(19) United States
`(12) Patent Application Publication (10) Pub. No.: US 2007/0113282 A1
`(43) Pub. Date:
`May 17, 2007
`Ross
`
`US 20070113282Al
`
`(54) SYSTEMS AND METHODS FOR DETECTING
`AND DISABLING MALICIOUS SCRIPT
`CODE
`
`(76) Inventor: Robert E. Ross, Rancho Santa
`Margarita, CA (U S)
`
`Correspondence Address:
`MACPHERSON KWOK CHEN & HEID LLP
`2033 GATEWAY PLACE
`SUITE 400
`SAN JOSE, CA 95110 (US)
`
`(21) Appl. No.:
`
`11/281,839
`
`(22) Filed:
`
`Nov. 17, 2005
`
`Publication Classi?cation
`
`(51) Int. CI.
`(2006.01)
`G06F 12/14
`(2006.01)
`G06F 11/00
`(52) U.s.CI. ............................................... ..726/22; 726/25
`
`(57)
`
`ABSTRACT
`
`In accordance With at least one embodiment of the present
`invention, a device for receiving and processing data content
`having at least one original function call includes a hook
`script generator and a script processing engine. The hook
`script generator is con?gured to generate a hook script
`having at least one hook function. Each hook function is
`con?gured to supersede a corresponding original function.
`The script processing engine is con?gured to receive and
`process a combination of the hook script and the data
`content. The hook function corresponding to the data content
`original function is executed When the original function is
`called. The hook function provides a run-time detection and
`control of the data content processing.
`
`/- 220
`DISPLAY
`
`f- 202
`
`CLIENT
`f. 230
`TRANSCEIVER
`232
`
`SERVER
`
`r 204
`
`r 250
`TRANSCEIVER
`
`257-
`PROCESSOR
`
`(254
`PROCESSOR
`MEMORY
`
`260
`r
`WEB SERVER
`
`WEB PAGE #1
`WEB PAGE #2
`*
`
`:
`
`WEB PAGE #N
`
`208
`
`2 l2
`
`f. 222
`
`KEYBOARD
`
`PROCESSOR
`
`r 234
`
`P020323“
`
`/_ 224
`SCRIPT
`PROCESSING
`ENGINE (WEB
`BROWSER)
`
`r- 240
`DETECTION ENGINE
`
`F 242
`SCRIPT INJECTOR
`(BROWSER PLUG-IN)
`r- 244
`HOOK SCRIPT GENERATOR
`
`F 246
`COMMUNICATION OBJECT
`
`|
`
`|
`
`\ 200
`
`000001
`
`Symantec 1002
`IPR of U.S. Pat. No. 7,757,289
`
`

`
`Patent Application Publication May 17, 2007 Sheet 1 0f 6
`
`US 2007/0113282 A1
`
`*
`
`*
`
`mw ‘WU/Nd mm;
`Wmwmwmmw 2 ~
`
`ymimm mm; d 5955
`
`wS
`
`$557:
`$5? E25
`of k i ................. : o2 k
`
`2: \ N2 L
`
`/ o2
`
`
`
`
`
` | Hw?w MOHWE | N @Hh
`
`*
`
`
`
`2% moi mm; N2 \
`
`QM<Om>mM
`
`
`
`mmmaOmm mm?
`
`000002
`
`

`
`Patent Application Publication May 17, 2007 Sheet 2 of 6
`
`US 2007/0113282 Al
`
`2%moimma
`
`>.mO_2m:2
`
`*
`
`*
`
`mmimmmma
`
`S.mo§mma
`
`*QmO<¢mm?
