Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 1 of 21
`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 1 of 21
`
`
`
`
`
`EXHIBIT 1
`EXHIBIT 1
`
`
`
`
`
`
`
`
`
`
`
`
`
`

`

`case 2:17-0v-05659-wHA DocumeFMI RIFTTARACTAEACAT
`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 2 of 21
`US006154844A
`
`United States Patent
`
`[19]
`
`[11] Patent Number:
`
`6,154,844
`[45] Nov. 28, 2000
`Date of Patent:
`Touboul etal.
`
`
`
`[54]
`
`SYSTEM AND METHOD FOR ATTACHING A
`DOWNLOADABLE SECURITY PROFILE TO
`A DOWNLOADABLE
`
`Primary Examiner—Robert W. Beausoliel, Jr.
`Assistant Examiner—Christopher A. Revak
`Attorney, Agent, or Firm—Squire, Sanders & Dempsey,
`L.LP.
`
`[75]
`
`Inventors: Shlomo Touboul, Kefar-Haim;
`Nachshon Gal, Tel-Aviv, both of Israel
`
`[57]
`
`ABSTRACT
`
`[73] Assignee: Finjan Software, Ltd., San Jose, Calif.
`
`[21] Appl. No.: 08/995,648
`
`[22]
`
`Filed:
`
`Dec. 22, 1997
`
`A system comprises an inspector and a protection engine.
`The inspector includes a content inspection engine that uses
`a set of rules to generate a Downloadable security profile
`corresponding to a Downloadable, e.g., Java™ applets,
`ActiveX™ controls, JavaScript™ scripts, or Visual Basic
`scripts. The content inspection engine links the Download-
`able security profile to the Downloadable. The set of rules
`Related U.S. Application Data
`may include a list of suspicious operations, or a list of
`[60]
`Provisional application No. 60/030,639, Nov. 8, 1996.
`suspicious code patterns. Thefirst content inspection engine
`[SD]
`Tint, C07 occcceseseeeeccccesssneeeseesssssnneneeeees HO4L 9/36
`maylink to the Downloadableacertificate that identifies the
`[52]
`713/201; 714/38; 713/164
`
`content inspection engine which created the Downloadable
`security profile. Additional content inspection engines may
`[58] Field of Search occ 713/201, 200,
`generate and link additional Downloadable security profiles
`713/202, 164, 165, 166, 167, 176; 714/38,
`to the Downloadable. Each additional Downloadable secu-
`704, 207, 33; 709/229; 380/4, 25, 24; 705/51,
`rity profile may also include a certificate that identifies its
`54, 55
`creating content inspection engine. Each content inspection
`engine preferably creates a Downloadable ID that identifies
`the Downloadable to which the Downloadable security
`profile corresponds. The protection includes a Download-
`able interceptor for receiving a Downloadable,afile reader
`5,077,677 12/1991 Murphyet al. oe 395/10
`
`coupled to the interceptor for determining whether the
`5,359,659
`10/1994 Rosenthal.......
`Downloadable includes a Downloadable security profile, an
`11/1994 Tajalli et al. oe 395/700
`5,361,359
`engine coupled to the file reader for determining whether to
`trust
`the Downloadable security profile, and a security
`policy analysis engine coupled to the verification engine for
`comparing the Downloadable security profile against a secu-
`rity policy if the engine determines that the Downloadable
`security profile is trustworthy. A Downloadable ID verifi-
`cation engine retrieves the Downloadable ID that identifies
`the Downloadable to which the Downloadable security
`profile corresponds, generates the Downloadable ID for the
`Downloadable and compares the generated Downloadable
`to the linked Downloadable. The protection engine further
`includes a certificate authenticator for authenticating the
`certificate that identifies a content inspection engine which
`created the Downloadable security profile as from a trusted
`source. The certificate authenticator can also authenticate a
`certificate that identifies a developer that created the Down-
`loadable.
`
`[56]
`
`References Cited
`U.S. PATENT DOCUMENTS
`
`(List continued on next page.)
`OTHER PUBLICATIONS
`
`X.N. Zhang, “Secure Code Distribution,” Computer, pp.
`76-79, Jun. 1997.
`IBM AntiVirus User’s Guide Version 2.4, International
`Business Machines Corporation, Nov. 15, 1995, pp. 6-7.
`Jim K. Omura, “Novel Applications of Cryptography in
`Digital Communications”, IEEE Communications Maga-
`zine, May, 1990; pp. 21-27.
`Norvin Leachet al, “IE 3.0 Applets Will Earn Certification”,
`PC Week, v13, n29, 1998, 2 pages.
`Microsoft Authenticode Technology, “Ensuring Account-
`ability and Authenticity for Software Components on the
`Internet”, Microsoft Corporation, Oct. 1996, including con-
`tents, Introduction and pp. 1-10.
`
`(List continued on next page.)
`
`44 Claims, 7 Drawing Sheets
`
`100
`120
`, 126
`
`BCVTLOPER
`140
`INSPECTOR 160
`
`170
`
`CONTENT [NSPECTION ENGINE
`OOHNLOADABLE
`
`EVELOPMEN: ENGINE
`
`
` INSPECTOR CERTIFICATE]
`165
`195
`
`
`
`RUIFS RASE|)SIGNED
`Pad
`INSPECTED
`DEVELOPER CERTIFICATE
`
`DOWNLOADAALE
`
`150
`
`
`SIGNED DOWNLOADABLE
`
`
`wescLEnt}
`180 I
`
`
`COMPUTER CLIENT
`
`138
`
`
`COMPUTER FROILCTION
`ENGINE
`
`185
`
`BCERNAL
`105
`yee SERVER 190
`WES PAGE DATA
`
`COMPUTER NETWORK,
`
`
`
`
`158
`j
`NETWORK GATEWAY
`[- 110
`NETWORK PROTECTION
`
`
`
`iENGINE
`
`
`115
`
`TNTERNAL CCMPUTER
`NETWORK,
`
`

