USOO8141154B2
`
`(12) United States Patent
`Gruzman et a1.
`
`(10) Patent N0.:
`(45) Date of Patent:
`
`US 8,141,154 B2
`Mar. 20, 2012
`
`(54) SYSTEM AND METHOD FOR INSPECTING
`DYNAMICALLY GENERATED EXECUTABLE
`
`CODE
`
`(75) InvemOFSI David Grulmall, Ramat Gan (IL);
`Yuval Ben-Itzhak, Tel AViV (1L)
`
`(73) ASSlgnee~ F1111 “1 “1°- <1L>
`( * ) Notice:
`Subject to any disclaimer, the term of this
`patent is extended or adjusted under 35
`U_S_C_ 154(b) by 0 days'
`
`(21) Appl. No.: 12/814,584
`
`(22) Filed:
`
`Jun. 14, 2010
`
`(65)
`
`Prior Publication D am
`
`Us 2010/0251373 A1
`
`Sep- 30, 2010
`
`(51) Int- C1-
`(2006-01)
`G06F 11/00
`(52) U-s- Cl- ------------- -- 726/22; 726/23; 726/24; 713/188
`(58) Field of Classi?cation Search ...................... .. None
`See application ?le for complete search history.
`
`(56)
`
`References Cited
`
`U-S- PATENT DOCUMENTS
`5,359,659 A 10/1994 Rosenthal ..................... .. 726/24
`5,974,549 A 10/1999 Gown
`~~ 726/23
`5,983,348 A 11/1999 11 """" "
`" 726/13
`6,092,194 A
`7/2000 Touboul
`.. 726/24
`6,167,520 A 12/2000 Touboul
`N 72603
`6,272,641 Bl
`3/2001 Ji ,,,,,,,,,,,,,,, H
`H 726/24
`6,934,857 B1
`8/2005 Bartleson et al.
`7 26/ 5
`6,965,968 B1
`11/2005 TOUboul ~~~~~~~~ ~~
`711/118
`gg?g?gtegfl'
`
`..
`7,313,822 B2 12/2007 Ben-Ichak ..
`7,739,682 B1* 6/2010 Badenell .... ..
`.. 717/174
`7,836,504 B2 * 11/2010 Ray et al. ...................... .. 726/24
`
`72604
`
`2001/0005889 A1* 6/2001 Albrecht ..................... .. 713/201
`2002/0116635 A1
`8/2002 Sheymov
`.. 726/24
`2004/0133796 A1
`7/2004 Cohen etal. ....... ..
`726/24
`2004/0153644 A1
`8/2004 McCorkendale et al.
`.. 713/156
`2004/0158729 A1
`8/2004 Szor ........................ .. 713/190
`2005/0108562 A1
`5/2005 Khazan et al.
`726/23
`2005/0149749 A1 *
`7/2005 Van Brabant .
`.. 713/200
`2006/0015940 A1
`1/2006 Zamir et al. ..
`.. 726/22
`
`388385838 21
`* Cited by eXaminer
`
`1538? 1513110323 811'. ............ .. 352/35
`
`Primary Examiner * Ponnoreay Pich
`(74) Attorney, Agent, or Firm * Dawn-Marie Bey; King &
`Spalding LLP
`
`(57)
`
`ABSTRACT
`
`A method for protecting a client computer from dynamically
`generated mal101ous content, 1nclud1ng rece1vmg at a gateway
`computer content being sent to a client computer for process
`ing, the content including a call to an original function, and
`the call including an input, modifying the content at the
`gateway computer, including replacing the call to the original
`function with a corresponding call to a substitute function, the
`substitute function being operational to send the input to a
`security computer for inspection, transmitting the modi?ed
`content from the gateway computer to the client computer,
`processing the modi?ed content at the client computer, trans
`mitting the input to the security computer for inspection when
`the substitute function is invoked, determining at the security
`computer whether it is safe for the client computer to invoke
`the original function with the input, transmitting an indicator
`of whether it is safe for the client computer to invoke the
`.
`.
`.
`.
`.
`.
`ongmal funct1on W1th themput, from the'securlty computer to
`the chem computer, and 1nvok1ng the ongmal funct10n at the
`client computer with the input, only if the indicator received
`from the security computer indicates that such invocation is
`safe. A system and a computer-readable storage medium are
`also described and claimed.
