Case 4:18-cv-07229-YGR Document 195-7 Filed 05/10/21 Page 1 of 21

EXHIBIT 2
US006154844A

United States Patent [19]
Touboul et al.

[11] Patent Number: 6,154,844
[45] Date of Patent: Nov. 28, 2000

[54] SYSTEM AND METHOD FOR ATTACHING A DOWNLOADABLE SECURITY PROFILE TO A DOWNLOADABLE

[75] Inventors: Shlomo Touboul, Kefar-Haim; Nachshon Gal, Tel-Aviv, both of Israel

[73] Assignee: Finjan Software, Ltd., San Jose, Calif.

[21] Appl. No.: 08/995,648

[22] Filed: Dec. 22, 1997

Related U.S. Application Data

[60] Provisional application No. 60/030,639, Nov. 8, 1996.

[51] Int. Cl.7: H04L 9/36
[52] U.S. Cl.: 713/201; 714/38; 713/164
[58] Field of Search: 713/201, 200, 202, 164, 165, 166, 167, 176; 714/38, 704, 207, 33; 709/229; 380/4, 25, 24; 705/51, 54, 55
`
`[56]
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`
`5,077,677 12/1991 Murphy et al. ........................... 395/10
`5,359,659 10/1994 Rosenthal .................................... 380/4
`5,361,359 11/1994 Tajalli et al. ............................ 395/700
`
`(List continued on next page.)
`
`OTHER PUBLICATIONS
`
`X.N. Zhang, "Secure Code Distribution," Computer, pp.
`76-79, Jun. 1997.
`IBM AntiVirus User's Guide Version 2.4, International
`Business Machines Corporation, Nov. 15, 1995, pp. 6-7.
`Jim K. Omura, "Novel Applications of Cryptography in
`Digital Communications", IEEE Communications Maga(cid:173)
`zine, May, 1990; pp. 21-27.
`Norvin Leach et al, "IE 3.0 Applets Will Earn Certification",
`PC Week, v13, n29, 1998, 2 pages.
`Microsoft Authenticode Technology, "Ensuring Account(cid:173)
`ability and Authenticity for Software Components on the
`Internet", Microsoft Corporation, Oct. 1996, including con(cid:173)
`tents, Introduction and pp. 1-10.
`
`Primary Examiner-Robert W. Beausoliel, Jr.
`Assistant Examiner-Christopher A. Revak
`Attorney, Agent, or Firm-Squire, Sanders & Dempsey,
`L.L.P.
`
`[57]
`
`ABSTRACT
`
`A system comprises an inspector and a protection engine.
`The inspector includes a content inspection engine that uses
`a set of rules to generate a Downloadable security profile
`corresponding to a Downloadable, e.g., Java™ applets,
`ActiveX™ controls, JavaScript™ scripts, or Visual Basic
`scripts. The content inspection engine links the Download(cid:173)
`able security profile to the Downloadable. The set of rules
`may include a list of suspicious operations, or a list of
`suspicious code patterns. The first content inspection engine
`may link to the Downloadable a certificate that identifies the
`content inspection engine which created the Downloadable
`security profile. Additional content inspection engines may
`generate and link additional Downloadable security profiles
`to the Downloadable. Each additional Downloadable secu(cid:173)
`rity profile may also include a certificate that identifies its
`creating content inspection engine. Each content inspection
`engine preferably creates a Downloadable ID that identifies
`the Downloadable to which the Downloadable security
`profile corresponds. The protection includes a Download(cid:173)
`able interceptor for receiving a Downloadable, a file reader
`coupled to the interceptor for determining whether the
`Downloadable includes a Downloadable security profile, an
`engine coupled to the file reader for determining whether to
`trust the Downloadable security profile, and a security
`policy analysis engine coupled to the verification engine for
`comparing the Downloadable security profile against a secu(cid:173)
`rity policy if the engine determines that the Downloadable
`security profile is trustworthy. A Downloadable ID verifi(cid:173)
`cation engine retrieves the Downloadable ID that identifies
`the Downloadable to which the Downloadable security
`profile corresponds, generates the Downloadable ID for the
`Downloadable and compares the generated Downloadable
`to the linked Downloadable. The protection engine further
`includes a certificate authenticator for authenticating the
`certificate that identifies a content inspection engine which
`created the Downloadable security profile as from a trusted
`source. The certificate authenticator can also authenticate a
`certificate that identifies a developer that created the Down(cid:173)
`loadable.
`
44 Claims, 7 Drawing Sheets

[Front-page figure: excerpt of FIG. 1 showing the Downloadable development engine, the developer certificate and inspector 125.]
`
6,154,844
Page 2

U.S. PATENT DOCUMENTS

5,485,409 1/1996 Gupta et al. 395/186
5,485,575 1/1996 Chess et al. 395/183.14
5,572,643 11/1996 Judson 395/793
5,623,600 4/1997 Ji et al. 395/187.01
5,638,446 6/1997 Rubin 380/25
5,692,047 11/1997 McManis 380/4
5,692,124 11/1997 Holden et al. 395/187.01
5,720,033 2/1998 Deo 395/186
5,724,425 3/1998 Chang et al. 380/25
5,740,248 4/1998 Fieres et al. 380/25
5,761,421 6/1998 van Hoff et al. 395/200.53
5,765,205 6/1998 Breslau et al. 711/203
5,784,459 7/1998 Devarakonda et al. 380/4
5,796,952 8/1998 Davis et al. 395/200.54
5,805,829 9/1998 Cohen et al. 395/200.32
5,832,208 11/1998 Chen et al. 395/187.01
5,850,559 12/1998 Angelo et al. 395/750.03
5,859,966 1/1999 Hayman et al. 713/200
5,864,683 1/1999 Boebert et al. 395/200.79
5,892,904 4/1999 Atkinson et al. 713/201
5,956,481 9/1999 Walsh et al. 713/200
5,974,549 10/1999 Golan 713/200
5,983,348 11/1999 Ji 713/200
`
OTHER PUBLICATIONS

Web Page, Article "Frequently Asked Questions About Authenticode", Microsoft Corporation, last updated Feb. 17, 1997, URL: http://www.microsoft.com/workshop/security/authcode/signfaq.asp#9, pp. 1-13.
Web page: http://iel.ihs.com:80/cgi-bin/iel13cgi?se ... 2ehts%26ViewTemplate%3ddocview%5fb%2ehts, Okamato, E. et al., "ID-Based Authentication System For Computer Virus Detection", IEEE/IEE Electronic Library online, Electronics Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract and pp. 1169-1170.
"Finjan Announces a Personal Java™ Firewall for Web Browsers-the SurfinShield™ 1.6", Press Release of Finjan Releases SurfinShield, Oct. 21, 1996, 2 pages.
"Finjan Software Releases SurfinBoard, Industry's First JAVA Security Product For the World Wide Web", Article published on the Internet by Finjan Software, Ltd., Jul. 29, 1996, 1 page.
"Powerful PC Security for the New World of Java™ and Downloadables, Surfin Shield™" Article published on the Internet by Finjan Software Ltd., 1996, 2 pages.
"Company Profile Finjan-Safe Surfing, The Java Security solutions Provider" Article published on the Internet by Finjan Software Ltd., Oct. 31, 1996, 3 pages.
"Finjan Announces Major Power Boost and New Features for SurfinShield™ 2.0" Las Vegas Convention Center/Pavillion 5 P5551, Nov. 18, 1996, 3 pages.
"Java Security: Issues & Solutions" Article published on the Internet by Finjan Software Ltd., 1996, 8 pages.
"Products" Article published on the Internet, 7 pages.
Mark LaDue, "Online Business Consultant" Article published on the Internet, Home Page, Inc. 1996, 4 pages.
`
`
`
U.S. Patent, Nov. 28, 2000, Sheet 1 of 7, 6,154,844

[FIG. 1, block diagram of network system 100: developer 120 (Downloadable development engine, developer certificate 155, signed Downloadable 150); inspector 125 (content inspection engine 160, rules base 165, inspector certificate 170, signed inspected Downloadable 195); web server 185; external computer network 105; network gateway 110 with network protection engine 135; internal computer network 115; computer client 130 with web client and computer protection engine 180.]
`
U.S. Patent, Nov. 28, 2000, Sheet 2 of 7, 6,154,844

[FIG. 2, block diagram of signed inspected Downloadable 195: Downloadable 205 and developer certificate 155 (together the signed Downloadable 150), DSP 215 containing Downloadable ID 220, and inspector certificate 170.]

[FIG. 3, block diagram of developer 120: processor 305, signal bus 310, input device 315, output device 320, communications interface 325, data storage device 330 and internal storage 335 holding the Downloadable development engine 140, developer certificate 155, signed Downloadable 150, operating system and communications engine; CRSM reader and CRSM (reference numerals 350, 360, 370 and 375 also appear).]
`
U.S. Patent, Nov. 28, 2000, Sheet 3 of 7, 6,154,844

[FIG. 4, block diagram of inspector 125: processor, input device, output device, communications interface, data storage device and internal storage holding the content inspection engine 160, rules base 165, inspector certificate, signed inspected Downloadable 195, operating system and communications engine; CRSM reader (reference numerals 405, 410, 415, 420, 425, 430, 435, 470 and 475 appear).]
`
U.S. Patent, Nov. 28, 2000, Sheet 4 of 7, 6,154,844

[FIG. 5, block diagram of a generic protection engine: Downloadable file interceptor 505, file reader 510, certificate authenticator 515, Downloadable ID verification engine 520, content inspection engine 525, local security policy analysis engine 530, local security policies 535, re-transmission engine 540.]
`
U.S. Patent, Nov. 28, 2000, Sheet 5 of 7, 6,154,844

[FIG. 6, flowchart of method 600: obtain uninspected Downloadable; include all components in an archive file (610); attach developer certificate to the file; send file to the inspector (620); generate DSP and Downloadable ID (625); attach the DSP and Downloadable ID to file (630); attach the inspector certificate to the file (635); decision step with a YES branch; forward the signed inspected Downloadable to the web server for deployment (645).]
`
U.S. Patent, Nov. 28, 2000, Sheet 6 of 7, 6,154,844

[FIG. 7, flowchart of method 700: receive Downloadable file (705); extract the Downloadable (710); authenticate the developer certificate (715); authenticate the inspector certificate; extract the DSP (730); authenticate the Downloadable ID (735); decision steps with YES/NO branches (720, 725, 760); generate DSP for the attached Downloadable (750); compare DSP against local security policies (755); pass the Downloadable; send non-hostile Downloadable to [destination label not recovered]; inform the client of the failure (770).]
`
U.S. Patent, Nov. 28, 2000, Sheet 7 of 7, 6,154,844

[FIG. 8, block diagram of web server 185: CPU 805, signal bus 810, input device, output device, communications interface, data storage device 840 (Downloadables, web page data 190), internal storage 835 (communications engine, web server engine, operating system), CRSM reader 865, CRSM 870; reference numerals 815, 820, 825 and 830 also appear.]
`
6,154,844

SYSTEM AND METHOD FOR ATTACHING A DOWNLOADABLE SECURITY PROFILE TO A DOWNLOADABLE

PRIORITY REFERENCE TO RELATED APPLICATIONS

This application claims benefit of and hereby incorporates by reference provisional application Ser. No. 60/030,639, entitled "System and Method for Protecting a Computer from Hostile Downloadables," filed on Nov. 8, 1996, by inventor Shlomo Touboul; patent application Ser. No. 08/964,388, entitled "System and Method for Protecting a Computer and a Network from Hostile Downloadables," filed on Nov. 6, 1997, by inventor Shlomo Touboul; and patent application Ser. No. 08/790,097, entitled "System and Method for Protecting a Client from Hostile Downloadables," filed on Jan. 29, 1997, also by inventor Shlomo Touboul.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to computer networks, and more particularly provides a system and method for attaching a Downloadable security profile to a Downloadable to facilitate the protection of computers and networks from a hostile Downloadable.

2. Description of the Background Art

The Internet is currently a collection of over 100,000 individual computer networks owned by governments, universities, nonprofit groups and companies, and is expanding at an accelerating rate. Because the Internet is public, the Internet has become a major source of many system damaging and system fatal application programs, commonly referred to as "viruses."

Accordingly, programmers continue to design computer and computer network security systems for blocking these viruses from attacking both individual and network computers. For the most part, these security systems have been relatively successful. However, these security systems are not configured to recognize computer viruses which have been attached to or configured as Downloadable application programs, commonly referred to as "Downloadables." A Downloadable is an executable application program, which is downloaded from a source computer and run on the destination computer. A Downloadable is typically requested by an ongoing process such as by an Internet browser or web client. Examples of Downloadables include Java™ applets designed for use in the Java™ distributing environment developed by Sun Microsystems, Inc., JavaScript™ scripts also developed by Sun Microsystems, Inc., ActiveX™ controls designed for use in the ActiveX™ distributing environment developed by the Microsoft Corporation, and Visual Basic also developed by the Microsoft Corporation. Downloadables may also include plugins, which add to the functionality of an already existing application program. Therefore, a system and method are needed to protect a network from hostile Downloadables.

SUMMARY OF THE INVENTION

The present invention provides systems for protecting a network from suspicious Downloadables, e.g., Java™ applets, ActiveX™ controls, JavaScript™ scripts, or Visual Basic scripts. The network system includes an inspector for linking Downloadable security profiles to a Downloadable, and a protection engine for examining the Downloadable and Downloadable security profiles to determine whether or not to trust the Downloadable security profiles.

The inspector includes a content inspection engine that uses a set of rules to generate a Downloadable security profile corresponding to a Downloadable. The content inspection engine links the Downloadable security profile to the Downloadable. The set of rules may include a list of suspicious operations, or a list of suspicious code patterns. The first content inspection engine may link to the Downloadable a certificate that identifies the content inspection engine which created the Downloadable security profile. The system may include additional content inspection engines for generating and linking additional Downloadable security profiles to the Downloadable. Each additional Downloadable security profile may also include a certificate that identifies its creating content inspection engine. Each content inspection engine may create a Downloadable ID that identifies the Downloadable to which the Downloadable security profile corresponds.

The protection engine includes a Downloadable interceptor for receiving a Downloadable, a file reader coupled to the interceptor for determining whether the Downloadable includes a Downloadable security profile, an engine coupled to the file reader for determining whether to trust the Downloadable security profile, and a security policy analysis engine coupled to the verification engine for comparing the Downloadable security profile against a security policy if the engine determines that the Downloadable security profile is trustworthy. The engine preferably determines whether the first Downloadable security profile corresponds to the Downloadable. The system preferably includes a Downloadable ID verification engine for retrieving a Downloadable ID that identifies the Downloadable to which the Downloadable security profile corresponds. To confirm the correspondence between the Downloadable security profile and the Downloadable, the Downloadable ID verification engine generates the Downloadable ID for the Downloadable and compares the generated Downloadable ID to the linked Downloadable ID. The system may also include a content inspection engine for generating a Downloadable security profile for the Downloadable if the first Downloadable security profile is not trustworthy. The system further includes a certificate authenticator for authenticating a certificate that identifies a content inspection engine which created the Downloadable security profile as from a trusted source. The certificate authenticator can also authenticate a certificate that identifies a developer that created the Downloadable.

The present invention provides a method in a first embodiment comprising the steps of receiving a Downloadable, generating a first Downloadable security profile for the received Downloadable, and linking the first Downloadable security profile to the Downloadable. The present invention further provides a method in a second embodiment comprising the steps of receiving a Downloadable with a linked first Downloadable security profile, determining whether to trust the first Downloadable security profile, and comparing the first Downloadable security profile against the security policy if the first Downloadable security profile is trustworthy.

It will be appreciated that the system and method of the present invention may provide computer protection from known hostile Downloadables. The system and method of the present invention may identify Downloadables that perform operations deemed suspicious. The system and method of the present invention may examine the Downloadable code to determine whether the code contains any
`
`
suspicious operations, and thus may allow or block the Downloadable accordingly. It will be appreciated that, because the system and method of the present invention link a verifiable Downloadable security profile to a Downloadable, the system and method may avoid decomposing the Downloadable into the Downloadable security profile on the fly.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a network system in accordance with the present invention;
FIG. 2 is a block diagram illustrating details of an example inspected Downloadable of FIG. 1;
FIG. 3 is a block diagram illustrating details of a developer of FIG. 1;
FIG. 4 is a block diagram illustrating details of an inspector of FIG. 1;
FIG. 5 is a block diagram illustrating details of a generic protection engine of FIG. 1;
FIG. 6 is a flowchart illustrating a method for attaching a Downloadable security profile to a Downloadable in accordance with the present invention;
FIG. 7 is a flowchart illustrating a method for examining a Downloadable in accordance with the present invention; and
FIG. 8 is a block diagram illustrating details of the web server of FIG. 1.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 1 is a block diagram illustrating a computer network system 100 in accordance with the present invention. The computer network system 100 includes an external computer network 105, such as the Wide Area Network (WAN) commonly referred to as the Internet, coupled via a network gateway 110 to an internal computer network 115, such as a Local Area Network (LAN) commonly referred to as an intranet. The network system 100 further includes a developer 120 coupled to the external computer network 105, an inspector 125 also coupled to the external computer network 105, a web server 185 also coupled to the external computer network 105, and a computer client 130 coupled to the internal computer network 115. One skilled in the art will recognize that connections to external or internal network systems are merely exemplary, and alternative embodiments may have other connections. Further, although the developer 120, inspector 125 and web server 185 are being described as distinct sites, one skilled in the art will recognize that these elements may be a part of an integral site, may each include components of multiple sites, or may include combinations of single and multiple sites.

The developer 120 includes a Downloadable development engine 140 for generating a signed (yet uninspected) Downloadable 150. The developer 120 may obtain an uninspected Downloadable or may initially use the Downloadable development engine 140 to generate an uninspected Downloadable. The developer 120 can then use the Downloadable development engine 140 to transmit the signed Downloadable to the inspector 125 for hostility inspection. The developer 120 includes a developer certificate 155, which the Downloadable development engine 140 attaches to each uninspected Downloadable so that the inspector 125, the network gateway 110 and the computer client 130 can authenticate the developer 120.

The inspector 125 includes a content inspection engine 160 for examining a received Downloadable, e.g., the signed Downloadable 150 received from the developer 120, for generating a Downloadable Security Profile (DSP) based on a rules base 165 for the Downloadable, and for attaching the DSP to the Downloadable. A DSP preferably includes a list of all potentially hostile or suspicious computer operations that may be attempted by the Downloadable, and may also include the respective arguments of these operations. Generating a DSP includes searching the Downloadable code for any pattern, which is undesirable or suggests that the code was written by a hacker. The content inspection engine 160 preferably performs a full-content inspection. It will be appreciated that generating a DSP may also include comparing a Downloadable against Downloadables which Original Equipment Manufacturers (OEMs) know to be hostile, Downloadables which OEMs know to be non-hostile, and Downloadables previously examined by the content inspection engine 160. Accordingly, the rules base may include a list of operations and code patterns deemed suspicious, known hostile Downloadables, known viruses, etc.

An Example List of Operations Deemed Suspicious

File operations: READ a file, WRITE a file, DELETE a file, RENAME a file;
Network operations: LISTEN on a socket, CONNECT to a socket, SEND data, RECEIVE data, VIEW INTRANET;
Registry operations: READ a registry item, WRITE a registry item;
Operating system operations: EXIT WINDOWS, EXIT BROWSER, START PROCESS/THREAD, KILL PROCESS/THREAD, CHANGE PROCESS/THREAD PRIORITY, DYNAMICALLY LOAD A CLASS/LIBRARY, etc.; and
Resource usage thresholds: memory, CPU, graphics, etc.

Further, the content inspection engine 160 generates and attaches a Downloadable ID to the Downloadable. The Downloadable ID is typically stored as part of the DSP, since multiple DSPs may be attached to a Downloadable and each may have a different Downloadable ID. Preferably, to generate a Downloadable ID, the content inspection engine 160 computes a digital hash of the complete Downloadable code. The content inspection engine 160 preferably prefetches all components embodied in or identified by the code for Downloadable ID generation. For example, the content inspection engine 160 may prefetch all classes embodied in or identified by the Java™ applet bytecode, and then may perform a predetermined digital hash on the Downloadable code (and the retrieved components) to generate the Downloadable ID. Similarly, the content inspection engine 160 may retrieve all components listed in the .INF file for an ActiveX™ control to compute a Downloadable ID. Accordingly, the Downloadable ID for the Downloadable will be the same each time the content inspection engine 160 (or a protection engine as illustrated in FIG. 5) receives the same Downloadable and applies the same digital hash function. The downloadable components need not be stored with the Downloadable, but can be retrieved before each use or Downloadable ID generation.

Generating a DSP and generating a Downloadable ID are described in great detail with reference to the patent application Ser. No. 08/964,388, entitled "System and Method for Protecting a Computer and a Network from Hostile Downloadables," filed on Nov. 6, 1997, by inventor Shlomo Touboul, which has been incorporated by reference above.

After performing content inspection, the inspector 125 attaches an inspector certificate 170 to the Downloadable. The inspector certificate 170 verifies the authenticity of the
`
`
DSP attached to the Downloadable. Details of an example signed inspected Downloadable 150 are illustrated and described with reference to FIG. 2. The inspector 125 then transmits the signed inspected Downloadable 195 to the web server 185 for addition to web page data 190 and web page deployment. Accordingly, the computer client 130 includes a web client 175 for accessing the web page data 190 provided by the web server 185. As is known in the art, upon recognition of a Downloadable call, the web client 175 requests the web server 185 to forward the corresponding Downloadable. The web server 185 then transmits the Downloadable via the network gateway 110 to the computer client 130.

The network gateway 110 includes network protection engine 135, and the computer client 130 includes a computer protection engine 180. Both the network protection engine 135 and the computer protection engine 180 examine all incoming Downloadables and stop all Downloadables deemed suspicious. It will be appreciated that a Downloadable is deemed suspicious if it performs or may perform any undesirable operation, or if it threatens or may threaten the integrity of any computer component. It is to be understood that the term "suspicious" includes hostile, potentially hostile, undesirable, potentially undesirable, etc. Thus, if the incoming Downloadable includes a signed inspected Downloadable 195, then the network protection engine 135 and the computer protection engine 180 can review the attached certificates to verify the authenticity of the DSP. If the incoming Downloadable does not include a signed inspected Downloadable 195, then each of the network protection engine 135 and the computer protection engine 180 must generate the DSP, and compare the DSP against local security policies (535, FIG. 5).

Components and operation of the network protection engine 135 and the computer protection engine 180 are described in greater detail with reference to FIG. 5. It will be appreciated that the network gateway 110 may include the components described in the patent application Ser. No. 08/964,388, entitled "System and Method for Protecting a Computer and a Network from Hostile Downloadables," filed on Nov. 6, 1997, by inventor Shlomo Touboul, which has been incorporated by reference above. It will be further appreciated that the computer protection engine 180 may include the components described in the patent application Ser. No. 08/790,097, entitled "System and Method for Protecting a Client from Hostile Downloadables," filed on Jan. 29, 1997, also by inventor Shlomo Touboul.

It will be appreciated that the network system 100 may include multiple inspectors 125, wherein each inspector 125 may provide a different content inspection. For example, one inspector 125 may examine for suspicious operations, another inspector 125 may examine for known viruses that may be attached to the Downloadable 150, etc. Each inspector 125 would attach a corresponding DSP and a certificate verifying the authenticity of the attached DSP. Alternatively, a single inspector 125 may include multiple content inspection engines 160, wherein each engine provides a different content inspection.
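The flow described above, from the inspector's DSP and Downloadable ID generation (the rules-base scan and the hash over the code plus its prefetched components, FIG. 6) through the protection engine's decision (authenticate the inspector certificate, verify the Downloadable ID, fall back to generating the DSP locally, then compare it against local security policies, FIG. 7), as a compact added example. This is illustrative code written for this page, not Finjan's implementation or any code from the patent: the rules-base patterns, the sample applet, the inspector certificate, the key and the policy values are all constructed, the operation names and function names are hypothetical, and an HMAC under a key the protection engine already trusts stands in for a signature under the inspector's private key, since Python's standard library has no asymmetric signing.

```python
"""Added illustration of the patent's inspector / protection-engine flow.
All names, patterns and sample data below are constructed for this example."""
import hashlib
import hmac
import json
import re

# Constructed rules base: a few of the operation classes the patent lists as
# suspicious (file, network and operating-system operations). Each regex has one
# capture group for the argument text, which the DSP records with the operation.
RULES_BASE = {
    "WRITE_FILE":    re.compile(r"new FileOutputStream\(([^)]*)\)"),
    "DELETE_FILE":   re.compile(r"\.delete\(([^)]*)\)"),
    "CONNECT":       re.compile(r"new Socket\(([^)]*)\)"),
    "LISTEN":        re.compile(r"new ServerSocket\(([^)]*)\)"),
    "START_PROCESS": re.compile(r"Runtime\.getRuntime\(\)\.exec\(([^)]*)\)"),
    "LOAD_CLASS":    re.compile(r"Class\.forName\(([^)]*)\)"),
}


def downloadable_id(components):
    """Downloadable ID: a digital hash over the complete code and every
    prefetched component, in a canonical order so that recomputing it on the
    same Downloadable always yields the same value."""
    h = hashlib.sha256()
    for name in sorted(components):
        data = components[name]
        h.update(name.encode() + b"\0" + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def generate_dsp(components, rules_base=RULES_BASE):
    """Full-content inspection: every suspicious operation found in any
    component, keyed by operation, with the component and argument text."""
    operations = {}
    for name in sorted(components):
        text = components[name].decode("utf-8", errors="replace")
        for op, pattern in rules_base.items():
            for match in pattern.finditer(text):
                operations.setdefault(op, []).append(
                    {"component": name, "args": match.group(1).strip()})
    return {"downloadable_id": downloadable_id(components), "operations": operations}


def _canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def inspect_downloadable(components, inspector_cert, inspector_key):
    """Inspector side (FIG. 6): generate the DSP and Downloadable ID and attach
    them with the inspector certificate. The HMAC stands in for a signature
    under the inspector's private key; the certificate names the key by id."""
    dsp = generate_dsp(components)
    signature = hmac.new(inspector_key, _canonical(dsp), "sha256").hexdigest()
    return {"downloadable": dict(components),
            "dsps": [{"dsp": dsp, "inspector_certificate": inspector_cert,
                      "signature": signature}]}


def protection_engine(signed_file, trusted_inspectors, local_policy):
    """Protection-engine side (FIG. 7): trust an attached DSP only if its
    inspector certificate is from a trusted source, its signature verifies and
    its Downloadable ID matches the code actually received; otherwise generate
    the DSP locally. Then compare the DSP against the local security policy."""
    components = signed_file["downloadable"]
    actual_id = downloadable_id(components)
    dsp, source = None, "generated"
    for attached in signed_file.get("dsps", []):
        key = trusted_inspectors.get(attached["inspector_certificate"]["key_id"])
        if key is None:
            continue  # certificate authenticator: not a trusted inspector
        expected = hmac.new(key, _canonical(attached["dsp"]), "sha256").hexdigest()
        if not hmac.compare_digest(expected, attached["signature"]):
            continue  # DSP altered, or not signed by that inspector
        if attached["dsp"]["downloadable_id"] != actual_id:
            continue  # Downloadable ID verification: DSP belongs to other code
        dsp, source = attached["dsp"], "attached"
        break
    if dsp is None:
        dsp = generate_dsp(components)
    blocked = sorted(op for op in dsp["operations"]
                     if op in local_policy["blocked_operations"])
    return {"decision": "block" if blocked else "pass",
            "dsp_source": source, "blocked": blocked}


# Constructed sample Downloadable: an applet and one class it references,
# given as source text so that the regex rules have something to match.
SAMPLE_APPLET = {
    "Report.class": b'class Report { void run() { new Socket("example.net", 80); } }',
    "Util.class": b'class Util { void log() { new FileOutputStream("log.txt"); } }',
}
INSPECTOR_KEY = b"constructed-inspector-key"
INSPECTOR_CERT = {"issuer": "Example CA", "subject": "Inspector A", "key_id": "inspector-a"}
TRUSTED_INSPECTORS = {"inspector-a": INSPECTOR_KEY}
STRICT_POLICY = {"blocked_operations": {"CONNECT", "START_PROCESS"}}
LAX_POLICY = {"blocked_operations": {"START_PROCESS"}}

if __name__ == "__main__":
    signed = inspect_downloadable(SAMPLE_APPLET, INSPECTOR_CERT, INSPECTOR_KEY)
    print(protection_engine(signed, TRUSTED_INSPECTORS, STRICT_POLICY))
```

The point the patent makes about avoiding on-the-fly decomposition shows up in `dsp_source`: when the certificate, signature and Downloadable ID all check out, the protection engine reuses the attached DSP and only runs the policy comparison; when any of them fails, including code changed after inspection, it regenerates the DSP itself, so the decision is never based on a profile that does not describe the code actually received.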
FIG. 2 is a block diagram illustrating details of a signed inspected Downloadable 195, which includes a Downloadable 205, a developer certificate 155, a DSP 215 which includes a Downloadable ID 220, and an inspector certificate 170. The Downloadable 205 includes the downloadable and executable code that a web client 175 receives and executes. The Downloadable 205 may be encrypted using the developer's private key. The attached developer certificate 155 may include the developer's public key, the developer's name, an expiration date of the key, the name of the certifying authority that issued the certificate, and a serial number. The signed Downloadable 150 comprises the Downloadable 205 and the developer certificate 155. The DSP 215 and Downloadable ID 220 may be encrypted by the inspector's private key. The Downloadable ID 220 is illustrated as part of the DSP 215 for simplicity, since each signed inspected Downloadable 195 may include multiple DSPs 215 (and each DSP 215 may include a separate and distinct Downloadable ID 220). The inspector certificate 170 may include the inspector's public key, an expiration date of the key, the name of the certifying authority that issued the certificate, and a serial number.

Although the signed inspected Downloadable 195 illustrates the DSP 215 (and Downloadable ID 220) as an attachment, one skilled in the art will recognize that the DSP 215 can be linked to the Downloadable 205 using other techniques. For example, the DSP 215 can be stored in the network system 100, and alternatively a pointer to the DSP 215 can be attached to the signed inspected Downloadable 195. The term "linking" herein will be used to indicate an association between the Downloadable 205 and the DSP 215 (including using a pointer from the Downloadable 195 to the DSP 215, attaching the DSP 215 to the Downloadable 205, etc.).

FIG. 3 is a block diagram illustrating details of the developer 120, which includes a processor 305, such as an Intel Pentium® microprocessor or a Motorola Power PC® microprocessor, coupled to a signal bus 310. The developer 120 further includes an input device 315 such as a keyboard and mouse, an output device 320 such as a Cathode Ray Tube (CRT) display, a data storage device 330 such as a magnetic disk, and an internal storage 335 such as Random Access Memory (RAM), each coupled to the signal bus 310. A communications interface 325 couples the signal bus 325 to the external c