Ulllted States Patent [19]
`T0ub0ul
`
`US006092194A
`[11] Patent Number:
`[45] Date of Patent:
`
`6,092,194
`*Jul. 18, 2000
`
`[54] SYSTEM AND METHOD FOR PROTECTING
`A COMPUTER AND A NETWORK FROM
`HOSTILE DOWNLOADABLES
`
`5,864,683
`5,892,904
`
`1/1999 Boebert et al. .................. .. 395/200.79
`4/1999 Atkinson et al. ................ .. 395/18701
`OTHER PUBLICATIONS
`
`[75] Inventor: Shl0m0 T0ub0ul, Kefar-Haim, Israel
`
`Web
`
`page;
`
`http;metihseom;8()/Cgi_bin/ie1i
`
`.
`
`_
`
`.
`
`.
`
`[73] Asslgnee' Fm‘lan Software’ Ltd" Netanya’ Israel
`[*1 Notice:
`patent issued on a Continued pros_
`ecution application ?led under 37 CFR
`
`T5223;
`
`
`
`and is subject to the twenty year provlslons of 35 USC'
`
`_
`[21] Appl' NO" 08/964’388
`[22] Filed:
`Nov. 6, 1997
`
`Related US. Application Data
`[60] Provisional application No. 60/030,639, Nov. 8, 1996.
`
`7
`[51] Int. Cl. ...................................................... .. H04L 1/00
`
`[52] US. Cl. ............................................................ .. 713/200
`-
`_
`[58] Field of Search ............................. .. 395/18701 186
`713/200 201 202 714/38 704_ 769/229’
`’
`’
`’
`’
`’
`References Cited
`
`56
`T
`]
`
`Us‘ PATENT DOCUMENTS
`5 077 677 12/1991 Murphy et al. ......................... .. 395/10
`5,361,359 11/1994 Tajalli et al. .... ..
`395/700
`5,485,409
`1/1996 Gupta et al. . . . . . .
`. . . . . .. 395/186
`5,485,575
`1/1996 Chess et a1, __
`395/183_14
`5,572,643 11/1996 Judson _ _ _ _ _ _
`_ _ _ _ _ _ __ 395/793
`5,623,600
`4/1997 11 et al. ..
`395/187.01
`5,638,446
`6/1997 Rubin
`. 380/25
`5,692,047 11/1997 MCManiS - - - - - -
`- - - - - - -- 380/4
`5,692,124 11/1997 Holden et al-
`395/187-01
`5,720,033
`2/1998 D60 ~~~~~~~~~~~~~ ~~
`395/186
`5,724,425
`3/1998 Chang et al. ........................... .. 380/25
`5,740,248
`4/1998 Fieres et al. ............................ .. 380/25
`577617421
`6/1998 Van Hoff et a1‘ '
`" 39500053
`g/
`greslauket 31' "" ' '
`' ' ' ' ' " mégzooi
`5’796’952 82998 Dziiiisraetoi? a et a‘
`5/4
`5:805:829
`9/1998 Cohen et al. .................... .. 395/20032
`
`5,832,208 11/1998 Chen et al. . . . . . . .
`
`. . . . .. 395/187.01
`
`5,850,559 12/1998 Angelo et al. ................... .. 395/750.03
`
`cgi?se...2ehts%26VieWTemplate%3ddocvie%5fb%2ehts,
`
`Okamato, E. et al., “ID—Based Authentication System For
`Computer Virus Detection”,
`Electronic Library
`online, Electronics Letters, vol. 26, Issue 15, ISSN
`
`
`
`
`
`Abstract and 19, (List continued on next page.)
`
`Primary Examiner—Robert W. Beausoliel, Jr.
`Assistant Examiner—Christopher Revak
`Attorney, Agent, or Firm—Graham & James LLP
`
`[57]
`
`ABSTRACT
`
`_
`_
`A system protects a computer from suspicious DoWnload
`ables. The system comprises a security policy, an interface
`for receiving a Downloadable, and a Comparator, Coupled to
`the interface, for applying the security policy to the DoWn
`loadable to determine if the Security policy has been Vi0_
`lated. The DoWnloadable ma include a JavaTM a let, an
`.
`.Y
`.
`. PP
`.
`ActiveXTM control, a JavaScriptTl’I script, or a Visual Basic
`script. The security policy may include a default security
`policy to be applied regardless of the client to Whom the
`DoWnloadable is addressed, or a speci?c security policy to
`be applied based on the client or the group to Which the
`Client belongs~ The System uses an ID generator to Compute
`a Downloadable ID identifying the Downloadable,
`Preferably, by fetching all Components of the Downloadable
`and performing a hashing function on the DoWnloadable
`including the fetched components. Further, the security
`policy may indicate several tests to perform, including (1) a
`comparison With known hostile and non-hostile DoWnload
`ables; (2) a comparison With DoWnloadables to be blocked
`or alloWed per administrative override; (3) a comparison of
`the DoWnloadable security pro?le data against access con
`H01 lists; (4) a Comparison of a Certi?cate embodied in the
`Downloadable against trusted Certi?cates; and (5) a Com_
`parison of the URL from Which the DoWnloadable origi
`nated against trusted and untrusted URLs. Based on these
`tests, a logical engine can determine Whether to alloW or
`block the Downloadable'
`
`68 Claims, 10 Drawing Sheets
`
`660
`
`Reeslvs Results lmm Filst
`comparator, ACL
`Comparatur. cenil'lcme
`Comparator and URL
`Comparator
`
`Compare Results wlm
`Securlty Policles
`
`Send Subsmute
`
`,
`
`*4
`
`Downloadblc to
`
`lnlorm The User
`
`‘
`
`Record Fludlugs
`
`000001
`
`Symantec 1007
`IPR of U.S. Pat. No. 8,677,494
`
`

