Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 1 of 21
`
` 
`
` 
`
` 
`
` 
`
` 
`
` 
`
`Exhibit 15
`
`

`

`case 3:17-cv-os65-wHa Docume!ABTIKDLIIGATEUEALTTET TELAT
`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 2 of 21
`US006154844A
`
`United States Patent 15
`6,154,844
`[45] Date of Patent: Nov.28, 2000
`Touboulet al.
`
`
`
`[11] Patent Number:
`
`[54]
`
`SYSTEM AND METHOD FOR ATTACHING A
`DOWNLOADABLE SECURITY PROFILE TO
`A DOWNLOADABLE
`
`Primary Examiner—Robert W. Beausoliel, Jr.
`Assistant Examiner—Christopher A. Revak
`Attorney, Agent, or I’irm—Squire, Sanders & Dempsey,
`L.LP.
`
`[75]
`
`Inventors: Shlomo Touboul, Kefar-Haim;
`Nachshon Gal, Tel-Aviv, both of Israel
`
`[57]
`
`ABSTRACT
`
`[73] Assignee: Finjan Software, Ltd., San Jose, Calif.
`
`A system comprises an inspector and a protection engine.
`The inspector includes a content inspection engine that uses
`a set of rules to generate a Downloadable security profile
`corresponding to a Downloadable, e.g., Java™ applets,
`ActiveX™ controls, JavaScript™ scripts, or Visual Basic
`scripts. The content inspection engine links the Download-
`able security profile to the Downloadable. The set of rules
`may include a list of suspicious operations, or a list of
`suspicious code patterns. The first content inspection engine
`may link to the Downloadablea certificate that identifies the
`content inspection engine which created the Downloadable
`security profile. Additional content inspection engines may
`generate and link additional Downloadable security profiles
`to the Downloadable. Each additional Downloadable secu-
`rily profile may also include a certificate that identifies ils
`creating content inspection engine. Each content inspection
`engine preferably creates a Downloadable ID that identifies
`the Downloadable to which the Downloadable security
`profile corresponds. The protection includes a Download-
`able interceptor for receiving a Downloadable,afile reader
`§,077,677 12/1991 Murphyet al. oe 395/10
`coupled to the interceptor for determining whether the
`we. 380/4
`5,359,659
`10/1994 Rosenthal.......
`
`Downloadable includes a Downloadable security profile, an
`11/1994 Tajalli et al. oe 395/700
`§,361,359
`engine coupled to the file reader for determining whether to
`trust
`the Downloadable security profile, and a security
`policy analysis engine coupled to the verification engine for
`comparing the Downloadable sccurity profile against a secu-
`rity policy if the engine determines that the Downloadable
`securily profile is trustworthy. A Downloadable ID verifi-
`cation engine retrieves the Downloadable ID that identifies
`the Downloadable to which the Downloadable security
`profile corresponds, generates the Downloadable ID for the
`Downloadable and compares the generated Downloadable
`to the linked Downloadable. The protection engine further
`includes a certificate authenticator for authenticating the
`certificate that identifies a content inspection engine which
`created the Downloadable security profile as from a trusted
`source. The certificate authenticator can also authenticate a
`certificate that identifies a developer that created the Down-
`loadable.
`
`[21] Appl. No.: 08/995,648
`
`[22]
`
`Filed:
`
`Dec. 22, 1997
`
`Related U.S. Application Data
`Provisional application No. 60/030,639, Nov. 8, 1996.
`[60]
`Inte C07 occ ccceecccssssssaeecessssnessesssseesseesenee HO4L 9/36
`[SL]
`[52] U.S. Ch. oes 713/201; 714/38; 713/164
`[58] Field of Search oo...eee 713/201, 200,
`713/202, 164, 105, 166, 167, 176; 714/38,
`704, 207, 33; 709/229; 380/4, 25, 24; 705/51,
`54, 55
`
`[56]
`
`References Cited
`U.S. PATENT DOCUMENTS
`
`(List continued on next page.)
`OTHER PUBLICATIONS
`
`X.N. Zhang, “Secure Code Distribution,” Computer, pp.
`76-79, Jun. 1997.
`International
`IBM AntiVirus User’s Guide Version 2.4,
`Business Machines Corporation, Nov. 15, 1995, pp. 6-7.
`Jim K. Omura, “Novel Applications of Cryptography in
`Digital Communications”, IEEE Communications Maga-
`zinc, May, 1990; pp. 21-27.
`Norvin Leachet al, “IE 3.0 Applets Will Earn Certification”,
`PC Week,v13, 029, 1998, 2 pages.
`Microsoft Authenticode Technology, “Ensuring Account-
`ability and Authenticity for Software Components on the
`Internet”, Microsoft Corporation, Oct. 1996, including con-
`tents, Introduction and pp. 1-10.
`
`(List continued on next page.)
`
`44 Claims, 7 Drawing Sheets
`
`120Z
`125
`EVP. OPFR
`
`INSPECTOR 160
`
`
`
`170
`OQWLOAOABLE
`CONTENT [NSPECRION ENGINE
`
`EVELOPWEN: ENGINE
`165
`195
`
`
`
`
`
`RULES BASE||SIGNED
`ad
`INSPECTEC
` DEVELOPER CERTIFICATE
`DOWNLOADAALE
`
`SIGNED DOWSLOACABLE
`
`
`
`INSPECTOR CERTIFICATE}
`
`185
`WEB SERVER 190
`WES PAGE DATA
`
`
`
`
`
`
`
`NETWORIC GATOMAY
`L- rio
`NETWORK PROTECTION
`ENGINE.
`
`10 I4
`weecue]
`COMPUTER FRUIESION
`ENGINE
`
`
`BV
`
`
`
`TNTERNAL COMPUTER
`NEMWORK
`COMPUTER CLIENT
`
`
`
`115
`
`135
`
`
`
`FINJAN-JN 000001
`
`