`
`12 Claims, 5 Drawing Sheets
`
`0
`O 5% \465
`E z
`-n -|
`g % 440
`E
`-1
`
`‘>‘
`g
`E
`i
`2
`(:0
`a
`I
`
`g
`2
`.i
`J“
`5
`é
`J“
`
`445
`
`V
`
`
`
`HOSSEOOHd MBLNOU
`
`INDICATOR T0 CLIENT
`z COMPUTER OF SAFE INF'UT
`
`MODlFlED CONTENT,
`MODIFIED INPUT
`
`:
`i
`1
`.;
`
`5
`r
`I
`
`425
`
`INPUT. CLIENT ID
`
`n
`1:
`2
`_,
`a
`z
`2
`"
`a
`:1
`
`e
`5|
`ORIGlNAL INCOMING
`E
`CONTENT
`1? '<
`e
`420
`91
`2
`m
`21
`
`
`
`! HOLDSdSNI .111le H
`
`__1
`
`DATABASE OF
`SECURITY POLICIES
`
`\415
`
`480
`
`GATEWAY COMPUTER
`
`CLIENT COMPUTER
`
`000001
`
`Symantec 1001
`IPR of U.S. Pat. No. 8,141,154
`
`

`
`US. Patent
`
`Mar. 20, 2012
`
`Sheet 1 015
`
`US 8,141,154 B2
`
`l CONTENT PROCESSOR I
`
`a
`t
`
`E
`
`A
`
`V
`
`A
`
`;=;
`
`V
`CONTENT msvscroa
`
`5
`g I
`8
`
`u 1
`
`
`
`FIG. 1 (PRIOR ART)
`
`140
`
`174
`l comm INSPECTOR I <
`
`
`
`\ GATEWAY comma: I
`
`a
`
`comm INSPECTOR I 3 - g
`
`K—J—
`
`k
`
`5
`
`l
`
`
`
`s O :
`
`5 z
`
`GATEWAY nscravza
`
`_
`
`GATEWAY RECENER
`
`GATBNAY RECEIVER
`
`f
`I
`8
`
`'
`
`
`
`ORIGINAL INCOMING
`
`CONTENT
`
`120
`
`105—
`
`CONTENT
`ORIGINAL INCOMING
`
`120
`
`
`
`ORIGiNAL \NOOMING
`
`CONTENT
`
`120
`
`000002
`
`

`
`US. Patent
`
`Mar. 20, 2012
`
`Sheet 2 015
`
`US 8,141,154 B2
`
`CLIENT musmrrrza
`
`INPUT. cusm‘m
`
`sacunmr RECEIVER
`
`r
`§
`
`2
`v
`
`N 1
`INPUT INSPECTOR
`
`I:
`
`g 2.
`g E >
`g
`z \ I
`3
`a
`v
`N
`\_
`schRn-Y musmn'rER
`
`i
`;_
`
`m
`'3
`EE
`
`
`n, _' U 13 2
`< ¢ 3; g
`0':
`==
`a
`F E a:
`g D m w
`‘
`
`f
`l m
`a
`
`FIG. 2
`
`
`r o
`."a
`
`m
`A
`E
`g
`1
`1
`comeur PROCESSOR 8
`A
`5
`a
`
`g
`
`momma) INPUT
`
`INDICATOR TO CLIENT
`f COMPUTER OF SAFE 1mm
`{
`2
`“
`
`2
`N
`k
`CLIENT RECEIVER
`9
`
`E
`E
`E
`O D \m
`'2
`&
`D
`D
`2
`
`GATEWAY TRANSMITTER
`
`A
`
`CONTENT MODIFIER
`
`II
`
`In g
`\.