`
`6,092,194
`Page 2
`
`OTHER PUBLICATIONS
`
`“Finjan Announces a Personal Java TM Firewall For Web
`Browsers—the Sur?nShieldTM 1.6”, Press Release of Finjan
`Releases Sur?nShield, Oct. 21, 1996, 2 pages.
`“Finjan Software Releases Sur?nBoard, Industry’s First
`JAVA Security Product For the World Wide Web”, Article
`published on the Internet by Finjan Software, Ltd., Jul. 29,
`1996, 1 page.
`“Powerful PC Security for the New World of JavaTM and
`Downloadables, Sur?n ShieldTM”Article published on the
`Internet by Finjan Software Ltd., 1996, 2 Pages.
`“Cornpany Pro?le Finjan—Safe Sur?ng, The Java Security
`Solutions Provider” Article published on the Internet by
`Finjan Software Ltd., Oct. 31, 1996, 3 pages.
`“Finjan Announces Major Power Boost and New Features
`for Sur?nShieldTM 2.0” Las Vegas Convention Center/Pa
`villion 5 P5551, Nov. 18, 1996, 3 pages.
`
`“Java Security: Issues & Solutions” Article published on the
`Internet by Finjan Software Ltd., 1996, 8 pages.
`“Products” Article published on the Internet, 7 pages.
`Mark LaDue, “Online Business Consultant” Article pub
`lished on the Internet, Home Page, Inc. 1996, 4 pages.
`Jirn K. Ornura, “Novel Applications of Cryptography in
`Digital Communications”, IEEE Communications Maga
`Zine, p 27, May 1990.
`Norvin Leach et al, “IE 3.0 applets will earn certi?cation”,
`PC Week, v13, n29, p1(2), Jul. 1996.
`Microsoft Authenticode Technology, “Ensuring Account
`ability and Authenticity for Software Components on the
`Internet”, Microsoft Corporation, Oct. 1996.
`Frequently Asked Questions About Authenticode, Microsoft
`Corporation, Feb. 1997.
`
`000002
`
`

`
`U.S. Patent
`
`Jul. 18,2000
`
`Sheet 1 0f 10
`
`6,092,194
`
`100
`(J
`
`105
`
`External Computer Network
`
`"
`
`110
`
`Internal Network //
`Security System
`
`130
`/_/
`
`V
`
`Internal Computer Network
`
`115
`
`135
`
`120
`
`Security /
`Management
`Console
`
`FIG. 1
`
`000003
`
`

`
`U.S. Patent
`
`Jul. 18,2000
`
`Sheet 2 of 10
`
`6,092,194
`
`o:
`
`EO._n_
`
`
`
`ESQEOO_mE2xm_
`
`2:0.8362
`
`m_.N
`
`SN
`
`mm?
`
`mom
`
`m8mt9:_Q.
`
`mco:mo_c:EEoo
`
`mowtmE_
`
`_mEm_.xm_
`
`Dn_o
`
`N.O_n_
`
`mmm
`
`omm
`
`omm
`
`mmm
`
`>.._Somm
`
`Emaoi
`
`95980
`
`E996
`
`SN
`
`SN
`
`SN
`
`
`
`mmm_o..wEma
`
`mo_>mn_
`
`btsoww
`
`mmmnmfio
`
`
`
`mo._mEm>m_
`
`Emma
`
`o?
`
`m:o:mo_c:EEoO
`
`momtmt:
`
`_mC._®uC_
`
`
`
`_mSqEoo_mEQ.xm_S
`
`
`
`miéoémz
`
`omm
`
`mmm
`
`000004
`
`000004
`
`
`
`
`
`