`

`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 3 of 21
`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 3 of 21
`
`6,154,844
`
`Page 2
`
`U.S. PATENT DOCUMENTS
`
`11/1996 Judson...ceceeeeeteeees 395/793
`
`1/1996 Gupta et al. oe 395/186
`1/1996 Chess et al. 0 395/183.14
`
`5,485,409
`5,485,575
`5,572,643
`5,623,600
`..
`4/1997 Jietal.
`395/187.01
`5,638,446
`6/1997 Rubin oes
`ceeteeeeenenes 380/25
`5,692,047
`11/1997 McManis
`we. 380/4
`
`5,692,124
`11/1997 Holden et al
`395/187.01
`
`5,720,033
`2/1998 Deo oe
`.. 395/186
`
`5,724,425
`wo.
`ecseseeeeeee 380/25
`3/1998 Changet al.
`5,740,248
`woes
`ceeteteeeeee 380/25
`4/1998 Fieres et ab.
`
`5,761,421
`..
`. 395/200.53
`6/1998 van Hoff et al.
`
`5,765,205
`6/1998 Breslauetal. ........
`.. 711/203
`5,784,459
`7/1998 Devarakonda et al.
`oe 380/4
`5,796,952
`8/1998 Davis et al...
`.. 395/200.54
`5,805,829
`9/1998 Cohenet al. wc 395/200,32
`5,832,208
`11/1998 Chen et al. oe 395/187.01
`5,850,559
`12/1998 Angelo etal.
`.
`.. 395/750.03
`
`5,859,966
`1/1999 Hayman et al. eee 713/200
`
`5,864,683
`....
`1/1999 Boebertet al.
`395/200.79
`5,892,904
`..
`4/1999 Atkinsonet al.
`w 713/201
`
`5,956,481
`9/1999 Walsh et al.
`...
`«. 713/200
`
`5,974,549
`.. 713/200
`10/1999 Golan.....
`5,983,348 LL/1999 Ti cece ccececeescseeeeeeceeeeeesenes 713/200
`OTHER PUBLICATIONS
`
`
`
`Web Page, Article “Frequently Asked Questions About
`Authenticode”, Microsoft Corporation, last updated Feb. 17,
`1997, URL: http:/Avww.microsoft.com/workshop/security/
`authcode/signfaq.asp#9, pp. 1-13.
`
`http: //icl.ihs.com:80/cgi-bin/icl,,
`page:
`Web
`cgi?se...2ehts%26ViewTemplate% 3ddocview% Sfb%2ehts,
`Okamato, E. et al., “ID—Based Authentication System For
`Computer Virus Detection”, [EEE/IEE Electronic Library
`online, Electronics Letters, vol. 26,
`Issue
`15,
`ISSN
`0013-5194, Jul. 19, 1990, Abstract and pp. 1169-1170.
`“Finjan Announces a Personal Java™ Firewall for Web
`Browsers—the SurfinShield™ 1.6”, Press Release of Finjan
`Releases SurfinShield, Oct. 21, 1996, 2 pages.
`“Finjan Software Releases SurfinBoard, Industry’s First
`JAVA Security Product For the World Wide Web”, Article
`published on the Internet by Finjan Software, Ltd., Jul. 29,
`1996, 1 page.
`“Powerful PC Security for the New World of Java™ and
`Downloadables, Surfin Shield™” Article published on the
`Internet by Finjan Software Ltd., 1996, 2 pages.
`“Company Profile Finjan—Safe Surfing, The Java Security
`solutions Provider” Article published on the Internet by
`Finjan Software Ltd., Oct. 31, 1996, 3 pages.
`“Finjan Announces Major Power Boost and New Features
`for SurfinShield™ 2.0” Las Vegas Convention Center/Pa-
`villion 5 P5551, Nov. 18, 1996, 3 pages.
`“Java Security: Issues & Solutions” Article published on the
`Internet by Finjan Software Ltd., 1996, 8 pages.
`“Products” Article published on the Internet, 7 pages.
`Mark LaDue, “Online Business Consultant” Article pub-
`lished on the Internet, Home Page, Inc. 1996, 4 pages.
`
`FINJAN-JN 000002
`
`

