Symantec 1013
`IPR of U.S. Pat. No. 8,141,154
`
`000001
`
`

`
`Regular
`
`Utility
`
`COMPUTER SECURlTY METHOD AND
`
`SYSTEM WITH INPUT PARAMETER
`
`VALlDATlON
`
`60644-8021 .USO2
`
`No
`
`No
`
`No
`
`Fig. 1
`
`3 N
`
`/A
`
`lnventor
`
`lL
`
`Full Capacity
`
`Yuval
`
`BEN—lTZHAK
`
`Tel Aviv
`
`lL
`
`Application Data Sheet
`
`Application Information
`
`Application Type::
`
`Subject Matter::
`
`TitIe::
`
`Attorney Docket Number:
`
`Request for Early Publicationz:
`
`Request for Non—Publication::
`
`Small Entity?::
`
`Suggested Drawing Figure:
`
`Total Drawing Sheets:
`
`Secrecy Order in Parent Appl.?::
`
`Applicant Information
`
`Applicant Authority Typezz
`
`Primary Citizenship Country::
`
`Status::
`
`Given Name::
`
`Family Name::
`
`City of Residence::
`
`Country of Residence:
`
`Mailing Address::
`
`King David Boulevard 36/8
`
`City of Mailing Address::
`
`Country of Mailing Address::
`
`Tel Aviv
`
`lL
`
`Page 1
`
`Initial O7/16/2008
`
`000002
`
`000002
`
`

`
`Applicant Authority Type::
`
`Primary Citizenship Country:
`
`Status::
`
`Given Name::
`
`Family Name::
`
`City of Residence::
`
`Country of Residence::
`
`Mailing Address:
`
`City of Mailing Address::
`
`Inventor
`
`lL
`
`Full Capacity
`
`Golan
`
`YOSEF
`
`Rishon Le’Zion
`
`IL
`
`16 Ha’Oniya Street
`
`Rishon Le’Zion
`
`Country of Mailing Address::
`
`lL
`
`Applicant Authority Type::
`
`Primary Citizenship Country::
`
`Status::
`
`Given Name::
`
`Family Name::
`
`City of Residence::
`
`Country of Residence:
`
`Mailing Address::
`
`City of Mailing Address::
`
`Country of Mailing Address::
`
`Inventor
`
`IL
`
`Full Capacity
`
`Israel
`
`TAUB
`
`Nof Ayalon
`
`IL
`
`33 HaChoshen Street
`
`Nof Ayalon
`
`IL
`
`Correspondence information
`
`Correspondence Customer Number::
`
`25096
`
`Representative Information
`
`Representative Customer Number::
`
`25096
`
`Page 2
`
`initial 07/16/2008
`
`000003
`
`000003
`
`

`
`Domestic Priority information
`
`Applicationz:
`
`Continuity Type::
`
`
`
`‘ This application t Continuation~ln—Part of
`
`Parent
`
`Parent Filing
`
`Application::
`
`Date::
`
`11/354,893
`
`1 02/16/2006
`
`Assignee Information
`
`Name::
`
`FINJAN SOFTWNARE, LTD.
`
`Street of Mailing Address::
`
`Hamachshev St. 1
`
`City of Mailing Address::
`
`New Industrial Area
`
`State/Province of Mailing Address::
`
`Netanya
`
`Postal Code of Mailing Address::
`
`42504
`
`Country of Mailing Address::
`
`lL
`
`Page 3
`
`Initial 07/16/2008
`
`000004
`
`000004
`
`