`

`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 3 of 21
`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 3 of 21
`
`6,154,844
`Page 2
`
`U.S. PATENT DOCUMENTS
`
`http://iel.ihs.com:80/cgi-bin/iel,
`page:
`Web
`cgi?se...2ehts%26ViewTemplate% 3ddocview% 5fb%2ehts,
`5,485,409
`1/1996 Gupta et al. eee 395/186
`Okamato, E. et al., “ID-Based Authentication System For
`1/1996 Chess et al.
`...
`. 395/183.14
`5,485,575
`Computer Virus Detection”, IEEE/IEE Electronic Library
`11/1996 Judson oe
`eeseeeetenceeceeeeneee 395/793
`5,572,643
`
`online, Electronics Letters, vol. 26,
`Issue
`15,
`ISSN
`5,623,600
`4/1997 Jietal.
`...
`. 395/187.01
`
`5,638,446 6/1997 RUBIN oeeeceeteteeecneeeeeeene 380/25
`
`0013-5194, Jul. 19, 1990, Abstract and pp. 1169-1170.
`
`5,692,047 ......itceeseeeecteeeneceeeee 380/411/1997 MecMamis
`
`
`
`“Finjan Announces a Personal Java™ Firewall for Web
`11/1997 Holdenet al.
`.
`. 395/187.01
`5,692,124
`
`Browsers—the SurfinShield™ 1.6”, Press Release of Finjan
`5,720,033=2/1998 Deo oo. eseccseectecessenceeceeseneee 395/186
`
`Releases SurfinShield, Oct. 21, 1996, 2 pages.
`w 380/25
`5,724,425
`3/1998 Changet al.
`..
`
`“Finjan Software Releases SurfinBoard, Industry’s First
`4/1998 Fieres etal. .......
`w- 380/25
`5,740,248
`
`JAVA Security Product For the World Wide Web”, Article
`. 395/200.53
`5,761,421
`6/1998 van Hoff et al.
`..
`
`published on the Internet by Finjan Software, Ltd., Jul. 29,
`6/1998 Breslau et al. oc...
`eeeeeeee 711/203
`5,765,205
`
`oes 380/4
`7/1998 Devarakondaet al.
`5,784,459
`1996, 1 page.
`
`8/1998 Davis et al. wien 395/200.54
`5,796,952
`
`“Powerful PC Security for the New World of Java™ and
`9/1998 Cohen et al. wee 395/200.32
`5,805,829
`Downloadables, Surfin Shield™” Article published on the
`
`11/1998 Chen et al. vee 395/187.01
`5,832,208
`Internet by Finjan Software Ltd., 1996, 2 pages.
`
`12/1998 Angelo et al. ue 395/750.03
`5,850,559
`“Company Profile Finjan—Safe Surfing, The Java Security
`1/1999 Hayman et al. wee 713/200
`5,859,966
`5,864,683
`1/1999 Boebert et al. we 395/200.79
`solutions Provider” Article published on the Internet by
`oo.
`eee ee 713/201
`5,892,904
`4/1999 Atkinson et al.
`Finjan Software Ltd., Oct. 31, 1996, 3 pages.
`
`..
`. 713/200
`5,956,481
`9/1999 Walsh et al.
`“Finjan Announces Major Power Boost and New Features
`. 713/200
`5,974,549
`10/1999 Golan.........
`
`for SurfinShield™ 2.0” Las Vegas Convention Center/Pa-
`11/1999 Ji sesstusitnsisvisiisitnsinsien 713/200
`5,983,348
`villion 5 P5551, Nov. 18, 1996, 3 pages.
`OTHER PUBLICATIONS
`“Java Security: Issues & Solutions” Article published on the
`Internet by Finjan Software Ltd., 1996, 8 pages.
`“Products” Article published on the Internet, 7 pages.
`Mark LaDue, “Online Business Consultant” Article pub-
`lished on the Internet, Home Page, Inc. 1996, 4 pages.
`
`Web Page, Article “Frequently Asked Questions About
`Authenticode”, Microsoft Corporation, last updated Feb. 17,
`1997, URL: http:/Awww.microsoft.com/workshop/security/
`authcode/signfaq.asp#9, pp. 1-13.
`
`