`

`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 4 of 21
`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 4 of 21
`
`U.S. Patent
`
`Nov. 28, 2000
`
`Sheet 1 of 7
`
`6,154,844
`
`FIG.
`
`1
`
`io
`
`DEVELOPER
`
`INSPECTOR
`
`160
`
`DOWNLOADABLE
`DEVELOPMENT ENGINE
`
`155
`
`DEVELOPER CERTIFICATE
`
`CONTENT INSPECTION ENGINE
`165
`195
`
`RULES BASE
`
`SIGNED
`INSPECTED
`
`DOWNLOADABLE
`
`750
`
`170
`
`SIGNED DOWNLOADABLE
`
`INSPECTOR CERTIFICATE
`
`
`
`EXTERNAL
`
`COMPUTER NETWORK
`
`
`185
`105
`WEB SERVER 190
`
`
`
`WEB PAGE DATA
`135
`
`NETWORK GATEWAY
`
`
`
`NETWORK PROTECTION
`ENGINE
`
`115
`
`INTERNAL COMPUTER
`NETWORK
`
`COMPUTER CLIENT
`
`135
`
`ENGINE
`
`COMPUTER PROTECTION
`
`110
`
`FINJAN-JN 000003
`
`

`

`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 5 of 21
`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 5 of 21
`
`U.S. Patent
`
`Nov.28, 2000
`
`Sheet 2 of 7
`
`gee
`
`FOVINGINIGzeOstFOVYOLS“WNYGINIOIAIOJOVYOISVIVASNOLIYOINNWINOD
`
`
`
`
`
`OFTIavavOINMOGoce
`
`Oz!poneeneenceennaannennn;ozz|||{|l|
`
`gore7NSH
`
`
`
`INIONISNOLLYOINNNINODSSI
`
`
`
`INIONIIN3NdOT3A30JVOLSILN3OYad073A
`AIVOTSILNIOOl|SLVOIIILY30
`
`
`WAISASONILVYAd0CaN9IS
`
`YOLOISNIJIgyavoMo|Yad0713A30
`
`OL!GZ|940c|iaPamannnDo:
`S61COW
`ozeGeGo¢
`
`
`
`oleZ|Ma0vaNWSYO||ZOIAGGINaino||3010LNANIyossa00ud|Ole
`
`OS!,
`
`I|
`
`6,154,844
`
`09¢
`
`FIgvavOINMOG
`
`FINJAN-JN 000004
`
`
`

`

`
`ace asvasane|YIMoreWAISASONILvYad0oor
`
`
`
`
`0g!NOILO4dSNILNAINODS643103dSNIC3NIIS
`oopANIONSYOLOIdSNIOrtSNOLLVOINAWNODAIVOLIILYIO
`
`
`
`
`
`
`
`
`OL+Y4qVayWSYOJOTAIGIAdLNOJOIAIGIAdNI4YOSSIO0Ud
`clsxy“Old
`
`
`
`JOVYOLS“TWNYSLNIJOIAIGJNVYOLSVIVd
`
`
`
`Sol
`
`OcrSlySOP
`
`SNOILYOINNWNOD
`
`Oly
`
`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 6 of 21
`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 6 of 21
`
`U.S. Patent
`
`Nov.28, 2000
`
`Sheet 3 of 7
`
`
`
`6,154,844
`
`Gtr
`
`
`
`INIONGT1evavOINMOC
`
`FINJAN-JN 000005
`
`
`