`
`Attorney Docket No. 60644-8021.USO2
`
`COMPUTER SECURITY METHOD AND SYSTEM
`WITH INPUT PARAMETER VALIDATION
`
`PRIORITY REFERENCE TO RELATED APPLICATIONS
`
`[0001]
`
`This application is a continuation-in~part of assignee’s pending U.S.
`
`Application No. 11/354,893, filed on February 16, 2006 entitled SYSTEM AND
`
`METHOD FOR ENFORCING A SECURITY CONTEXT ON A DOWNLOADABLE.
`
`FIELD OF THE INVENTION
`
`[0002]
`
`The field of the present invention is computer security.
`
`BACKGROUND OF THE INVENTION
`
`[0003]
`
`Computer security software and hardware are used to inspect
`
`downloadables, to determine if they are malicious. The term “downloadable” refers
`
`generally to an executable application program, which is downloaded from a source
`
`computer and run on a destination computer. There are many different types of
`
`malicious downloadables, including malware, phishing, spyware, Trojan horses,
`
`viruses and worms. Malicious downloadables often enter an internal computer
`
`network from an external network, and infect all or most of the computers in the
`
`internal network once they break in. As such, computer security systems often
`
`employ gateway computers to scan and filter incoming downloadables.
`
`[0004]
`
`Scanning downloadables at a gateway computer may be performed by
`
`running the programs; however, running the programs on the gateway computer
`
`instead of on the computer in the internal network for which the programs are
`
`intended, may result in the gateway computer failing to detect exploits in the
`
`downloadables.
`
`[0005]
`
`Scanning downloadables at a gateway computer may also be performed
`
`by analyzing the programs. Assignee’s U.S. Patent No. 6,092,194 describes such a
`
`gateway security system.
`
`OOOOO5
`
`000005
`
`

`
`Attorney Docket No. 60644-8021.USO2
`
`[0006] When analyzing downloadables, scanners generally search for computer
`
`operations that are potentially suspicious. For example, if a suspect downloadable
`
`invokes a function call that writes to a file system or opens a network connection or
`
`changes a registry entry, such behavior raises a warning flag for potentially
`
`malicious activity. A security system may block a downloadable from reaching an
`
`internal network if the downloadable includes a suspicious computer operation.
`
`However, most non-malicious downloadables use these same computer operations
`
`in an innocuous way, and such a security system may block both good and bad
`
`downloadables from reaching the internal network.
`
`[0007]
`
`Consider, for example, a function that deletes a file in the file system.
`
`Many safe programs, such as software installation programs, generate temporary
`
`files during execution, and delete the temporary files upon completion. However, a
`
`malicious program may delete critical operating system files. A security system that
`
`blocks downloadables which invoke a function to delete a file would block safe
`
`downloadables in addition to the malicious ones.
`
`[0008]
`
`Consider, for example, a downloadable that includes the following simple
`
`Javascript source code:
`
`<SCRlPT LANGUAGE="JavaScript">
`var b = new ActiveXObject("Msxml2.XMLHTTP");
`exploit data = "SSSSSSSSSSSSSSSSSSSSSS exploit";
`b.setRequestHeader(exploit data);
`</SCRlPT>
`
`This source code initiates a new Msxml2.XMLHTTP ActiveX object, and invokes the
`
`object's method setRequestHeader(). An Msxml2.XMLHTTP object is a standard
`
`object built into the Microsoft XML parser. The Msxml2.XMLHTTP object is an
`
`important part of the Ajax web development technique, and is used to implement
`
`responsive and dynamic web applications.
`
`It is used on a client side web page to
`
`grab information from the server, process it, and use the information on the current
`
`web page (as opposed to having to reload a web page).
`
`OOOOO6
`
`000006
`
`

`
`AfiorneylDocketNo.60644~8021lJSO2
`
`[0009]
`
`The method setRequestHeader() is generally a safe function that simply
`
`adds an HTTP header to a request. The following code snippet shows how
`
`setRequestHeader() is used, for example, to set the HTTP Content-Type header to
`
`‘text/xml' before sending a request body.
`
`var oReq = new XMLHttpRequest();
`oReq.open("POST", sURL, false);
`oReq.setRequestHeader(CONTENT, "text/xml");
`oReq.send(sRequestBody);
`
`As such, the example Javascript above appears innocuous.
`
`[0010]
`
`However, the input parameter to setRequestHeader() in the example
`
`JavaScript code above is only evaluated at run-time, and a code exploit may be
`
`triggered in the process of evaluating the input parameter. More generally, input
`
`parameters to function calls, even for safe functions, are potential hiding places for
`
`code exploits. Since input parameters may only be determined at run-time, such
`
`code exploits may go undetected when scanning downloadables.
`
`[0011]
`
`it would thus be of advantage for a security system to be able to validate
`
`input parameters that are evaluated at run-time.
`
`It would be of further advantage for
`
`a security system to be able to determine if a given input parameter will exploit a
`
`non—malicious function, prior to actually executing the non—malicious function with the
`
`given input parameter.
`
`SUMMARY OF THE DESCRlPTlON
`
`[0012]
`
`Aspects of the present invention relate to a computer security method and
`
`system that validates input parameters to computer operations when scanning a
`
`suspect downloadable.
`
`in one embodiment, the present invention overwrites
`
`suspicious computer operations, and appends special monitoring code to the
`
`suspect downloadable that, when invoked, validates input parameters to computer
`
`operations.
`
`[0013]
`
`The present invention may be embodied at a gateway computer, at a
`
`server computer, or at a client computer.
`
`OOOOO7
`
`000007
`
`

