and

invoking the original function at the client computer, only if the indicator received from the security computer indicates that such invocation is safe.

View all claims

7 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

A method for protecting a client computer from dynamically generated malicious content, including receiving at a gateway computer content being sent to a client computer for processing, the content including a call to an original function, and the call including an input, modifying the content at the gateway computer, including replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection, transmitting the modified content from the gateway computer to the client computer, processing the modified content at the client computer, transmitting the input to the security computer for inspection when the substitute function is invoked, determining at the security computer whether it is safe for the client computer to invoke the original function with the input, transmitting an indicator of whether it is safe for the client computer to invoke the original function with the input, from the security computer to the client computer, and invoking the original function at the client computer with the input, only if the indicator received from the security computer indicates that such invocation is safe. A system and a computer-readable storage medium are also described and claimed.

26 Citations

View as Search Results

46 Claims

1. A method for protecting a computer from dynamically generated malicious content, comprising:
- receiving at a gateway computer content being sent to a client computer for processing, the content including a call to an original function, and the call including an input;
  
  modifying the content at the gateway computer, comprising replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection;
  
  transmitting the modified content from the gateway computer to the client computer;
  
  processing the modified content at the client computer;
  
  transmitting the input to the security computer for inspection when the substitute function is invoked;
  
  modifying the input at the security computer if the input itself includes a call to a second original function with a second input by replacing the call to the second original function with a corresponding call to a second substitute function, the second substitute function being operational to send the second input to the security computer for inspections;
  
  determining at the security computer whether it is safe for the client computer to invoke the original function;
  
  transmitting the modified input from the security computer to the client computer, if the input was modified;
  
  transmitting an indicator of whether it is safe for the client computer to invoke the original function, from the security computer to the client computer; and
  
  invoking the original function at the client computer, only if the indicator received from the security computer indicates that such invocation is safe.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein said modifying the content further comprises inserting a definition of the substitute function into the content.
  - 3. The method of claim 1 wherein said modifying the content further comprises inserting a link to a definition of the substitute function into the content.
  - 4. The method of claim 1 wherein the gateway computer is the same computer as the security computer.
  - 5. The method of claim 1 wherein the gateway computer is a different computer than the security computer.
  - 6. The method of claim 1 further comprising transmitting an ID of the client computer to the security computer, and wherein said transmitting an indicator uses the ID of the client computer to direct the transmission to the client computer.
  - 7. The method of claim 1 further comprising:
    - suspending processing of the modified content by the client computer after said transmitting the input to the security computer; and
      
      resuming processing of the modified content by the client computer after the client computer receives the indicator from the security computer.
  - 8. The method of claim 1 further comprising recording information about the input in an event log when said determining determines that it is not safe for the client computer to invoke the original function.
  - 9. The method of claim 1 wherein said determining further comprises:
    - scanning the input to derive a security profile thereof;
      
      retrieving a security policy for the client computer; and
      
      comparing the derived security profile with the retrieved security policy.

10. A system for protecting a computer from dynamically generated malicious content, comprising:
- a gateway computer, comprising;
  
  a gateway receiver for receiving content being sent to a client computer for processing, the content including a call to an original function, and the call including an input;
  
  a content modifier for modifying the received content by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input to a security computer for inspection; and
  
  a gateway transmitter for transmitting the modified content from the gateway computer to the client computer;
  
  the security computer, comprising;
  
  a security receiver for receiving the input from the client computer;
  
  an input modifier for modifying the input if the input itself includes a call to a second original function with a second input by replacing the call to the second original function with a corresponding call to a second substitute function, the second substitute function being operational to send the second input to the security computer for inspections;
  
  an input inspector for determining whether it is safe for the client computer to invoke the original function; and
  
  a security transmitter for transmitting the modified input to the client computer, if the input was modified by said input modifier, and for transmitting an indicator of the determining to the client computer; and
  
  a client computer communicating with said gateway computer and with said security computer, comprising;
  
  a client receiver for receiving the modified content from said gateway computer, for receiving the modified input, if the input was modified by said input modifier, and for receiving the indicator from said security computer;
  
  a content processor for processing the modified content, and for invoking the original function only if the indicator indicates that such invocation is safe; and
  