`GATEWAY RECEIVER
`
`CONTENT
`ORIGINAL INCOMING
`
`220
`
`000003
`
`

`
`US. Patent
`
`Mar. 20, 2012
`
`Sheet 3 015
`
`US 8,141,154 B2
`
`l<~ GATEWAYCOMPUTER —>|
`
`l4— CLIENTCOIJIF'UTER —>l
`
`IQ— SECURITVCDMPUTER —>|
`
`Nav?i'?ngégfgggmzm
`COMPUTER
`\
`I
`304
`
`RECEIVE CONTENT FROM
`GATEWAY conume
`I
`
`N
`324
`
`A RECEIVE INPUT AND CLIENT ID
`FROM CUENT comma
`I
`
`\
`340
`
`SCAN CONTENT FOR PRESENCE
`UP FUNCTION CALLS
`
`\ —’
`
`cONnNUE TO PROCESS
`CONTENT
`
`SCAN INPUT FOR PRESENCE OF
`FUNCTION CALLS
`
`W
`
`FUNCTION CALLS FOUND
`m com."
`
`300
`
`312
`
`I
`
`INVOKE SUBSTITUTE FUNCTION
`
`l
`
`325
`
`332
`
`REPLACE ORIGINAL FUNCTION
`CALLS IN CONTENT wrm
`SUBSTITUTE FUNCTION CALLS \
`I
`316
`
`TRANsmrr INPUT AND cuENT IO
`T0 SECURITY com PUTER FOR --
`INSPECTION
`
`335
`
`TRANSMIT cONTENT T0 CUENT
`FOR PROCESSING
`
`R"
`320
`
`RECEIVE SAFETY INDICATOR AND
`Momma, mpm. FROM SECURHY
`(:0me
`\‘_
`304
`
`__ INVOKE ORIGINAL FUNCTION
`WITH MODIFIED INPUT
`
`\
`
`392
`
`FUNCTION CALLS FOUND
`IN INPUT,
`
`344
`
`348
`
`REPLACE ORIGINAL FUNCTION
`ems m INPUT WITH
`SUBSTITUTE FUNCTION CALLS \
`I
`:52
`
`SCAN INPUT TO DETERMINE
`SECURITY PROFILE
`I
`
`QJ
`
`RETRIEVE SECURITY POLICY FOR
`CLIENT COMPUTER
`
`I
`COMPARE CONTENT SECURITY
`PRDFILE WITH CLIENT SECURITY
`FOLICY
`
`NO SAFE FOR CLIENT TO INVOKE
`ORIGINAL FUNCTION WITH
`INF JT?
`YES
`I
`
`SET INDICATOR = TRUE
`
`SET INDICATOR = FALSE
`
`I
`
`TRANSMIT INDICATOR AND
`MODIFIED INPUT TD CLIENT
`COMPUTER
`
`360
`
`\
`
`364
`
`368
`
`572
`
`>6
`
`\
`
`FIG. 3
`
`000004
`
`

`
`US. Patent
`
`Mar. 20, 2012
`
`Sheet 4 0f 5
`
`US 8,141,154 B2
`
`R
`
`E
`
`
`
`m 2 52.6 EH;
`
`lo;
`
`C % P
`
`W 512. 5:30:
`
`
`All! w m
`u 75. o m
`m R m? m
`
`
`
`E?) m S"? whim Lo mmszoo R
`
`
`
`w R 526 0.? moEQEE m
`
`m3\\ E N /l W
`
`w QM. A ..
`
`m .5550 amino: H
`
`a W 1%
`a m 2:. m m
`T T w H N M N m m 8v m o
`
`m c
`
`m r 1 R
`
`m “.0 ww<m<b<o \ m K
`
`T P D“?
`
`
`
`N $5301 Emnuww A r m
`
`2;
`I mu.
`
`v
`
`GATEWAY RECEIVER
`
`kzmhzou
`02-2007: .ZZRVEO
`
`IHKH
`
`000005
`
`

`
`US. Patent
`
`Mar. 20, 2012
`
`Sheet 5 015
`
`US 8,141,154 B2
`
`*4— GATEWAY COMPUTER —’1
`
`l.— CLIENT COMPUTER —>'
`
`RECEIVE CONTENT FROM
`NETWORK INTENDED FOR CLIENT
`COMPUTER
`I
`
`'\
`500
`
`SCAN CONTENITIINPUT FOR
`PRESENCE GF FUNCTION CALL$ \\
`
`FUNCTION CALLS FOUND?