`

`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 4 of 21
`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 4 of 21
`
`U.S. Patent
`
`Nov.28, 2000
`
`Sheet 1 of 7
`
`6,154,844
`
`FIG.
`
`1
`
`‘oo
`
`DEVELOPER
`
`INSPECTOR
`
`160
`
`
`
`DOWNLOADABLE
`DEVELOPMENT ENGINE
`
`155
`
`DEVELOPER CERTIFICATE
`750
`
`CONTENT INSPECTION ENGINE
`165
`795
`
`RULES BASE
`
`170
`
`SIGNED
`INSPECTED
`DOWNLOADABLE
`
`SIGNED DOWNLOADABLE
`
`INSPECTOR CERTIFICATE
`
`105
`
`
`
`
`EXTERNAL
`COMPUTER NETWORK
`
`
`
`135
`
`185
`WEB SERVER 790
`WEB PAGE DATA
`
`NETWORK GATEWAY
`
`
`
`NETWORK PROTECTION
`ENGINE
`
`110
`
`115
`
`INTERNAL COMPUTER
`NETWORK
`
`COMPUTER CLIENT
`
`135
`
`ENGINE
`
`COMPUTER PROTECTION
`
`

`

`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 5 of 21
`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 5 of 21
`
`6,154,844
`
`09¢
`
`oe
`
`U.S. Patent
`
`Nov.28, 2000
`
`Sheet 2 of 7
`
`FOVINAINIoeOseJOVYOLSTWNYBINIJOIAIGJOVYOLSvivaSNOLLVOINNNNOD
`
`
`
`
`
`
`OF!TIavavOINMOGoce
`
`Ozpoo----2-2-------------------,022!!|{|I|
`OozeGILGor.goe7]NSHSOl
`ove7]SavasWs||301dindino}|301A30indNTyoss3a0ud|Ole
`
`
`
`
`FNIONTSNOLLYOINAWWODSS!
`
`
`
`
`INIONSINFWdOT3ARGFVOLALLNION3d013A30
`AIWOTSTLY39Ol|SLVOISTLY3O
`
`
`WAISASSNLIYYad0GANOIS
`YOLISdSNIJISvavOINMOG|Yad013A30!I|
`
`OL!GZ1ogyG0Z!Loe7Wo4x0S!.
`S61CHd
`
`TI@¥aYOINMOG
`
`
`

`

`U.S. Patent
`
`Nov.28, 2000
`
`Sheet 3 of 7
`
`6,154,844
`
`SP
`
`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 6 of 21
`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 6 of 21
`
`osONILVYAdOcor{asvasain|SNL-steWAISAS
`
`
`og!NOLLOSASNI‘NaINODS6lOLD24SNICGNOIS
`
`
`
`
`
`
`
`gp7LNIONS_SNOLIVOINNIANOD¥O103dSNI]|yeyH1VOISTINIO
`
`
`
`
`
`OLFY4qV3YWSYOSJOIAIGLNdLNOJOTAIILAdNIYOSS300Ud
`odyaprOld
`
`
`
`
`JOVHOLSTWNYSLNIJOIAIFJOVHOLSVIVO
`OcGIPSOF
`
`Sél
`
`SNOLLYOINNWANOD
`
`Ole
`
`
`