  a client transmitter for transmitting the input to said security computer for inspection, when the substitute function is invoked.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10 wherein said content modifier inserts a definition of the substitute function into the content.
  - 12. The system of claim 10 wherein said content modifier inserts a link to a definition of the substitute function into the content.
  - 13. The system of claim 10 wherein the gateway computer is the same computer as the security computer.
  - 14. The system of claim 10 wherein the gateway computer is a different computer than the security computer.
  - 15. The system of claim 10 wherein said client transmitter also transmits an ID of said client computer, and wherein said security transmitter uses the ID to direct its transmission to the client computer.
  - 16. The system of claim 10 wherein said content processor (i) suspends processing of the modified content after said client transmitter transmits the input to said security computer, and (ii) resumes processing of the modified content after said client receiver receives the indicator from said security computer.
  - 17. The system of claim 10 wherein said security computer further comprises an event logger for recording information about the input in an event log when said input inspector determines that it is not safe for said client computer to invoke the original function.
  - 18. The system of claim 10 wherein said input inspector further comprises:
    - a content scanner for scanning the input to derive a security profile thereof;
      
      a policy manager for obtaining a security policy for the client computer; and
      
      a profile evaluator for comparing the derived security profile with the obtained security policy.

19. A method for protecting a computer from dynamically generated malicious content, comprising:
- receiving content being sent to the computer for processing, the content including a call to an original function, and the call including an input;
  
  modifying the content, comprising replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection;
  
  modifying the input if the input itself includes a call to a second original function with a second input by replacing the call to the second original function with a corresponding call to a second substitute function, the second substitute function being operational to send the second input to the security computer for inspections;
  
  transmitting the modified content to the computer for processing; and
  
  transmitting the modified input to the computer, if the input was modified.
- View Dependent Claims (20, 21)
- - 20. The method of claim 19 wherein said modifying the content further comprises inserting a definition of the substitute function into the content.
  - 21. The method of claim 19 wherein said modifying the content further comprises inserting a link to a definition of the substitute function into the content.

22. A system for protecting a computer from dynamically generated malicious content, comprising:
- a receiver for receiving content being sent to the computer for processing, the content including a call to an original function, and the call including an input;
  
  a content modifier for modifying the received content by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection;
  
  an input modifier for modifying the input if the input itself includes a call to a second original function with a second input by replacing the call to the second original function with a corresponding call to a second substitute function, the second substitute function being operational to send the second input to the security computer for inspections;
  
  a transmitter for transmitting the modified content and the modified input, if modified by said input modifier, to the computer.
- View Dependent Claims (23, 24)
- - 23. The system of claim 22 wherein said content modifier inserts a definition of the substitute function into the content.
  - 24. The system of claim 22 wherein said content modifier inserts a link to a definition of the substitute function into the content.

25. A method for protecting a computer from dynamically generated malicious content, comprising:
- receiving content being sent to the computer for processing, the content including a call to an original function, and the call including an input;
  
  modifying the content, comprising replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection;
  
  transmitting the modified content to the computer for processing;
  
  receiving the input from the computer;
  
  modifying the input if the input itself includes a call to a second original function with a second input by replacing the call to the second original function with a corresponding call to a second substitute function, the second substitute function being operational to send the second input to the security computer for inspections;
  
  determining whether it is safe for the computer to invoke the original function;
  
  transmitting the modified input to the computer, if the input was modified; and
  
  transmitting to the computer an indicator of whether it is safe for the computer to invoke the original function.
- View Dependent Claims (26, 27, 28, 29)
- - 26. The method of claim 25 wherein said modifying the content further comprises inserting a definition of the substitute function into the content.
  - 27. The method of claim 25 wherein said modifying the content further comprises inserting a link to a definition of the substitute function into the content.
  - 28. The method of claim 25 further comprising recording information about the input in an event log when said determining determines that it is not safe for the computer to invoke the original function.
  - 29. The method of claim 25 wherein said determining further comprises:
    - scanning the input to derive a security profile thereof;
      
      retrieving a security policy for the computer; and
      
      comparing the derived security profile with the retrieved security policy.