`
`6,092,194
`
`___
`
`mvm
`
`§m_maEoo
`
`_Eoomm
`
`_4m:_mc_Em_mcammx
`
`
`
`
`emogtmo _N_.9m_maEooEccmomM_98c_Eo
`
`
`3.2m.maEoo.2m_m:mO
`
`tnCtanr
`
`m
`
`0o:
`
`Jmom
`
`98n_mn_
`
`
`
`1wm_o__on_btzomm
`
`fl_ifM_Sm_nmumo_Esoo_._o§maEoo
`Bccmom
`wsofiamzwcoz_._o<muoo_«mmommN5
`
`__0_0_0IIIIIIIIIIIIIIIIIIIIII1IIII1IIIIIIIIIIIIIIIIIII1I|II1III2IIIIIIIIIIIIIIIIIIII
`
`gm:
`
`.9Em:
`
`um>_momm
`
`m_nmumo_EsoD
`
`.oomS.IIIIIIIIII|IIII|IIIIIIIIIIIII_
`
`000005
`
`000005
`
`
`
`

`
`U.S. Patent
`
`Jul. 18, 2000
`
`Sheet 4 0f 10
`
`6,092,194
`
`Security Policies
`305
`
`Policy Selectors
`
`Access Control
`Lists
`
`//
`
`415
`Trusted
`Certificate Lists //
`
`URL Rule Bases
`
`Lists of Downloadables
`to Allow or Block per
`Administrative Override
`
`FIG. 4
`
`000006
`
`

`
`U.S. Patent
`
`Jul. 18,2000
`
`Sheet 5 0f 10
`
`6,092,194
`
`120
`
`To/From
`Internal Computer
`Network
`
`505
`
`/~/
`
`Security
`Policy Editor
`
`FIG. 5
`
`510
`
`515
`
`/
`
`V
`
`Event Log
`Analysts
`Engine
`
`User
`Notification
`Engine
`
`000007
`
`

`
`U.S. Patent
`
`Jul. 18,2000
`
`Sheet 6 0f 10
`
`6,092,194
`
`600
`
`1
`
`Receive Downloadable
`
`604
`
`liGenerate Downloadable ID $6
`
`Find Security Policy
`
`614
`
`616
`
`URL
`comparison
`required?
`
`No
`
`Compare URL
`
`Downloadable
`allowed?
`
`Downloadable
`blocked’?
`
`618
`
`ACL
`comparison
`required?
`
`Previously
`decomposed
`
`Decompose Downloadable
`into DSP data
`
`:
`7
`Compare DSP with ACL
`
`630
`
`FIG. 6A
`
`620
`
`TCL
`comparison
`required’?
`
`No
`
`Scan Certificate
`i
`
`Compare Certificate
`with TCL
`/
`624
`
`y /
`Send results to
`Logical Engine
`
`@
`
`000008
`
`

`
`U.S. Patent
`
`Jul. 18,2000
`
`Sheet 7 0f 10
`
`6,092,194
`
`606
`
`Security policy de?ned
`for User-ID and
`Downloadable?
`
`V
`
`Fetch the generic
`security policy for
`User ID /
`
`652
`
`654
`
`Fetch tfg? PO'ICY
`
`\,\ User ID and
`Downloadable
`
`FIG. 6B
`
`000009
`
`

`
`U.S. Patent
`
`Jul. 18,2000
`
`Sheet 8 0f 10
`
`6,092,194
`
`(
`
`Start
`
`>
`
`Receive Results from First
`Comparator, ACL
`Comparator, Certificate
`Comparator and URL
`Comparator
`
`660
`/_/
`
`662
`Compare Results with //
`Security Policies
`
`7
`
`Security Policies
`Confirm Pass’?
`
`664
`
`N0
`
`666
`
`655
`
`/_/
`
`670
`
`Pass Downloadable
`
`Stop Downloadable
`
`672
`Send Substitute /
`
`Downioadble to
`Inform The User
`
`a
`v
`
`668
`
`Record Findings //
`
`End
`
`FIG. 6C
`
`000010
`
`

