`US008079086B1
`
`Edery et al.
`
`(10) Patent No.: US 8,079,086 B1
`(45) Date of Patent: *Dec. 13, 2011
`
`(54) MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS
`
`(75) Inventors: Yigal Mordechai Edery, Pardesia (IL); Nimrod Itzhak Vered, Goosh Tel-Mond (IL); David R Kroll, San Jose, CA (US); Shlomo Touboul, Kefar-Haim (IL)
`
`(73) Assignee: Finjan, Inc., San Jose, CA (US)
`
`( * ) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days. This patent is subject to a terminal disclaimer.
`
`(21) Appl. No.: 12/471,942
`(22) Filed: May 26, 2009
`
`Related U.S. Application Data
`
`(63) Continuation of application No. 11/370,114, filed on Mar. 7, 2006, now Pat. No. 7,613,926, which is a continuation of application No. 09/861,229, filed on May 17, 2001, now Pat. No. 7,058,822, which is a continuation-in-part of application No. 09/539,667, filed on Mar. 30, 2000, now Pat. No. 6,804,780, which is a continuation of application No. 08/964,388, filed on Nov. 6, 1997, now Pat. No. 6,092,194, and a continuation-in-part of application No. 09/551,302, filed on Apr. 18, 2000, now Pat. No. 6,480,962.
`(60) Provisional application No. 60/205,591, filed on May 17, 2000.
`
`(51) Int. Cl.
`G06F 21/00 (2006.01)
`G06F 11/30 (2006.01)
`G06F 15/16 (2006.01)
`H04L 9/32 (2006.01)
`(52) U.S. Cl.: 726/24; 713/175; 713/176
`(58) Field of Classification Search: None
`See application file for complete search history.
`
`(56) References Cited
`
`U.S. PATENT DOCUMENTS
`
`5,077,677 A       12/1991  Murphy et al.          706/62
`5,359,659 A       10/1994  Rosenthal              726/24
`5,361,359 A       11/1994  Tajalli et al.         726/23
`(Continued)
`
`FOREIGN PATENT DOCUMENTS
`
`EP  1091276   4/2001
`EP  1132796   9/2001
`
`OTHER PUBLICATIONS
`
`Zhong, et al., “Security in the Large: is Java’s Sandbox Scalable?,” Seventh IEEE Symposium on Reliable Distributed Systems, pp. 1-6, Oct. 1998.
`
`(Continued)
`
`Primary Examiner: Christopher Revak
`(74) Attorney, Agent, or Firm: Dawn-Marie Bey; King & Spalding LLP
`
`(57) ABSTRACT
`
`Protection systems and methods provide for protecting one or more personal computers (“PCs”) and/or other intermittently or persistently network accessible devices or processes from undesirable or otherwise malicious operations of Java™ applets, ActiveX™ controls, JavaScript™ scripts, Visual Basic scripts, add-ins, downloaded/uploaded programs or other “Downloadables” or “mobile code” in whole or part. A protection engine embodiment provides, within a server, firewall or other suitable “re-communicator,” for monitoring information received by the communicator, determining whether received information does or is likely to include executable code, and if so, causes mobile protection code (MPC) to be transferred to and rendered operable within a destination device of the received information, more suitably by forming a protection agent including the MPC, protection policies and a detected-Downloadable. An MPC embodiment further provides, within a Downloadable-destination, for initiating the Downloadable, enabling malicious Downloadable operation attempts to be received by the MPC, and causing (predetermined) corresponding operations to be executed in response to the attempts, more suitably in conjunction with protection policies.
`
`42 Claims, 10 Drawing Sheets
`
`[Front-page drawing: flowchart excerpt, partly legible. Steps: form a protection agent including mobile protection code, the detected-Downloadable and protection policies; cause the protection agent to be delivered to the information-destination.]
`
`Symantec 1002
`IPR of U.S. Pat. No. 8,677,494
`
`
`
`U.S. PATENT DOCUMENTS
`
`5,414,833 A        5/1995  Hershey et al.         726/22
`5,485,409 A        1/1996  Gupta et al.           726/25
`5,485,575 A        1/1996  Chess et al.           714/38
`5,572,643 A       11/1996  Judson                 709/218
`5,579,509 A       11/1996  Furtney et al.         703/27
`5,606,668 A        2/1997  Shwed                  726/13
`5,623,600 A        4/1997  Ji et al.              726/24
`5,638,446 A        6/1997  Rubin                  705/51
`5,675,711 A       10/1997  Kephart et al.         706/12
`5,692,047 A       11/1997  McManis                713/167
`5,692,124 A       11/1997  Holden et al.          726/2
`5,720,033 A        2/1998  Deo                    726/2
`5,724,425 A        3/1998  Chang et al.           705/52
`5,740,248 A        4/1998  Fieres et al.          713/156
`5,740,441 A        4/1998  Yellin et al.          717/134
`5,761,421 A        6/1998  van Hoff et al.        709/223
`5,765,205 A        6/1998  Breslau et al.         711/203
`5,784,459 A        7/1998  Devarakonda et al.     713/165
`5,796,952 A        8/1998  Davis et al.           709/224
`5,805,829 A        9/1998  Cohen et al.           709/202
`5,832,208 A       11/1998  Chen et al.            726/24
`5,832,274 A       11/1998  Cutler et al.          717/171
`5,850,559 A       12/1998  Angelo et al.          713/320
`5,859,966 A        1/1999  Hayman et al.          726/23
`5,864,683 A        1/1999  Boebert et al.         709/249
`5,881,151 A        3/1999  Yamamoto               726/24
`5,884,033 A        3/1999  Duvall et al.          709/206
`5,892,904 A        4/1999  Atkinson et al.        726/22
`5,951,698 A        9/1999  Chen et al.            714/38
`5,956,481 A        9/1999  Walsh et al.           726/23
`5,963,742 A       10/1999  Williams               717/143
`5,974,549 A       10/1999  Golan                  726/23
`5,978,484 A       11/1999  Apperson et al.        705/54
`5,983,348 A       11/1999  Ji                     726/13
`5,987,611 A       11/1999  Freund                 726/4
`6,088,801 A        7/2000  Grecsek                726/1
`6,088,803 A        7/2000  Tso et al.             726/22
`6,092,194 A *      7/2000  Touboul                726/24
`6,154,844 A *     11/2000  Touboul et al.         726/24
`6,167,520 A *     12/2000  Touboul                726/23
`6,339,829 B1       1/2002  Beadle et al.          726/15
`6,425,058 B1       7/2002  Arimilli et al.        711/134
`6,434,668 B1       8/2002  Arimilli et al.        711/128
`6,434,669 B1       8/2002  Arimilli et al.        711/128
`6,480,962 B1 *    11/2002  Touboul                726/22
`6,487,666 B1      11/2002  Shanklin et al.        726/23
`6,519,679 B2       2/2003  Devireddy et al.       711/114
`6,598,033 B2       7/2003  Ross et al.            706/46
`6,732,179 B1       5/2004  Brown et al.           709/229
`6,804,780 B1 *    10/2004  Touboul                713/181
`6,917,953 B2       7/2005  Simon et al.           707/204
`7,058,822 B2 *     6/2006  Edery et al.           726/22
`7,143,444 B2      11/2006  Porras et al.          726/30
`7,210,041 B1       4/2007  Gryaznov et al.        713/188
`7,308,648 B1      12/2007  Buchthal et al.        715/234
`7,343,604 B2       3/2008  Grabarnik et al.       719/313
`7,418,731 B2       8/2008  Touboul                726/22
`7,613,926 B2 *    11/2009  Edery et al.           713/181
`7,647,633 B2 *     1/2010  Edery et al.           726/22
`2003/0014662 A1    1/2003  Gupta et al.           726/23
`2003/0101358 A1    5/2003  Porras et al.          726/4
`2004/0073811 A1    4/2004  Sanin                  726/13
`2004/0088425 A1    5/2004  Rubinstein et al.      709/230
`2005/0050338 A1    3/2005  Liang et al.           713/188
`2005/0172338 A1    8/2005  Sandu et al.           726/22
`2006/0031207 A1    2/2006  Bjarnestam et al.      707/3
`2006/0048224 A1    3/2006  Duncan et al.          726/22
`2008/0066160 A1    3/2008  Becker et al.          726/4
`2010/0195909 A1    8/2010  Wasson et al.          382/176
`
`OTHER PUBLICATIONS
`
`Rubin, et al., “Mobile Code Security,” IEEE Internet, pp. 30-34, Dec. 1998.
`Schmid, et al. “Protecting Data From Malicious Software,” Proceeding of the 18th Annual Computer Security Applications Conference, pp. 1-10, 2002.
`Corradi, et al., “A Flexible Access Control Service for Java Mobile Code,” IEEE, pp. 356-365, 2000.
`International Search Report for Application No. PCT/IB97/01626, 3 pp., May 14, 1998 (mailing date).
`International Search Report for Application No. PCT/IL05/00915, 4 pp., dated Mar. 3, 2006.
`Written Opinion for Application No. PCT/IL05/00915, 5 pp., dated Mar. 3, 2006 (mailing date).
`International Search Report for Application No. PCT/IB01/01138, 4 pp., Sep. 20, 2002 (mailing date).
`International Preliminary Examination Report for Application No. PCT/IB01/01138, 2 pp., dated Dec. 19, 2002.
`Gerzic, Amer, “Write Your Own Regular Expression Parser,” Nov. 17, 2003, 18 pp.
`Power, James, “Lexical Analysis,” 4 pp., May 14, 2006.
`Sitaker, Kragen, “Rapid Genetic Evolution of Regular Expressions” [online], The Mail Archive, Apr. 24, 2004 (retrieved on Dec. 7, 2004), 5 pp.
`“Lexical Analysis: DFA Minimization & Wrap Up” [online], Fall, 2004 [retrieved on Mar. 2, 2005], 8 pp.
`“Minimization of DFA” [online], [retrieved on Dec. 7, 2004], 7 pp.
`“Algorithm: NFS -> DFA” [online], Copyright 1999-2001 [retrieved on Dec. 7, 2004], 4 pp.
`“CS 3813: Introduction to Formal Languages and Automata - State Minimization and Other Algorithms for Finite Automata,” 3 pp., May 11, 2003.
`Watson, Bruce W., “Constructing Minimal Acyclic Deterministic Finite Automata,” [retrieved on Mar. 20, 2005], 38 pp.
`Chang, Chia-Hsiang, “From Regular Expressions to DFA’s Using Compressed NFA’s,” Oct. 1992, 243 pp.
`“Products,” Articles published on the Internet, “Revolutionary Security for a New Computing Paradigm” regarding SurfinGate™, 7 pp.
`“Release Notes for the Microsoft ActiveX Development Kit,” Aug. 13, 1996, activex.adsp.or.jp/inetsdk/readme.txt, pp. 1-10.
`Doyle, et al., “Microsoft Press Computer Dictionary,” Microsoft Press, 2d Edition, pp. 137-138, 1993.
`Finjan Software Ltd., “Powerful PC Security for the New World of Java™ and Downloadables, Surfin Shield™,” Article published on the Internet by Finjan Software Ltd., 2 pp. 1996.
`Finjan Software Ltd., “Finjan Announces a Personal Java™ Firewall for Web Browsers - the SurfinShield™ 1.6 (formerly known as SurfinBoard),” Press Release of Finjan Releases SurfinShield 1.6, 2 pp., Oct. 21, 1996.
`Finjan Software Ltd., “Finjan Announces Major Power Boost and New Features for SurfinShield™ 2.0,” Las Vegas Convention Center/Pavillion 5 P5551, 3 pp., Nov. 18, 1996.
`Finjan Software Ltd., “Finjan Software Releases SurfinBoard, Industry’s First JAVA Security Product for the World Wide Web,” Article published on the Internet by Finjan Software Ltd., 1 p., Jul. 29, 1996.
`Finjan Software Ltd., “Java Security: Issues & Solutions,” Article published on the Internet by Finjan Software Ltd., 8 pp. 1996.
`Finjan Software Ltd., Company Profile, “Finjan - Safe Surfing, The Java Security Solutions Provider,” Article published on the Internet by Finjan Software Ltd., 3 pp., Oct. 31, 1996.
`“IBM AntiVirus User’s Guide, Version 2.4,”, International Business Machines Corporation, pp. 6-7, Nov. 15, 1995.
`Khare, R., “Microsoft Authenticode Analyzed” [online], Jul. 22, 1996 [retrieved on Jun. 25, 2003], 2 pp.
`LaDue, M., Online Business Consultant: Java Security: Whose Business is It?, Article published on the Internet, Home Page Press, Inc., 4 pp., 1996.
`Leach, Norvin, et al., “IE 3.0 Applets Will Earn Certification,” PC Week, vol. 13, No. 29, 2 pp., Jul. 22, 1996.
`Moritz, R., “Why We Shouldn’t Fear Java,” Java Report, pp. 51-56, Feb. 1997.
`Microsoft, “Microsoft ActiveX Software Development Kit” [online], Aug. 12, 1996 [retrieved on Jun. 25, 2003], pp. 1-6.
`Microsoft® Authenticode Technology, “Ensuring Accountability and Authenticity for Software Components on the Internet,” Microsoft Corporation, Oct. 1996, including Abstract, Contents, Introduction, and pp. 1-10.
`Microsoft Corporation, Web Page Article “Frequently Asked Questions About Authenticode,” last updated Feb. 17, 1997, printed Dec. 23, 1998, pp. 1-13.
`Okamoto, E., et al., “ID-Based Authentication System for Computer Virus Detection,” IEEE/IEE Electronic Library online, Electronics Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract and pp. 1169-1170.
`Omura, J. K., “Novel Applications of Cryptography in Digital Communications,” IEEE Communications Magazine, pp. 21-29, May 1990.
`Schmitt, D.A., “.EXE files, OS-2 style,” PC Tech Journal, vol. 6, No. 11, p. 76(13), Nov. 1988.
`Zhang, X. N., “Secure Code Distribution,” IEEE/IEE Electronic Library online, Computer, vol. 30, Issue 6, pp. 76-79, Jun. 1997.
`D. Grune, et al., “Parsing Techniques: A Practical Guide,” John Wiley & Sons, Inc., New York, New York, USA, pp. 1-326, 2000.
`Power, James, “Notes on Formal Language Theory and Parsing,” National University of Ireland, pp. 1-40, 1999.
`
`* cited by examiner
`
`
`
`[Drawing Sheet 1 of 10. FIG. 1a: network system 100 with Subsystem-1 (Sandbox Protected), Subsystem-M (Protected), Subsystem-N (Unprotected), Redundancy Support, and ResourceServer-1 to ResourceServer-N with their resources. FIG. 1b and FIG. 1c: an ISP server, and a corporate server and firewall, each hosting a protection engine (PE), with the MPC and Downloadable (D) passed to the clients of user devices.]
`
`
`
`
`[Drawing Sheet 6 of 10. FIG. 7a: Protection Agent, Sandbox Engine (JVM), Initiator, policies (POL) and Destination Resources, shown across Memory Space-N and Memory Spaces-P1 and P2. FIG. 7b: Memory Space-P1 and Memory Space-P2. FIG. 8: Package Extractor, Executable Installer, Sandbox Engine Installer, Resource Access Diverter, Resource Access Analyzer, Policy Enforcer, MPC De-Installer.]
`
`
`
`
`[Drawing Sheet 9 of 10. FIG. 11, flowchart; reference numerals given where legible.]
`1101: Install mobile protection code elements and policies within a destination device.
`1102: Load the Downloadable without actually initiating it.
`1103: Form an access interceptor for intercepting Downloadable destination device access attempts within the destination device.
`1105: Initiate the Downloadable within the destination device.
`(Decision with No/Yes branches; its condition is not legible.)
`1109: Determine policies in accordance with the access attempt.
`Execute the policies (including causing an allowable response expected by the Downloadable to be returned to the Downloadable).
`
`
`
`MALICIOUS MOBILE CODE RUNTIME
`MONITORING SYSTEM AND METHODS
`
`PRIORITY REFERENCE TO RELATED
`APPLICATIONS
`
`This application is a continuation of assignee’s application Ser. No. 11/370,114, filed Mar. 7, 2006, now U.S. Pat. No. 7,613,926, entitled “Method and System for Protecting a Computer and a Network from Hostile Downloadables,” which is a continuation of Ser. No. 09/861,229, filed on May 17, 2001, now U.S. Pat. No. 7,058,822, entitled “Malicious Mobile Code Runtime Monitoring System And Methods”, all of which are hereby incorporated by reference. U.S. application Ser. No. 09/861,229 claims benefit of provisional application Ser. No. 60/205,591, entitled “Computer Network Malicious Code Run-time Monitoring,” filed on May 17, 2000 by inventors Nimrod Itzhak Vered, et al., which is hereby incorporated by reference. U.S. application Ser. No. 09/861,229 is also a Continuation-In-Part of U.S. patent application Ser. No. 09/539,667, entitled “System and Method for Protecting a Computer and a Network From Hostile Downloadables” filed on Mar. 30, 2000 by inventor Shlomo Touboul, now U.S. Pat. No. 6,804,780, and hereby incorporated by reference, which is a continuation of assignee’s U.S. patent application Ser. No. 08/964,388, filed on Nov. 6, 1997, now U.S. Pat. No. 6,092,194, also entitled “System and Method for Protecting a Computer and a Network from Hostile Downloadables” and hereby incorporated by reference. U.S. Ser. No. 09/861,229 is also a Continuation-In-Part of U.S. patent application Ser. No. 09/551,302, entitled “System and Method for Protecting a Client During Runtime From Hostile Downloadables”, filed on Apr. 18, 2000 by inventor Shlomo Touboul, now U.S. Pat. No. 6,480,962, which is hereby incorporated by reference.
`
`BACKGROUND OF THE INVENTION
`
`
`1. Field of the Invention
`This invention relates generally to computer networks, and more particularly provides a system and methods for protecting network-connectable devices from undesirable downloadable operation.
`2. Description of the Background Art
`Advances in networking technology continue to impact an increasing number and diversity of users. The Internet, for example, already provides to expert, intermediate and even novice users the informational, product and service resources of over 100,000 interconnected networks owned by governments, universities, nonprofit groups, companies, etc. Unfortunately, particularly the Internet and other public networks have also become a major source of potentially system-fatal or otherwise damaging computer code commonly referred to as “viruses.”
`Efforts to forestall viruses from attacking networked computers have thus far met with only limited success at best. Typically, a virus protection program designed to identify and remove or protect against the initiating of known viruses is installed on a network firewall or individually networked computer. The program is then inevitably surmounted by some new virus that often causes damage to one or more computers. The damage is then assessed and, if isolated, the new virus is analyzed. A corresponding new virus protection program (or update thereof) is then developed and installed to combat the new virus, and the new program operates successfully until yet another new virus appears, and so on. Of course, damage has already typically been incurred.
`To make matters worse, certain classes of viruses are not well recognized or understood, let alone protected against. It is observed by this inventor, for example, that Downloadable information comprising program code can include distributable components (e.g. Java™ applets and JavaScript scripts, ActiveX™ controls, Visual Basic, add-ins and/or others). It can also include, for example, application programs, Trojan horses, multiple compressed programs such as zip or meta files, among others. U.S. Pat. No. 5,983,348 to Shuang, however, teaches a protection system for protecting against only distributable components including “Java applets or ActiveX controls”, and further does so using resource intensive and high bandwidth static Downloadable content and operational analysis, and modification of the Downloadable component; Shuang further fails to detect or protect against additional program code included within a tested Downloadable. U.S. Pat. No. 5,974,549 to Golan teaches a protection system that further focuses only on protecting against ActiveX controls and not other distributable components, let alone other Downloadable types. U.S. Pat. No. 6,167,520 to Touboul enables more accurate protection than Shuang or Golan, but lacks the greater flexibility and efficiency taught herein, as do Shuang and Golan.
`Accordingly, there remains a need for efficient, accurate and flexible protection of computers and other network connectable devices from malicious Downloadables.
`
`SUMMARY OF THE INVENTION
`
`The present invention provides protection systems and methods capable of protecting a personal computer (“PC”) or other persistently or even intermittently network accessible devices or processes from harmful, undesirable, suspicious or other “malicious” operations that might otherwise be effectuated by remotely operable code. While enabling the capabilities of prior systems, the present invention is not nearly so limited, resource intensive or inflexible, and yet enables more reliable protection. For example, remotely operable code that is protectable against can include downloadable application programs, Trojan horses and program code groupings, as well as software “components”, such as Java™ applets, ActiveX™ controls, JavaScript™/Visual Basic scripts, add-ins, etc., among others. Protection can also be provided in a distributed interactively, automatically or mixed configurable manner using protected client, server or other parameters, redirection, local/remote logging, etc., and other server/client based protection measures can also be separately and/or interoperably utilized, among other examples.
`In one aspect, embodiments of the invention provide for determining, within one or more network “servers” (e.g. firewalls, resources, gateways, email relays or other devices/processes that are capable of receiving-and-transferring a Downloadable) whether received information includes executable code (and is a “Downloadable”). Embodiments also provide for delivering static, configurable and/or extensible remotely operable protection policies to a Downloadable-destination, more typically as a sandboxed package including the mobile protection code, downloadable policies and one or more received Downloadables. Further client based or remote protection code/policies can also be utilized in a distributed manner. Embodiments also provide for causing the mobile protection code to be executed within a Downloadable-destination in a manner that enables various Downloadable operations to be detected, intercepted or further responded to via protection operations. Additional server/information-destination device security or other protection is also enabled, among still further aspects.
`
`A protection engine according to an embodiment of the invention is operable within one or more network servers, firewalls or other network connectable information re-communicating devices (as are referred to herein summarily one or more “servers” or “re-communicators”). The protection engine includes an information monitor for monitoring information received by the server, and a code detection engine for determining whether the received information includes executable code. The protection engine also includes a packaging engine for causing a sandboxed package, typically including mobile protection code and downloadable protection policies to be sent to a Downloadable-destination in conjunction with the received information, if the received information is determined to be a Downloadable.
`A sandboxed package according to an embodiment of the invention is receivable by and operable with a remote Downloadable-destination. The sandboxed package includes mobile protection code (“MPC”) for causing one or more predetermined malicious operations or operation combinations of a Downloadable to be monitored or otherwise intercepted. The sandboxed package also includes protection policies (operable alone or in conjunction with further Downloadable-destination stored or received policies/MPCs) for causing one or more predetermined operations to be performed if one or more undesirable operations of the Downloadable is/are intercepted. The sandboxed package can also include a corresponding Downloadable and can provide for initiating the Downloadable in a protective “sandbox”. The MPC/policies can further include a communicator for enabling further MPC/policy information or “modules” to be utilized and/or for event logging or other purposes.
`A sandbox protection system according to an embodiment of the invention comprises an installer for enabling a received MPC to be executed within a Downloadable-destination (device/process) and further causing a Downloadable application program, distributable component or other received downloadable code to be received and installed within the Downloadable-destination. The protection system also includes a diverter for monitoring one or more operation attempts of the Downloadable, an operation analyzer for determining one or more responses to the attempts, and a security enforcer for effectuating responses to the monitored operations. The protection system can further include one or more security policies according to which one or more protection system elements are operable automatically (e.g. programmatically) or in conjunction with user intervention (e.g. as enabled by the security enforcer). The security policies can also be configurable/extensible in accordance with further downloadable and/or Downloadable-destination information.
`A method according to an embodiment of the invention includes receiving downloadable information, determining whether the downloadable information includes executable code, and causing a mobile protection code and security policies to be communicated to a network client in conjunction with security policies and the downloadable information if the downloadable information is determined to include executable code. The determining can further provide multiple tests for detecting, alone or together, whether the downloadable information includes executable code.
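The detection-and-packaging method above, as an added Python example (not code from the patent or from Finjan). It runs several independent content tests, looks inside nested zip archives under depth and size limits, and wraps anything that trips a test together with policies; the signature table, the limits, the `SandboxedPackage` fields and the `mpc-base` module name are assumptions made for illustration.

```python
import io
import zipfile
from dataclasses import dataclass

# Hypothetical content signatures; a real gateway would carry many more.
MAGIC_TESTS = {
    b"MZ": "windows-executable",
    b"\x7fELF": "elf-executable",
    b"\xca\xfe\xba\xbe": "java-class",
}
ACTIVE_MARKUP = (b"<script", b"<applet", b"<object")
MAX_DEPTH = 3                # stop unpacking nested archives beyond this depth
MAX_MEMBER_BYTES = 1 << 20   # refuse to inflate members larger than 1 MiB


def detect_executable(data: bytes, depth: int = 0) -> list:
    """Run every test on the content itself; return the labels that fired."""
    hits = [label for magic, label in MAGIC_TESTS.items() if data.startswith(magic)]
    head = data[:4096].lower()
    if any(tag in head for tag in ACTIVE_MARKUP):
        hits.append("active-markup")
    if data.startswith(b"PK\x03\x04"):
        hits.extend(scan_archive(data, depth))
    return hits


def scan_archive(data: bytes, depth: int) -> list:
    """Look inside a zip so code hidden in 'inert' containers is still found."""
    if depth >= MAX_DEPTH:
        return ["archive-too-deep"]        # fail closed: treat as suspect
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["archive-unreadable"]      # fail closed here as well
    hits = []
    with archive:
        for info in archive.infolist():
            if info.file_size > MAX_MEMBER_BYTES:
                hits.append(f"{info.filename}:too-large")
                continue
            try:
                inner = archive.read(info)
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                hits.append(f"{info.filename}:unreadable")   # e.g. encrypted member
                continue
            hits.extend(f"{info.filename}:{h}" for h in detect_executable(inner, depth + 1))
    return hits


@dataclass
class SandboxedPackage:
    mpc: str              # name of the protection module to run first (assumed)
    policies: dict        # operation -> response, consumed at the destination
    downloadable: bytes   # the received content, unmodified
    reasons: list         # which tests fired, kept for logging


def recommunicate(data: bytes, policies: dict):
    """Gateway decision: pass inert data through, wrap detected Downloadables."""
    reasons = detect_executable(data)
    if not reasons:
        return data
    return SandboxedPackage("mpc-base", dict(policies), data, reasons)


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real captures).
POLICIES = {"file_write": "deny", "net_connect": "log"}
PLAIN_TEXT = b"quarterly report, no code here"
FAKE_IMAGE = b"MZ\x90\x00" + bytes(60)          # executable header behind an image name
CLASS_BYTES = b"\xca\xfe\xba\xbe\x00\x00\x00\x34"
NESTED = make_zip({"docs/readme.txt": b"hello",
                   "inner.zip": make_zip({"Applet.class": CLASS_BYTES})})

if __name__ == "__main__":
    for name, sample in [("text", PLAIN_TEXT), ("image", FAKE_IMAGE), ("nested", NESTED)]:
        print(name, detect_executable(sample))
```

The tests inspect content only, so a declared file name or MIME type never clears a payload, and archives that cannot be fully inspected are wrapped rather than passed through.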
`A further method according to an embodiment of the invention includes forming a sandboxed package that includes mobile protection code (“MPC”), protection policies, and a received, detected-Downloadable, and causing the sandboxed package to be communicated to and installed by a receiving device or process (“user device”) for responding to one or more malicious operation attempts by the detected-Downloadable from within the user device. The MPC/policies can further include a base “module” and a “communicator” for enabling further up/downloading of one or more further “modules” or other information (e.g. events, user/user device information, etc.).
`Another method according to an embodiment of the invention includes installing, within a user device, received mobile protection code (“MPC”) and protection policies in conjunction with the user device receiving a downloadable application program, component or other Downloadable(s). The method also includes determining, by the MPC, a resource access attempt by the Downloadable, and initiating, by the MPC, one or more predetermined operations corresponding to the attempt. (Predetermined operations can, for example, comprise initiating user, administrator, client, network or protection system determinable operations, including but not limited to modifying the Downloadable operation, extricating the Downloadable, notifying a user/another, maintaining a local/remote log, causing one or more MPCs/policies to be downloaded, etc.)
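A model of the destination-side flow just described, added here as an example and not taken from the patent: one class plays diverter, operation analyzer and enforcer for a Downloadable that can reach resources only through it. `Policy`, `FakeResources`, the operation names and the sample paths are hypothetical, and an in-process Python callable stands in for the Downloadable, so this shows the control flow rather than real isolation.

```python
import fnmatch
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    operation: str   # "file_read", "file_write" or "net_connect"
    target: str      # glob matched against the canonical path or host
    action: str      # "allow", "deny" or "terminate"


class Terminated(Exception):
    """Raised by the enforcer to end a Downloadable's run."""


class FakeResources:
    """Constructed in-memory stand-in for the destination's real resources."""

    def __init__(self):
        self.files = {"/tmp/app/settings": b"theme=dark", "/home/user/keys": b"SECRET"}
        self.connections = []

    def file_read(self, path):
        return self.files[path]

    def file_write(self, path, data):
        self.files[path] = data
        return len(data)

    def net_connect(self, host):
        self.connections.append(host)
        return True


class MobileProtectionCode:
    # Returned on "deny": the type the caller expects, so the Downloadable keeps running.
    DENIED = {"file_read": b"", "file_write": 0, "net_connect": False}

    def __init__(self, policies, resources):
        self.policies, self.resources, self.log = list(policies), resources, []

    def analyze(self, operation, target):
        """Operation analyzer: first matching policy wins, default is deny."""
        for p in self.policies:
            if p.operation == operation and fnmatch.fnmatchcase(target, p.target):
                return p.action
        return "deny"

    def divert(self, operation, target, *args):
        """Diverter and enforcer: every resource call from the Downloadable lands here."""
        if operation.startswith("file_"):
            target = posixpath.normpath(target)   # collapse ../ before matching
        action = self.analyze(operation, target)
        self.log.append((operation, target, action))
        if action == "allow":
            return getattr(self.resources, operation)(target, *args)
        if action == "terminate":
            raise Terminated(f"{operation} {target}")
        return self.DENIED[operation]

    def run(self, downloadable):
        """Initiate the Downloadable only once the interceptor is in place."""
        try:
            return downloadable(self.divert)
        except Terminated:
            return "terminated"


# Constructed policies and Downloadables for the demonstration.
POLICIES = [
    Policy("file_read", "/tmp/app/*", "allow"),
    Policy("file_write", "/tmp/app/*", "allow"),
    Policy("net_connect", "*", "terminate"),
]


def benign(api):
    settings = api("file_read", "/tmp/app/settings")
    api("file_write", "/tmp/app/cache", settings.upper())
    return "done"


def untrusted(api):
    data = api("file_read", "/tmp/app/../../home/user/keys")  # path escapes the allowed tree
    api("net_connect", "collector.example")                   # policy ends the run here
    return data


if __name__ == "__main__":
    mpc = MobileProtectionCode(POLICIES, FakeResources())
    print(mpc.run(benign), mpc.run(untrusted))
    for entry in mpc.log:
        print(entry)
```

Canonicalising the path before the policy match is what keeps the `/tmp/app/*` allowance from covering `/tmp/app/../../home/user/keys`; the log shows the request as `/home/user/keys` with action `deny`.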
`Advantageously, systems and methods according to embodiments of the invention enable potentially damaging, undesirable or otherwise malicious operations by even unknown mobile code to be detected, prevented, modified and/or otherwise protected against without modifying the mobile code. Such protection is further enabled in a manner that is capable of minimizing server and client resource requirements, does not require pre-installation of security code within a Downloadable-destination, and provides for client specific or generic and readily updateable security measures to be flexibly and efficiently implemented. Embodiments further provide for thwarting efforts to bypass security measures (e.g. by “hiding” undesirable operation causing information within apparently inert or otherwise “friendly” downloadable information) and/or dividing or combining security measures for even greater flexibility and/or efficiency.
`Embodiments also provide for determining protection policies that can be downloaded and/or ascertained from other security information (e.g. browser settings, administrative policies, user input, uploaded information, etc.). Different actions in response to different Downloadable operations, clients, users and/or other criteria are also enabled, and embodiments provide for implementing other security measures, such as verifying a downloadable source, certification, authentication, etc. Appropriate action can also be accomplished automatically (e.g. programmatically) and/or in conjunction with alerting one or more users/administrators, utilizing user input, etc. Embodiments further enable desirable Downloadable operations to remain substantially unaffected, among other aspects.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`FIG. 1a is a block diagram illustrating a network system in accordance with an embodiment of the present invention;
`FIG. 1b is a block diagram illustrating a network subsystem example in accordance with an embodiment of the invention;
`FIG. 1c is a block diagram illustrating a further network subsystem example in accordance with an embodiment of the invention;
`FIG. 2 is a block diagram illustrating a computer system in accordance with an embodiment of the invention;
`FIG. 3 is a flow diagram broadly illustrating a protection system host according to an embodiment of the invention;
`