`
`
`
`MOmmm—UO&m>MO$_mE2
`
`omm
`
`Emmommmoofi EE E
`
`mm>Eumz<E><uEm_Q
`
`zmiam
`
`ENSm
`
`HZEAU
`
`omm
`
`ONN
`
`com
`J
`
`NUHLN
`
`E28
`
`ozammuofi
`
`
`
`mm»:mz_ozm
`
`Emmaomm
`
`
`
`mzfizmzofiomemo
`
`MOFUEZHSE8
`
`
`
`A253;mmmaommv
`
`Sm
`
`
`
`mo,~<zmzmoEaomMOO:
`
`
`
`eumamoZO:.<n:ZDS:2OO
`
`OOOOO3
`
`000003
`
`
`
`
`
`
`
`

`
`Patent Application Publication May 17, 2007 Sheet 3 0f 6
`
`US 2007/0113282 A1
`
`mom
`
`m, @Hrm
`
`
`
`
`
`x2e 5:628 ioomzz?godé
`
`miimqzxaaeazeasoxoéé a2 u 3m
`
`$0M 5/
`
`
`
`
`
`
`
`.bmsoco?oimm E3 on EB : 85 $62; can QOUME :23 80.50 $038 05 5&0 \
`
`
`
`
`ArEEQmV
`
`000004
`
`

`
`Patent Application Publication May 17, 2007 Sheet 4 of 6
`
`US 2007/0113282 A1
`
`
`
`
`
`couosfl
`
`
`
`
`
`9E32canSofie3&8;nEL.Eu_EX.tomo._o_Eoomooovowoowoomoocomv\\VCoooiomcoofioboooEOQENNAE
`
`
`
`
`
`AofifiwxocoEEE_w€25Stowxoomcoomoocow\
`
`
`
`A:a_sm§£.,uow§w§_SE8
`
`€%_oxo>_5<uoxss
`
`
`
`cocoonooomxooaobcsoom89:o:H\\AoSo:3ovOX<_mooE38
`
`
`
`
`
`
`
`H2_§_3o:_AOX<_mo§ooEOAEXNAEBo:E38VnE.e5Ex.rs8s_E_.
`
`
`
`VasA
`
`ooo:owmxooso
`
`
`
` btsoom\\WGee.3e§3oxo>_s<_o8_oo:couaa«SA
`
`mHQD%£OxD>_w0<UO¥OO:”HOU&£oxU>_uO4A
`
`acom__§m:o\
`
`AS309
`
`
`
`A:Etomn>m?nowm:w:2Hndmumvmom
`
`000005
`
`000005
`
`

`
`Patent Application Publication May 17, 2007 Sheet 5 of 6
`
`US 2007/0113282 A1
`
`mmOH><Emm
`
`
`
`
`
`BmHmUmZH4BmmUBmHmUm
`
`m0ZOHHUZDm
`
`mOBODmBmZOU
`
`
`
`EZm2mO<QmmmEH2HEBmOEUDmBmZOUmOBUDmBmZOO
`
`
`
`EBH3mOBUDmHmZOUMOZOHHUZDmMOZOHBUZDm
`
`
`
`MOZOHBUZDmQ¢ZHOHmOHIEBZmZmO¢Hmmm
`
`
`
`M39mU<AmmmOEMUZmMmmmmQm>¢wBMZflmB¢mmU
`
`mom«omNow
`
`mQm¢mHQMO.%mHQOZM39WmQmQA<U
`
`
`BmHmUmHIEMEDUWXMBUMWQOZflmH<mmU
`HUMHMOBMZWEBIBH3BWZMIRZWEBBZmE%i%Qmmm
`
`
`4mflOZH>¢EmmDWHmHOOZ
`\3OQH<OHW¢BmH<OmHmOHUDmEmZOOZOBJTJFWZOU
`
`
`
`
`
`m
`
`OOOOO6
`
`000006
`
`
`
`

`
`Patent Application Publication May 17, 2007 Sheet 6 of 6
`
`US 2007/0113282 A1
`
`08Xe
`
`>:dm<mmzq:>
`
`pzm2mmmmm<
`
`m~::<zo_m
`
`mm<m<e<o
`
`
`
`mmzcmzazm
`
`Emmaomm
`
`
`
`
`
`E569Bmhmoozammuofi
`
`oflo
`
`N_m3.5.5
`
`ezmpzou
`
`So\.N8
`
`<55
`
`oz$
`
`meumao
`
`omzimomya
`
`
`
`avzofiozamoiamzmc
`
`MOOIEaomMOO:
`
`mgdzme
`
`<53
`
`
`eomao
`
`mmmaommvV—OMO._iDm=.7:.._.n=MUm
`
`zoifizzzzzou
`
`OOOOO7
`
`000007
`
`
`
`
`
`

`
`US 2007/0113282 A1
`
`May 17, 2007
`
`SYSTEMS AND METHODS FOR DETECTING AND
`DISABLING MALICIOUS SCRIPT CODE
`
`TECHNICAL FIELD
`
`[0001] The present invention relates generally to client
`and server network traf?c, and more particularly, for
`example, to detecting and disabling malicious script code.