`
`REPLACE ORIGINAL FUNCTION
`CALLS WITH SUBSTITUTE
`FUNCTION CALLS
`
`I
`
`r -‘
`
`TRANSMIT CONTENT TO CLIENT
`FDR PROCESSING
`
`RECEIVE INPUT AND CLIENT ID
`FROM CLIENT CGMPUTER
`
`,__
`
`EGAN INPUT TO GETEF'IMINE
`SECURITY PROFILE
`
`I
`
`\
`
`520
`
`“
`
`545
`
`In C! O
`
`I
`.
`RETR'Eg'?g??g?gj?ggw FOR
`\
`555
`
`I
`
`COMPARE CQNTENT SECURITY
`,
`PROFILE WITH CLIENT SECURITY
`POLICY
`
`SAFE FOR CLIENT TO INVOKE
`ORIGINAL FUNCTION WITH
`INPUT?
`IVES
`
`565
`
`SET INDICATOR = TRUE
`
`SET INDICATOR = FAL$E
`
`I
`
`am
`
`575
`
`TRANSMIT INDICATOR TO CLIENT
`COMPUTER
`
`\
`
`'
`
`RECEIVE CONTENT FROM
`GATEWAY COMPUTER
`
`I
`
`CONTINUE To PROCESS
`CONTENT
`
`I
`
`INVOKE SUBSTITUTE FUNCTION
`
`I
`
`TRANSMIT INPUT AND CLIENT ID
`To GATEWAY COMPUTER FOR
`INSPECTION
`
`I
`RECEIVE SAFETY INDICATQR
`"-D' FROM GATEWAY COMPUTER
`
`INDICATOR = TRUE?
`
`2
`
`in
`
`"W ‘ KE ??'mkuiumwm
`
`‘
`
`\525
`
`"""
`
`530
`
`535
`
`\
`540
`
`\
`
`595
`
`580
`
`FIG. 5
`
`000006
`
`

`
`US 8,141,154 B2
`
`1
`SYSTEM AND METHOD FOR INSPECTING
`DYNAMICALLY GENERATED EXECUTABLE
`CODE
`
`FIELD OF THE INVENTION
`
`The present invention relates to computer security, and
`more particularly to protection against malicious code such as
`computer viruses.
`
`BACKGROUND OF THE INVENTION
`
`2
`contents of which are hereby incorporated by reference,
`describes gateway level behavioral analysis. Such behavioral
`analysis scans and parses content received at a gateway and
`generates a security pro?le for the content. A security pro?le
`is a general list or delineation of suspicious, or potentially
`malicious, operations that executable content may perform.
`The derived security pro?le is then compared with a security
`policy for the computer being protected, to determine
`whether or not the content’ s security pro?le violates the com
`puter’s security policy. A security policy is a general set of
`simple or complex rules, that may be applied logically in
`series or in parallel, which determine whether or not a speci?c
`operation is permitted or forbidden to be performed by the
`content on the computer being protected. Security policies are
`generally con?gurable, and set by an administrator of the
`computer that is being protected.
`Assignee’s US. Pat. No. 6,167,520 entitled SYSTEM
`AND METHOD FOR PROTECTING A CLIENT DURING
`RUNTIME FROM HOSTILE DOWNLOADABLES, the
`contents of which are hereby incorporated by reference,
`describes desktop level behavioral analysis. Desktop level
`behavioral analysis is generally implemented during run
`time, while a computer’s web browser is processing web
`content received over the Internet. As the content is being
`processed, desktop security applications monitor calls made
`to critical systems of the computer, such as the operating
`system, the ?le system and the network system. Desktop
`security applications use hooks to intercept calls made to
`operating system functions, and allow or block the calls as
`appropriate, based on the computer’s security policy.
`Each of the various anti-virus technologies, gateway vs.
`desktop, reactive vs. proactive, has its pros and cons. Reactive
`anti-virus protection is computationally simple and fast; pro
`active virus protection is computationally intensive and
`slower. Reactive anti-virus protection cannot protect against
`new “?rst-time” viruses, and cannot protect a user if his
`signature ?le is out of date; proactive anti-virus protection can
`protect against new “?rst-time” viruses and do not require
`regular downloading of updated signature ?les. Gateway
`level protection keeps computer viruses at a greater distance
`from a local network of computers; desktop level protection is
`more accurate. Desktop level protection is generally available
`in the consumer market for hackers to obtain, and is suscep
`tible to reverse engineering; gateway level protection is not
`generally available to hackers.