`

`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 7 of 21
`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 7 of 21
`
`U.S. Patent
`
`Nov.28, 2000
`
`Sheet 4 of 7
`
`6,154,844
`
`FIG. 5
`
`S
`
`DOWNLOADABLE FILE INTERCEPTOR 9°
`
`040
`
`FILE READER
`
`CERTIFICATE AUTHENTICATOR
`
`ID
`DOWNLOADABLE.
`VERIFICATION ENGINE
`CONTENT INSPECTION ENGINE
`
`LOCAL SECURITY POLICY
`ANALYSIS ENGINE
`
`LOCAL SECURITY POLICIES
`
`RE-TRANSMISION ENGINE
`
`910
`
`[72/9
`
`520
`
`“°9
`
`530
`
`555
`
`

`

`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 8 of 21
`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 8 of 21
`
`U.S. Patent
`
`Nov.28, 2000
`
`Sheet 5 of 7
`
`6,154,844
`
`FIG. 6
`
`SO
`
`OBTAIN UNINSPECTED DOWNLOADABLE
`
`INCLUDE ALL COMPONENTS IN|,670
`AN ARCHIVE FILE
`
`ATTACH DEVELOPER CERTIFICATE TO THE FILE
`
`
`SEND FILE TO THE INSPECTOR
`
`620
`
`GENERATE DSP AND DOWNLOADABLE ID} 49
`
`ATTACH THE DSP AND DOWNLOADABLE ID TO FILE
`
`ATTACH THE INSPECTOR CERTIFICATE TO THE FILE
`
`650
`
`659
`
`
`
`
`
`
`?
`
` ANOTHER
`
`CONTENT INSPECTION
`
`NO
`
`FORWARD THE SIGNED INSPECTED DOWNLOADABLE
`TO THE WEB SERVER FOR DEPLOYMENT
`
`645
`
`

`

`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 9 of 21
`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 9 of 21
`
`U.S. Patent
`
`Nov.28, 2000
`
`Sheet 6 of 7
`
`6,154,844
`
`(sive) RECEIVE DOWNLOADABLE FILE~79
`
`FIG. / EXTRACT THE DOWNLOADABLEL-~770
`
`
`won
`y
`
`715
`
`NO
`
`PREVIOUSLY INSPECTED
`
`AUTHENTICATE THE INSPECTOR CERTIFICATE
`
`
`
`EXTRACT THE DSP
`
`AUTHENTICATE THE DOWNLOADABLE ID
`
`
`
`AUTHENTICATE THE DEVELOPER CERTIFICATE
`720
`?
`
`
`
` ANOTHER DSP
`?
`
`GENERATE DSPey
`
`
`ATTACHED
`
`745
`
`PASS ALL
`AUTHENTICATION
`9
`
`THE ATTACHED DOWNLOADABLE
`
`YES
`
`755
`
`COMPARE DSP AGAINST LOCAL SECURITY POLICIES
`
`PASS ALL
`
`SECURITY POLICIES
`?
`
`760
`NO
` SEND NON-HOSTILE
`
`DOWNLOADABLE 10
`
`
`INFORM THE CLIENT
`
`
`OF THE FAILURE
`
`
`YES
`PASS THE DOWNLOADABLE
`
`770
`
`