`
`U.S. Patent
`
`Jul. 18,2000
`
`Sheet 9 0f 10
`
`6,092,194
`
`628
`
`(
`
`Start
`
`)
`
`Disassemble the Machine
`Code
`
`Resolve a Respective
`Command in The Code
`
`Is The Resolved
`Command Suspect?
`
`705
`
`710
`
`715
`
`720
`
`Decode and Register The
`Command and The
`Command Parameters as
`DSP Data
`
`No
`
`725
`
`4
`i
`
`"
`
`Done?
`
`Yes
`
`FIG. 7
`
`000011
`
`

`
`U.S. Patent
`
`Jul. 18,2000
`
`Sheet 10 0f 10
`
`6,092,194
`
`800
`
`/
`
`810
`
`Y
`
`Receive a Downloadable
`
`V
`
`Fetch Downloadable
`Components
`
`Include Fetched Components in
`The Downloadable
`
`7
`
`Perform a Hashing Function on
`the Downloadable to Generate
`a Downloadable ID
`
`V
`
`Store the Downloadable ID
`
`End
`
`FIG. 8
`
`000012
`
`

`
`6,092,194
`
`1
`SYSTEM AND METHOD FOR PROTECTING
`A COMPUTER AND A NETWORK FROM
`HOSTILE DOWNLOADABLES
`
`INCORPORATION BY REFERENCE TO
`RELATED APPLICATION
`This application hereby incorporates by reference related
`US. patent application Ser. No. 08/790,097, entitled “Sys
`tem and Method for Protecting a Client from Hostile
`DoWnloadables,” ?led on Jan. 29, 1997, by inventor Shlomo
`Touboul.
`
`PRIORITY REFERENCE TO PROVISIONAL
`APPLICATION
`
`This application claims bene?t of and hereby incorporates
`by reference provisional application Ser. No. 60/030,639,
`entitled “System and Method for Protecting a Computer
`from Hostile DoWnloadables,” ?led on Nov. 8, 1996, by
`inventor Shlomo Touboul.
`
`10
`
`15
`
`20
`
`BACKGROUND OF THE INVENTION
`
`25
`
`30
`
`35
`
`40
`
`1. Field of the Invention
`This invention relates generally to computer networks,
`and more particularly provides a system and method for
`protecting a computer and a netWork from hostile DoWn
`loadables.
`2. Description of the Background Art
`The Internet is currently a collection of over 100,000
`individual computer netWorks oWned by governments,
`universities, nonpro?t groups and companies, and is expand
`ing at an accelerating rate. Because the Internet is public, the
`Internet has become a major source of many system dam
`aging and system fatal application programs, commonly
`referred to as “viruses.”
`Accordingly, programmers continue to design computer
`and computer netWork security systems for blocking these
`viruses from attacking both individual and netWork com
`puters. On the most part, these security systems have been
`relatively successful. HoWever, these security systems are
`not con?gured to recogniZe computer viruses Which have
`been attached to or con?gured as DoWnloadable application
`programs, commonly referred to as “DoWnloadables.” A
`DoWnloadable is an eXecutable application program, Which
`45
`is doWnloaded from a source computer and run on the
`destination computer. DoWnloadable is typically requested
`by an ongoing process such as by an Internet broWser or Web
`engine. Examples of DoWnloadables include J avaTM applets
`designed for use in the JavaTM distributing environment
`developed by Sun Microsystems, Inc., JavaScript scripts
`also developed by Sun Microsystems, Inc., ActiveXTM con
`trols designed for use in the ActiveXTM distributing envi
`ronment developed by the Microsoft Corporation, and
`Visual Basic also developed by the Microsoft Corporation.
`Therefore, a system and method are needed to protect a
`netWork from hostile DoWnloadables.
`
`55
`
`2
`security policy may include a default security policy to be
`applied regardless of the client to Whom the DoWnloadable
`is addressed, a speci?c security policy to be applied based on
`the client or the group to Which the client belongs, or a