`Reference is now made to FIG. 1, which is a simpli?ed
`block diagram of prior art systems for blocking malicious
`content, as described hereinabove. The topmost system
`shown in FIG. 1 illustrates a gateway level security applica
`tion. The middle system shown in FIG. 1 illustrates a desktop
`level security application, and the bottom system shown in
`FIG. 1 illustrates a combined gateway+desktop level security
`application.
`The topmost system shown in FIG. 1 includes a gateway
`computer 105 that receives content from the Internet, the
`content intended for delivery to a client computer 110. Gate
`way computer 105 receives the content over a communication
`channel 120, and gateway computer communicates with cli
`ent computer 110 over a communication channel 125. Gate
`way computer 105 includes a gateway receiver 135 and a
`gateway transmitter 140. Client computer 110 includes a
`client receiver 145. Client computer generally also has a
`client transmitter, which is not shown.
`Client computer 110 includes a content processor 170,
`such as a conventional web browser, which processes Internet
`content and renders it for interactive viewing on a display
`monitor. Such Internet content may be in the form of execut
`
`20
`
`25
`
`30
`
`35
`
`Computer viruses have been rampant for over two decades
`now. Computer viruses generally come in the form of execut
`able code that performs adverse operations, such as modify
`ing a computer’s operating system or ?le system, damaging a
`computer’s hardware or hardware interfaces, or automati
`cally transmitting data from one computer to another. Gener
`ally, computer viruses are generated by hackers willfully, in
`order to exploit computer vulnerabilities. However, viruses
`can also arise by accident due to bugs in software applica
`tions.
`Originally computer viruses were transmitted as execut
`able code inserted into ?les. As each new virus was discov
`ered, a signature of the virus was collected by anti-virus
`companies and used from then on to detect the virus and
`protect computers against it. Users began routinely scanning
`their ?le systems using anti-virus software, which regularly
`updated its signature database as each new virus was discov
`ered.
`Such anti-virus protection is referred to as “reactive”, since
`it can only protect in reaction to viruses that have already been
`discovered.
`With the advent of the Internet and the ability to run execut
`able code such as scripts within Internet browsers, a new type
`of virus formed; namely, a virus that enters a computer over
`the Internet and not through the computer’s ?le system. Such
`Internet viruses can be embedded within web pages and other
`web content, and begin executing within an Internet browser
`as soon as they enter a computer. Routine ?le scans are not
`able to detect such viruses, and as a result more sophisticated
`anti-virus tools had to be developed.
`Two generic types of anti-virus applications that are cur
`rently available to protect against such Internet viruses are (i)
`gateway security applications, and (ii) desktop security appli
`cations. Gateway security applications shield web content
`before the content is delivered to its intended destination
`computer. Gateway security applications scan web content,
`and block the content from reaching the destination computer
`if the content is deemed by the security application to be
`potentially malicious. In distinction, desktop security appli
`cations shield against web content after the content reaches its
`intended destination computer.
`Moreover, in addition to reactive anti-virus applications,
`that are based on databases of known virus signatures,
`recently “proactive” antivirus applications have been devel
`oped. Proactive anti-virus protection uses a methodology
`known as “behavioral analysis” to analyze computer content
`for the presence of viruses. Behavior analysis is used to auto
`matically scan and parse executable content, in order to detect
`which computer operations the content may perform. As
`such, behavioral analysis can block viruses that have not been
`previously detected and which do not have a signature on
`record, hence the name “proactive”.
`Assignee’s US. Pat. No. 6,092,194 entitled SYSTEM
`65
`AND METHOD FOR PROTECTING A COMPUTER AND
`A NETWORK FROM HOSTILE DOWNLOADABLES, the
`
`40
`
`45
`
`50
`
`55
`
`60
`
`000007
`
`

`
`US 8,141,154 B2
`
`3
`able code, JavaScript, VBScript, Java applets, ActiveX con
`trols, which are supported by web browsers.
`Gateway computer 105 includes a content inspector 174
`which may be reactive or proactive, or a combination of
`reactive and proactive. Incoming content is analyzed by con
`tent inspector 174 before being transmitted to client computer
`110. If incoming content is deemed to be malicious, then
`gateway computer 105 preferably prevents the content from
`reaching client computer 110. Alternatively, gateway com
`puter 105 may modify the content so as to render it harmless,
`and subsequently transmit the modi?ed content to client com
`puter 110.