`
`Attorney Docket No. 60644-8021 .USO2
`
`[0014]
`
`There is thus provided in accordance with an embodiment of the present
`
`invention a method for identifying suspicious downloadables, including receiving a
`
`downloadable, scanning the downloadable to identify suspicious computer
`
`operations therein, and if at least one suspicious computer operation is identified,
`
`then over\Nriting the suspicious computer operations with substitute computer
`
`operations, and appending monitoring program code to the downloadable thereby
`
`generating a modified downloadable, wherein the monitoring program code includes
`
`program instructions for validating input parameters for the suspicious computer
`
`operations during run-time of the downloadable.
`
`[0015]
`
`There is additionally provided in accordance with an embodiment of the
`
`present invention a computer security system, including a receiver for receiving a
`
`downloadable, a scanner, coupled with the receiver, for scanning the downloadable
`
`to identify suspicious computer operations therein, a code modifier, coupled with the
`
`scanner, for overwriting the suspicious computer operations with substitute computer
`
`operations, if at least one suspicious computer operation is identified by the scanner,
`
`and for appending monitoring program code to the downloadable thereby generating
`
`a modified downloadable, if at least one suspicious computer operation is identified
`
`by the scanner, and a processor, coupled with the code modifier, for executing
`
`programmed instructions, wherein the monitoring program code includes program
`
`instructions for the processor to validate input parameters for the suspicious
`
`computer operations during run-time of the downloadable.
`
`[0016]
`
`There is further provided in accordance with an embodiment of the
`
`present invention a method for identifying suspicious downloadables, including
`
`receiving a downloadable, and appending monitoring program code to the
`
`downloadable thereby generating a modified downloadable, wherein the monitoring
`
`program code includes program instructions for identifying suspicious computer
`
`operations during run-time of the downloadable, for overwriting the suspicious
`
`computer operations with substitute computer operations during run—time of the
`
`000008
`
`000008
`
`

`
`Attorney Docket No. 60644-8021.USO2
`
`downioadable, and for validating input parameters for the suspicious operations
`
`during run—time of the downloadable.
`
`[0017]
`
`There is yet further provided in accordance with an embodiment of the
`
`present invention a computer security system, including a receiver for receiving a
`
`downloadable, a code modifier, coupled with the scanner, for appending monitoring
`
`program code to the downloadable thereby generating a modified downioadable,
`
`and a processor, coupled with the code modifier, for executing programmed
`
`instructions, wherein the monitoring program code includes program instructions for
`
`the processor to identify suspicious computer operations during run—time of the
`
`downloadable, to overwrite the suspicious computer operations with substitute
`
`computer operations during run—time of the downloadable, and to validate input
`
`parameters for the suspicious computer operations during run time of the
`
`downloadable.
`
`[0018]
`
`There is moreover provided in accordance with an embodiment of the
`
`present invention a method for identifying suspicious downloadables, including
`
`scanning a downloadable to detect the presence of at least one suspicious computer
`
`operation, dynamically generating during run—time of the downloadable at least one
`
`input parameter for the at least one suspicious computer operation detected by the
`
`scanning, and determining whether or not the dynamically generated at least one
`
`input parameter corresponds to a safe input parameter for the at least one
`
`suspicious computer operation.
`
`[0019]
`
`There is additionally provided in accordance with an embodiment of the
`
`present invention a computer security system, including a scanner for scanning a
`
`downloadable to detect the presence of at least one suspicious computer operation,
`
`and a processor that executes programmed instructions for dynamically generating
`
`during run—time of the downloadable at least one input parameter for the at least one
`
`suspicious computer operation detected by the scanner, and for determining
`
`OOOOO9
`
`000009
`
`