`
`RELATED ART
`
`[0002] Many computer applications today utiliZe com
`mand scripts to perform a variety of tasks. A command
`script, or script code, typically is a computer ?le containing
`a sequence of text commands and arguments that conform to
`a particular scripting language convention or standard. An
`interpreter typically parses (i.e. reads) the script and
`executes (interprets) the script commands in a sequential
`manner so that commands at the beginning of a script are
`parsed and executed before later commands are parsed.
`[0003] In contrast, compiled code is typically generated
`from one or more source code computer ?les containing a
`sequence of text commands and arguments that conform to
`a particular programming language, Where the entire
`sequence of text and arguments are parsed before any
`commands are executed. Compiled programs require a sepa
`rate compiling process Where the source code is converted to
`a non-human readable machine code that may be directly
`executed on a targeted computer platform. Script languages
`typically take longer to interpret and execute than a com
`piled language program that is merely executed after com
`pilation, but scripts can be very useful for shorter programs
`Where the sloWer interpreter speed offsets the compile time
`overhead for the compiled code.
`
`[0004] Java is the name of a general-purpose program
`ming language that is Well suited for use With clients and
`servers on the World Wide Web (WWW). Smaller Java
`programs or applications are called Java applets and can be
`doWnloaded from a Web server and run on a local computer
`by a java-enabled Web broWser such as Microsoft’s Internet
`Explorer (IE) or Netscape’s Navigator. JavaScript is the
`name of a common scripting language that Was developed
`originally by Netscape Communications and Sun Microsys
`tems for use in Internet broWser applications. JavaScript can
`be considered a client-side scripting language that is
`executed by an Internet broWser, sometimes knoWn as a Web
`client because it connects to a Web server to access Web
`pages. In reference to FIG. 1, a traditional client-server
`system 100 is shoWn including a client netWork device 102
`(client) and a server netWork device 104 (server) that can
`communicate With each other over a communications net
`Work 108 such as the Internet. Client 102 may be connected
`to Internet 108 through a sWitched-packet connection 110,
`While server 104 may be connected to Internet 108 through
`another sWitched-packet connection 112 Where Client 102
`and server 104 may exchange message packets comprising
`netWork data.
`
`[0005] Client 102 may include a display 120 such as a
`video monitor, a keyboard 122, and a Web broWser 124.
`Server 104 may include a Web server 160 con?gured to
`provide a plurality of Web pages in a doWnload mode to a
`requesting device such as client 102. Conversely, client 102
`may also upload information onto Web server 160. Web
`broWser 124 and Web-server 160 may each be an application
`
`program running on a suitably programmed computer sys
`tem. Web broWser 124 may load a Web page Written in a
`Hypertext Markup Language (HTML) that contains a por
`tion of embedded JavaScript code. The broWser typically
`includes a built-in interpreter that reads and executes the
`JavaScript code. JavaScript may be used to automatically
`change formatted information on the requested Web page,
`cause a linked page to appear in another broWser WindoW,
`and/or cause text and/or graphical images to change during
`a mouse rollover, for example.
`[0006] The number of client side JavaScript attacks is
`increasing against Java-enabled Web broWsers such as
`Microsoft’s Internet Explorer and/or Netscape’s Navigator
`applications. Many problems have been found With
`improper classi?cation of Web content into security Zones.