`Content inspector 174 can be used to inspect incoming
`content, on its way to client computer 110 as its destination,
`and also to inspect outgoing content, being sent from client
`computer 110 as its origin.
`The middle system shown in FIG. 1 includes a gateway
`computer 105 and a client computer 110, the client computer
`110 including a content inspector 176. Content inspector 176
`may be a conventional Signature-based anti-virus applica
`tion, or a run-time behavioral based application that monitors
`run-time calls invoked by content processor 170 to operating
`system, ?le system and network system functions.
`The bottom system shown in FIG. 1 includes both a content
`inspector 174 at gateway computer 105, and a content inspec
`tor 176 at client computer 110. Such a system can support
`conventional gateway level protection, desktop level protec
`tion, reactive anti-virus protection and proactive anti-virus
`protection.
`As the hacker vs. anti-virus protection battle continues to
`wage, a newer type of virus has sprung forward; namely,
`dynamically generated viruses. These viruses are themselves
`generated only at run-time, thus thwarting conventional reac
`tive analysis and conventional gateway level proactive behav
`ioral analysis. These viruses take advantage of features of
`dynamic HTML generation, such as executable code or
`scripts that are embedded within HTML pages, to generate
`themselves on the ?y at runtime.
`For example, consider the following portion of a standard
`HTML page:
`
`<1DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.0
`Transitional//EN”>
`<HTML>
`<SCRIPT LANGUAGE=“JavaScript”>
`document.write(“<hl>text that is generated at run—time</hl>”);
`</SCRIPT>
`<BODY>
`</BODY>
`</HTML>
`
`The text within the <SCRIPT> tags is JavaScript, and
`includes a call to the standard function document.write( ),
`which generates dynamic HTML. In the example above, the
`function document.write( ) is used to generate HTML header
`text, with a text string that is generated at run-time. If the text
`string generated at run-time is of the form
`<SCRIPT>malicious JavaScript</SCRIPT>
`then the document.write( ) function will insert malicious
`JavaScript into the HTML page that is currently being ren
`dered by a web browser. In turn, when the web browser
`processes the inserted text, it will perform malicious opera
`tions to the client computer.
`Such dynamically generated malicious code cannot be
`detected by conventional reactive content inspection and con
`ventional gateway level behavioral analysis content inspec
`
`4
`tion, since the malicious JavaScript is not present in the con
`tent prior to run-time. A content inspector will only detect the
`presence of a call to Document.write( ) with input text that is
`yet unknown. If such a content inspector were to block all
`calls to Document.write( ) indiscriminately, then many harm
`less scripts will be blocked, since most of the time calls to
`Document.write( ) are made for dynamic display purposes
`only.
`US. Pat. Nos. 5,983,348 and 6,272,641, bothto Ji, describe
`reactive client level content inspection, that modi?es down
`loaded executable code within a desktop level anti-virus
`application. However, such inspection can only protect
`against static malicious content, and cannot protect against
`dynamically generated malicious content.
`Desktop level run-time behavioral analysis has a chance of
`shielding a client computer against dynamically generated
`malicious code, since such code will ultimately make a call to
`an operating system function. However, desktop anti-virus
`protection has a disadvantage of being widely available to the
`hacker community, which is always eager to ?nd vulnerabili
`ties. In addition, desktop anti-virus protection has a disadvan
`tage of requiring installation of client software.
`As such, there is a need for a new form of behavioral
`analysis, which can shield computers from dynamically gen
`erated malicious code without running on the computer itself
`that is being shielded.
`
`SUMMARY OF THE DESCRIPTION
`
`The present invention concerns systems and methods for
`implementing new behavioral analysis technology. The new
`behavioral analysis technology affords protection against
`dynamically generated malicious code, in addition to conven
`tional computer viruses that are statically generated.