`
`Attorney Docket No. 60644-8021.US02
`
`whether or not the dynamically generated at least one input parameter corresponds
`
`to a safe input parameter for the at least one suspicious computer operation.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`[0020]
`
`The present invention will be more fully understood and appreciated from
`
`the following detailed description, taken in conjunction with the drawings in which:
`
`[0021]
`
`FIG. 1 is a simplified block diagram of a computer security system with
`
`input parameter validation, in accordance with an embodiment of the present
`
`invention;
`
`[0022]
`
`FIG. 2 is a method for computer security with input parameter validation,
`
`in accordance with an embodiment of the present invention; and
`
`[0023]
`
`FIG. 3 is an alternative method for computer security with input parameter
`
`validation, in accordance with an embodiment of the present invention.
`
`DETAILED DESCRIPTION
`
`[0024]
`
`Aspects of the present invention relate to a computer security method and
`
`system that receives as input a downloadable, and detects whether or not the
`
`downloadable is potentially malicious by inter alia validating input parameters to
`
`computer operations.
`
`[0025]
`
`Reference is now made to FIG. 1, which is a simplified block diagram of a
`
`computer security system with input parameter validation, in accordance with an
`
`embodiment of the present invention. The embodiment of the security system
`
`shown in FIG. 1 includes a gateway computer 100 and two destination computers
`
`110. Downloadables transmitted to destination computers 110 first pass through
`
`gateway 100.
`
`[0026]
`
`Downloadables may be inter alia in the form of source code, such as
`
`Javascript, or in the form of complied code, such as Java applets, that is de-
`
`compiled in order to derive its source code.
`
`000010
`
`000010
`
`

`
`Attorney Docket No. 60644-8021 .USO2
`
`[0027]
`
`One of the responsibilities of gateway computer 100 is to run security
`
`checks on downloadables prior to their reaching destination computers 110.
`
`if
`
`gateway computer 100 identifies a potentially malicious downloadable, then it either
`
`blocks the downloadable from reaching destination computers 110, or neutralizes
`
`the potentially malicious portions of the downioadable prior to forwarding the
`
`downloadable to destination computers 110.
`
`[0028]
`
`As shown in FIG. 1, gateway computer 100 includes a processor 120, for
`
`executing programmed instructions, a receiver 130 for receiving a downloadable in
`
`transit to one or both of destination computers 110, and a transmitter 140 for
`
`forwarding the received downioadable to one or both of destination computers 110.
`
`Gateway computer 100 further includes a scanner 150, for scanning a downloadable
`
`received by receiver 130, and a code modifier 160 for appending special modification
`
`code to the downloadable received by receiver 130.
`
`[0029]
`
`Generally, scanner 150 inspects downioadable source code for the
`
`presence of suspicious computer operations.
`
`if the downioadable is in compiled
`
`object code form, the scanner 150 first de—compiles the object code to derive
`
`downioadable source code therefrom, and then inspects the downloadable source
`
`code for the presence of suspicious operations.
`
`[0030]
`
`if no suspicious computer operations are detected, then the downloadable
`
`is deemed to be safe, and is forwarded to one or both of destination computers 110
`
`via transmitter 140. However, if scanner 150 detects one or more suspicious
`
`computer operations, then processor 120 appends special modification code 170 to
`
`the downloadable, thereby generating a modified downloadable, Modification code
`
`170 includes instructions for overwriting the suspicious computer operations
`
`detected by scanner 150, and for validating their input parameters.
`
`if all input
`
`parameters to all suspicious computer operations are validated, then the
`
`downloadable is deemed to be safe, and is fon/varded to one or both of destination
`
`computers 110. Otherwise, the downloadable is deemed to be potentially malicious.
`
`00001 1
`
`000011
`
`