`

`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 10 of 21
`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 10 of 21
`
`Sheet 7 of 7
`
`U.S. Patent
`
`0L8
`
`G8!
`
`S98068Sl8S08
`
`Nov.28, 2000
`
`
`
`
`
`430VIYWSOFOIALAdLNOJOIAIGLAdNIAdd
`
`So8OssSoe
`
`018
`
`
`OREW3LSAS061IV3OVdGamSOVRMINIONILVY3d0
`
`
`JOVYOLSWNYSINIFJOIAIGJOVYOLSV1VGSNOTLVOINAWNOD
`
`
`
`
`
`6,154,844
`
`098
`
`
`
`INTONASNOLLYOINNWNOD
`
`0S809
`
`SNTIONSYSAddSGMSITavVaVOINMOd
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 11 of 21
`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 11 of 21
`
`6,154,844
`
`1
`SYSTEM AND METHOD FOR ATTACHING A
`DOWNLOADABLESECURITY PROFILE TO
`A DOWNLOADABLE
`
`2
`and Downloadable security profiles to determine whether or
`not to trust the Downloadable security profiles.
`The inspector includes a content inspection engine that
`uses a set of rules to generate a Downloadable security
`PRIORITY REFERENCE TO RELATED
`profile corresponding to a Downloadable. The content
`APPLICATIONS
`inspection engine links the Downloadable security profile to
`the Downloadable. The set of rules may includealist of
`This application claims benefit of and hereby incorporates
`suspicious operations, or a list of suspicious code patterns.
`by reference provisional application Ser. No. 60/030,639,
`The first content inspection engine may link to the Down-
`entitled “System and Method for Protecting a Computer
`loadable a certificate that identifies the content inspection
`from Hostile Downloadables,” filed on Nov. 8, 1996, by
`engine which created the Downloadable security profile.
`inventor Shlomo Touboul; patent application Ser. No.
`The system may include additional content
`inspection
`08/964,388, entitled “System and Method for Protecting a
`engines for generating and linking additional Downloadable
`Computer and a Network from Hostile Downloadables,”
`security profiles to the Downloadable. Each additional
`filed on Nov. 6, 1997, by inventor Shlomo Touboul; and
`Downloadable security profile may also includea certificate
`patent application Ser. No. 08/790,097,entitled “System and
`that identifies its creating content inspection engine. Each
`Method for Protecting a Client
`from Hostile
`content inspection engine may create a Downloadable ID
`that identifies the Downloadable to which the Downloadable
`Downloadables,” filed on Jan. 29, 1997, also by inventor
`Shlomo Touboul.
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`BACKGROUND OF THE INVENTION
`
`1. Field of the Invention
`
`This invention relates generally to computer networks,
`and more particularly provides a system and method for
`attaching a Downloadable security profile to a Download-
`able to facilitate the protection of computers and networks
`from a hostile Downloadable.
`
`2. Description of the Background Art
`The Internet is currently a collection of over 100,000
`individual computer networks owned by governments,
`universities, nonprofit groups and companies, and is expand-
`ing at an accelerating rate. Because the Internet is public, the
`Internet has become a major source of many system dam-
`aging and system fatal application programs, commonly
`referred to as “viruses.”
`
`Accordingly, programmers continue to design computer
`and computer network security systems for blocking these
`viruses from attacking both individual and network com-
`puters. On the most part, these security systems have been
`relatively successful. However, these security systems are
`not configured to recognize computer viruses which have
`been attached to or configured as Downloadable application
`programs, commonly referred to as “Downloadables.” A
`Downloadable is an executable application program, which
`is downloaded from a source computer and run on the
`destination computer. A Downloadable is typically requested