`Problems vary from cross-site scripting to the installation of
`neW programs on the exploited host. This proliferation of
`JavaScript attacks results in pervasive problems spanning
`?nancial fraud to spyWare installation. Some anti-spyWare
`and anti-adWare manufacturers attempted to introduce
`scripts to block broWser pop-up ads, but this approach
`quickly became obsolete, as the sophistication of modern
`spyWare/adWare has increased.
`[0007] Anti-virus and security companies have attempted
`to strike back, but the usual response is to create signatures
`for knoWn pieces of malicious program code including
`JavaScript. A signature is like a ?ngerprint of a particular
`portion of a program or portion of code that uniquely
`identi?es this code. To avoid detection, some attackers
`obfuscate their scripts so that the signatures do not match the
`resulting code. Another method of obfuscation includes
`string concatenation of the string fragments “ADO”, “DB.”,
`and “Stream” that may be concatenated into the string
`“ADODB.Stream”. Alternatively, some attackers have used
`a Microsoft Script Encoder (screnc.exe) tool to pass the
`entire script through a text-encoding cipher that replaces the
`original text of the script ?le. In this manner, script encoding
`requires a script vieWer to go through a speci?c decoding
`process to retrieve the original script code.
`[0008] Script-based code execution has many security
`vulnerabilities and traditional approaches to resolve these
`security problems have not been suf?ciently effective. Sig
`nature based detection is one of the strongest tools available
`other than simply setting a kill bit in the registry, but it is far
`too simple to circumvent signature based checks. While
`decoders have emerged to reverse the actions of screnc.exe,
`string concatenation and other simple programmatic obfus
`cation techniques have an in?nite number of variations With
`Which signatures cannot alWays keep up. In vieW of these
`issues and others, there remains a need in the art for methods
`and systems that reliably detect malicious script code With
`out relying on string and/or signature detection.
`
`SUMMARY
`[0009] Systems and methods are disclosed herein, in
`accordance With one or more embodiments of the present
`invention related to validating script code, such as JavaS
`cript, in a Way that checks the ?nal result of the code and
`doesn’t simply look for strings Within the code block. A
`hook-based detection engine, for example running as Java
`Script, may catch the actual method calls regardless of the
`formatting of the code text, thus providing a far greater
`ability to detect script-based attacks than traditional security
`systems and methods.
`
`000008
`
`

`
`US 2007/0113282 A1
`
`May 17, 2007
`
`[0010] More speci?cally, in accordance With an embodi
`ment of the present invention, a device for receiving and
`processing data content having at least one original function
`call includes a hook script generator and a script processing
`engine. The hook script generator is con?gured to generate
`a hook script having at least one hook function. Each hook
`function is con?gured to supersede a corresponding original
`function. The script processing engine is con?gured to
`receive and process a combination of the hook script and the
`data content. The hook function corresponding to the data
`content original function is executed When the original
`function is called. The hook function provides a run-time
`detection and control of the data content processing.
`
`[0011] In accordance With another embodiment of the
`present invention, a Web client device includes a transceiver,
`a detection engine, and a script processing engine. The
`transceiver is con?gured to receive a data content from a
`netWork. The data content includes at least one original
`function call. The detection engine includes a hook script
`generator con?gured to generate a hook script including at
`least one hook function. Each hook function is con?gured to
`supersede a corresponding original function. The script
`processing engine is con?gured to receive and process the
`hook script and the data content. The hook function corre
`sponding to the data content original function is executed
`When the original function is called. The hook function
`provides a run-time detection and control of the data content
`processing.
`[0012] In accordance With yet another embodiment of the
`present invention, a method of processing data content
`comprising the operations of generating a hook script having
`at least one hook function Where each hook function is
`con?gured to supersede a corresponding original function,
`loading the hook script into a script processing engine
`con?gured to call and execute one or more hook and original
`functions, loading data content having at least one original
`function into the script processing engine, and executing a
`hook function When a corresponding original function is
`called in the data content.