`
`Attorney Docket No. 60644-8021.USO2
`
`[0031]
`
`For a downloadable deemed to be potentially malicious, processor 120
`
`may neutralize the suspicious computer operations by eliminating such operations,
`
`or by replacing their input parameters with valid input parameters, and then
`
`forwarding the remedied downloadable to one or both of destination computers 110.
`
`Further, processor 120 may first execute the remedied downloadable within a secure
`
`environment and inspect the execution results, prior to forwarding the downloadable.
`
`Alternatively, processor 120 may block the downloadable from being forwarded to
`
`destination computers 110. Further details of operation of scanner 150 and code
`
`modifier 160 are provided in the discussion of FIG. 2 hereinbelow.
`
`[0032]
`
`Reference is now made to FIG. 2, which is a method for computer security
`
`with input parameter validation, in accordance with an embodiment of the present
`
`invention.
`
`In conjunction with FIG. 2, reference is also made to the following
`
`example downloadable, used to supplement the description of various steps in FIG.
`
`2 by way of example.
`
`OOOO12
`
`000012
`
`

`
`Attorney Docket No. 60644-8021 .USO2
`
`Original Javascrigt source grogram code:
`
`<SCRlPT LANGUAGE="JavaScript">
`var b = new ActiveXObject("Msxm|2.XMLHTTP");
`b.setRequestHeader("SSSSSSSSSSSSSSSSSSSSSS");
`</SCRiPT>
`
`Modified grogram code:
`
`<SCRlPT LANGUAGE="JavaScript">
`VuinAcxStruct=[["Msxmi2.XMLHTTP”, [['setRequestHeader',
`function(){aIIow=["GET", "POST", "HEAD", "DELETE", "PUT",
`"CONNECT","OPTiONS"]; for(i in aIiow){if
`(arguments[O]==aiiow[i])return;}aiert("maIicious!")}]],[]]]
`
`function makeVuinObjDict(arr)
`{
`
`dict=new Objeot();
`for(i in arr){
`dict[arr[i][O]]=[arr[i]{2],arr[i][3]];
`dict[arr[i][1]]=[arr[i][2],arr[i][3]];
`
`} r
`
`eturn dict;
`
`} V
`
`uln_Obj__Dict=makeVuinObjDict(VuinAcxStruct);
`
`function checkAcx(aoxid)
`{
`
`if (acxld in Vuin__Obj__Dict){
`obj = new Object();
`for(i in Vuin_Obj_DiCt[acxId][O])
`{
`
`obj[Vuln_Obj_Diot[aoxld][O][i][O}] =
`Vu|n_Obj_Dict[aox|d][O][i][1];
`
`} o
`
`bj['mylD'] = acxid;
`return obj;
`
`} r
`
`eturn new Object();
`
`} w
`
`indow.ActiveXObject = checkAox;
`var b = new AotiveXObject("MsxmI2.XMLHTTP");
`b,setRequestHeader("SSSSSSSSSSSSSSSSSSSSSS");
`</SCRiPT>
`
`i.!>(,n.)!\>l-3
`
`F-‘CD\OOC)~Q{YxU1
`
`}...l
`
`13
`14
`15
`
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`26
`27
`28
`
`29
`30
`31
`32
`
`33
`
`35
`
`36
`37
`38
`
`39
`40
`41
`
`000013
`
`000013
`
`

`
`Attorney Docket No.: 60644—8021.US02
`
`[0033]
`
`_FIG. 2 begins at step 210, whereat an original downloadable is received in
`
`transit to one or more destination computers. Referring to the example JavaScript
`
`code hereinabove, the downloadable received at step 210 includes lines 1 ~— 4.
`
`These lines of code cause a browser to create an ActiveX object named
`
`“Msxml2.XMLHTTP”, and assign the created object to variable b. The
`
`setRequestHeader() method of object b is called using an input parameter
`
`"SSSSSSSSSSSSSSSSSSSSSS". At this stage it is unclear if the input parameter
`
`is legitimate for this method, or if it abuses the method call in a malicious way.
`
`[0034]
`
`At step 220, the received downloadable is scanned, to detect the
`
`presence of suspicious computer operations. Referring further to the example code,
`
`the function call setRequestHeader() is identified as being suspicious.
`
`in one
`
`embodiment of the present invention, a dictionary of suspicious operations is
`
`accessed and consulted by scanner 150, in order to detect which computer
`
`operations are potentially malicious. Such a dictionary is included in lines 6 — 9 of
`
`the example program code, as described below with reference to step 270.
`
`in an
`
`alternative embodiment of the present invention, a dictionary of non-malicious
`
`computer operations is accessed and consulted by scanner 150, in order to detect
`
`malicious computer operations.
`
`[0035]
`
`At step 230 a determination is made whether or not suspicious computer
`
`operations have been detected in the downloadable.
`
`If not, then the downloadable
`
`is deemed safe and is fon/vardecl to its destination at step 240. Othen/vise, if one or
`
`more suspicious computer operations have been detected, then at step 250
`
`monitoring program code is appended to the original downloadable. Referring to the
`
`example above, the monitoring code includes lines 11 — 36, and has two functions;
`
`namely, makeVulnDict(Arr) and checkAcx(acxld).
`
`[0036]
`
`At line 21 the function makeVulnDict() is called with array parameter
`
`VuinAcxStruct[], to build a dictionary, Vuln_Obj_Dict, of potentially malicious function
`
`calls. As seen at lines 6 - 9, VulnAcxStruct[] is an array of three—element arrays,
`
`000014
`
`10
`
`000014
`
`