`speci?c policy to be applied based on the client/group and on
`the particular DoWnloadable received. The system uses an
`ID generator to compute a DoWnloadable ID identifying the
`DoWnloadable, preferably, by fetching all components of the
`DoWnloadable and performing a hashing function on the
`DoWnloadable including the fetched components.
`Further, the security policy may indicate several tests to
`perform, including (1) a comparison With knoWn hostile and
`non-hostile DoWnloadables; (2) a comparison With DoWn
`loadables to be blocked or alloWed per administrative over
`ride; (3) a comparison of the DoWnloadable security pro?le
`data against access control lists; (4) a comparison of a
`certi?cate embodied in the DoWnloadable against trusted
`certi?cates; and (5) a comparison of the URL from Which the
`DoWnloadable originated against trusted and untrusted
`URLs. Based on these tests, a logical engine can determine
`Whether to alloW or block the DoWnloadable.
`The present invention further provides a method for
`protecting a computer from suspicious DoWnloadables. The
`method comprises the steps of receiving a DoWnloadable,
`comparing the DoWnloadable against a security policy to
`determine if the security policy has been violated, and
`discarding the DoWnloadable if the security policy has been
`violated.
`It Will be appreciated that the system and method of the
`present invention may provide computer protection from
`knoWn hostile DoWnloadables. The system and method of
`the present invention may identify DoWnloadables that
`perform operations deemed suspicious. The system and
`method of the present invention may eXamine the DoWn
`loadable code to determine Whether the code contains any
`suspicious operations, and thus may alloW or block the
`DoWnloadable accordingly.
`BRIEF DESCRIPTION OF THE DRAWINGS
`FIG. 1 is a block diagram illustrating a netWork system,
`in accordance With the present invention;
`FIG. 2 is a block diagram illustrating details of the
`internal netWork security system of FIG. 1;
`FIG. 3 is a block diagram illustrating details of the
`security program and the security database of FIG. 2;
`FIG. 4 is a block diagram illustrating details of the
`security policies of FIG. 3;
`FIG. 5 is a block diagram illustrating details of the
`security management console of FIG. 1;
`FIG. 6A is a ?oWchart illustrating a method of eXamining
`for suspicious DoWnloadables, in accordance With the
`present invention;
`FIG. 6B is a ?oWchart illustrating details of the step for
`?nding the appropriate security policy of FIG. 6A;
`FIG. 6C is a ?oWchart illustrating a method for determin
`ing Whether an incoming DoWnloadable is to be deemed
`suspicious;
`FIG. 7 is a ?oWchart illustrating details of the FIG. 6 step
`of decomposing a DoWnloadable; and
`FIG. 8 is a ?oWchart illustrating a method 800 for
`generating a DoWnloadable ID for identifying a DoWnload
`able.
`
`SUMMARY OF THE INVENTION
`The present invention provides a system for protecting a
`netWork from suspicious DoWnloadables. The system com
`prises a security policy, an interface for receiving a
`DoWnloadable, and a comparator, coupled to the interface,
`for applying the security policy to the DoWnloadable to
`determine if the security policy has been violated. The
`DoWnloadable may include a JavaTM applet, an ActiveXTM
`control, a JavaScriptTM script, or a Visual Basic script. The
`
`65
`
`DETAILED DESCRIPTION OF THE
`PREFERRED EMBODIMENT
`FIG. 1 is a block diagram illustrating a netWork system
`100, in accordance With the present invention. The netWork
`
`000013
`
`