`
`[0013] A computer readable medium on Which is stored a
`computer program for executing instructions, comprising
`the operations of generating a hook script having at least one
`hook function Where each hook function is con?gured to
`supersede a corresponding original function, loading the
`hook script into a script processing engine con?gured to call
`and execute one or more hook and original functions,
`loading data content having at least one original function
`into the script processing engine, and executing a hook
`function When a corresponding original function is called in
`the data content.
`
`[0014] The scope of the present invention is de?ned by the
`claims, Which are incorporated into this section by reference.
`A more complete understanding of embodiments of the
`present invention Will be a?forded to those skilled in the art,
`as Well as a realiZation of additional advantages thereof, by
`a consideration of the folloWing detailed description. Ref
`erence Will be made to the appended sheets of draWings that
`Will ?rst be described brie?y.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`[0015] FIG. 1 shoWs a traditional client-server system
`including a client netWork device and a server netWork
`
`device that can communicate With each other over a com
`munications netWork such as the Internet.
`
`[0016] FIG. 2 shoWs an exemplary client-server system
`including a client netWork device (client) and a server
`netWork device (server) according to an embodiment of the
`present invention.
`
`[0017] FIG. 3 shoWs an example of original script code
`received as HTTP content, for example, doWnloading a Web
`page from a Web server.
`
`[0018] FIG. 4 shoWs a combined script including a gen
`erated hook script and the original script code shoWn in FIG.
`3, according to an embodiment of the present invention.
`
`[0019] FIG. 5 shoWs a script validation ?oW according to
`an embodiment of the present invention.
`
`[0020] FIG. 6 shoWs a data How block diagram illustrating
`both a structure and a process for detecting and selectively
`disabling potentially malicious script code according to an
`embodiment of the present invention.
`
`[0021] Embodiments of the present invention and their
`advantages are best understood by referring to the detailed
`description that folloWs. It should be appreciated that like
`reference numerals are used to identify like elements illus
`trated in one or more of the ?gures.
`
`DETAILED DESCRIPTION
`
`[0022] Systems and methods are disclosed herein, in
`accordance With one or more embodiments of the present
`invention, to detect and disable potentially malicious script
`code by the activation of a detection engine that can detect
`and control the behavior of suspected malicious script code
`to limit adverse program behaviors While promoting desir
`able program behaviors.
`
`[0023] FIG. 2 shoWs an exemplary client-server system
`200 including a client netWork device 202 (client) and a
`server netWork device 204 (server) according to an embodi
`ment of the present invention. Client 202 and server 204 can
`communicate With each other over a communications net
`Work 208 such as the Internet to exchange information
`including Web content comprising text, image, audio, and/or
`video data. Client 202, may be considered a Web client 202,
`and may include a display 220 for displaying graphical
`images and/or producing sound to a user constituting a user
`output device, a data entry device 222 for receiving data
`input from a user constituting a user input device, and/or a
`script processing engine 224, such as a Web broWser 224, for
`receiving the Web content and translating the Web content
`into one or more client actions. A client action may convey
`output data to a user include displaying or outputting the text
`data, image data, video data, interactive control data, and/or
`the audio data. In this manner, Web broWser 224 provides a
`graphical user interface (GUI) to locate and display Web
`pages in order to interactively access text, program, image,
`as Well as sound data available through the World Wide Web
`(WWW). The terms script processing engine 224 and Web
`broWser 224 may be used someWhat interchangeably since
`a Web broWser typically includes a script processing engine.
`Data entry device 222 may include a keyboard for text entry
`and/or a pointing device for point-and-click information
`entry by a user. Alternatively, data entry device 222 may be
`
`000009
`
`

`
`US 2007/0113282 A1
`
`May 17, 2007
`
`any combination of sensors to detect data entry by a user.
`Display 220 and keyboard/pointing device 222 comprise a
`user interface (UI).
