(12) Patent Application Publication
(10) Pub. No.: US 2002/0066022 A1
Calder et al.
(43) Pub. Date: May 30, 2002

(54) SYSTEM AND METHOD FOR SECURING AN APPLICATION FOR EXECUTION ON A COMPUTER

(76) Inventors: Brad Calder, San Diego, CA (US); Andrew A. Chien, La Jolla, CA (US)

Correspondence Address:
KNOBBE MARTENS OLSON & BEAR LLP
620 NEWPORT CENTER DRIVE
SIXTEENTH FLOOR
NEWPORT BEACH, CA 92660 (US)

(21) Appl. No.: 09/727,305

(22) Filed: Nov. 29, 2000

Publication Classification

(51) Int. Cl.⁷: G06F 12/14
(52) U.S. Cl.: 713/200

(57) ABSTRACT

A system for securing an application for execution in a computer. In one embodiment, a preprocessor module modifies an application binary such that the application invokes an interception module in response to invoking certain system calls. The interception module prevents the application from adversely affecting the operating of a computer that is executing the application. Furthermore, the interception module protects the contents of the application from improper access by a user of the computer. For example, the interception module transparently encrypts all files that are used by the application such that a user of the computer cannot improperly access these files.

[Front-page drawing: flowchart. Boxes: begin; compile source code into object code; preprocess application package for execution in the secure client environment; application manager on client retrieves modified object code from server; initialize application package and patch libraries; virtualize intercepted calls during execution; transmit results to server; return.]

Symantec 1003
IPR of U.S. Pat. No. 7,757,289

[FIG. 1: block diagram. Labels: preprocessing module; application package; server; client (three instances).]

[FIG. 2: block diagram of the preprocessor module. Inputs: application binary; libraries; configuration files; data files; new system information (execution environment information, directory structures, security information). Outputs: modified binaries; modified libraries; modified configuration; modified data files.]

[FIG. 3: layer diagram, "Normal execution". Labels: application; system interface; system DLLs; resource allocation and deallocation; registry; file system; other environment; network; graphics interfaces; operating system.]

[FIG. 4: layer diagram, "Secure execution". Labels: preprocessed application; application manager; virtualized system interface (resources, files, data, names); intercepted system calls; resource allocation and deallocation; virtualized registry; virtualized file system; virtualized environment; virtualized network; virtualized graphics interfaces; system interface; system DLLs; resource allocation and deallocation; registry; file system; other environment; network; graphics interfaces.]

[FIG. 5: flowchart. Boxes: begin; compile source code into object code; preprocess application package for execution in the secure client environment; application manager on client retrieves modified object code from server; initialize application package and patch libraries; virtualize intercepted calls during execution; transmit results to server; return.]

[FIG. 6: flowchart. Boxes: begin; rewrite binaries; modify and add additional execution environment information of package; encrypt files of application package; encrypt filenames; encrypt filenames in import table; encrypt and sign application package; return.]

[FIG. 7: flowchart. Boxes: begin; scan for improper instructions or sequences; improper instructions and sequences identified?; rewrite application binary to intercept improper sequences; rewrite import table of binaries to add interception module; store modified application binary; return.]

[FIG. 8: flowchart. Boxes: begin; add interception module to application package; add security information to application package; provide virtual environmental settings for system database; provide virtual system modules to allow application package to execute on non-native platforms; remove selected files from application package; obfuscate directory structure; end.]

[FIG. 9: flowchart. Boxes: begin; application manager requests operating system to execute application package; operating system loads all libraries identified by import tables into memory; operating system executes initialization routine of default system libraries; operating system examines import table and executes initialization routine of the intercept module first; patch loaded libraries; make all code pages execute only and remove all execution privileges from remaining pages; initialize virtual system database; start virtual machine communication thread; operating system executes initialization routines of other libraries in the import table; end.]

[FIG. 10: flowchart. Boxes: begin; create an available list of routines based upon all system routines listed by the export table of the library being processed; create a shutdown list by deleting from available list all system routines maintained by intercept module; intercept routines in shutdown list so that they invoke an error handling routine; intercept all routines identified by virtual list; routines in mediated list are not modified; return.]

[FIG. 11: flowchart. Boxes: begin; retrieve start address of routine to be intercepted; retrieve start address of the wrapper routine; create a dynamic version of the intercepted routine; set page attributes of dynamically created code to execute only; replace original routine with no-ops ending with error code; change entry point of intercepted routine to directly point to wrapper routine; modify variable used by wrapper routine to point to dynamically created routine; return.]

[FIG. 12: flowchart. Boxes: begin; open virtual database; does virtual database exist?; should application create new database?; return; create virtual database; copy predefined list non-changed keys from system database to virtual database; read predefined list of masked keys from real system database; completely or partially change data using predefined data for database table maintained by intercept modules; write the new changed data to virtual database.]

[FIG. 13: flowchart dispatching on request type. Boxes: library request; network request; resource request; database; file system; graphics; shutdown; machine specific information; exception; process create and terminate; thread query; modify page permissions; raise an error identifying which routine is called; end.]

[FIG. 14: flowchart. Boxes: identify type of file system request; open; read or write; map file to memory; unmap file from memory; [illegible] routines; file to be opened in a pre-defined list?; do not modify call; is file to be opened in sandbox directory?; encrypt filename; create virtual and encrypted filename to redirect it to sandbox; does directory in filename exist; create directories in virtual tree; does file exist and does it contain executable code?; remove write privileges from open command; call original open and return handle.]

[FIG. 15: flowchart. Boxes: is exception an access violation and falling within one of memory mapped virtual buffers?; pass on exception; if exception is not handled by the application, then notify a virtual machine thread; identify block corresponding to address causing exception; decrypt block from real buffer copying it to the virtual buffer; modify virtual memory block protection flag to be accessible; return.]

[FIG. 16: flowchart. Boxes: begin; encrypt filename; load library "name" into memory if not already loaded; has file been modified?; check for improper instruction sequences; recursively load all libraries that selected library depends upon in its import table list into memory if not already loaded; patch loaded libraries; make code pages execute only and remove all execution privileges from remaining new pages; execute DLL initialization of all loaded libraries; end.]

[FIG. 17: flowchart. Boxes: begin; check file for improper instruction sequences; intercept improper sequences that were found; were there any improper sequences of instruction not intercepted?; virtual memory space allocated containing those improper sequences not intercepted will be set such that it cannot be executed.]

[FIG. 18: flowchart dispatching on network request type. Boxes: begin; accept; send to; receive from; shut down; socket; connect; query; send; receive; close; select; bind; listen; update.]

[FIG. 19: flowchart, "Accept". Boxes: is address in approved list?; raise virtual machine error; socket in table?; return low level error; is status flag valid for accept?; is there an entry in connection queue?; is option blocking?; return empty queue status; create new entry in socket table; initialize socket structure (local) with input parameters to accept; remove entry from connect queue and initialize options and remote socket structure from entry; enqueue message for proxy sending back local socket structure to remote proxy.]

[FIG. 20: flowchart, "Send". Boxes: socket in table?; return low level error; status valid for send?; return low level error; write buffer into send queue; notify proxy; return.]

[FIG. 21: flowchart, "Send to". Boxes: is destination address valid?; return error; is socket ID in table?; is status valid for send?; update remote socket structure in socket table; write buffer into send queue; notify proxy; return.]

[FIG. 22: flowchart, "Receive". Boxes: begin; is socket in table?; return error; is receive valid given current status?; return error; is status blocking?; return status; is there an entry in receive queue?; copy into buffer up to amount specified to receive; remove consumable entries from receive queue; return number of bytes copied.]

[FIG. 23: flowchart, "Receive from". Boxes: is socket in table?; return error; is receive valid given current status?; return error; is there an entry in receive queue?; is status blocking?; return status; copy into buffer up to amount specified to receive; remove consumable entries from receive queue; lookup the remote address and update the arguments; return number of bytes copied.]

[FIG. 24: flowchart, "Close". Boxes: begin; is socket in table?; return low level error; is status valid for termination?; return low level error; set status as "terminate" for table entry; notify proxy; return.]

[FIG. 25: flowchart, "Shutdown". Boxes: begin; is socket in table?; return low level error; is status valid for shutdown?; return low level error; change status to be shutdown; notify proxy; return.]

[FIG. 26: flowchart, "Select". Boxes: begin; wait for specified delay time to expire; given list(s) of sockets, find all socket meeting a given condition; modify socket list based on query; return number of sockets that meet condition.]

[FIG. 27: flowchart, "Socket". Boxes: begin; create new entry in socket table and initialize entry; return unique socket ID.]

[FIG. 28: flowchart, "Bind". Boxes: is network address in approved list?; raise virtual machine error; is socket in table?; return low level error; store the passed network address in socket structure; return.]

[FIG. 29: flowchart, "Connect". Boxes: begin; is address in approved list?; raise virtual machine error; is socket in table?; return low level error; is status valid for connect?; update status flag entry to be connecting; notify proxy; return.]

[FIG. 30: flowchart, "Listen". Boxes: begin; is socket in table?; return low level error; is status flag valid for listen?; return low level error; update status flag to listen and initialize connection queue; return.]

[FIG. 31: flowchart, "Query". Boxes: begin; is socket in socket table?; return low level error; retrieve entry from table and return data.]

[FIG. 32: flowchart, "Update". Boxes: begin; is socket ID in table?; return low level error; update status of conditions or flags; return.]

[FIG. 33: flowchart. Boxes: begin; refuse to make page with execution privileges readable; refuse to make page with execution privileges writeable; is attempt to make page executable?; check page for improper instruction sequences; intercept improper sequences found; were there any improper sequences of instructions not intercepted?; refuse to make pages containing these remaining not intercepted improper sequences executable; make pages with no improper sequences or ones with all improper sequences intercepted as executable; end.]

[FIG. 34: flowchart. Boxes: begin; call a window; create a modal dialog box; set window properties; create window or normal dialog box creation; routines that directly show window or make it visible, activate, draw, focus, paint etc.; before calling the real operating system routine, remove the window styles that show it, make it visible, activate it, make it the focus, etc.; do not create modal dialog box, instead return a result most likely to continue execution; dialog message, communication thread (label partly illegible); set style of window to "hide" or "invisible"; disable aspects of routine that affect visible aspect of graphical user interface; call the original create routine; send messages, communicate and set window properties to windows not in application package are disabled; return.]

[FIG. 35: flowchart dispatching on database request type. Boxes: begin; open key; query value; close key; set value; delete; query key; create key; save key; restore key; replace; update key.]

[FIG. 36: flowchart, "Open key". Boxes: begin; look in virtual database for key; is key in virtual database?; is key in a predefined allowable list?; insert fake key, value, and data in virtual database; open key in real database; look up key in predefined run-time change list; change all values in predefined list; write key with all new and unchanged values and data to virtual database; allocate a handle in virtual database; return handle; return.]

[FIG. 37: flowchart, "Close key". Boxes: begin; is key allocated in virtual database?; remove key from allocated list; return error; return success; return.]

[FIG. 38: flowchart. Boxes: begin; query system using file handle to get filename; is file encrypted?; read or write file; is read request?; read and decrypt file buffer; no (write request); encrypt and write file buffer; return.]

[FIG. 39: flowchart. Boxes: begin; identify encrypted blocks containing requested data; read encrypted blocks from file system into a temporary buffer; decrypt contents of temporary buffer; copy decrypted address range into original buffer; return.]

[FIG. 40: flowchart. Boxes: identify address range to be written to; read encrypted blocks containing corresponding address range from file system into a temporary buffer; decrypt contents of temporary buffer; copy stored buffer into temporary buffer; encrypt temporary buffer; write buffer to disk; return.]

[FIG. 41: flowchart. Boxes: begin; load and map file into memory; has file been modified?; check for improper instruction sequences; is file encrypted?; reserve a region without allocating physical resources; store in memory mapped table a pointer to virtual buffer, pointer to real buffer, size and handle; return pointer to virtual address buffer; return pointer to real buffer; return.]

[FIG. 42: flowchart (alternate to FIG. 41). Boxes: begin; load and map file into memory; is file encrypted?; create a virtual buffer containing decrypted data from real buffer; return pointer to real buffer; return pointer to virtual buffer; return.]

[FIG. 43: flowchart. Boxes: begin; is buffer real buffer or virtual?; identify which portions of buffer have been modified; encrypt identified portions of memory into real buffer; call operating system with real buffer; return.]

[FIG. 44: flowchart. Boxes: begin; execute requested routine; decrypt each of the returned filenames; return.]

[FIG. 45: flowchart. Boxes: begin; is file located in non-encrypted directory?; identify encrypted portions of pathname using prefix and postfix symbols; decrypt the encrypted part of the pathname; encrypt the full pathname; return.]

[FIG. 46: directory tree, "Traditional system layout". Labels: C:; app dir; exe file; data file; app workspace; system files; tmp.]

[FIG. 47: directory tree, "Virtualized system layout". Labels: exe file; app dir; data file; library; app workspace; tmp; virtual root; sandbox layer; C:; system file.]

[FIG. 48: drawing; label text illegible.]

[FIG. 49: flowchart. Boxes: is event process create or terminate?; send create or terminate message to application manager with process ID; is event an error or dialog message?; send error or message to application manager; is event from application manager?; process application manager event; is event from application?; process application event; unknown event, send error to application manager.]

[FIG. 50: flowchart. Boxes: begin; pause; resume; checkpoint; make list of all threads in process; remove from list VM threads; suspend all threads remaining in this "suspend" list; store the list of suspended threads; call resume thread on all threads in suspend list; remove thread from suspend list once it is resumed; does application have a "checkpoint" routine?; call checkpoint routine in application; return success or failure event to application manager; end.]

[FIG. 51: flowchart. Boxes: begin; result file completion; progress; send progress statistics to application manager; send finished result filename and location to application manager.]

SYSTEM AND METHOD FOR SECURING AN APPLICATION FOR EXECUTION ON A COMPUTER

RELATED APPLICATIONS

[0001] This application relates to the following co-owned and co-pending U.S. Patent Applications, which are each incorporated by reference herein in their entirety: U.S. patent application Ser. No. , “METHOD AND PROCESS FOR SECURING AN APPLICATION PROGRAM TO EXECUTE IN A REMOTE ENVIRONMENT”, filed Nov. 29, 2000; U.S. patent application Ser. No. , “METHOD AND PROCESS FOR THE REWRITING OF BINARIES TO INTERCEPT SYSTEM CALLS IN A SECURE EXECUTION ENVIRONMENT”, filed Nov. 29, 2000; U.S. patent application Ser. No. , “METHOD AND PROCESS FOR VIRTUALIZING FILE SYSTEM INTERFACES”, filed Nov. 29, 2000; U.S. patent application Ser. No. , “METHOD AND PROCESS FOR THE VIRTUALIZATION OF SYSTEM DATABASES AND STORED INFORMATION”, filed Nov. 29, 2000; U.S. patent application Ser. No. , “METHOD AND PROCESS FOR VIRTUALIZING NETWORK INTERFACES”, filed Nov. 29, 2000; U.S. patent application Ser. No. , “METHOD AND PROCESS FOR VIRTUALIZING USER INTERFACES”, filed Nov. 29, 2000; and U.S. patent application Ser. No. , “SYSTEM AND METHOD FOR COMMUNICATING AND CONTROLLING THE BEHAVIOR OF AN APPLICATION EXECUTING ON A COMPUTER”, filed Nov. 29, 2000.

FIELD OF THE INVENTION

[0002] The invention relates to distributed computing, and more particularly, relates to secure peer-to-peer Internet or enterprise distributed computing. The invention also relates to the secure execution of an application on a client computer.

DESCRIPTION OF THE RELATED TECHNOLOGY

[0003] Distributed computing systems offer a wide variety of resources that can be harnessed and collected so as to work toward a common goal. Until recently, distributed computing has been performed predominantly on secure networks, wherein each of the computers in the network is owned by a single entity, such as a business. However, recently some individuals have attempted to implement distributed computing systems across the Internet, which includes millions of heterogeneous and non-secure computers. An example of this is the GIMPS project that utilizes various computers that are provided by homeowners, businesses, and universities to search for new Mersenne primes (primes of the form 2^p - 1).

[0004] Although utilizing the Internet for distributed computing has met with limited success for certain projects, lack of security on the Internet makes it difficult to utilize the Internet for other types of projects. For example, many projects are of a confidential nature. Thus, project owners may be reluctant to utilize the computers of non-trusted individuals for these types of projects.

[0005] Another problem with distributing computing on the Internet is that for similar security concerns described above, many consumers, e.g. individuals, businesses, universities, are unwilling to allow third party software to be run on their machines. By allowing a distributed process to execute on the consumer’s machine, the task may, among other things: (i) cause a system malfunction; (ii) improperly access confidential information; or (iii) otherwise adversely affect the performance of their computer.

[0006] Thus, there is a need for a distributed computing system that will allow a project to be executed securely across the Internet using non-secure trusted machines. The system should protect the contents of the project from improper tampering at the user machine. Furthermore, the system should protect the non-secure machine from improper tampering by the project.

SUMMARY OF THE INVENTION

[0007] One aspect of the invention comprises a preprocessor module for scanning the application program for code sequences that cause the computer to trap to the operating system and for modifying the code sequences such that the computer does not trap to the operating system, a server computer for receiving at least one application that has been modified by the preprocessor module, a network, and a client computer operably connected to the server computer via the network, wherein the client computer receives the modified application from the server computer, wherein subsequent to receiving the application, the client computer executes the application.

[0008] Another aspect of the invention comprises scanning the application for code sequences that cause the computer to trap to the operating system, and modifying the code sequences such that the computer does not trap to the operating system.

[0009] Yet another aspect of the invention comprises loading the application, marking all of the code pages of the loaded application execute only, and preventing the application from creating executable data during the execution of the application.

[0010] Yet another aspect of the invention comprises preventing the application from creating executable data during the execution of the application, scanning the application for code sequences that cause the computer to trap to the operating system, and modifying the code sequences such that the computer does not trap to the operating system.

[0011] Yet another aspect of the invention comprises preventing the application from creating executable data during the execution of the application, and preventing at least one code page of the application from becoming readable and writeable.

[0012] Yet another aspect of the invention comprises loading the application, marking all of the data pages of the loaded application read and write only, and preventing the application from creating executable data during the execution of the application.

[0013] Yet another aspect of the invention comprises preventing the application from creating executable data during the execution of the application, and preventing the application from modifying executable files or executing any application generated files.

[0014] Yet another aspect of the invention comprises before the execution of an application program, scanning the application program for code sequences that cause the computer to trap to the operating system, before the execution of the application program, modifying the code sequences such that the computer does not trap to the operating system, during or subsequent to the execution of the application program, scanning executable data that is created by the application program for sequences that trap to the operating system, and during or subsequent to the execution of the application program, scanning new executable files that are created or modified by the application program, and during or subsequent to the execution of the application program, modifying the executable data and the new files such that the application program does not trap to the operating system.
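
The page-permission rules of paragraphs [0009] to [0014] and the FIG. 33 box labels can be modelled in a few lines of C; this is an added example, not code from the application or its applicants. The permission bits, function names, the x86 opcodes treated as trap sequences (INT imm8, SYSCALL, SYSENTER) and the sample byte strings are assumptions, and the model refuses a page that contains a flagged sequence instead of rewriting it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Permission bits of this model; illustrative names, not an OS API. */
enum { PG_R = 1, PG_W = 2, PG_X = 4 };

typedef enum {
    ALLOW,
    DENY_READ_ON_CODE,   /* page with execute privilege may not become readable  */
    DENY_WRITE_ON_CODE,  /* page with execute privilege may not become writeable */
    DENY_WX,             /* an executable page must be execute only              */
    DENY_TRAP_FOUND      /* candidate code contains a trap-to-OS sequence        */
} verdict_t;

/*
 * Count byte offsets that could start a trap-to-OS instruction.
 * Assumed trap set: INT imm8 (CD ib), SYSCALL (0F 05), SYSENTER (0F 34).
 * Every offset is tested, not only instruction boundaries: x86 instructions
 * have variable length, so a jump into the middle of an instruction can
 * execute bytes that a disassembler would show as an operand.
 * A 0F in the last byte is counted too, because its second byte would lie
 * on the following page. Up to max_hits offsets are stored in hits.
 */
size_t scan_traps(const uint8_t *p, size_t n, size_t *hits, size_t max_hits)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        int hit = 0;
        if (p[i] == 0xCD) {
            hit = 1;  /* INT with any vector, including a CD that ends the buffer */
        } else if (p[i] == 0x0F) {
            hit = (i + 1 == n) || p[i + 1] == 0x05 || p[i + 1] == 0x34;
        }
        if (hit) {
            if (hits != NULL && count < max_hits)
                hits[count] = i;
            count++;
        }
    }
    return count;
}

/*
 * Decide whether a page with permissions `cur` may be changed to `req`.
 * `page` holds the current contents, scanned only when execute is requested.
 */
verdict_t mediate_protect(unsigned cur, unsigned req,
                          const uint8_t *page, size_t len)
{
    if ((cur & PG_X) && (req & PG_R))
        return DENY_READ_ON_CODE;
    if ((cur & PG_X) && (req & PG_W))
        return DENY_WRITE_ON_CODE;
    if (req & PG_X) {
        if (req & (PG_R | PG_W))
            return DENY_WX;
        if (scan_traps(page, len, NULL, 0) != 0)
            return DENY_TRAP_FOUND;
    }
    return ALLOW;  /* data stays read/write, or clean code becomes execute only */
}

/* Constructed sample pages (a few bytes each, for illustration). */
static const uint8_t SAMPLE_CLEAN[]    = {0x55, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3};
static const uint8_t SAMPLE_INT80[]    = {0xB8, 0x01, 0x00, 0x00, 0x00, 0xCD, 0x80, 0xC3};
/* mov eax, 0x0000050F: the operand bytes spell SYSCALL at offset 1. */
static const uint8_t SAMPLE_HIDDEN[]   = {0xB8, 0x0F, 0x05, 0x00, 0x00, 0xC3};
/* Buffer ends on 0F: the sequence could complete on the next page. */
static const uint8_t SAMPLE_STRADDLE[] = {0x90, 0x0F};

int main(void)
{
    static const char *names[] = {"ALLOW", "DENY_READ_ON_CODE",
        "DENY_WRITE_ON_CODE", "DENY_WX", "DENY_TRAP_FOUND"};
    printf("clean  RW -> X : %s\n",
           names[mediate_protect(PG_R | PG_W, PG_X, SAMPLE_CLEAN, sizeof SAMPLE_CLEAN)]);
    printf("int80  RW -> X : %s\n",
           names[mediate_protect(PG_R | PG_W, PG_X, SAMPLE_INT80, sizeof SAMPLE_INT80)]);
    printf("hidden RW -> X : %s\n",
           names[mediate_protect(PG_R | PG_W, PG_X, SAMPLE_HIDDEN, sizeof SAMPLE_HIDDEN)]);
    printf("clean  RW -> WX: %s\n",
           names[mediate_protect(PG_R | PG_W, PG_W | PG_X, SAMPLE_CLEAN, sizeof SAMPLE_CLEAN)]);
    printf("code   X  -> RX: %s\n",
           names[mediate_protect(PG_X, PG_R | PG_X, SAMPLE_CLEAN, sizeof SAMPLE_CLEAN)]);
    return 0;
}
```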

[0015] Yet another aspect of the invention comprises scanning the application for code sequences that cause the computer to trap to the operating system, modifyi