`
`3
`system 100 includes an external computer network 105,
`such as the Wide Area Network
`commonly referred
`to as the Internet, coupled via a communications channel
`125 to an internal netWork security system 110. The netWork
`system 100 further includes an internal computer netWork
`115, such as a corporate Local Area Network (LAN),
`coupled via a communications channel 130 to the internal
`netWork computer system 110 and coupled via a communi
`cations channel 135 to a security management console 120.
`The internal netWork security system 110 examines
`DoWnloadables received from external computer netWork
`105, and prevents DoWnloadables deemed suspicious from
`reaching the internal computer netWork 115. It Will be
`further appreciated that a DoWnloadable is deemed suspi
`cious if it performs or may perform any undesirable
`operation, or if it threatens or may threaten the integrity of
`an internal computer netWork 115 component. It is to be
`understood that the term “suspicious” includes hostile,
`potentially hostile, undesirable, potentially undesirable, etc.
`Security management console 120 enables vieWing, modi
`?cation and con?guration of the internal netWork security
`system 110.
`FIG. 2 is a block diagram illustrating details of the
`internal netWork security system 110, Which includes a
`Central Processing Unit (CPU) 205, such as an Intel Pen
`tium® microprocessor or a Motorola PoWer PC®
`microprocessor, coupled to a signal bus 220. The internal
`netWork security system 110 further includes an external
`communications interface 210 coupled betWeen the com
`munications channel 125 and the signal bus 220 for receiv
`ing DoWnloadables from external computer netWork 105,
`and an internal communications interface 225 coupled
`betWeen the signal bus 220 and the communications channel
`130 for forWarding DoWnloadables not deemed suspicious
`to the internal computer netWork 115. The external commu
`nications interface 210 and the internal communications
`interface 225 may be functional components of an integral
`communications interface (not shoWn) for both receiving
`DoWnloadables from the external computer netWork 105 and
`forWarding DoWnloadables to the internal computer netWork
`115.
`Internal netWork security system 110 further includes
`Input/Output (I/O) interfaces 215 (such as a keyboard,
`mouse and Cathode Ray Tube (CRT) display), a data storage
`device 230 such as a magnetic disk, and a Random-Access
`Memory (RAM) 235, each coupled to the signal bus 220.
`The data storage device 230 stores a security database 240,
`Which includes security information for determining
`Whether a received DoWnloadable is to be deemed suspi
`cious. The data storage device 230 further stores a users list
`260 identifying the users Within the internal computer net
`Work 115 Who may receive DoWnloadables, and an event log
`245 Which includes determination results for each DoWn
`loadable examined and runtime indications of the internal
`netWork security system 110. An operating system 250
`controls processing by CPU 205, and is typically stored in
`data storage device 230 and loaded into RAM 235 (as
`illustrated) for execution. A security program 255 controls
`examination of incoming DoWnloadables, and also may be
`stored in data storage device 230 and loaded into RAM 235
`(as illustrated) for execution by CPU 205.
`FIG. 3 is a block diagram illustrating details of the
`security program 255 and the security database 240. The
`security program 255 includes an ID generator 315, a policy
`?nder 317 coupled to the ID generator 315, and a ?rst
`comparator 320 coupled to the policy ?nder 317. The ?rst
`comparator 320 is coupled to a logical engine 333 via four
`
`10
`
`15
`
`25
`
`35
`
`45
`
`55
`
`65
`
`6,092,194
`
`4
`separate paths, namely, via Path 1, via Path 2, via Path 3 and
`via Path 4. Path 1 includes a direct connection from the ?rst
`comparator 320 to the logical engine 333. Path 2 includes a
`code scanner coupled to the ?rst comparator 320, and an
`Access Control List (ACL) comparator 330 coupling the
`code scanner 325 to the logical engine 333. Path 3 includes
`a certi?cate scanner 340 coupled to the ?rst comparator 320,
`and a certi?cate comparator 345 coupling the certi?cate
`scanner 340 to the logical engine 333. Path 4 includes a
`Uniform Resource Locator (URL) comparator 350 coupling
`the ?rst comparator 320 to the logical engine 3330. A
`record-keeping engine 335 is coupled betWeen the logical
`engine 333 and the event log 245.
`The security program 255 operates in conjunction With
`the security database 240, Which includes security policies
`305, knoWn DoWnloadables 307, knoWn Certi?cates 309
`and DoWnloadable Security Pro?le (DSP) data 310 corre
`sponding to the knoWn DoWnloadables 307. Security poli
`cies 305 includes policies speci?c to particular users 260 and
`default (or generic) policies for determining Whether to
`alloW or block an incoming DoWnloadable. These security
`policies 305 may identify speci?c DoWnloadables to block,
`speci?c DoWnloadables to alloW, or necessary criteria for
`alloWing an unknoWn DoWnloadable. Referring to FIG. 4,
`security policies 305 include policy selectors 405, access
`control lists 410, trusted certi?cate lists 415, URL rule bases
`420, and lists 425 of DoWnloadables to alloW or to block per
`administrative override.
`KnoWn DoWnloadables 307 include lists of DoWnload
`ables Which Original Equipment Manufacturers (OEMs)
`knoW to be hostile, of DoWnloadables Which OEMs knoW to
`be non-hostile, and of DoWnloadables previously received
`by this security program 255. DSP data 310 includes the list
`of all potentially hostile or suspicious computer operations
`that may be attempted by each knoWn DoWnloadable 307,
`and may also include the respective arguments of these
`operations. An identi?ed argument of an operation is
`referred to as “resolved.” An unidenti?ed argument is
`referred to as “unresolved.” DSP data 310 is described beloW
`With reference to the code scanner 325.
`The ID generator 315 receives a DoWnloadable (including
`the URL from Which it came and the userID of the intended
`recipient) from the external computer netWork 105 via the
`external communications interface 210, and generates a
`DoWnloadable ID for identifying each DoWnloadable. The
`DoWnloadable ID preferably includes a digital hash of the
`complete DoWnloadable code. The ID generator 315 pref
`erably prefetches all components embodied in or identi?ed
`by the code for DoWnloadable ID generation. For example,
`the ID generator 315 may prefetch all classes embodied in
`or identi?ed by the J avaTM applet bytecode to generate the
`DoWnloadable ID. Similarly, the ID generator 315 may
`retrieve all components listed in the .INF ?le for an
`ActiveXTM control to compute a DoWnloadable ID.
`Accordingly, the DoWnloadable ID for the DoWnloadable
`Will be the same each time the ID generator 315 receives the
`same DoWnloadable. The ID generator 315 adds the gener
`ated DoWnloadable ID to the list of knoWn DoWnloadables
`307 (if it is not already listed). The ID generator 315 then
`forWards the DoWnloadable and DoWnloadable ID to the
`policy ?nder 317.
`The policy ?nder 317 uses the userID of the intended user
`and the DoWnloadable ID to select the speci?c security
`policy 305 that shall be applied on the received DoWnload
`able. If there is a speci?c policy 305 that Was de?ned for the
`user (or for one of its super groups) and the DoWnloadable,
`then the policy is selected. OtherWise the generic policy 305
`
`000014
`
`