`
`[0024] Client 202 may include a transceiver 230 for send
`ing and receiving messages on network 210, a processor 232
`for executing computations and operations to move and/or
`transform data Within client 202 and control client opera
`tions, and a processor memory 234 for storing and retrieving
`data relevant to client operations. Transceiver 230 may
`include a device such as a netWork interface card (NIC)
`and/or related softWare for providing communications
`betWeen client 202 and netWork 210. Processor 232 may
`include one or more suitably programmed microprocessors,
`While processor memory 234 may be any data storage and
`retrieval system including any combination of a Random
`Access Memory (RAM), a Read Only Memory (ROM), a
`register ?le, a disc drive including magnetic media, and/or
`an optical memory device as a computer readable medium
`on Which is stored a computer program for executing
`instructions. Some portion of processor memory 234 may be
`removable from client 202. Web broWser 224 may be
`implemented as an application program or collection of
`programs running at least partially on a computer such as
`processor 232.
`[0025] To detect potentially malicious script code, client
`202 includes a hook-based detection engine 240 that is
`con?gured to catch actual script method calls regardless of
`the formatting of the code text. Detection engine 240 may be
`implemented by a script, such as a JavaScript, executing on
`a computer such as processor 232. The JavaScript language
`uses late binding Which refers to the linking or calling of a
`process, routine, or object at runtime based on current
`conditions. Since JavaScript uses late binding, it is possible
`to replace or modify arguments and functions, thus effec
`tively replacing objects by changing their class constructor
`function. For the purposes of this disclosure, a constructor is
`a function that is used to instantiate a neW object and returns
`the neWly created instance of that object.
`
`[0026] In one embodiment, detection engine 240 includes
`a script injector 242, a hook script generator 244, and/or a
`communication object 246. Script injector 242 may intercept
`incoming data content, such as HTTP data, and introduce the
`incoming data to script processing engine 224. Incoming
`data may be, for example, a requested Web page delivered
`over netWork 208. Script injector 242 may be implemented
`as a broWser plug-in, such as a Multipurpose Internet Mail
`Extensions (MIME) plug-in, for Web broWser 224. Hook
`script generator 244 creates neW functions, including con
`structor functions, Which replace the standard JavaScript
`functions. Alternatively, hook script generator 244 may
`create a generic hook script olf-line for archive or reading in
`to a remote client through a netWork 208 or other delivery
`means. In this manner, a script manufacturer may design and
`distribute a hook script for use by a plurality of client
`end-users. The distributed hook script may be read in to a
`Web broWser prior to reading in any Web page in order to
`provide run-time detection and control of the data content
`processing for the remote client. In another embodiment,
`some portion or all of detection engine 240 may be physi
`cally located aWay from client 202. Some portion or all of
`detection engine 240 may be moved onto another platform
`termed a third device, and may be implemented as another
`client device (not shoWn), an auxiliary device operationally
`
`connected to client 202 (not shoWn), and/or a netWork
`device that intercepts messages up to an including all traf?c
`betWeen connection netWorks 208 and 210. In one example,
`the script injection and generation could be accomplished by
`the third device.
`
`[0027] Communication object 246 is con?gured to pro
`vide a run-time exchange of messages (data) betWeen vari
`ous processes or threads for programs running on processor
`232. In this manner, the output of a particular hooked
`function and/or routine may be directed toWards a particular
`message receiver, such as another process or a device Within
`client 202 or connected to client 202 via netWork 210. In one
`example, communication object 246 can relay data betWeen
`the script code executing on script processing engine 224
`and another process or service including a virus scanning or
`a security management service.
`
`[0028] One example of this type of security management
`service is a netWork security application Blink® produced
`by eEye Digital Security of Aliso V1ejo, Calif. Blink®
`provides an endpoint vulnerability solution that addresses
`security challenges by preventing a successful attack. The
`Blink service typically runs in parallel With detection engine
`240 and uses one or more communication objects 246 to
`relay data back and forth betWeen detection engine 240 and
`the Blink service.
`
`[0029] Script injector 242 can be a Multipurpose Internet
`Mail Extensions (MIME) ?lter plug-in for use With a tradi
`tional broWser such as Microsoft’s Internet Explorer (IE)
`and/or Netscape’s Netscape Navigator. Script injector 242
`may also be considered a “pluggable” MIME ?lter since it
`may be implemented as a broWser plug-in or extension.