`The present invention operates through a security com
`puter that is preferably remote from a client computer that is
`being shielded while processing network content. During
`run-time, while processing the network content, but before
`the client computer invokes a function call that may poten
`tially dynamically generate malicious code, the client com
`puter passes the input to the function to the security computer
`for inspection, and suspends processing the network content
`pending a reply back from the security computer. Since the
`input to the function is being passed at run-time, it has already
`been dynamically generated and is thus readily inspected by
`a content inspector. Referring to the example above, were the
`input to be passed to the security computer prior to run-time,
`it would take the form of indeterminate text; whereas the
`input passed during run-time takes the determinate form
`<SCRIPT>malicious JavaScript</SCRIPT>,
`which can readily be inspected. Upon receipt of a reply from
`the security computer, the client computer resumes process
`ing the network content, and knows whether to by-pass the
`function call invocation.
`To enable the client computer to pass function inputs to the
`security computer and suspend processing of content pending
`replies from the security computer, the present invention
`operates by replacing original function calls with substitute
`function calls within the content, at a gateway computer, prior
`to the content being received at the client computer.
`The present invention also provides protection against
`arbitrarily many recursive levels of dynamic generation of
`malicious code, whereby such code is generated via a series
`of successive function calls, one within the next.
`By operating through the medium of a security computer,
`the present invention overcomes the disadvantages of desktop
`anti-virus applications, which are available to the hacker
`
`20
`
`25
`
`30
`
`40
`
`45
`
`50
`
`65
`
`000008
`
`

`
`US 8,141,154 B2
`
`5
`community for exploit. Security applications embodying the
`present invention are concealed securely within managed
`computers.
`There is thus provided in accordance with a preferred
`embodiment of the present invention a method for protecting
`a client computer from dynamically generated malicious con
`tent, including receiving at a gateway computer content being
`sent to a client computer for processing, the content including
`a call to an original function, and the call including an input,
`modifying the content at the gateway computer, including
`replacing the call to the original function with a correspond
`ing call to a substitute function, the substitute function being
`operational to send the input to a security computer for
`inspection, transmitting the modi?ed content from the gate
`way computer to the client computer, processing the modi?ed
`content at the client computer, transmitting the input to the
`security computer for inspection when the substitute function
`is invoked, determining at the security computer whether it is
`safe for the client computer to invoke the original function
`with the input, transmitting an indicator of whether it is safe
`for the client computer to invoke the original function with the
`input, from the security computer to the client computer, and
`invoking the original function at the client computer with the
`input, only if the indicator received from the security com
`puter indicates that such invocation is safe.
`There is further provided in accordance with a preferred
`embodiment of the present invention a system for protecting
`a client computer from dynamically generated malicious con
`tent, including a gateway computer, including a gateway
`receiver for receiving content being sent to a client computer
`for processing, the content including a call to an original
`function, and the call including an input, a content modi?er
`for modifying the received content by replacing the call to the
`original function with a corresponding call to a substitute
`function, the substitute function being operational to send the
`input to a security computer for inspection, and a gateway
`transmitter for transmitting the modi?ed content from the
`gateway computer to the client computer, a security com
`puter, including a security receiver for receiving the input
`from the client computer, an input inspector for determining
`whether it is safe for the client computer to invoke the original
`function with the input, and a security transmitter for trans
`mitting an indicator of the determining to the client computer,
`and a client computer communicating with the gateway com
`puter and with the security computer, including a client
`receiver for receiving the modi?ed content from the gateway
`computer, and for receiving the indicator from the security
`computer, a content processor for processing the modi?ed
`content, and for invoking the original function only if the
`indicator indicates that such invocation is safe; and a client
`transmitter for transmitting the input to the security computer
`for inspection, when the substitute function is invoked.
`There is yet further provided in accordance with a preferred
`embodiment of the present invention a computer-readable
`storage medium storing program code for causing at least one
`computing device to receive content including a call to an
`original function, and the call including an input, replace the
`call to the original function with a corresponding call to a
`substitute function, the substitute function being operational
`to send the input for inspection, thereby generating modi?ed
`content, process the modi?ed content, transmit the input for
`inspection, when the substitute function is invoked while
`processing the modi?ed content, and suspend processing of
`the modi?ed content, determine whether it is safe to invoke
`the original function with the input, transmit an indicator of
`whether it is safe for a computer to invoke the original func
`tion with the input, and resume processing of the modi?ed
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`6
`content after receiving the indicator, and invoke the original
`function with the input only if the indicator indicates that such
`invocation is safe.