`
`6,092,194
`
`5
`that was de?ned for the user (or for one of its super groups)
`is selected. The policy ?nder 317 then sends the policy to the
`?rst comparator 320.
`The ?rst comparator 320 receives the Downloadable, the
`Downloadable ID and the security policy 305 from the
`policy ?nder 317. The ?rst comparator 320 examines the
`security policy 305 to determine which steps are needed for
`allowing the Downloadable. For example, the security
`policy 305 may indicate that, in order to allow this
`Downloadable, it must pass all four paths, Path 1, Path 2,
`Path 3 and Path 4. Alternatively, the security policy 305 may
`indicate that to allow the Downloadable, it must pass only
`one of the paths. The ?rst comparator 320 responds by
`forwarding the proper information to the paths identi?ed by
`the security policy 305.
`Path 1
`In path 1, the ?rst comparator 320 checks the policy
`selector 405 of the security policy 305 that was received
`from the policy ?nder 317. If the policy selector 405 is either
`“Allowed” or “Blocked,” then the ?rst comparator 320
`forwards this result directly to the logical engine 333.
`Otherwise, the ?rst comparator 320 invokes the comparisons
`in path 2 and/or path 3 and/or path 4 based on the contents
`of policy selector 405. It will be appreciated that the ?rst
`comparator 320 itself compares the Downloadable ID
`against the lists of Downloadables to allow or block per
`administrative override 425. That is, the system security
`administrator can de?ne speci?c Downloadables as
`“Allowed” or “Blocked.”
`Alternatively, the logical engine 333 may receive the
`results of each of the paths and based on the policy selector
`405 may institute the ?nal determination whether to allow or
`block the Downloadable. The ?rst comparator 320 informs
`the logical engine 333 of the results of its comparison.
`Path 2
`In path 2, the ?rst comparator 320 delivers the
`Downloadable, the Downloadable ID and the security policy
`305 to the code scanner 325. If the DSP data 310 of the
`received Downloadable is known, the code scanner 325
`retrieves and forwards the information to the ACL compara
`tor 330. Otherwise, the code scanner 325 resolves the DSP
`data 310. That is, the code scanner 325 uses conventional
`parsing techniques to decompose the code (including all
`prefetched components) of the Downloadable into the DSP
`data 310. DSP data 310 includes the list of all potentially
`hostile or suspicious computer operations that may be
`attempted by a speci?c Downloadable 307, and may also
`include the respective arguments of these operations. For
`example, DSP data 310 may include a READ from a speci?c
`?le, a SEND to an unresolved host, etc. The code scanner
`325 may generate the DSP data 310 as a list of all operations
`in the Downloadable code which could ever be deemed
`potentially hostile and a list of all ?les to be accessed by the
`Downloadable code. It will be appreciated that the code
`scanner 325 may search the code for any pattern, which is
`undesirable or suggests that the code was written by a
`hacker.
`An Example List of Operations Deemed Potentially Hostile
`File operations: READ a ?le, WRITE a ?le;
`Network operations: LISTEN on a socket, CONNECT to
`a socket, SEND data, RECEIVE data, VIEW INTRA
`NET;
`Registry operations: READ a registry item, WRITE a
`registry item;
`Operating system operations: EXIT WINDOWS, EXIT
`BROWSER, START PROCESS/THREAD, KILL
`
`15
`
`25
`
`35
`
`45
`
`55
`
`65
`
`6
`PROCESS/THREAD, CHANGE PROCESS/
`THREAD PRIORITY, DYNAMICALLY LOAD A
`CLASS/LIBRARY, etc.; and
`Resource usage thresholds: memory, CPU, graphics, etc.
`In the preferred embodiment, the code scanner 325 performs
`a full-content inspection. However, for improved speed but
`reduced security, the code scanner 325 may examine only a
`portion of the Downloadable such as the Downloadable
`header. The code scanner 325 then stores the DSP data into
`DSP data 310 (corresponding to its Downloadable ID), and
`sends the Downloadable, the DSP data to the ACL com
`parator 330 for comparison with the security policy 305.
`The ACL comparator 330 receives the Downloadable, the
`corresponding DSP data and the security policy 305 from the
`code scanner 325, and compares the DSP data against the
`security policy 305. That is, the ACL comparator 330
`compares the DSP data of the received Downloadable
`against the access control lists 410 in the received security
`policy 305. The access control list 410 contains criteria
`indicating whether to pass or fail the Downloadable. For
`example, an access control list may indicate that the Down
`loadable fails if the DSP data includes a WRITE command
`to a system ?le. The ACL comparator 330 sends its results
`to the logical engine 333.
`Path 3
`In path 3, the certi?cate scanner 340 determines whether
`the received Downloadable was signed by a certi?cate
`authority, such as VeriSign, Inc., and scans for a certi?cate
`embodied in the Downloadable. The certi?cate scanner 340
`forwards the found certi?cate to the certi?cate comparator
`345. The certi?cate comparator 345 retrieves known certi?
`cates 309 that were deemed trustworthy by the security
`administrator and compares the found certi?cate with the
`known certi?cates 309 to determine whether the Download
`able was signed by a trusted certi?cate. The certi?cate
`comparator 345 sends the results to the logical engine 333.
`Path 4
`In path 4, the URL comparator 350 examines the URL
`identifying the source of the Downloadable against URLs
`stored in the URL rule base 420 to determine whether the
`Downloadable comes from a trusted source. Based on the
`security policy 305, the URL comparator 350 may deem the
`Downloadable suspicious if the Downloadable comes from
`an untrustworthy source or if the Downloadable did not
`come from a trusted source. For example, if the Download
`able comes from a known hacker, then the Downloadable
`may be deemed suspicious and presumed hostile. The URL
`comparator 350 sends its results to the logical engine 333.
`The logical engine 333 examines the results of each of the
`paths and the policy selector 405 in the security policy 305
`to determine whether to allow or block the Downloadable.
`The policy selector 405 includes a logical expression of the
`results received from each of the paths. For example, the
`logical engine 333 may block a Downloadable if it fails any
`one of the paths, i.e., if the Downloadable is known hostile
`(Path 1), if the Downloadable may request suspicious opera
`tions (Path 2), if the Downloadable was not signed by a
`trusted certi?cate authority (Path 3), or if the Downloadable
`came from an untrustworthy source (Path 4). The logical
`engine 333 may apply other logical expressions according to
`the policy selector 405 embodied in the security policy 305.
`If the policy selector 405 indicates that the Downloadable
`may pass, then the logical engine 333 passes the Download
`able to its intended recipient. Otherwise, if the policy
`selector 405 indicates that the Downloadable should be
`blocked, then the logical engine 333 forwards a non-hostile
`Downloadable to the intended recipient to inform the user
`
`000015
`
`