30. A system for protecting a computer from dynamically generated malicious content, comprising:
- a receiver (i) for receiving content being sent to the computer for processing, the content including a call to an original function, and the call including an input, and (ii) for receiving the input from the computer;
  
  a content modifier for modifying the received content by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection;
  
  an input modifier for modifying the input if the input itself includes a call to a second original function with a second input, by replacing the call to the second original function with a corresponding call to a second substitute function, the second substitute function being operational to send the second input for inspection;
  
  an input inspector for determining whether it is safe for the computer to invoke the original function; and
  
  a transmitter (i) for transmitting the modified content to the computer, (ii) for transmitting the modified input to the computer, if the input was modified by said input modifier, and (iii) for transmitting an indicator of the determining to the computer.
- View Dependent Claims (31, 32, 33, 34)
- - 31. The system of claim 30 wherein said content modifier inserts a definition of the substitute function into the content.
  - 32. The system of claim 30 wherein said content modifier inserts a link to a definition of the substitute function into the content.
  - 33. The system of claim 30 further comprising an event logger for recording information about the input in an event log when said input inspector determines that it is not safe for the computer to invoke the original function.
  - 34. The system of claim 30 wherein said input inspector comprises:
    - a content scanner for scanning the input to derive a security profile thereof;
      
      a policy manager for obtaining a security policy for the computer; and
      
      a profile evaluator for comparing the derived security profile with the obtained security policy.

35. A method for protecting a computer from dynamically generated malicious content, comprising:
- receiving an input from the computer;
  
  modifying the input if the input includes a call to an original function, the call having an input by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspections;
  
  determining whether it is safe for the computer to invoke a function with the input;
  
  transmitting the modified input to the computer, if the input was modified; and
  
  transmitting an indicator of said determining to the computer.
- View Dependent Claims (36, 37, 38, 39, 40)
- - 36. The method of claim 35 wherein said modifying the input further comprises inserting a definition of the substitute function into the input.
  - 37. The method of claim 35 wherein said modifying the input further comprises inserting a link to a definition of the substitute function into the input.
  - 38. The method of claim 35 further comprising receiving an ID of the computer, and wherein said transmitting an indicator uses the ID to direct the transmission to the computer.
  - 39. The method of claim 35 further comprising recording information about the input in an event log when said determining determines that it is not safe for the computer to invoke a function with the input.
  - 40. The method of claim 35 wherein said determining further comprises:
    - scanning the input to derive a security profile thereof;
      
      retrieving a security policy for the computer; and
      
      comparing the derived security profile with the retrieved security policy.

41. A system for protecting a computer from dynamically generated malicious content, comprising:
- a receiver for receiving an input from the computer;
  
  an input modifier for modifying the input if the input includes a call to an original function, the call having an input, by replacing the call to the original function with a corresponding call to a substitute function, the substitute function being operational to send the input for inspection;
  
  an input inspector for determining whether it is safe for the computer to invoke a function with the input; and
  
  a transmitter for transmitting the modified input, if modified by said input modifier, and an indicator of the determining to the computer.
- View Dependent Claims (42, 43, 44, 45, 46)
- - 42. The system of claim 41 wherein said input modifier inserts a definition of the substitute function into the input.
  - 43. The system of claim 41 wherein said input modifier inserts a link to a definition of the substitute function into the input.
  - 44. The system of claim 41 wherein said receiver also receives an ID of the computer, and wherein said transmitter uses the ID to direct its transmission to the computer.
  - 45. The system of claim 41 further comprising an event logger for recording information about the input in an event log when said input inspector determines that it is not safe for the computer to invoke a function with the input.
  - 46. The system of claim 41 wherein said input inspector further comprises:
    - a content scanner for scanning the input to derive a security profile thereof;
      
      a policy manager for obtaining a security policy for the computer; and
      
      a profile evaluator for comparing the derived security profile with the obtained security policy.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Finjan Holdings, Inc. (SoftBank Group Corp.)
Original Assignee
Finjan, Inc. (SoftBank Group Corp.)
Inventors
Ben-Itzhak, Yuval, Gruzman, David
Primary Examiner(s)
Pich; Ponnoreay

Application Number

US11/298,475
Publication Number

US 20070136811A1
Time in Patent Office

1,674 Days
Field of Search

726/22, 726/24, 726/25
US Class Current

726/24
CPC Class Codes

G06F 21/562   Static detection

G06F 2221/2129   Authenticate client device ...

G06F 2221/2147   Locking files

System and method for inspecting dynamically generated executable code

First Claim

7 Assignments

Litigations

1 Petition

Accused Products

Abstract

26 Citations

46 Claims

Specification

Use Cases

Quick Links

Others

System and method for inspecting dynamically generated executable code

First Claim

7 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

46 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others