`
`AfiorneylDocketNo.60644-8021lJSO2
`
`each three-element array corresponding to a potentially malicious function. For
`
`purposes of clarity, only one three—element array is defined in lines 6 —— 9,
`
`corresponding to the method setRequestHeader() of object Msxml2.XMLHTTP, but it
`
`will be appreciated by those skilled in the art that additional three—element arrays
`
`may be defined. The first element of the three—element array in VulnAcxStruct[] is
`
`the name of the object containing the potentially malicious function; i.e.
`
`“Msxml2.XMLHTTP”. The second element of this array is the name of the
`
`suspicious method, setRequestHeader(), together with the function to be used for
`
`input validation of the method; namely,
`
`function()
`{
`
`allow = [“GET”, “POST”, “HEAD”, “DELETE”, “PUT”,
`“CONNECT”, “OPTlONS”];
`
`for (i in aIlow){
`if (arguments[O]==allow[i] return;
`
`} a
`
`lert(“malicious!”)
`
`} T
`
`hus to validate input parameters for the method setRequestHeader(), the input
`
`parameter is matched against six expected non-malicious parameter values GET,
`
`POST, HEAD, DELETE, PUT, CONNECT and OPTIONS.
`
`if no match is found then
`
`an alert is made.
`
`It will be appreciated by those skilled in the art that the function
`
`given above is but one of many methods for validating input parameters. Other such
`
`methods to validate input parameters and to issue a notification when input
`
`parameters are not validated, are also within the scope of the present invention.
`
`[0037]
`
`The third element of the three~e|ement array in VulnAcxStruct[], shown
`
`empty at line 9, is reserved for a definition of vulnerable properties.
`
`In summary
`
`form, VulnAcxStruct[] holds a list of vulnerabilities, where a “vulnerability” is of the
`
`form
`
`[object name, list of [method name, definition], properties].
`
`[0038]
`
`Referring back to FlG. 2, at step 260 the suspicious computer operations
`
`are oven/vritten. Referring to the example Javascript, the over—writing is performed
`
`000015
`
`11
`
`000015
`
`

`
`Attorney Docket No. 60644-8021 .US02
`
`at lines 29 and 30. Specifically, lines 28 — 31 loop over the list of [method name,
`
`definition] and associate each method name with its corresponding definition.
`
`[0039]
`
`in addition, at line 38 the function window.ActiveXObject() is overwritten
`
`by the function checkAcx(). As such, instead of invoking ActiveXObject() during run~
`
`time when an ActiveX object is created, the function checkAcx() is invoked.
`
`[0040]
`
`Subsequently the modified downloadable is executed. At step 270 the
`
`input parameters for each of the suspicious computer operations are validated
`
`during run—time. Referring to the example code, the function checkAcx(), defined at
`
`lines 23 —— 36, performs the validation. Specifically, if the ActiveX object to be
`
`created, as identified by acxld, is listed in the dictionary Vuln_Obj__Dict[], then the
`
`corresponding input validation function is performed.
`
`It the validation fails, then the
`
`call to alert(“malicious!”) is made. Otherwise, the desired ActiveX object is created
`
`and returned.
`
`it will be appreciated by those skilled in the art that other forms of
`
`notification of failed validation are within the scope of the present invention. For
`
`example, checkAcx() may generate a warning text message.
`
`[0041]
`
`For the example provided above, when the input parameter
`
`"SSSSSSSSSSSSSSSSSSSSSS" to setRequestHeader() is validated, the
`
`validation fails since the input parameter does not match any of the expected input
`
`parameters GET, POST, HEAD, DELETE, PUT, CONNECT and OPTlONS.
`
`if the
`
`input parameter to setRequestHeader() had instead been valid, the desired ActiveX
`
`object, Msxml2.XMLHTTP, would have been created by checkAcx() and returned.
`
`[0042]
`
`At step 280 a determination is made whether or not the input parameters
`
`to each of the suspicious computer operations have been validated.
`
`if so, then the
`
`downloadable is deemed safe and is forwarded to its destination at step 240.
`
`Otherwise, the downloadable is deemed suspicious, an alert is made, and various
`
`preventive actions may be taken. One such action, at step 291, is simply not to
`
`forward the downloadable to the destination computer. Another such action, at step
`
`292, is to neutralize the input parameters that were not validated, by replacing them
`
`000016
`
`12
`
`000016
`
`