`
`6,092,194
`
`7
`that internal network security system 110 discarded the
`original DoWnloadable. Further, the logical engine 333
`forwards a status report to the record-keeping engine 335,
`Which stores the reports in event log 245 in the data storage
`device 230 for subsequent revieW, for example, by the MIS
`director.
`FIG. 5 is a block diagram illustrating details of the
`security management console 120, Which includes a security
`policy editor 505 coupled to the communications channel
`135, an event log analysis engine 510 coupled betWeen
`communications channel 135 and a user noti?cation engine
`515, and a DoWnloadable database revieW engine 520
`coupled to the communications channel 135. The security
`management console 120 further includes computer com
`ponents similar to the computer components illustrated in
`FIG. 2.
`The security policy editor 505 uses an I/O interface
`similar to I/O interface 215 for enabling authoriZed user
`modi?cation of the security policies 305. That is, the secu
`rity policy editor 505 enables the authoriZed user to modify
`speci?c security policies 305 corresponding to the users 260,
`the default or generic security policy 305, the DoWnload
`ables to block per administrative override, the DoWnload
`ables to alloW per administrative override, the trusted cer
`ti?cate lists 415, the policy selectors 405, the access control
`lists 410, the URLs in the URL rule bases 420, etc. For
`example, if the authoriZed user learns of a neW hostile
`DoWnloadable, then the user can add the DoWnloadable to
`the DoWnloadables to block per system override.
`The event log analysis engine 510 examines the status
`reports contained in the event log 245 stored in the data
`storage device 230. The event log analysis engine 510
`determines Whether noti?cation of the user (e.g., the security
`system manager or MIS director) is Warranted. For example,
`the event log an