`

`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 7 of 21
`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 7 of 21
`
`U.S. Patent
`
`Nov. 28, 2000
`
`Sheet 4 of 7
`
`6,154,844
`
`FIG. 5
`
`S
`
`DOWNLOADABLE FILE INTERCEPTOR
`
`229
`
`FILE READER
`
`910
`
`(7242
`
`CERTIFICATE AUTHENTICATOR[7°/9
`
`DOWNLOADABLE ID
`VERIFICATION ENGINE
`CONTENT INSPECTION ENGINE
`
`LOCAL SECURITY POLICY
`ANALYSIS ENGINE
`
`LOCAL SECURITY POLICIES
`
`RE-TRANSMISION ENGINE
`
`520
`
`[7°29
`
`530
`
`555
`
`FINJAN-JN 000006
`
`

`

`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 8 of 21
`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 8 of 21
`
`U.S. Patent
`
`Nov. 28, 2000
`
`Sheet 5 of 7
`
`6,154,844
`
`FIG. 6
`
`Ss600
`
`OBTAIN UNINSPECTED DOWNLOADABLE
`
`INCLUDE ALL COMPONENTS IN|,670
`AN ARCHIVE FILE
`
`ATTACH DEVELOPER CERTIFICATE TO THE FILE
`
`SEND FILE TO THE INSPECTOR
`
`620
`
`GENERATE DSP AND DOWNLOADABLE 1D)
`
`949
`
`ATTACH THE DSP AND DOWNLOADABLE ID TO FILE
`
`ATTACH THE INSPECTOR CERTIFICATE TO THE FILE
`
`650
`
`659
`
`
`
`
`
`
`
` ANOTHER
`
`CONTENT INSPECTION
`?
`
`NO
`
`FORWARD THE SIGNED INSPECTED DOWNLOADABLE
`TO THE WEB SERVER FOR DEPLOYMENT
`
`645
`
`FINJAN-JN 000007
`
`

`

`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 9 of 21
`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 9 of 21
`
`U.S. Patent
`
`Nov. 28, 2000
`
`Sheet 6 of 7
`
`6,154,844
`
`(sive) RECEIVE DOWNLOADABLE FILE~729
`
`FIG. 7 EXTRACT THE DOWNLOADABLEL-~770
`
`
`AUTHENTICATE THE DEVELOPER CERTIFICATE
`
`715
`
`0
`y
`
`720 PREVIOUSLY INSPECTED
`?
`
` AUTHENTICATE THE INSPECTOR CERTIFICATE
`
`
` ANOTHER DSP
`
`
`GENERATE. DSP ig
`
`EXTRACT THE DSP
`
`AUTHENTICATE THE DOWNLOADABLE ID
`
`
`
`ATTACHED
`2
`
`745
`
`A
`
`PASS ALL
`UTHENTICATION
`?
`
`THE ATTACHED DOWNLOADABLE
`
`
`YES
`
`755
`
`COMPARE DSP AGAINST LOCAL SECURITY POLICIES
`
`
`760
`
`PASS ALL
`NO—~SECURITY POLICIES
`
`
`9
`
` YES
`
`SEND NON-HOSTILE
`PASS THE DOWNLOADABLE
`DOWNLOADABLE 10
`
`INFORM THE CLIENT
`
`
`OF THE FAILURE
`
`
`770
`
`FINJAN-JN 000008
`
`

`

`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 10 of 21
`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 10 of 21
`
`Sheet 7 of 7
`
`Nov.28, 2000
`
`U.S. Patent
`
`0£8
`
`G8!
`
`S98068Gl8S08
`
`
`
`
`
`Y30VINWSYdJOIAIGLNdLAOJOIAILAdNIAdd
`
`So8OssSoe
`
`O18
`
`
`
`
`
`CFEWS3LSAS061WIV3OVd93MSOVRSINIINTLVYSd0
`
`
`JOVYOLSWNYIINIIOIAIJOVYOLSVIVGSNOTIVOINNWNOD
`
`
`
`
`
`6,154,844
`
`098
`
`
`
`INTONASNOTLVOINNWNOD
`
`0S809
`
`
`SNISNJYSANSS83MSI1aVavVOINMOC
`
`FINJAN-JN 000009
`
`
`