`
`Attorney Docket No. 60644—8021.USO2
`
`with valid input parameters, and then forwarding the remedied downloadable to the
`
`destination computers. Another such action, at step 293, is to consult a computer
`
`security policy to determine whether or not to fon/vard the downloadable to the
`
`destination computer, based on the suspicious computer operations that were
`
`detected.
`
`[0043]
`
`It will be appreciated by those skilled in the art that step 260, of overwriting
`
`suspicious computer operations may be performed either in a pre~scan phase, prior
`
`to executing the loop around step 270, as indicated in FlG. 2, or instead may be
`
`performed in real-time, within the loop. Specifically, referring to the example
`
`JavaScript code provided hereinabove, the structure VulnAcxStruct[], defined at
`
`lines 6 — 9, which pre-identifies the suspicious computer operations, may be
`
`appendedtothernonflonngcode.lntunxthernonfionngcodeovenmfiesthepn+
`
`identified operations in real-time at lines 29 and 30.
`
`in this regard, reference is now
`
`made to FIG. 3, which is an alternative method for computer security with input
`
`parameter validation, with the overwriting being performed during run~time, in
`
`accordance with an embodiment of the present invention.
`
`[0044]
`
`FIG. 3 begins at step 310, whereat an original downloadable is received in
`
`transit to one or more destination computers. At step 350 monitoring program code
`
`is appended to the original downloadable, to generate a modified downloadable.
`
`[0045]
`
`Subsequent to step 350 the modified downloadable is executed. At step
`
`355 suspicious computer operations are identified at run—time. Step 355 may be
`
`performed by referencing a structure, such as the VulnAcxStruct[] structure in the
`
`example JavaScript, that lists pre—designated suspicious computer operations.
`
`Alternatively, step 355 may be performed by referencing structure that lists pre-
`
`designated safe computer non-malicious computer operations.
`
`[0046]
`
`At step 360 the suspicious computer operations are overwritten at run-
`
`flme.RdammHomem@mmeJamSmmtmHm$29mm30meomafimmmm
`
`obj[Vuln__Obj_Dict[acxld][O][i][O]]
`
`OOOO17
`
`13
`
`000017
`
`

`
`Attorney Docket No. 60644-8021 .USO2
`
`is oven/vritten with the function
`
`obj[Vuln__Obj_Dict[acxld][O][i][t]].
`
`Based on lines 15 and 16, this corresponds to overwriting the method
`
`setRequestHeader() of object l\/1sxmk2.XMLHTTP with the function in lines 7 — 9;
`
`namely,
`
`function()
`{
`
`allow = [“GET”, “POST”, “HEAD”, “DELETE”, “PUT”,
`“CONNECT”, “OPTlONS”];
`
`for (i in allow){
`if (arguments[O}==al|ow[i] return;
`
`} a
`
`lert(“malicious!”)
`
`} [
`
`0047]
`
`At step 370 the input parameters for the suspicious computer operations
`
`are validated at run~time. Referring to the Javascript example, input parameter
`
`validation is performed by the function in lines 7 — 9.
`
`If the input parameters are
`
`validated then the function returns normally; otherwise, the function invokes
`
`alert(“malicious!”). Other such methods to validate input parameters and to issue a
`
`notification when input parameters are not validated, are also within the scope of the
`
`present invention.
`
`[0048]
`
`At step 380 a determination is made whether or not the input parameters
`
`to each of the suspicious computer operations have been validated.
`
`if so, then the
`
`downloadable is deemed safe and is fon/varded to its destination at step 340.
`
`Otherwise, the downloadable is deemed malicious, an alert is made, and various
`
`preventive actions may be taken. One such action, at step 391, is simply not to
`
`fon/vard the downloadable to the destination computer. Another such action, at step
`
`392, is to neutralize the input parameters that were not validated, by replacing them
`
`with valid input parameters, and then forwarding the remedied downloadable to the
`
`destination computers. Another such action, at step 393, is to consult a computer
`
`security policy to determine whether or not to fon/vard the downloadable to the
`
`000018
`
`14
`
`000018
`
`