`MIME capability permits the formatting of non-ASCII
`(American Standard Code for Information Interchange)
`messages so that they can be sent over a communications
`link such as the Internet 208. Many e-mail clients and
`broWsers support various MIME types that alloW them to
`send and receive graphics, audio ?les, video ?les, and use
`character sets other than standard ASCII. Further, MIME
`enabled broWsers can typically display or output ?les that
`are not in HTML format. MIME is continually evolving as
`a standard and includes various types With many differences.
`For reference, an early MIME protocol is de?ned by an
`Internet Engineering Task Force (IETF) request for com
`ments (RFC) No. 2045 “Multipurpose Internet Mail Exten
`sions”, also denoted IETF-RFC2045. A neW version called
`S/MIME supports encrypted messages and is referenced in
`IETF-RFC2633 “S/MIME Version 3 Message Speci?ca
`tion”. Script injector 242 is con?gured to inject the JavaS
`cript that hooks the critical functions and methods before
`any other HTML in a loading page. In this manner, the script
`?lter injects the JavaScript created by script generator 244.
`For the purposes of this disclosure, a method is associated
`With a class in an obj ect-oriented programming environment
`and is analogous to a procedure, function, or routine that is
`executed When a method object receives a message. Further,
`a method argument is an input to a method. A constructor
`de?nes actions that are performed When an object is created.
`A class de?nition can contain Zero or more constructors.
`
`[0030] FIG. 3 shoWs an example of original script code
`302 received as data (HTTP) content, for example, doWn
`loading a Web page from a Web server. In one example, an
`original constructor can be an ActiveXObject ( ) function
`
`000010
`
`

`
`US 2007/0113282 A1
`
`May 17, 2007
`
`that enables and returns a reference to an automation object.
`In this example, there are tWo exemplary actions that the
`Microsoft.XMLHTTP ActiveXObject can perform; method
`calls de?ned as Open and SaveToFile. A client computer can
`use a Microsoft.XMLHTTP object to send an arbitrary
`HTTP request, receive the response, and/or have the
`Microsoft extensible markup language @(ML) document
`object model (DOM) parse that response.
`[0031] FIG. 4 shoWs an example ofa combined script 402
`including a generated hook script 404 and original script
`code 302 shoWn in FIG. 3, according to an embodiment of
`the present invention. Although shoWn as a single, combined
`script 402, generated hook script 404 and original script
`code 302 may be introduced, or injected, into script pro
`cessing engine 618 individually by any means as long as a
`hook script function corresponding to an original script
`function is processed ?rst. The combination of hook script
`404 and original script 302 into combined script 402 is not
`intended as a limitation. In this example, since the requested
`automation object in the script is “MicrosoftXMLHTTP”,
`then instead of returning an automation object directly a neW
`object can be created as a Wrapper for the automation object.
`All properties and methods of the XMLHTTP object are
`present in the neW Wrapper object, and any method calls may
`be passed on to the original automation object. In this
`manner, validity checks can be performed to validate
`method arguments before alloWing the function call. With
`XMLHTTP, the Wrapper could ?lter out doWnloads refer
`enced by a ?le path that includes a uniform resource locator
`(URL) on an untrusted hosts. Also, a Wrapper object around
`ADODB.Stream could alloW validation of the ?le path
`before alloWing a SaveToFile or other method to execute.
`This could prevent ?les from being Written into the Win
`doWs system directory, for example, While still alloWing use
`of the object for other purposes.
`
`[0032] Code generation Will be used to simplify the pro
`cess of creating neW Wrappers for one or more ActiveXOb
`jects. The input to the code generator consists of a descrip
`tion of the object to be Wrapped. Some portions of this input
`include the name of the automation object, the properties of
`the object, and the methods of the object. Since properties
`cannot be hooked, they may be loaded and/or set before
`and/or after calls to various methods. Each method shall be
`marked With Whether it should set properties before the real
`method call or load them after a method call completes.
`Some more exotic methods may have custom code provided
`for them instead of a simple description of hoW to proxy a
`speci?c method call or class. These custom methods Will be
`the key check points for the detection engine. Examples
`include the SaveToFile method of ADODB.Stream and the
`Open method of Microsoft.XMLHTTP.