`by an ongoing process such as by an Internet browser or web
`client. Examples of Downloadables include Java™ applets
`designed for use in the Java™ distributing environment
`developed by Sun Microsystems, Inc., JavaScript™ scripts
`also developed by Sun Microsystems,Inc., ActiveX™ con-
`trols designed for use in the ActiveX™ distributing envi-
`ronment developed by the Microsoft Corporation, and
`Visual Basic also developed by the Microsoft Corporation.
`Downloadables may also include plugins, which add to the
`functionality of an already existing application program.
`Therefore, a system and method are needed to protect a
`network from hostile Downloadables.
`
`SUMMARYOF THE INVENTION
`
`The present invention provides systems for protecting a
`network from suspicious Downloadables, e.g., Java™
`applets, ActiveX™controls, JavaScript™ scripts, or Visual
`Basic scripts. The network system includes an inspector for
`linking Downloadable security profiles to a Downloadable,
`and a protection engine for examining the Downloadable
`
`security profile corresponds.
`The protection engine includes a Downloadable intercep-
`tor for receiving a Downloadable, a file reader coupledto the
`interceptor for determining whether the Downloadable
`includes a Downloadable security profile, an engine coupled
`to the file reader for determining whether to trust
`the
`Downloadable security profile, and a security policy analy-
`sis engine coupled to the verification engine for comparing
`the Downloadable security profile against a security policy
`if the engine determines that the Downloadable security
`profile is trustworthy. The engine preferably determines
`whetherthe first Downloadable security profile corresponds
`to the Downloadable. The system preferably includes a
`Downloadable ID verification engine for retrieving a Down-
`loadable ID that identifies the Downloadable to which the
`Downloadable security profile corresponds. To confirm the
`correspondence between the Downloadable security profile
`and the Downloadable, the Downloadable ID verification
`engine generates the Downloadable ID for the Download-
`able and compares the generated Downloadableto the linked
`Downloadable. The system may also include a content
`inspection engine for generating a Downloadable security
`profile for the Downloadable if the first Downloadable
`security profile is not
`trustworthy. The system further
`includesa certificate authenticator for authenticating a cer-
`tificate that identifies a content
`inspection engine which
`created the Downloadable security profile as from a trusted
`source. The certificate authenticator can also authenticate a
`
`certificate that identifies a developer that created the Down-
`loadable.
`
`invention provides a method in a first
`The present
`embodiment comprising the steps of receiving a
`Downloadable, generating a first Downloadable security
`profile for the received Downloadable, and linking the first
`Downloadable security profile to the Downloadable. The
`present invention further provides a method in a second
`embodiment comprising the steps of receiving a Download-
`able with a linked first Downloadable security profile, deter-
`mining whether to trust
`the first Downloadable security
`profile, and comparing the first Downloadable security pro-
`file against the security policy if the first Downloadable
`security profile is trustworthy
`It will be appreciated that the system and method of the
`present invention may provide computer protection from
`known hostile Downloadables. The system and method of
`the present
`invention may identify Downloadables that
`perform operations deemed suspicious. The system and
`method of the present invention may examine the Down-
`loadable code to determine whether the code contains any
`
`