`

`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 11 of 21
`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 11 of 21
`
`6,154,844
`
`1
`SYSTEM AND METHOD FOR ATTACHING A
`DOWNLOADABLE SECURITY PROFILE TO
`A DOWNLOADABLE
`
`PRIORITY REFERENCE TO RELATED
`APPLICATIONS
`
`This application claims benefit of and hereby incorporates
`by reference provisional application Ser. No. 60/030,639,
`entitled “System and Method for Protecting a Computer
`from Hostile Downloadables,” filed on Nov. 8, 1996, by
`inventor Shlomo Touboul; patent application Ser. No.
`08/964,388, entitled “System and Method for Protecting a
`Computer and a Network from Hostile Downloadables,”
`filed on Nov. 6, 1997, by inventor Shlomo Touboul; and
`patent application Ser. No. 08/790,097,entitled “System and
`Method for Protecting a Client
`from Hostile
`Downloadables,” filed on Jan. 29, 1997, also by inventor
`Shlomo Touboul.
`
`10
`
`BACKGROUNDOF THE INVENTION
`
`1. Field of the Invention
`
`This invention relates generally to computer networks,
`and more particularly provides a system and method for
`attaching a Downloadable security profile to a Download-
`able to facilitate the protection of computers and networks
`from a hostile Downloadable.
`
`2. Description of the Background Art
`The Internet is currently a collection of over 100,000
`individual computer networks owned by governments,
`universities, nonprofit groups and companies,and is expand-
`ing at an accelerating rate. Because the Internet is public, the
`Internet has become a major source of many system dam-
`aging and system fatal application programs, commonly
`referred to as “viruses.”
`
`Accordingly, programmers continue to design computer
`and computer network security systems for blocking these
`viruses from attacking both individual and network com-
`puters. On the most part, these security systems have been
`relatively successful. However, these security systems are
`not configured to recognize computer viruses which have
`been attached to or configured as Downloadable application
`programs, commonly referred to as “Downloadables.” A
`Downloadable is an executable application program, which
`is downloaded from a source computer and run on the
`destination computer. A Downloadableis typically requested
`by an ongoing process such as by an Internet browser or web
`client. Examples of Downloadables include Java™ applets
`designed for use in the Java™
`distributing environment
`developed by Sun Microsystems,Inc., JavaScript™ scripts
`also developed by Sun Microsystems, Inc., ActiveX™ con-
`trols designed for use in the ActiveX™distributing envi-
`ronment developed by the Microsoft Corporation, and
`Visual Basic also developed by the Microsoft Corporation.
`Downloadables may also include plugins, which add to the
`functionality of an already existing application program.
`‘Therefore, a system and method are needed to protect a
`network from hostile Downloadables.
`
`
`
`SUMMARYOF THE INVENTION
`
`The present invention provides systems for protecting a
`network from suspicious Downloadables, e.g., Java™
`applets, ActiveX™ controls, JavaScript™ scripts, or Visual
`Basic scripts. The network system includes an inspector for
`linking Downloadable security profiles to a Downloadable,
`and a protection engine for examining the Downloadable
`
`40
`
`45
`
`;
`
`60
`
`2
`and Downloadable security profiles to determine whether or
`not to trust the Downloadable security profiles.
`The inspector includes a content inspection engine that
`uses a set of rules to generate a Downloadable security
`profile corresponding to a Downloadable. The content
`inspection engine links the Downloadable security profile to
`the Downloadable. The set of rules may include a list of
`suspicious operations, or a list of suspicious code patterns.
`The first content inspection engine may link to the Down-
`loadable a certificate that identifies the content inspection
`engine which created the Downloadable security profile.
`The system may include additional content
`inspection
`engines for generating and linking additional Downloadable
`security profiles to the Downloadable. Each additional
`Downloadable security profile may also includea certificate
`that identifies its creating content inspection engine. Each
`content inspection engine may create a Downloadable ID
`that identifies the Downloadable to which the Downloadable
`
`security profile corresponds.
`The protection engine includes a Downloadable intercep-
`tor for receiving a Downloadable, a file reader coupled to the
`interceptor for determining whether the Downloadable
`includes a Downloadable security profile, an engine coupled
`to the file reader for determining whether to trust
`the
`Downloadable security profile, and a security policy analy-
`sis engine coupled to the verification engine for comparing
`the Downloadable security profile against a security policy
`if the engine determines that the Downloadable security
`profile is trustworthy. The engine preferably determines
`whetherthe first Downloadable security profile corresponds
`to the Downloadable. The system preferably includes a
`Downloadable ID verification engine for retrieving a Down-
`loadable ID that identifies the Downloadable to which the
`
`Downloadable security profile corresponds. To confirm the
`correspondence between the Downloadable security profile
`and the Downloadable,
`the Downloadable ID verification
`engine generates the Downloadable ID for the Download-
`able and compares the generated Downloadableto the linked
`Downloadable. The system may also include a content
`inspection engine for generating a Downloadable security
`profile for the Downloadable if the first Downloadable
`security profile is not
`trustworthy. The system further
`includes a certificate authenticator for authenticating a cer-
`tificate that
`identifies a content
`inspection engine which
`created the Downloadable security profile as from a trusted
`source. The certificate authenticator can also authenticate a
`
`certificate that identifies a developer that created the Down-
`loadable.
`
`invention provides a method in a first
`The present
`embodiment comprising the steps of receiving a
`Downloadable, generating a first Downloadable security
`profile for the received Downloadable, and linking the first
`Downloadable security profile to the Downloadable. The
`present invention further provides a method in a second
`embodiment comprising the steps of receiving a Download-
`able with a linked first Downloadable security profile, deter-
`mining whether to trust the first Downloadable security
`profile, and comparing the first Downloadable security pro-
`file against the security policy if the first Downloadable
`security profile is trustworthy
`It will be appreciated that the system and method of the
`present invention may provide computer protection from
`known hostile Downloadables. The system and method of
`the present
`invention may identify Downloadables that
`perform operations deemed suspicious. The system and
`method of the present invention may examine the Down-
`loadable code to determine whether the code contains any
`
`FINJAN-JN 000010
`
`