`There is additionally provided in accordance with a pre
`ferred embodiment of the present invention a method for
`protecting a client computer from dynamically generated
`malicious content, including receiving content being sent to a
`client computer for processing, the content including a call to
`an original function, and the call including an input, modify
`ing the content, including replacing the call to the original
`function with a corresponding call to a substitute function, the
`substitute function being operational to send the input to a
`security computer for inspection, and transmitting the modi
`?ed content to the client computer for processing.
`There is moreover provided in accordance with a preferred
`embodiment of the present invention a system for protecting
`a client computer from dynamically generated malicious con
`tent, including a receiver for receiving content being sent to a
`client computer for processing, the content including a call to
`an original function, and the call including an input, a content
`modi?er for modifying the received content by replacing the
`call to the original function with a corresponding call to a
`substitute function, the substitute function being operational
`to send the input to a security computer for inspection, and a
`transmitter for transmitting the modi?ed content to the client
`computer.
`There is further provided in accordance with a preferred
`embodiment of the present invention a computer-readable
`storage medium storing program code for causing a comput
`ing device to receive content including a call to an original
`function, and the call including an input, and replace the call
`to the original function with a corresponding call to a substi
`tute function, the substitute functionbeing operational to send
`the input for inspection.
`There is yet further provided in accordance with a preferred
`embodiment of the present invention a method for protecting
`a client computer from dynamically generated malicious con
`tent, including receiving content being sent to a client com
`puter for processing, the content including a call to an original
`function, and the call including an input, modifying the con
`tent, including replacing the call to the original function with
`a corresponding call to a substitute function, the substitute
`function being operational to send the input for inspection,
`transmitting the modi?ed content to the client computer for
`processing, receiving the input from the client computer,
`determining whether it is safe for the client computer to
`invoke the original function with the input, and transmitting
`to the client computer an indicator of whether it is safe for the
`client computer to invoke the original function with the input.
`There is additionally provided in accordance with a pre
`ferred embodiment of the present invention a system for
`protecting a client computer from dynamically generated
`malicious content, including a receiver (i) for receiving con
`tent being sent to a client computer for processing, the content
`including a call to an original function, and the call including
`an input, and (ii) for receiving the input from the client com
`puter, a content modi?er for modifying the received content
`by replacing the call to the original function with a corre
`sponding call to a substitute function, the substitute function
`being operational to send the input for inspection, an input
`inspector for determining whether it is safe for the client
`computer to invoke the original function with the input, and a
`transmitter (i) for transmitting the modi?ed content to the
`client computer, and (ii) for transmitting an indicator of the
`determining to the client computer.
`There is moreover provided in accordance with a preferred
`embodiment of the present invention a computer-readable
`
`000009
`
`

`
`US 8,141,154 B2
`
`7
`storage medium storing program code for causing a comput
`ing device to receive content including a call to an original
`function, and the call including an input, replace the call to the
`original function with a corresponding call to a substitute
`function, the substitute function being operational to send the
`input for inspection, and determine whether it is safe for a
`computer to invoke the original function with the input.
`There is further provided in accordance with a preferred
`embodiment of the present invention a method for protecting
`a computer from dynamically generated malicious content,
`including processing content received over a network, the
`content including a call to a ?rst function, and the call includ
`ing an input, transmitting the input to a security computer for
`inspection, when the ?rst function is invoked, receiving from
`the security computer an indicator of whether it is safe to
`invoke a second function with the input, and invoking the
`second function with the input, only if the indicator indicates
`that such invocation is safe.
`There is yet further provided in accordance with a preferred
`embodiment of the present invention a system for protecting
`a computer from dynamically generated malicious content,
`including a content processor (i) for processing content
`received over a network, the content including a call to a ?rst
`function, and the call including an input, and (ii) for invoking
`a second function with the input, only if a security computer
`indicates that such invocation is safe, a transmitter for trans
`mitting the input to the security computer for inspection,
`when the ?rst function is invoked, and a receiver for receiving
`an indicator from the security computer whether it is safe to
`invoke the second function with the input.
`There is additionally provided in accordance with a pre
`ferred embodiment of the present invention a computer-read
`able storage medium storing program code for causing a
`computing device to process content received over a network,
`the content including a call to a ?rst function, and the call
`including an inp