`

`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 12 of 21
`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 12 of 21
`
`6,154,844
`
`3
`suspicious operations, and thus may allow or block the
`Downloadable accordingly.
`It will be appreciated that,
`because the system and methodof the present invention link
`a verifiable Downloadable security profile to a
`Downloadable, the system and method may avoid decom-
`posing the Downloadable into the Downloadable security
`profile on the fly.
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`4
`Downloadable 150 received from the developer 120, for
`generating a Downloadable Security Profile (DSP) based on
`a rules base 165 for the Downloadable, and for attaching the
`DSPto the Downloadable. A DSP preferably includesa list
`of all potentially hostile or suspicious computer operations
`that may be attempted by the Downloadable, and may also
`include the respective arguments of these operations. Gen-
`erating a DSP includes searching the Downloadable codefor
`any pattern, which is undesirable or suggests that the code
`was written by a hacker. The content inspection engine 160
`preferably performs a fall-content
`inspection.
`It will be
`appreciated that generating a DSP may also include com-
`paring a Downloadable against Downloadables which Origi-
`nal Equipment Manufacturers (OEMs) know to be hostile,
`Downloadables which OEMs knowto be non-hostile, and
`Downloadables previously examined by the content inspec-
`tion engine 160. Accordingly, the rules base may include a
`list of operations and code patterns deemed suspicious,
`knownhostile Downloadables, known viruses,etc.
`
`An Example List of Operations Deemed Suspicious
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`FIG. 1 is a block diagram illustrating a network system in
`accordance with the present invention;
`FIG. 2 is a block diagram illustrating details of an
`example inspected Downloadable of FIG. 1;
`FIG. 3 is a block diagram illustrating details of a devel-
`oper of FIG. 1;
`FIG. 4 is a block diagram illustrating details of an
`inspector of FIG. 1;
`FIG. 5 is a block diagram illustrating details of a generic
`protection engine of FIG. 1;
`FIG. 6 is a flowchartillustrating a method for attaching a
`Downloadable security profile to a Downloadable in accor-
`File operations: READafile, WRITE a file, DELETE a
`dance with the present invention;
`file, RENAMEa file;
`FIG. 7 is a flowchartillustrating a method for examining
`Network operations: LISTEN on a socket, CONNECTto
`a Downloadable in accordance with the present invention;
`a socket, SEND data, RECEIVE data, VIEW INTRANET;
`and
`Registry operations: READ a registry item, WRITE a
`registry item;
`Operating system operations: EXIT WINDOWS, EXIT
`BROWSER, START PROCESS/THREAD, KILL
`PROCESS/THREAD, CHANGE PROCESS/THREAD
`PRIORITY, DYNAMICALLY LOAD A CLASS/
`LIBRARY, etc.; and
`Resource usage thresholds: memory, CPU, graphics,etc.
`Further, the content inspection engine 160 generates and
`attaches a Downloadable ID to the Downloadable. The
`DownloadableID is typically stored as part of the DSP, since
`multiple DSPs may be attached to a Downloadable and each
`may have a different Downloadable ID. Preferably, to gen-
`erate a Downloadable ID, the content inspection engine 160
`computes a digital hash of the complete Downloadable code.
`The content inspection engine 160 preferably prefetches all
`components embodied in or identified by the code for
`Downloadable ID generation. For example,
`the content
`inspection engine 160 may prefetch all classes embodied in
`or identified by the Java™ applet bytecode, and then may
`perform a predetermined digital hash on the Downloadable
`code (and the retrieved components) to generate the Down-
`loadable ID. Similarly, the content inspection engine 160
`may retrieve all components listed in the .NF file for an
`ActiveX™ control
`to compute a Downloadable ID.
`Accordingly, the Downloadable ID for the Downloadable
`will be the same each time the content inspection engine 160
`(or a protection engine as illustrated in FIG. 5) receives the
`same Downloadable and applies the same digital hash
`function. The downloadable components need not be stored
`with the Downloadable, but can be retrieved before each use
`or Downloadable ID generation.
`Generating a DSP and generating a Downloadable ID are
`described in great detail with reference to the patent appli-
`cation Ser. No. 08/964,388, entitled “System and Method for
`Protecting a Computer and a Network from Hostile
`Downloadables,” filed on Nov. 6, 1997, by inventor Shlomo
`Touboul, which has been incorporated by reference above.
`After performing content inspection, the inspector 125
`attaches an inspector certificate 170 to the Downloadable.
`The inspector certificate 170 verifies the authenticity of the
`
`FIG. 8 is a block diagram illustrating details of the web
`server of FIG. 1.
`
`DETAILED DESCRIPTION OF THE
`PREFERRED EMBODIMENT
`
`FIG. 1 is a block diagram illustrating a computer network
`system 100 in accordance with the present invention. The
`computer network system 100 includes an external computer
`network 105, such as the Wide Area Network (WAN)
`commonly referred to as the Internet, coupled via a network
`gateway 110 to an internal computer network 115, such as a
`Local Area Network (LAN) commonly referred to as an
`intranet. The network system 100 further includes a devel-
`oper 120 coupled to the external computer network 105, an
`inspector 125 also coupled to the external computer network
`105, a web server 185 also coupled to the external computer
`network 105, and a computer client 130 coupled to the
`internal computer network 115. One skilled in the art will
`recognize that connections to external or internal network
`systems are merely exemplary, and alternative embodiments
`may haveother connections. Further, although the developer
`120, inspector 125 and web server 185 are being described
`as distinct sites, one skilled in the art will recognize that
`these elements may be a part of an integral site, may each
`include components of multiple sites, or may include com-
`binations of single and multiplesites.
`The developer 120 includes a Downloadable development
`engine 140 for generating a signed (yet uninspected) Down-
`loadables 150. The developer 120 may obtain an unin-
`spected Downloadable or may initially use the Download-
`able development engine 140 to generate an uninspected
`Downloadable. The developer 120 can then use the Down-
`loadable development engine 140 to transmit the signed
`Downloadable to the inspector 125 for hostility inspection.
`The developer 120 includes a developer certificate 155,
`which the Downloadable development engine 140 attaches
`to each uninspected Downloadableso that the inspector 125,
`the network gateway 110 and the computer client 130 can
`authenticate the developer 120.
`The inspector 125 includes a content inspection engine
`160 for examining a received Downloadable, e.g., the signed
`
`