`

`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 12 of 21
`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 12 of 21
`
`6,154,844
`
`3
`suspicious operations, and thus may allow or block the
`Downloadable accordingly.
`It will be appreciated that,
`because the system and method of the present invention link
`a verifiable Downloadable security profile to a
`Downloadable, the system and method may avoid decom-
`posing the Downloadable into the Downloadable security
`profile on the fly.
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`4
`Downloadable 150 received from the developer 120, for
`generating a Downloadable Security Profile (DSP) based on
`a rules base 165 for the Downloadable, and for attaching the
`DSP to the Downloadable. A DSP preferably includesa list
`of all potentially hostile or suspicious computer operations
`that may be attempted by the Downloadable, and may also
`include the respective arguments of these operations. Gen-
`erating a DSP includes searching the Downloadable code for
`any pattern, which is undesirable or suggests that the code
`was written by a hacker. The content inspection engine 160
`preferably performs a fall-content
`inspection.
`It will be
`appreciated that generating a DSP mayalso include com-
`paring a Downloadable against Downloadables which Origi-
`nal Equipment Manufacturers (OEMs) knowto be hostile,
`Downloadables which OEMs knowto be non-hostile, and
`Downloadables previously examined by the content inspec-
`tion engine 160. Accordingly, the rules base may include a
`list of operations and code patterns deemed suspicious,
`known hostile Downloadables, knownviruses,etc.
`
`10
`
`15
`
`An Example List of Operations Deemed Suspicious
`
`FIG. 1 is a block diagram illustrating a network system in
`accordance with the present invention;
`FIG. 2 is a block diagram illustrating details of an
`example inspected Downloadable of FIG. 1;
`FIG. 3 is a block diagram illustrating details of a devel-
`oper of FIG. 1;
`FIG. 4 is a block diagram illustrating details of an
`inspector of FIG. 1;
`FIG. 5 is a block diagram illustrating details of a generic
`protection engine of FIG. 1;
`FIG. 6 is a flowchart illustrating a method for attaching a
`Downloadable security profile to a Downloadable in accor-
`File operations: READafile, WRITE a file, DELETE a
`dance with the present invention;
`file, RENAMEa file;
`FIG. 7 is a flowchart illustrating a method for examining
`Network operations: LISTEN on a socket, CONNECTto
`a Downloadable in accordance with the present invention;
`a socket, SEND data, RECEIVE data, VIEW INTRANET;
`and
`Registry operations: READaregistry item, WRITE a
`FIG. 8 is a block diagram illustrating details of the web
`registry item;
`server of FIG. 1.
`Operating system operations: EXIT WINDOWS, EXIT
`BROWSER, START PROCESS/THREAD, KILL
`PROCESS/THREAD, CHANGE PROCESS/THREAD
`PRIORITY, DYNAMICALLY LOAD A CLASS/
`LIBRARY, etc.; and
`Resource usage thresholds: memory, CPU,graphics,etc.
`Further, the content inspection engine 160 generates and
`attaches a Downloadable ID to the Downloadable. The
`Downloadable ID is typically stored as part of the DSP, since
`multiple DSPs may be attached to a Downloadable and each
`may have a different Downloadable ID. Preferably, to gen-
`erate a Downloadable ID, the content inspection engine 160
`computesa digital hash of the complete Downloadable code.
`The content inspection engine 160 preferably prefetches all
`components embodied in or identified by the code for
