United States Patent [19]
Touboul et al.

US006154844A
[11] Patent Number: 6,154,844
[45] Date of Patent: Nov. 28, 2000

[54] SYSTEM AND METHOD FOR ATTACHING A DOWNLOADABLE SECURITY PROFILE TO A DOWNLOADABLE

[75] Inventors: Shlomo Touboul, Kefar-Haim; Nachshon Gal, Tel-Aviv, both of Israel

[73] Assignee: Finjan Software, Ltd., San Jose, Calif.

[21] Appl. No.: 08/995,648
[22] Filed: Dec. 22, 1997

Related U.S. Application Data
[60] Provisional application No. 60/030,639, Nov. 8, 1996.

[51] Int. Cl.7: H04L 9/36
[52] U.S. Cl.: 713/201; 714/38; 713/164
[58] Field of Search: 713/201, 200, 202, 164, 165, 166, 167, 176; 714/38, 704, 207, 33; 709/229; 380/4, 25, 24; 705/51, 54, 55

Primary Examiner: Robert W. Beausoliel, Jr.
Assistant Examiner: Christopher A. Revak
Attorney, Agent, or Firm: Squire, Sanders & Dempsey, L.L.P.

[57] ABSTRACT

A system comprises an inspector and a protection engine. The inspector includes a content inspection engine that uses a set of rules to generate a Downloadable security profile corresponding to a Downloadable, e.g., Java™ applets, ActiveX™ controls, JavaScript™ scripts, or Visual Basic scripts. The content inspection engine links the Downloadable security profile to the Downloadable. The set of rules may include a list of suspicious operations, or a list of suspicious code patterns. The first content inspection engine may link to the Downloadable a certificate that identifies the content inspection engine which created the Downloadable security profile. Additional content inspection engines may generate and link additional Downloadable security profiles to the Downloadable. Each additional Downloadable security profile may also include a certificate that identifies its creating content inspection engine. Each content inspection engine preferably creates a Downloadable ID that identifies the Downloadable to which the Downloadable security profile corresponds. The protection includes a Downloadable interceptor for receiving a Downloadable, a file reader coupled to the interceptor for determining whether the Downloadable includes a Downloadable security profile, an engine coupled to the file reader for determining whether to trust the Downloadable security profile, and a security policy analysis engine coupled to the verification engine for comparing the Downloadable security profile against a security policy if the engine determines that the Downloadable security profile is trustworthy. A Downloadable ID verification engine retrieves the Downloadable ID that identifies the Downloadable to which the Downloadable security profile corresponds, generates the Downloadable ID for the Downloadable and compares the generated Downloadable to the linked Downloadable. The protection engine further includes a certificate authenticator for authenticating the certificate that identifies a content inspection engine which created the Downloadable security profile as from a trusted source. The certificate authenticator can also authenticate a certificate that identifies a developer that created the Downloadable.

44 Claims, 7 Drawing Sheets

[Front-page drawing: block diagram showing the developer, the inspector, the external computer network, the network gateway, the internal computer network and the computer client; see FIG. 1.]

Symantec 1016
IPR of U.S. Pat. No. 8,677,494

Drawing sheets 1 to 7 (U.S. Patent 6,154,844, Nov. 28, 2000)

[FIG. 1, Sheet 1 of 7: block diagram of network system 100. Developer 120 (Downloadable development engine 140, developer certificate 155, signed Downloadable 150); inspector 125 (content inspection engine 160, rules base 165, signed inspected Downloadable 195, inspector certificate 170); web server 185 (web page data 190); external computer network 105; network gateway 110 (network protection engine 135); internal computer network 115; computer client 130 (web client 175, computer protection engine 180).]

[Sheets 2 and 3 of 7: drawing text not recoverable.]

[FIG. 5, Sheet 4 of 7: block diagram 500. Downloadable file interceptor 505; file reader 510; certificate authenticator 515; Downloadable ID verification engine 520; content inspection engine 525; local security policy analysis engine 530; local security policies 535; re-transmission engine 540.]

[FIG. 6, Sheet 5 of 7: flowchart 600. Start; obtain uninspected Downloadable; include all components in an archive file; attach developer certificate to the file; send file to the inspector; generate DSP and Downloadable ID; attach the DSP and Downloadable ID to file; attach the inspector certificate to the file; another content inspection?; forward the signed inspected Downloadable to the web server for deployment.]

[FIG. 7, Sheet 6 of 7: flowchart 700. Receive Downloadable file 705; extract the Downloadable 710; authenticate the developer certificate; previously inspected?; authenticate the inspector certificate; extract the DSP; authenticate the Downloadable ID; another DSP attached?; pass all authentication?; generate DSP for the attached Downloadable; compare DSP against local security policies; pass all security policies?; pass the Downloadable; send non-hostile Downloadable to inform the client of the failure.]

[Sheet 7 of 7: drawing text not recoverable.]

SYSTEM AND METHOD FOR ATTACHING A DOWNLOADABLE SECURITY PROFILE TO A DOWNLOADABLE

PRIORITY REFERENCE TO RELATED APPLICATIONS

This application claims benefit of and hereby incorporates by reference provisional application Ser. No. 60/030,639, entitled “System and Method for Protecting a Computer from Hostile Downloadables,” filed on Nov. 8, 1996, by inventor Shlomo Touboul; patent application Ser. No. 08/964,388, entitled “System and Method for Protecting a Computer and a Network from Hostile Downloadables,” filed on Nov. 6, 1997, by inventor Shlomo Touboul; and patent application Ser. No. 08/790,097, entitled “System and Method for Protecting a Client from Hostile Downloadables,” filed on Jan. 29, 1997, also by inventor Shlomo Touboul.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to computer networks, and more particularly provides a system and method for attaching a Downloadable security profile to a Downloadable to facilitate the protection of computers and networks from a hostile Downloadable.

2. Description of the Background Art

The Internet is currently a collection of over 100,000 individual computer networks owned by governments, universities, nonprofit groups and companies, and is expanding at an accelerating rate. Because the Internet is public, the Internet has become a major source of many system damaging and system fatal application programs, commonly referred to as “viruses.”

Accordingly, programmers continue to design computer and computer network security systems for blocking these viruses from attacking both individual and network computers. On the most part, these security systems have been relatively successful. However, these security systems are not configured to recognize computer viruses which have been attached to or configured as Downloadable application programs, commonly referred to as “Downloadables.” A Downloadable is an executable application program, which is downloaded from a source computer and run on the destination computer. A Downloadable is typically requested by an ongoing process such as by an Internet browser or web client. Examples of Downloadables include Java™ applets designed for use in the Java™ distributing environment developed by Sun Microsystems, Inc., JavaScript™ scripts also developed by Sun Microsystems, Inc., ActiveX™ controls designed for use in the ActiveX™ distributing environment developed by the Microsoft Corporation, and Visual Basic also developed by the Microsoft Corporation. Downloadables may also include plugins, which add to the functionality of an already existing application program. Therefore, a system and method are needed to protect a network from hostile Downloadables.

SUMMARY OF THE INVENTION

The present invention provides systems for protecting a network from suspicious Downloadables, e.g., Java™ applets, ActiveX™ controls, JavaScript™ scripts, or Visual Basic scripts. The network system includes an inspector for linking Downloadable security profiles to a Downloadable, and a protection engine for examining the Downloadable and Downloadable security profiles to determine whether or not to trust the Downloadable security profiles.

The inspector includes a content inspection engine that uses a set of rules to generate a Downloadable security profile corresponding to a Downloadable. The content inspection engine links the Downloadable security profile to the Downloadable. The set of rules may include a list of suspicious operations, or a list of suspicious code patterns. The first content inspection engine may link to the Downloadable a certificate that identifies the content inspection engine which created the Downloadable security profile. The system may include additional content inspection engines for generating and linking additional Downloadable security profiles to the Downloadable. Each additional Downloadable security profile may also include a certificate that identifies its creating content inspection engine. Each content inspection engine may create a Downloadable ID that identifies the Downloadable to which the Downloadable security profile corresponds.

The protection engine includes a Downloadable interceptor for receiving a Downloadable, a file reader coupled to the interceptor for determining whether the Downloadable includes a Downloadable security profile, an engine coupled to the file reader for determining whether to trust the Downloadable security profile, and a security policy analysis engine coupled to the verification engine for comparing the Downloadable security profile against a security policy if the engine determines that the Downloadable security profile is trustworthy. The engine preferably determines whether the first Downloadable security profile corresponds to the Downloadable. The system preferably includes a Downloadable ID verification engine for retrieving a Downloadable ID that identifies the Downloadable to which the Downloadable security profile corresponds. To confirm the correspondence between the Downloadable security profile and the Downloadable, the Downloadable ID verification engine generates the Downloadable ID for the Downloadable and compares the generated Downloadable to the linked Downloadable. The system may also include a content inspection engine for generating a Downloadable security profile for the Downloadable if the first Downloadable security profile is not trustworthy. The system further includes a certificate authenticator for authenticating a certificate that identifies a content inspection engine which created the Downloadable security profile as from a trusted source. The certificate authenticator can also authenticate a certificate that identifies a developer that created the Downloadable.

The present invention provides a method in a first embodiment comprising the steps of receiving a Downloadable, generating a first Downloadable security profile for the received Downloadable, and linking the first Downloadable security profile to the Downloadable. The present invention further provides a method in a second embodiment comprising the steps of receiving a Downloadable with a linked first Downloadable security profile, determining whether to trust the first Downloadable security profile, and comparing the first Downloadable security profile against the security policy if the first Downloadable security profile is trustworthy.

It will be appreciated that the system and method of the present invention may provide computer protection from known hostile Downloadables. The system and method of the present invention may identify Downloadables that perform operations deemed suspicious. The system and method of the present invention may examine the Downloadable code to determine whether the code contains any suspicious operations, and thus may allow or block the Downloadable accordingly. It will be appreciated that, because the system and method of the present invention link a verifiable Downloadable security profile to a Downloadable, the system and method may avoid decomposing the Downloadable into the Downloadable security profile on the fly.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a network system in accordance with the present invention;
FIG. 2 is a block diagram illustrating details of an example inspected Downloadable of FIG. 1;
FIG. 3 is a block diagram illustrating details of a developer of FIG. 1;
FIG. 4 is a block diagram illustrating details of an inspector of FIG. 1;
FIG. 5 is a block diagram illustrating details of a generic protection engine of FIG. 1;
FIG. 6 is a flowchart illustrating a method for attaching a Downloadable security profile to a Downloadable in accordance with the present invention;
FIG. 7 is a flowchart illustrating a method for examining a Downloadable in accordance with the present invention; and
FIG. 8 is a block diagram illustrating details of the web server of FIG. 1.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 1 is a block diagram illustrating a computer network system 100 in accordance with the present invention. The computer network system 100 includes an external computer network 105, such as the Wide Area Network commonly referred to as the Internet, coupled via a network gateway 110 to an internal computer network 115, such as a Local Area Network (LAN) commonly referred to as an intranet. The network system 100 further includes a developer 120 coupled to the external computer network 105, an inspector 125 also coupled to the external computer network 105, a web server 185 also coupled to the external computer network 105, and a computer client 130 coupled to the internal computer network 115. One skilled in the art will recognize that connections to external or internal network systems are merely exemplary, and alternative embodiments may have other connections. Further, although the developer 120, inspector 125 and web server 185 are being described as distinct sites, one skilled in the art will recognize that these elements may be a part of an integral site, may each include components of multiple sites, or may include combinations of single and multiple sites.

The developer 120 includes a Downloadable development engine 140 for generating a signed (yet uninspected) Downloadables 150. The developer 120 may obtain an uninspected Downloadable or may initially use the Downloadable development engine 140 to generate an uninspected Downloadable. The developer 120 can then use the Downloadable development engine 140 to transmit the signed Downloadable to the inspector 125 for hostility inspection. The developer 120 includes a developer certificate 155, which the Downloadable development engine 140 attaches to each uninspected Downloadable so that the inspector 125, the network gateway 110 and the computer client 130 can authenticate the developer 120.

The inspector 125 includes a content inspection engine 160 for examining a received Downloadable, e.g., the signed Downloadable 150 received from the developer 120, for generating a Downloadable Security Profile (DSP) based on a rules base 165 for the Downloadable, and for attaching the DSP to the Downloadable. A DSP preferably includes a list of all potentially hostile or suspicious computer operations that may be attempted by the Downloadable, and may also include the respective arguments of these operations. Generating a DSP includes searching the Downloadable code for any pattern, which is undesirable or suggests that the code was written by a hacker. The content inspection engine 160 preferably performs a full-content inspection. It will be appreciated that generating a DSP may also include comparing a Downloadable against Downloadables which Original Equipment Manufacturers (OEMs) know to be hostile, Downloadables which OEMs know to be non-hostile, and Downloadables previously examined by the content inspection engine 160. Accordingly, the rules base may include a list of operations and code patterns deemed suspicious, known hostile Downloadables, known viruses, etc.

An Example List of Operations Deemed Suspicious

File operations: READ a file, WRITE a file, DELETE a file, RENAME a file;
Network operations: LISTEN on a socket, CONNECT to a socket, SEND data, RECEIVE data, VIEW INTRANET;
Registry operations: READ a registry item, WRITE a registry item;
Operating system operations: EXIT WINDOWS, EXIT BROWSER, START PROCESS/THREAD, KILL PROCESS/THREAD, CHANGE PROCESS/THREAD PRIORITY, DYNAMICALLY LOAD A CLASS/LIBRARY, etc.; and
Resource usage thresholds: memory, CPU, graphics, etc.

Further, the content inspection engine 160 generates and attaches a Downloadable ID to the Downloadable. The Downloadable ID is typically stored as part of the DSP, since multiple DSPs may be attached to a Downloadable and each may have a different Downloadable ID. Preferably, to generate a Downloadable ID, the content inspection engine 160 computes a digital hash of the complete Downloadable code. The content inspection engine 160 preferably prefetches all components embodied in or identified by the code for Downloadable ID generation. For example, the content inspection engine 160 may prefetch all classes embodied in or identified by the Java™ applet bytecode, and then may perform a predetermined digital hash on the Downloadable code (and the retrieved components) to generate the Downloadable ID. Similarly, the content inspection engine 160 may retrieve all components listed in the .INF file for an ActiveX™ control to compute a Downloadable ID. Accordingly, the Downloadable ID for the Downloadable will be the same each time the content inspection engine 160 (or a protection engine as illustrated in FIG. 5) receives the same Downloadable and applies the same digital hash function. The downloadable components need not be stored with the Downloadable, but can be retrieved before each use or Downloadable ID generation.

Generating a DSP and generating a Downloadable ID are described in great detail with reference to the patent application Ser. No. 08/964,388, entitled “System and Method for Protecting a Computer and a Network from Hostile Downloadables,” filed on Nov. 6, 1997, by inventor Shlomo Touboul, which has been incorporated by reference above.

After performing content inspection, the inspector 125 attaches an inspector certificate 170 to the Downloadable. The inspector certificate 170 verifies the authenticity of the DSP attached to the Downloadable. Details of an example signed inspected Downloadable 150 are illustrated and described with reference to FIG. 2. The inspector 125 then transmits the signed inspected Downloadable 195 to the web server 185 for addition to web page data 190 and web page deployment. Accordingly, the computer client 130 includes a web client 175 for accessing the web page data 190 provided by the web server 185. As is known in the art, upon recognition of a Downloadable call, the web client 175 requests the web server 185 to forward the corresponding Downloadable. The web server 185 then transmits the Downloadable via the network gateway 110 to the computer client 130.

The network gateway 110 includes network protection engine 135, and the computer client 130 includes a computer protection engine 180. Both the network protection engine 135 and the computer protection engine 180 examine all incoming Downloadables and stop all Downloadables deemed suspicious. It will be appreciated that a Downloadable is deemed suspicious if it performs or may perform any undesirable operation, or if it threatens or may threaten the integrity of any computer component. It is to be understood that the term “suspicious” includes hostile, potentially hostile, undesirable, potentially undesirable, etc. Thus, if the incoming Downloadable includes a signed inspected Downloadable 195, then the network protection engine 135 and the computer protection engine 180 can review the attached certificates to verify the authenticity of the DSP. If the incoming Downloadable does not include a signed inspected Downloadable 195, then each of the network protection engine 135 and the computer protection engine 180 must generate the DSP, and compare the DSP against local security policies (535, FIG. 5).
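
Added example, not part of the patent text and not the patentee's code: the flow described above in Python, with an inspector that builds a DSP and Downloadable ID, and a protection engine that uses an attached DSP only if it authenticates and its Downloadable ID matches the received code, otherwise generating its own DSP before the policy comparison. The SHA-256 hash, the HMAC tag standing in for the inspector certificate's signature, the regex rules base, and all names and sample data are assumptions.

```python
import hashlib
import hmac
import json
import re

# Hypothetical rules base (assumption): suspicious operation -> code pattern.
RULES_BASE = {
    "FILE_WRITE": re.compile(rb"FileOutputStream|FileWriter"),
    "FILE_DELETE": re.compile(rb"\.delete\(\)"),
    "NET_CONNECT": re.compile(rb"new\s+Socket\("),
    "START_PROCESS": re.compile(rb"Runtime\.getRuntime\(\)\.exec"),
}


def downloadable_id(code, components):
    """Hash the code plus every fetched component, in a fixed order."""
    h = hashlib.sha256()  # SHA-256 is an assumption; the text names no hash
    for name, blob in [("", code)] + sorted(components.items()):
        for part in (name.encode(), blob):
            h.update(len(part).to_bytes(8, "big"))  # length prefix avoids ambiguity
            h.update(part)
    return h.hexdigest()


def scan(code, components):
    """Content inspection: operations whose pattern appears in any blob."""
    blobs = [code, *components.values()]
    return sorted(op for op, pat in RULES_BASE.items()
                  if any(pat.search(b) for b in blobs))


def _tag(key, dsp):
    # HMAC stands in for the inspector certificate's signature (assumption).
    payload = json.dumps(dsp, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def inspect(code, components, inspector, key):
    """Inspector side: build the DSP (with Downloadable ID) and authenticate it."""
    dsp = {"inspector": inspector,
           "downloadable_id": downloadable_id(code, components),
           "operations": scan(code, components)}
    return {"dsp": dsp, "tag": _tag(key, dsp)}


def protect(code, components, attachments, trusted_keys, blocked_ops):
    """Protection-engine side: trust attached DSPs only if all of them verify."""
    current_id = downloadable_id(code, components)
    dsps = []
    for att in attachments:
        dsp = att["dsp"]
        key = trusted_keys.get(dsp.get("inspector"))
        authentic = key is not None and hmac.compare_digest(_tag(key, dsp), att["tag"])
        if not (authentic and dsp.get("downloadable_id") == current_id):
            dsps = []  # one failed check discards every attached DSP
            break
        dsps.append(dsp)
    used_attached = bool(dsps)
    if not used_attached:
        # No trustworthy DSP: generate one locally before the policy check.
        dsps = [{"operations": scan(code, components)}]
    ops = set().union(*(d["operations"] for d in dsps))
    violations = sorted(ops & set(blocked_ops))
    return {"used_attached_dsp": used_attached,
            "violations": violations,
            "allow": not violations}


# Constructed sample input (not from the patent).
CODE = b'class Applet { void run() throws Exception { new Socket("example.invalid", 80); } }'
COMPONENTS = {"Helper.class":
              b'class Helper { void log() throws Exception { new java.io.FileWriter("out.txt"); } }'}
# Same applet modified after inspection: the recomputed ID no longer matches the DSP.
TAMPERED = CODE + b' class X { void z(java.io.File f) { f.delete(); } }'
KEYS = {"inspector-A": b"constructed-demo-key"}
POLICY = {"FILE_DELETE", "START_PROCESS"}

if __name__ == "__main__":
    signed = inspect(CODE, COMPONENTS, "inspector-A", KEYS["inspector-A"])
    print(protect(CODE, COMPONENTS, [signed], KEYS, POLICY))
    print(protect(TAMPERED, COMPONENTS, [signed], KEYS, POLICY))
```

The second call shows why the Downloadable ID is recomputed on receipt: the attached DSP still authenticates, but it describes different code, so the engine discards it and inspects the received bytes itself.
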

Components and operation of the network protection engine 135 and the computer protection engine 180 are described in greater detail with reference to FIG. 5. It will be appreciated that the network gateway 110 may include the components described in the patent-application Ser. No. 08/964,388, entitled “System and Method for Protecting a Computer and a Network from Hostile Downloadables,” filed on Nov. 6, 1997, by inventor Shlomo Touboul, which has been incorporated by reference above. It will be further appreciated that the computer protection engine 180 may include the components described in the patent application Ser. No. 08/790,097, entitled “System and Method for Protecting a Client from Hostile Downloadables,” filed on Jan. 29, 1997, also by inventor Shlomo Touboul.

It will be appreciated that the network system 100 may include multiple inspectors 125, wherein each inspector 125 may provide a different content inspection. For example, one inspector 125 may examine for suspicious operations, another inspector 125 may examine for known viruses that may be attached to the Downloadable 150, etc. Each inspector 125 would attach a corresponding DSP and a certificate verifying the authenticity of the attached DSP. Alternatively, a single inspector 125 may include multiple content inspection engines 160, wherein each engine provides a different content inspection.

FIG. 2 is a block diagram illustrating details of a signed inspected Downloadable 195, which includes a Downloadable 205, a developer certificate 155, a DSP 215 which includes a Downloadable ID 220, and an inspector certificate 170. The Downloadable 205 includes the downloadable and executable code that a web client 175 receives and executes. The Downloadable 205 may be encrypted using the developer’s private key. The attached developer certificate 155 may include the developer’s public key, the developer’s name, an expiration date of the key, the name of the certifying authority that issued the certificate, and a serial number. The signed Downloadable 150 comprises the Downloadable 205 and the developer certificate 155. The DSP 215 and Downloadable ID 220 may be encrypted by the inspector’s private key. The Downloadable ID 220 is illustrated as part of the DSP 215 for simplicity, since each signed inspected Downloadable 195 may include multiple DSPs 215 (and each DSP 215 may include a separate and distinct Downloadable ID 220). The inspector certificate 170 may include the inspector’s public key, an expiration date of the key, the name of the certifying authority that issued the certificate, and a Ser. No.

Although the signed inspected Downloadable 195 illustrates the DSP 215 (and Downloadable ID 220) as an attachment, one skilled in the art will recognize that the DSP 215 can be linked to the Downloadable 205 using other techniques. For example, the DSP 215 can be stored in the network system 100, and alternatively a pointer to the DSP 215 can be attached to the signed inspected Downloadable 195. The term “linking” herein will be used to indicate an association between the Downloadable 205 and the DSP 215 (including using a pointer from the Downloadable 195 to the DSP 215, attaching the DSP 215 to the Downloadable 205, etc.)

FIG. 3 is a block diagram illustrating details of the developer 120, which includes a processor 305, such as an Intel Pentium® microprocessor or a Motorola Power PC® microprocessor, coupled to a signal bus 310. The developer 120 further includes an input device 315 such as a keyboard and mouse, an output device 320 such as a Cathode Ray Tube (CRT) display, a data storage device 330 such as a magnetic disk, and an internal storage 335 such as Random Access Memory (RAM), each coupled to the signal bus 310. A communications interface 325 couples the signal bus 325 to the external computer network 105, as shown in FIG. 1.

An operating system 350 controls processing by processor 305, and is typically stored in the data storage device 330 and loaded into internal storage 335 (as illustrated) for execution by processor 305. The Downloadable development engine 140 generates signed Downloadables 150 as described above, and also may be stored in the data storage device 330 and loaded into internal storage 335 (as illustrated) for execution by processor 305. The data storage device 330 stores the signed Downloadables 150 and the developer certificate 155. A communications engine 360 controls communications via the communications interface 325 with the external computer network 105, and also may be stored in the data storage device 330 and loaded into internal storage 335 (as illustrated) for execution by processor 305.

One skilled in the art will understand that the developer 120 may also include additional information, such as network connections, additional memory, additional processors, LANs, input/output lines for transferring information across a hardware channel, the Internet or an intranet, etc. One skilled in the art will also recognize that the programs and data may be received by and stored in the system in alternative ways. For example, a computer-readable storage medium (CRSM) reader 370 such as a magnetic disk drive, hard disk drive, magneto-optical reader, CPU, etc. may be coupled to the signal bus 310 for reading a computer-readable storage medium (CRSM) 375 such as a magnetic disk, a hard disk, a magneto-optical disk, RAM, etc. Accordingly, the developer 120 may receive programs and data via the CRSM reader 370.

FIG. 4 is a block diagram illustrating details of the inspector 125, which includes a processor 405, such as an Intel Pentium® microprocessor or a Motorola Power PC® microprocessor, coupled to a signal bus 410. The inspector 125 further includes an input device 415 such as a keyboard and mouse, an output device 420 such as a CRT display, a data storage device 430 such as a magnetic disk, and an internal storage 435 such as RAM, each coupled to the signal bus 410. A communications interface 425 couples the signal bus 425 to the external computer networ