`

`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 13 of 21
`Case 3:17-cv-05659-WHA Document 88-1 Filed 05/18/18 Page 13 of 21
`
`6,154,844
`
`5
`DSPattached to the Downloadable. Details of an example
`signed inspected Downloadable 150 are illustrated and
`described with reference to FIG. 2. The inspector 125 then
`transmits the signed inspected Downloadable 195 to the web
`server 185 for addition to web page data 190 and web page
`deployment. Accordingly, the computer client 130 includes
`a web client 175 for accessing the web page data 190
`provided by the web server 185. As is knowninthe art, upon
`recognition of a Downloadable call,
`the web client 175
`requests the web server 185 to forward the corresponding
`Downloadable. The web server 185 then transmits the
`
`Downloadable via the network gateway 110 to the computer
`client 130.
`
`The network gateway 110 includes network protection
`engine 135, and the computer client 130 includes a computer
`protection engine 180. Both the network protection engine
`135 and the computer protection engine 180 examineall
`incoming Downloadables and stop all Downloadables
`deemed suspicious.It will be appreciated that a Download-
`able is deemed suspiciousif it performs or may perform any
`undesirable operation,or if it threatens or may threaten the
`integrity of any computer component.It is to be understood
`that
`the term “suspicious” includes hostile, potentially
`hostile, undesirable, potentially undesirable, etc. Thus, if the
`incoming Downloadable includes a signed inspected Down-
`loadable 195, then the network protection engine 135 and
`the computer protection engine 180 can review the attached
`certificates to verify the authenticity of the DSP. If the
`incoming Downloadable does not include a signed inspected
`Downloadable 195,
`then each of the network protection
`engine 135 and the computer protection engine 180 must
`generate the DSP, and compare the DSP against
`local
`security policies (535, FIG. 5).
`Components and operation of the network protection
`engine 135 and the computer protection engine 180 are
`described in greater detail with reference to FIG. 5. It will be
`appreciated that the network gateway 110 may include the
`components described in the patent-application Ser. No.
`08/964,388, entitled “System and Method for Protecting a
`Computer and a Network from Hostile Downloadables,”
`filed on Nov. 6, 1997, by inventor Shlomo Touboul, which
`has been incorporated by reference above. It will be further
`appreciated that the computer protection engine 180 may
`include the components described in the patent application
`Ser. No. 08/790,097, entitled “System and Method for
`Protecting a Client from Hostile Downloadables,”filed on
`Jan. 29, 1997, also by inventor Shlomo Touboul.
`It will be appreciated that the network system 100 may
`include multiple inspectors 125, wherein each inspector 125
`may provide a different content inspection. For example, one
`inspector 125 may examine for suspicious operations,
`another inspector 125 may examine for knownvirusesthat
`may beattached to the Downloadable 150, etc. Each inspec-
`tor 125 would attach a corresponding DSPanda certificate
`verifying the authenticity of the attached DSP. Alternatively,
`a single inspector 125 may include multiple content inspec-
`tion engines 160, wherein each engine provides a different
`content inspection.
`FIG. 2 is a block diagram illustrating details of a signed
`inspected Downloadable 195, which includes a Download-
`able 205, a developer certificate 155, a DSP 215 which
`includes a Downloadable ID 220, and an inspector certifi-
`cate 170. The Downloadable 205 includes the downloadable
`and executable code that a web client 175 receives and
`
`executes. The Downloadable 205 may be encrypted using
`the developer’s private key. The attached developer certifi-
`cate 155 may include the developer’s public key, the devel-
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`6
`oper’s name, an expiration date of the key, the name of the
`certifying authority that issued the certificate, and a serial
`number. The signed Downloadable 150 comprises the
`Downloadable 205 and the developer certificate 155. The
`DSP 215 and Downloadable ID 220 may be encrypted by the
`inspector’s private key. The Downloadable ID 220is illus-
`trated as part of the DSP 215 for simplicity, since each
`signed inspected Downloadable 195 may include multiple
`DSPs 215 (and each DSP 215 may include a separate and
`distinct Downloadable ID 220). The inspectorcertificate 170
`may includethe inspector’s public key, an expiration date of
`the key, the nameof the certifying authority that issued the
`certificate, and a Ser. No.
`Although the signed inspected Downloadable 195 illus-
`trates the DSP 215 (and Downloadable ID 220) as an
`attachment, one skilled in the art will recognize that the DSP
`215 can be linked to the Downloadable 205 using other
`techniques. For example, the DSP 215 can be stored in the
`network system 100, and alternatively a pointer to the DSP
`215 can be attached to the signed inspected Downloadable
`195. The term “linking” herein will be used to indicate an
`association between the Downloadable 205 and the DSP 215
`(including using a pointer from the Downloadable 195 to the
`DSP 215, attaching the DSP 215 to the Downloadable 205,
`etc.)
`FIG. 3 is a block diagram illustrating details of the
`developer 120, which includes a processor 305, such as an
`Intel Pentium® microprocessor or a Motorola Power PC®
`microprocessor, coupled to a signal bus 310. The developer
`120 further includes an input device 315 such as a keyboard
`and mouse, an output device 320 such as a Cathode Ray
`Tube (CRT) display, a data storage device 330 such as a
`magnetic disk, and an internal storage 335 such as Random-
`Access Memory (RAM), each coupledto the signal bus 310.
`Acommunications interface 325 couples the signal bus 325
`to the external computer network 105, as shown in FIG. 1.
`An operating system 350 controls processing by processor
`305, and is typically stored in the data storage device 330
`and loaded into internal storage 335 (as illustrated) for
`execution by processor 305. The Downloadable develop-
`ment engine 140 generates signed Downloadables 150 as
`described above, and also maybe stored in the data storage
`device 330 and loaded into internal storage 335 (as
`illustrated) for execution by processor 305. The data storage
`device 330 stores the signed Downloadables 150 and the
`developer certificate 155. A communications engine 360
`controls communications via the communications interface
`
`325 with the external computer network 105, and also may
`be stored in the data storage device 330 and loaded into
`internal storage 335 (as illustrated) for execution by proces-
`sor 305.
`
`Oneskilled in the art will understand that the developer
`120 mayalso include additional information, such as net-
`work connections, additional memory, additional
`processors, LANs, input/output lines for transferring infor-
`mation across a hardware channel,
`the Int