`Downloadable ID generation. For example,
`the content
`inspection engine 160 mayprefetch all classes embodied in
`or identified by the Java™ applet bytecode, and then may
`perform a predetermined digital hash on the Downloadable
`code (and the retrieved components) to generate the Down-
`loadable ID. Similarly, the content inspection engine 160
`may retrieve all components listed in the INF file for an
`ActiveX™ control
`to compute a Downloadable ID.
`Accordingly, the Downloadable ID for the Downloadable
`will be the same each time the content inspection engine 160
`(or a protection engineas illustrated in FIG. 5) receives the
`same Downloadable and applies the same digital hash
`function. The downloadable components need not be stored
`with the Downloadable, but can be retrieved before each use
`or Downloadable ID generation.
`Generating a DSP and generating a Downloadable ID are
`described in great detail with reference to the patent appli-
`cation Ser. No. 08/964,388, entitled “System and Method for
`Protecting a Computer and a Network from Hostile
`Downloadables,”filed on Nov. 6, 1997, by inventor Shlomo
`Touboul, which has been incorporated byreference above.
`After performing content inspection, the inspector 125
`attaches an inspector certificate 170 to the Downloadable.
`The inspectorcertificate 170 verifies the authenticity of the
`
`DETAILED DESCRIPTION OF THE
`PREFERRED EMBODIMENT
`
`FIG. 1 is a block diagram illustrating a computer network
`system 100 in accordance with the present invention. The
`computer network system 100 includes an external computer
`network 105, such as the Wide Area Network (WAN)
`commonly referred to as the Internet, coupled via a network
`gateway 110 to an internal computer network 115, such as a
`Local Area Network (LAN) commonlyreferred to as an
`intranet. The network system 100 further includes a devel-
`oper 120 coupled to the external computer network 105, an
`tospector 125 also coupled to the external computer network
`105, a web server 185 also coupled to the external computer
`network 105, and a computer client 130 coupled to the
`internal computer network 115. One skilled in the art will
`recognize that connections to external or internal network
`systems are merely exemplary, and alternative embodiments
`may have other connections. Further, although the developer
`120, inspector 125 and web server 185 are being described
`as distinct sites, one skilled in the art will recognize that
`these elements may be a part of an integral site, may each
`include components of multiple sites, or may include com-
`binations of single and multiple sites.
`The developer 120 includes a Downloadable development
`engine 140 for generating a signed (yet uninspected) Down-
`loadables 150. The developer 120 may obtain an unin-
`spected Downloadable or mayinitially use the Download-
`able development engine 140 to generate an uninspected
`Downloadable. The developer 120 can then use the Down-
`loadable development engine 140 to transmit
`the signed
`Downloadable to the inspector 125 for hostility inspection.
`The developer 120 includes a developer certificate 155,
`which the Downloadable development engine 140 attaches
`to each uninspected Downloadableso that the inspector 125,
`the network gateway 110 and the computer client 130 can
`authenticate the developer 120.
`The inspector 125 includes a content inspection engine
`160 for examining a received Downloadable, e.g., the signed
`
`;
`
`40
`
`45
`
`5
`
`60
`
`65
`
`FINJAN-JN 000011
`
`