`
`AflorneylDocketNo.60644~8021lJSO2
`
`destination computer, based on the suspicious computer operations that were
`
`detected.
`
`[0049]
`
`in the foregoing specification, the invention has been described with
`
`reference to specific exemplary embodiments thereof.
`
`it will, however, be evident
`
`that various modifications and changes may be made to the specific exemplary
`
`embodiments without departing from the broader spirit and scope of the invention as
`
`set forth in the appended claims. Accordingly, the specification and drawings are to
`
`be regarded in an illustrative rather than a restrictive sense.
`
`OOOO19
`
`15
`
`000019
`
`

`
`Attorney Docket No. 60644-8021 .USO2
`
`CLAIMS
`
`What is claimed is:
`
`1.
`
`A method for handling suspicious downloadables, comprising:
`
`receiving a downloadable;
`
`scanning the downloadable to identify suspicious computer operations
`
`therein; and
`
`if at least one suspicious computer operation is identified, then:
`
`overwriting the suspicious computer operations with
`
`substitute computer operations; and
`
`appending monitoring program code to the downloadable
`
`thereby generating a modified downloadable, wherein the monitoring program code
`
`includes program instructions for validating input parameters for the suspicious
`
`computer operations during run—time of the downloadable.
`
`2.
`
`The method of claim 1, wherein the substitute computer operations
`
`validate their input parameters, and indicate if their input parameters are not
`
`successfully validated.
`
`3.
`
`The method of claim 2, wherein the substitute computer operations
`
`indicate if their input parameters are not successfully validated by invoking an alert.
`
`4.
`
`The method of claim 2, wherein the substitute computer operations
`
`indicate if their input parameters are not successfully validated by generating a
`
`warning text message.
`
`000020
`
`16
`
`000020
`
`

`
`AfiorneylDocketNo.60644-8021lJSO2
`
`5.
`
`The method of claim 1, wherein the monitoring code further includes
`
`program instructions for replacing invalid input parameters with valid input
`
`parameters in the suspicious computer operations.
`
`6.
`
`The method of claim 1, further comprising executing the modified
`
`downioadabie.
`
`7.
`
`The method of claim 6, wherein said executing comprises executing the
`
`modified downioadabie in a secure environment.
`
`8.
`
`The method of claim 1, wherein said receiving comprises receiving the
`
`downloadable in transit to an intended destination computer, the method further
`
`comprising transmitting the modified downioadabie to the destination computer.
`
`9.
`
`The method of claim 1, wherein said receiving comprises receiving the
`
`downloadable in transit to an intended destination computer, the method further
`
`comprising preventing the downloadable from executing on the destination computer
`
`if said validating fails.
`
`10.
`
`The method of claim 1, wherein said receiving comprises receiving the
`
`downloadable in transit to an intended destination computer, the method further
`
`comprising consulting a security policy to determine whether to forward the
`
`downloadable to the destination computer if said validating fails.
`
`11.
`
`The method of claim 1, wherein said validating input parameters
`
`comprises comparing actual input parameters to the suspicious computer operations
`
`with at least one descriptor of valid input parameters for the suspicious computer
`
`operations.
`
`000021
`
`17
`
`000021
`
`

`
`Attorney Docket No. 60644-8021 U802
`
`12.
`
`The method of claim 1, wherein said validating input parameters
`
`comprises comparing actual input parameters to the suspicious computer operations
`
`with at least one descriptor of invalid input parameters for the suspicious computer
`
`operations.
`
`13.
`
`The method of claim 1, wherein said scanning comp