`(12) United States Patent
`Touboul
`
`(10) Patent No.: US 6,480,962 B1
`(45) Date of Patent: *Nov. 12, 2002
`
`US006480962B1
`
`(54) SYSTEM AND METHOD FOR PROTECTING A CLIENT DURING RUNTIME FROM HOSTILE DOWNLOADABLES
`
`(75) Inventor: Shlomo Touboul, Kefar-Haim (IL)
`
`(73) Assignee: Finjan Software, Ltd., Kefar-Haim (IL)
`
`(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35
`U.S.C. 154(b) by 0 days.
`
`This patent is subject to a terminal disclaimer.
`
`(21) Appl. No.: 09/551,302
`(22) Filed: Apr. 18, 2000
`
`Related U.S. Application Data
`
`(63) Continuation of application No. 08/790,097, filed on Jan. 29, 1997.
`(60) Provisional application No. 60/030,639, filed on Nov. 8, 1996.
`
`(51) Int. Cl.7: H02H 3/05
`(52) U.S. Cl.: 713/200; 713/201
`(58) Field of Search: 713/200, 201, 713/202; 714/38, 704; 709/225, 229
`
`Primary Examiner—Dieu-Minh Le
`(74) Attorney, Agent, or Firm—Squire, Sanders &
`Dempsey, L.L.P.
`
`(57) ABSTRACT
`
`A system protects a client from hostile Downloadables. The system includes security rules defining
`suspicious actions and security policies defining the appropriate responsive actions to rule
`violations. The system includes an interface for receiving incoming Downloadable and requests made
`by the Downloadable. The system still further includes a comparator coupled to the interface for
`examining the Downloadable, requests made by the Downloadable and runtime events to determine
`whether a security policy has been violated, and a response engine coupled to the comparator for
`performing a violation-based responsive action.
`
`51 Claims, 7 Drawing Sheets
`
`000001
`
`Symantec 1009
`IPR of U.S. Pat. No. 8,677,494
`
`

`
`U.S. Patent    Nov. 12, 2002    US 6,480,962 B1
`
`[Drawing Sheet 1 of 7: figure not recoverable from the extracted text]
`[Drawing Sheet 2 of 7: figure not recoverable from the extracted text]
`[Drawing Sheet 3 of 7: figure not recoverable from the extracted text]
`[Drawing Sheet 4 of 7: figure not recoverable from the extracted text]
`
`[Drawing Sheet 5 of 7: FIG. 5, flowchart. Box labels recovered from the drawing:]
`500 START
`505 RECOGNIZE RECEIPT OF A REQUEST MADE BY A DOWNLOADABLE
`INTERRUPT PROCESSING OF THE REQUEST
`508 FORWARD A MESSAGE IDENTIFYING THE DOWNLOADABLE TO THE EVENT ROUTER
`510 INFORM USER
`515 LOG EVENTS
`520 ARE ANY INCOMING DOWNLOADABLES KNOWN TO BE SUSPICIOUS? (YES)
`THE EXECUTING DOWNLOADABLES IN [remainder of box text lost] (YES)
`MANAGE THE SUSPICIOUS DOWNLOADABLE
`535 END? (NO / YES)
`540 RESUME OPERATION OF THE DOWNLOADABLE
`
`[Drawing Sheet 6 of 7: FIG. 6, flowchart of step 530. Box labels recovered from the drawing:]
`610 COMPILE ALL CURRENT RULE VIOLATIONS
`620 COMPILE RULE VIOLATIONS WITH SECURITY POLICIES
`630 PERFORM A PREDETERMINED RESPONSE ACTION BASED ON THE COMPARISON
`END
`
`[Drawing Sheet 7 of 7: FIG. 7, flowchart, method 700. Box labels recovered from the drawing:]
`705 MONITOR OPERATING SYSTEM FOR ALL OS REQUESTS
`715 INTERRUPT OS REQUEST
`720 FORWARD INFORMATION ON OS REQUEST TO THE EVENT ROUTER
`IS OS REQUEST SUSPICIOUS? (NO / YES)
`730 RESUME OS REQUEST
`735 MANAGE THE SUSPICIOUS DOWNLOADABLE
`740 (YES)
`
`SYSTEM AND METHOD FOR PROTECTING A CLIENT DURING RUNTIME FROM HOSTILE DOWNLOADABLES
`
`CROSS-REFERENCE TO RELATED APPLICATIONS
`
`This application is related to co-pending provisional patent application filed on Nov. 8, 1996,
`entitled “System and Method for Protecting a Computer from Hostile Downloadables,” Ser. No.
`60/030,639, by inventor Shlomo Touboul, and is a continuation of U.S. patent application filed on
`Jan. 29, 1997, entitled “System and Method for Protecting a Computer During Runtime From Hostile
`Downloadables,” Ser. No. 08/790,097, by inventor Shlomo Touboul, which subject matters are hereby
`incorporated by reference herein.
`
`BACKGROUND OF THE INVENTION
`
`1. Field of the Invention
`
`This invention relates generally to computer networks, and more particularly to a system and method
`for protecting clients from hostile Downloadables.
`
`2. Description of the Background Art
`
`The Internet currently interconnects about 100,000 individual computer networks and several million
`computers. Because it is public, the Internet has become a major source of many system damaging and
`system fatal application programs, commonly referred to as “viruses.”
`
`In response to the widespread generation and distribution of computer viruses, programmers continue
`to design and update security systems for blocking these viruses from attacking both individual and
`network computers. For the most part, these security systems have been relatively successful.
`However, these security systems are typically not configured to recognize computer viruses which
`have been attached to or masked as harmless Downloadables (i.e., applets). A Downloadable is a small
`executable or interpretable application program which is downloaded from a source computer and run
`on a destination computer. A Downloadable is used in a distributed environment such as in the Java™
`distributed environment produced by Sun Microsystems or in the ActiveX™ distributed environment
`produced by Microsoft Corporation.
`
`Hackers have developed hostile Downloadables designed to penetrate security holes in Downloadable
`interpreters. In response, Sun Microsystems, Inc. has developed a method of restricting Downloadable
`access to resources (file system resources, operating system resources, etc.) on the destination
`computer, which effectively limits Downloadable functionality at the Java™ interpreter. Sun
`Microsystems, Inc. has also provided access control management for basing Downloadable-accessible
`resources on Downloadable type. However, the above approaches are difficult for the ordinary web
`surfer to manage, severely limit Java™ performance and functionality, and insufficiently protect
`the destination computer.
`
`Other security system designers are currently considering digital signature registration stamp
`techniques, wherein, before a web browser will execute a Downloadable, the Downloadable must possess
`a digital signature registration stamp. Although a digital signature registration stamp will
`diminish the threat of Downloadables being intercepted, exchanged or corrupted, this approach only
`partially addresses the problem. This method does not stop a hostile Downloadable from being stamped
`with a digital signature, and a digital signature does not guarantee that a Downloadable is
`harmless. Therefore, a system and method are needed for protecting clients from hostile
`Downloadables.
`
`SUMMARY OF THE INVENTION
`
`The present invention provides a system for protecting a client from hostile Downloadables. The
`system includes security rules defining suspicious actions such as WRITE operations to a system
`configuration file, overuse of system memory, overuse of system processor time, etc. and security
`policies defining the appropriate responsive actions to rule violations such as terminating the
`applet, limiting the memory or processor time available to the applet, etc. The system includes an
`interface, such as Java™ class extensions and operating system probes, for receiving incoming
`Downloadable and requests made by the Downloadable. The system still further includes a comparator
`coupled to the interface for examining the Downloadable, requests made by the Downloadable and
`runtime events to determine whether a security policy has been violated, and a response engine
`coupled to the comparator for performing the violation-based responsive action.
`
`The present invention further provides a method for protecting a client from hostile Downloadables.
`The method includes the steps of recognizing a request made by a Downloadable during runtime,
`interrupting processing of the request, comparing information pertaining to the Downloadable against
`a predetermined security policy, recording all rule violations in a log, and performing a
`predetermined responsive action based on the comparison.
`
`It will be appreciated that the system and method of the present invention use at least three
`hierarchical levels of security. A first level examines the incoming Downloadables against known
`suspicious Downloadables. A second level examines runtime events. A third level examines the
`Downloadables operating system requests against predetermined suspicious actions. Thus, the system
`and method of the invention are better able to locate hostile operations before client resources
`are damaged.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`FIG. 1 is a block diagram illustrating a network system in accordance with the present invention;
`FIG. 2 is a block diagram illustrating details of the client;
`FIG. 3 is a block diagram illustrating details of a security system;
`FIG. 4 is a block diagram illustrating details of an alternative security system;
`FIG. 5 is a flowchart illustrating a method for protecting a client from suspicious Downloadables;
`FIG. 6 is a flowchart illustrating the method for managing a suspicious Downloadable; and
`FIG. 7 is a flowchart illustrating a supplementary method for protecting a client from suspicious
`Downloadables.
`
`DETAILED DESCRIPTION OF THE
`PREFERRED EMBODIMENT
`
`FIG. 1 is a block diagram illustrating a network system 100 in accordance with the present
`invention. Network system 100 includes a server 110 coupled to a communications channel 120, e.g.,
`an Internet or an Intranet. The communications channel 120 is in turn coupled to a client 130, e.g.,
`an individual computer, a network computer, a kiosk workstation, etc., which includes a security
`system 135 for protecting the client 130 from hostile (i.e., will adversely affect the operational
`characteristics of the client 130) or suspicious (i.e., potentially hostile) Downloadables.
`
`Server 110 forwards a Downloadable 140 across the communications channel 120 to the client 130.
`During runtime, the security system 135 examines each Downloadable 140 and the actions of each
`Downloadable 140 to monitor for hostile or suspicious actions.
`
`FIG. 2 is a block diagram illustrating details of a client 130, which includes a Central Processing
`Unit (CPU) 205, such as a Motorola Power PC® microprocessor or an Intel Pentium® microprocessor,
`coupled to a signal bus 220. The client 130 further includes an input device 210 such as a keyboard
`and mouse, an output device 215 such as a Cathode Ray Tube (CRT) display, a data storage device 230
`such as Read Only Memory (ROM) or magnetic disk, and a Random-Access Memory (RAM) 235, each being
`coupled to signal bus 220. A communications interface 225 is coupled between the communications
`channel 120 and the signal bus 220.
`
`An operating system 260 controls processing by CPU 205, and is typically stored in data storage
`device 230 and loaded into RAM 235 for execution. The operating system 260 includes a file
`management system 265, a network management system 270, a process system 275 for controlling CPU
`205, and a memory management system 280 for controlling memory use and allocation. A communications
`engine 240 generates and transfers message packets to and from the communications channel 140 via
`the communications interface 225, and may also be stored in data storage device 230 and loaded into
`RAM 235 for execution.
`
`The client 130 further includes a web browser 245, such as the Netscape™ web browser produced by the
`Netscape Corporation, the Internet Explorer™ web browser produced by the Microsoft Corporation, or
`the Java™ Developers Kit 1.0 web browser produced by Sun Microsystems, Inc., for communicating via
`the communications channel 120. The web browser 245 includes a Downloadable engine 250 for managing
`and executing received Downloadables 140.
`
`The client 130 further includes the security system 135 as described with reference to FIG. 1. The
`security system 135 may be stored in data storage device 230 and loaded into RAM 235 for execution.
`During runtime, the security system 135 intercepts and examines Downloadables 140 and the actions of
`Downloadables 140 to monitor for hostile or suspicious actions. If the security system 135
`recognizes a suspicious Downloadable 140 or a suspicious request, then the security system 135 can
`perform an appropriate responsive action such as terminating execution of the Downloadable 140.
`
`FIG. 3 is a block diagram illustrating details of the security system 135a, which is a first
`embodiment of security system 135 of FIG. 2 when operating in conjunction with a Java™ virtual
`machine 250 (i.e., the Downloadable engine 250) that includes conventional Java™ classes 302. Each
`of the Java™ classes 302 performs a particular service such as loading applets, managing the
`network, managing file access, etc. Although applets are typically described with reference to the
`Java™ distributed environment, applets herein correspond to all downloadable executable or
`interpretable programs for use in any distributed environment such as in the ActiveX™ distributed
`environment.
`
`Examples of Java™ classes used in Netscape Navigator™ include AppletSecurity.class,
`EmbeddedAppletFrame.class, AppletClassLoader.class, MozillaAppletContext.class, ServerSocket.class,
`SecurityException.class and SecurityManager.class, etc. Examples of Java™ classes used in Internet
`Explorer™ include AppletSecurity.class, BrowserAppletFrame.class, AppletClassLoader.class,
`ServerSocket.class, SecurityException.class and SecurityManager.class, etc. Other classes may
`include Broker.class, BCInterface.class, SocketConnection.class, queueManager.class,
`BrowserExtension.class, Message.class, MemoryMeter.class and AppletDescription.class.
`
`The security system 135a includes Java™ class extensions 304, wherein each extension 304 manages a
`respective one of the Java™ classes 302. When a new applet requests the service of a Java class 302,
`the corresponding Java™ class extension 304 interrupts the request and generates a message to notify
`the request broker 306 of the Downloadable's request. The request broker 306 uses TCP/IP message
`passing protocol to forward the message to the event router 308.
`
`The security system 135a further includes operating system probes 310, 312, 314 and 316. More
`particularly, a file management system probe 310 recognizes applet instructions sent to the file
`system 265 of operating system 260, a network system probe 312 recognizes applet instructions sent
`to the network management system 270 of operating system 260, a process system probe 314 recognizes
`applet instructions sent to the process system 275 of operating system 260, and a memory management
`system probe 316 recognizes applet instructions sent to the memory system 280 of operating system
`260. When any of the probes 310-316 recognizes an applet instruction, the recognizing probe 310-316
`sends a message to inform the event router 308.
`
`Upon receipt of a message, the event router 308 accordingly forwards the message to a Graphical User
`Interface (GUI) 324 for notifying the user of the request, to an event log 322 for recording the
`message for subsequent analysis, and to a runtime environment monitor 320 for determining whether
`the request violates a security rule 330 stored in a security database 326. Security rules 330
`include a list of computer operations which are deemed suspicious. Suspicious operations may include
`READ/WRITE operations to a system configuration file, READ/WRITE operations to a document containing
`trade secrets, overuse of system memory, overuse of system processor time, too many applets running
`concurrently, or too many images being displayed concurrently. For example, the runtime environment
`monitor 320 may determine that a security rule 330 has been violated when it determines that an
`applet uses more than two megabytes of RAM 235 or when the Java™ virtual machine 250 runs more than
`five applets concurrently.
`
`Upon recognition of a security rule 330 violation, the runtime environment monitor 320 records the
`violation with the event log 322, informs the user of the violation via the GUI 324 and forwards a
`message to inform the response engine 318 of the violation. The response engine 318 analyzes
`security policies 332 stored in the security database 326 to determine the appropriate responsive
`action to the rule 330 violation. Appropriate responsive actions may include terminating the applet,
`limiting the memory or processor time available to the applet, etc. For example, the response engine
`318 may determine that a security policy 332 dictates that when more than five applets are executed
`concurrently, operation of the applet using the greatest amount of RAM 235 should be terminated.
`Further, a security policy 332 may dictate that when an applet or a combination of applets violates
`a security policy 332, the response engine 318 must add information pertaining to the applet or
`applets to the suspicious Downloadables database 328. Thus, when the applet or applets are
`encountered again, the response engine 318 can stop them earlier.
`
`The GUI 324 enables a user to add or modify the rules 330 of the security database 326, the policies
`332 of the security database 326 and the suspicious applets of the suspicious Downloadables database
`328. For example, a user can use the GUI 324 to add to the suspicious Downloadables database 328
`applets generally known to be hostile, applets deemed to be hostile by the other clients 130 (not
`shown), applets deemed to be hostile by network MIS managers, etc. Further, a user can use the GUI
`324 to add to the rules 330 actions generally known to be hostile, actions deemed to be hostile by
`network MIS managers, etc.
`
`It will be appreciated that the embodiment illustrated in FIG. 3 includes three levels of security.
`The first level examines the incoming Downloadables 140 against known suspicious Downloadables. The
`second level examines the Downloadables' access to the Java™ classes 302. The third level examines
`the Downloadables requests to the operating system 260. Thus, the security system 135a is better apt
`to locate a hostile operation before an operation damages client 130 resources.
`
`FIG. 4 is a block diagram illustrating details of a security system 135b, which is a second
`embodiment of security system 135 when operating in conjunction with the ActiveX™ platform (i.e.,
`the Downloadable engine 250) which uses message 401 calls, Dynamic-Data-Exchange (DDE) 402 calls and
`Dynamically-Linked-Library (DLL) 403 calls. Thus, instead of having Java™ class extensions 304, the
`security system 135 has a messages extension 401 for recognizing message 401 calls, a DDE extension
`405 for recognizing DDE 402 calls and a DLL extension 406 for recognizing DLL calls. Upon
`recognition of a call, each of the messages extension 404, the DDE extension 405 and the DLL
`extension 406 send a message to inform the request broker 306. The request broker 306 and the
`remaining elements operate similarly to the elements described with reference to FIG. 3.
`
`FIG. 5 is a flowchart illustrating a method 500 for protecting a client 130 from hostile and
`suspicious Downloadables 140. Method 500 begins with the extensions 304, 404, 405 or 406 in step 505
`waiting to recognize the receipt of a request made by a Downloadable 140. Upon recognition of a
`request, the recognizing extension 304, 404, 405 or 406 in step 506 interrupts processing of the
`request and in step 508 generates and forwards a message identifying the incoming Downloadable 140
`to the request broker 306, which forwards the message to the event router 308.
`
`The event router 308 in step 510 forwards the message to the GUI 324 for informing the user and in
`step 515 to the event log 322 for recording the event. Further, the event router 308 in step 520
`determines whether any of the incoming Downloadables 140 either alone or in combination are known or
`previously determined to be suspicious. If so, then method 500 jumps to step 530. Otherwise, the
`runtime environment monitor 320 and the response engine 318 in step 525 determine whether any of the
`executing Downloadables 140 either alone or in combination violate a security rule 330 stored in the
`security database 332.
`
`If a rule 330 has been violated, then the response engine 318 in step 530 manages the suspicious
`Downloadable 140. Step 530 is described in greater detail with reference to FIG. 6. Otherwise, if a
`policy has not been violated, then response engine 318 in step 540 resumes operation of the
`Downloadable 140. In step 535, a determination is made whether to end method 500. For example, if
`the user disconnects the client 130 from the server 110, method 500 ends. If a request to end is
`made, then method 500 ends. Otherwise, method 500 returns to step 505.
`
`FIG. 6 is a flowchart illustrating details of step 530. Since multiple rule 330 violations may
`amount to a more serious violation and thus require a stricter response by the response engine 318,
`step 530 begins with the response engine 318 in step 610 compiling all rule 330 violations currently
`occurring. The response engine 318 in step 620 compares the compiled rule 330 violations with the
`security policies 332 to determine the appropriate responsive action for managing the suspicious
`Downloadable 140 or Downloadables 140, and in step 630 the response engine 318 performs a
`predetermined responsive action. Predetermined responsive actions may include sending a message via
`the GUI 324 to inform the user, recording the message in the event log 322, stopping execution of a
`suspicious Downloadable 140, storing a Downloadable 140 or combination of Downloadables 140 in the
`suspicious Downloadable database 328, limiting memory available to the Downloadable 140, limiting
`processor time available to the Downloadable 140, etc.
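
The decision flow of FIGS. 5 and 6, as an added Python model that is not part of the patent or of any Finjan product. The two-megabyte and five-applet thresholds and the terminate-the-heaviest policy are the patent's own examples; the applet names, the file name `system.cfg`, the action strings and the escalation after a second recorded violation are assumptions made for this example.

```python
from dataclasses import dataclass, field

MB = 1024 * 1024


@dataclass(frozen=True)
class Request:
    applet: str       # constructed Downloadable identifier
    op: str           # "start", "alloc" or "write"
    target: str = ""  # file name, for "write"
    size: int = 0     # bytes requested, for "alloc"


@dataclass
class SecuritySystem:
    # Security rules 330. Thresholds follow the patent's examples;
    # the protected file name is a constructed placeholder.
    protected_files: frozenset = frozenset({"system.cfg"})
    max_ram: int = 2 * MB
    max_applets: int = 5
    ram: dict = field(default_factory=dict)          # running applet -> bytes held
    history: dict = field(default_factory=dict)      # applet -> violations so far
    suspicious_db: set = field(default_factory=set)  # suspicious Downloadables database 328
    event_log: list = field(default_factory=list)    # event log 322

    def check_rules(self, req):
        """Runtime environment monitor 320: rules this request would break."""
        found = []
        if req.op == "write" and req.target in self.protected_files:
            found.append("write_protected_file")
        if req.op == "alloc" and self.ram.get(req.applet, 0) + req.size > self.max_ram:
            found.append("ram_over_limit")
        if (req.op == "start" and req.applet not in self.ram
                and len(self.ram) >= self.max_applets):
            found.append("too_many_applets")
        return found

    def terminate(self, applet, remember=False):
        self.ram.pop(applet, None)
        if remember:
            self.suspicious_db.add(applet)

    def respond(self, req, found):
        """Response engine 318: compile (610), compare with policy (620), act (630)."""
        compiled = self.history.setdefault(req.applet, [])
        compiled.extend(found)
        # Assumed policy: a protected-file write, or a second violation by the
        # same applet, earns the stricter response.
        if "write_protected_file" in found or len(compiled) >= 2:
            self.terminate(req.applet, remember=True)
            return "terminate_and_record"
        if "too_many_applets" in found:
            # Patent's example policy: stop the applet holding the most RAM.
            heaviest = max(self.ram, key=self.ram.get)
            self.terminate(heaviest)
            self.ram[req.applet] = 0
            return "terminate_heaviest:" + heaviest
        return "deny_allocation"  # ram_over_limit: memory stays capped

    def resume(self, req):
        """Step 540: let the interrupted request take effect."""
        if req.op == "start":
            self.ram.setdefault(req.applet, 0)
        elif req.op == "alloc":
            self.ram[req.applet] = self.ram.get(req.applet, 0) + req.size

    def handle(self, req):
        """The request arrives already interrupted (506); decide its fate."""
        if req.applet in self.suspicious_db:       # step 520: known suspicious
            self.terminate(req.applet)
            action = "terminate_known_suspicious"
        else:
            found = self.check_rules(req)          # step 525
            if found:
                action = self.respond(req, found)  # step 530
            else:
                self.resume(req)
                action = "resume"
        self.event_log.append((req.applet, req.op, action))  # step 515
        return action


def demo():
    """Run a constructed request sequence and return (system, actions)."""
    s = SecuritySystem()
    reqs = [Request(f"applet{i}", "start") for i in range(5)]
    reqs += [
        Request("applet3", "alloc", size=1 * MB),          # within limits
        Request("applet5", "start"),                       # sixth applet
        Request("applet1", "alloc", size=3 * MB),          # over 2 MB
        Request("applet2", "write", target="system.cfg"),  # protected file
        Request("applet2", "start"),                       # seen before
        Request("applet1", "alloc", size=3 * MB),          # second violation
    ]
    return s, [s.handle(r) for r in reqs]


if __name__ == "__main__":
    for entry in demo()[0].event_log:
        print(entry)
```

The second request from `applet2` is stopped at the step 520 lookup without any rule evaluation, which is the "stop them earlier" effect the description attributes to the suspicious Downloadables database 328.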
`
`FIG. 7 is a flowchart illustrating a supplementary method 700 for protecting a client 130 from
`suspicious Downloadables 140. Method 700 begins with operating system probes 310, 312, 314 and 316
`in step 705 monitoring the operating system 260 for Operating System (OS) requests from
`Downloadables 140. As illustrated by step 710, when one of the probes 310-316 recognizes receipt of
`an OS request, the recognizing probe 310-316 in step 715 interrupts the request and in step 720
`forwards a message to inform the event router 308.
`
`The event router 308 in step 725 routes the information to each of the components of the security
`engine 135 as described with reference to FIG. 5. That is, the event router 308 forwards the
`information to the GUI 324 for informing the user, to the event log 322 for recordation and to the
`runtime environment monitor 320 for determining if the OS request violates a rule 330. The response
`engine 318 compares the OS request alone or in combination with other violations against security
`policies 332 to determine the appropriate responsive actions. It will be appreciated that, based on
`the security policies 332, the response engine 318 may determine that an OS request violation in
`combination with other OS request violations, in combination with rule 330 violations, or in
`combination with both other OS request violations and rule 330 violations merits a stricter
`responsive action.
`
`If the OS request does not violate a security rule 330, then the response engine 318 in step 730
`instructs the operating system 260 via the recognizing probe 310-316 to resume operation of the OS
`request. Otherwise, if the OS request violates a security rule 330, then the response engine 318 in
`step 730 manages the suspicious Downloadable by performing the appropriate predetermined responsive
`actions as described with reference to FIGS. 5 and 6. In step 740, a determination is made whether
`to end method 700. If a request to end the method is made, then method 700 ends. Otherwise, method
`700 returns to step 705.
`
`The foregoing description of the preferred embodiments of the invention is by way of example only,
`and other variations of the above-described embodiments and methods are provided by the present
`invention. For example, although the invention has been described in a system for protecting an
`internal computer network, the invention can be embodied in a system for protecting an individual
`computer. Components of this invention may be implemented using a programmed general purpose digital
`computer, using application specific integrated circuits, or using a network of interconnected
`conventional components and circuits. The embodiments described herein have been presented for
`purposes of illustration and are not intended to be exhaustive or limiting. Many variations and
`modifications are possible in light of the foregoing teaching. The system is limited only by the
`following claims.
`
`What is claimed is:
`1. A computer-based method, comprising:
`monitoring substantially in parallel a plurality of subsystems of the operating system during
`runtime for an event caused from a request made by a Downloadable;
`interrupting processing of the request;
`comparing information pertaining to the Downloadable against a predetermined security policy; and
`performing a predetermined responsive action based on the comparison.
`2. The method of claim 1, wherein monitoring the operating system includes monitoring a request sent
`to a Downloadable engine.
`3. The method of claim 2,
`wherein the Downloadable engine includes a Java™ virtual machine having Java™ classes; and
`wherein monitoring the operating system includes monitoring each Java™ class for receipt of the
`request.
`4. The method of claim 2,
`wherein the Downloadable engine includes an AppletX™ platform having a message engine, a
`dynamic-data-exchange and a dynamically-linked library; and
`wherein monitoring the operating system includes monitoring the message engine, the
`dynamic-data-exchange and the dynamically-linked library for receipt of the request.
`5. The method of claim 1, further comprising determining whether information pertaining to the
`Downloadable violates a security rule.
`6. The method of claim 5, further comprising determining whether violation of the security rule
`violates the security policy.
`7. The method of claim 1, further comprising:
`comparing information pertaining to the Downloadable with information pertaining to a predetermined
`suspicious Downloadable; and
`performing a predetermined responsive action based on the comparison with the information pertaining
`to the predetermined suspicious Downloadable.
`8. The method of claim 1, wherein the predetermined responsive action includes storing results of
`the comparison in an event log.
`9. The method of claim 1, wherein the predetermined responsive action includes informing the user
`when the security policy has been violated.
`10. The method of claim 1, wherein the predetermined responsive action includes storing information
`on the Downloadable in a suspicious Downloadable database.
`11. The method of claim 1, wherein the predetermined responsive action includes discarding the
`Downloadable.
`12. A system, comprising:
`a security policy;
`a plurality of operating system interfaces operating substantially in parallel, each interface for
`recognizing a runtime event in a subsystem of the operating system caused from a request made by a
`Downloadable;
`a first comparator coupled to the interfaces for comparing information pertaining to the received
`Downloadable with the security policy; and
`a respon