`

`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 13 of 21
`Case 3:17-cv-05659-WHA Document 111-14 Filed 06/15/18 Page 13 of 21
`
`6,154,844
`
`5
`DSPattached to the Downloadable. Details of an example
`signed inspected Downloadable 150 arc illustrated and
`described with reference to FIG. 2. The inspector 125 then
`transmits the signed inspected Downloadable 195 to the web
`server 185 for addition to web page data 190 and web page
`deployment. Accordingly, the computer client 130 includes
`a web client 175 for accessing the web page data 190
`provided by the web server 185. As is knowninthe art, upon
`recognition of a Downloadable call,
`the web client 175
`requests the web server 185 to forward the corresponding
`Downloadable. The web server 185 then transmits the
`
`Downloadable via the network gateway 110 to the computer
`client 130.
`
`The network gateway 110 includes network protection
`engine 135, and the computer client 130 includes a computer
`protection engine 180. Both the network protection engine
`135 and the computer protection engine 180 examine all
`incoming Downloadables and stop all Downloadables
`deemed suspicious.It will be appreciated that a Download-
`able is deemed suspiciousif it performs or may perform any
`undesirable operation, or if it threatens or may threaten the
`integrity of any computer component.It is to be understood
`that
`the term “suspicious” includes hostile, potentially
`hostile, undesirable, potentially undesirable, etc. Thus, if the
`incoming Downloadable includes a signed inspected Down-
`loadable 195, then the network protection engine 135 and
`the computer protection engine 180 can review the attached
`certificates to verify the authenticity of the DSP. If the
`incoming Downloadable doesnot include a signed inspected
`Downloadable 195,
`then each of the network protection
`engine 135 and the computer protection engine 180 must
`generate the DSP, and compare the DSP against
`local
`security policies (535, FIG. 5).
`Components and operation of the network protection
`engine 135 and the computer protection engine 180 are
`described in greater detail with reference to FIG. 5. It will be
`appreciated that the network gateway 110 may include the
`components described in the patent-application Ser. No.
`08/964,388, entitled “System and Method for Protecting a
`Computer and a Network from Hostile Downloadables,”
`filed on Nov. 6, 1997, by inventor Shlomo Touboul, which
`has been incorporated by reference above. It will be further
`appreciated that the computer protection engine 180 may
`include the components described in the patent application
`Ser. No. 08/790,097, entitled “System and Method for
`Protecting a Client from Hostile Downloadables,” filed on
`Jan. 29, 1997, also by inventor Shlomo Touboul.
`It will be appreciated that the network system 100 may
`include multiple inspectors 125, wherein each inspector 125
`mayprovide a different content inspection. For example, one
`inspector 125 may examine for suspicious operations,
`another inspector 125 may examine for known virusesthat
`maybe attached to the Downloadable 150, etc. Each inspec-
`tor 125 would attach a corresponding DSPanda certificate
`verifying the authenticity of the attached DSP. Alternatively,
`a single inspector 125 mayinclude multiple content inspec-
`tion engines 160, wherein each engine provides a different
`content inspection.
`FIG. 2 is a block diagram illustrating details of a signed
`inspected Downloadable 195, which includes a Download-
`able 205, a developer certificate 155, a DSP 215 which
`includes a Downloadable ID 220, and an inspector certifi-
`cate 170. The Downloadable 205 includes the downloadable
`and executable code that a web client 175 receives and
`executes. The Downloadable 205 may be encrypted using
`the developer’s private key. The attached developercertifi-
`cate 155 may include the developer’s public key, the devel-
`
`6
`oper’s name, an expiration date of the key, the name of the
`certifying authority that issucd the certificate, and a scrial
`oumber. The signed Downloadable 150 comprises the
`Downloadable 205 and the developer certificate 155. The
`DSP 215 and Downloadable ID 220 maybe encrypted by the
`inspector’s private key. The Downloadable ID 220is illus-
`trated as part of the DSP 215 for simplicity, since each
`signed inspected Downloadable 195 mayinclude multiple
`DSPs 215 (and each DSP 215 mayinclude a separate and
`distinct Downloadable ID 220). The inspector certificate 170
`may include the inspector’s public key, an expiration date of
`the key, the nameof the certifying authority that issued the
`certificate, and a Ser. No.
`Although the signed inspected Downloadable 195 illus-
`trates the DSP 215 (and Downloadable ID 220) as an
`attachment, one skilled in the art will recognize that the DSP
`215 can be linked to the Downloadable 205 using other
`techniques. For example, the DSP 215 can be stored in the
`network system 100, and alternatively a pointer to the DSP
`215 can be attached to the signed inspected Downloadable
`195. The term “linking” herein will be used to indicate an
`association between the Downloadable 205 and the DSP 215
`(including using a pointer from the Downloadable 195to the
`DSP 215, attaching the DSP 215 to the Downloadable 205,
`etc.)
`FIG. 3 is a block diagram illustrating details of the
`developer 120, which includes a processor 305, such as an
`Intel Pentium® microprocessor or a Motorola Power PC®
`microprocessor, coupled to a signal bus 310. ‘he developer
`120 further includes an input device 315 such as a keyboard
`and mouse, an output device 320 such as a Cathode Ray
`Tube (CRT) display, a data storage device 330 such as a
`magnetic disk, and an internal storage 335 such as Random-
`Access Memory (RAM), each coupled to the signal bus 310.
`Acommunications interface 325 couples the signal bus 325
`to the external computer network 105, as shown in FIG. 1.
`An operating system 350 controls processing by processor
`305, and is typically stored in the data storage device 330
`and loaded into internal storage 335 (as illustrated) for
`execution by processor 305. The Downloadable develop-
`ment engine 140 generates signed Downloadables 150 as
`described above, and also may be stored in the data storage
`device 330 and loaded into internal storage 335 (as
`illustrated) for execution by processor 305. The data storage
`device 330 stores the signed Downloadables 150 and the
`developer certificate 155. A communications engine 360
`controls communications via the communications interface
`
`325 with the external computer network 105, and also may
`be stored in the data storage device 330 and loaded into
`internal storage 335(asillustrated) for execution by proces-
`sor 305.
`
`Oneskilled in the art will understand that the developer
`120 may also include additional information, such as net-
`work connections, additional memory, additional
`processors, LANs, input/output lines for transferring infor-
`mation across a hardware channe