`
`[0033] FIG. 5 shoWs an exemplary script validation How
`500 according to an embodiment of the present invention.
`FloW 500 shoWs a process of hooking one or more functions
`in the received content and selectively disabling potentially
`malicious methods or function by validating the method or
`function arguments and/or run-time conditions before alloW
`ing the execution of a potentially malicious function call.
`FloW 500 includes the operations of creating 502 a neW
`replacement function or constructor, saving 504 a reference
`to the original function or constructor, and replacing 506 the
`original function or constructor With a neW replacement
`function or constructor that acts as a Wrapper for the original
`
`function or constructor. FloW 500 continues in operation 508
`depending on Whether the neW replacement (hook) function
`is a constructor. If the neW replacement function is a
`constructor, How 500 continues With creating 510 a neW
`Wrapper object When called, and executing 512 the modi?ed
`script With the neW object behaving as a gateWay to alloW,
`modify, or disable certain script behaviors. Operation 512
`may occur Without operation 510 in cases Where the hooked
`function is a simple non-constructor function. These alloWed
`or inhibited behaviors can include particular script com
`mands, script command argument combinations, and/or
`method, argument, and property combinations.
`[0034] FIG. 6 shoWs an exemplary data How block dia
`gram 600 illustrating both a structure and a process for
`detecting and selectively disabling potentially malicious
`script code according to an embodiment of the present
`invention. As a structure, data (HTTP) content 602, such as
`doWnloaded from a Web page, is received by a script
`injector/?lter (broWser plug-in) 604 Which is an exemplary
`embodiment of script ?lter 242 (FIG. 2). Data content 602
`may include a script program With one or more original
`functions for execution on the receiving client. Ahook script
`generator 606 may receive some portion or all of data
`content 602 and supply a generated script code including
`one or more hook functions con?gured to replace corre
`sponding original functions. Hook script generator 606 is an
`exemplary embodiment of script generator 244 (FIG. 2).
`This process of substituting an original function or method
`With a ?ltered function can be denoted instantiating a
`“hooked” processes. Alternatively, data content 602 that
`does not include a script and/or an original function corre
`sponding to a hook function Would simply be received and
`processed Without modi?cation.
`
`[0035] Hook script generator 606 may receive input from
`one or more simple hook templates 610, one or more
`predetermined hook functions and objects 612, and/ or object
`template data 614. Using one or more of these as input, hook
`script generator 606 produces a hook script, such as a
`JavaScript output that may consist of hook functions, neW
`objects that Will be used as replacements When the appro
`priate constructor is invoked, and/or neW constructors that
`Will return the hooked objects in place of the standard
`objects. These hooks are installed before any other script on
`the Web page loads, ensuring that any script provided as a
`part of the data content 602, such as a Web page, Will call the
`neW hooked functions. The generated (hooked) script code
`supplied to script ?lter 604 may be passed to a script
`processing engine 618 may be implemented as a stand-alone
`computer program running as an executed script. Altema
`tively, script processing engine 618 may be included as an
`operational portion of a Web broWser, Which may be imple
`mented as an application program running on a computer
`such as processor 232 (FIG. 2). Script processing engine 618
`may communicate to a script relay interface 622 by passing
`messages through a communications object Which is an
`exemplary embodiment of communications object 246 (FIG.
`2).
`[0036] The information passed to the decision service may
`include the method name, the object name, any parameters
`passed to the method, as Well as relevant object properties or
`global variable values. In one embodiment, the decision
`service is the Blink service. Script relay interface 622 passes
`messages betWeen Web broWser 618 and a decision service
`
`000011
`
`

`
`US 2007/0113282 A1
`
`May 17, 2007
`
`624 that can be a security service such as Blink, produced by
`eEye Digital Security. A relay interface is necessary to
`provide a means for JavaScript running in an untrusted
`domain to communicate With the decision service using
`normal mechanisms of Inter-Process Communication (IPC).
`Decision service 624 can receive messages describi