US007613926B2
`
`(12) Ulllted States Patent
`Edery et a].
`
`(10) Patent N0.:
`(45) Date of Patent:
`
`US 7,613,926 B2
`*Nov. 3, 2009
`
`(54) METHOD AND SYSTEM FOR PROTECTING
`A COMPUTER AND A NETWORK FROM
`HOSTILE DOWNLOADABLES
`(75) Inventors: Yigal Mordechai Edery, Pardesia (IL);
`Nimrod Itzhak Vered, Goosh Tel-Mond
`
`5,359,659 A 10/1994 Rosenthal .................. .. 726/24
`
`(Continued)
`
`FOREIGN PATENT DOCUMENTS
`
`
`
`
`
`David R- Kl‘oll, San Jose, (73) Assignee: Finjan Software, Ltd, Netanya (IL) Tollbolll, Kefar-Halm
`
`( * ) Notice:
`
`Subject to any disclaimer, the term of this
`patent is extended or adjusted under 35
`U_S_C_ 154(1)) by 659 days_
`1 d.
`.
`Th.
`.
`b.
`1 is patent 1s su ject to a terrnma 1s-
`c a1mer.
`(21) Appl. N0.: 11/370,114
`(22) Filed:
`Mal? 7: 2006
`(65)
`Prior Publication Data
`
`Jul. 6, 2006
`US 2006/0149968 A1
`Related US. Application Data
`
`(63) Continuation of application No, 09/861,229, ?led on
`May 17, 2001, noW Pat. No. 7,058,822, and a continu-
`ation-in-part of application No. 09/539,667, ?led on
`Mar.' 30, ‘2000, HOW' Pat. NO. 6,804,780, Which iS a
`COnIlnuaIlOIl 0f 81313110811011 NO- O8/964Z388, ?ledpn
`NOV 6, 1997, 110W Pat N0 6,992,194, Sald appllcatlon
`NO~ 09/861,22915 a COmmuanOn-ln-pan OfaPPhCanOn
`231,302’ ?led on Apr‘ 18’ 2000’ HOW Pat‘ NO‘
`(60) Provisional application No. 60/205,591, ?led on May
`17, 2000
`
`OTHER PUBLICATIONS
`
`Zhong, et 211., “Security in the Large: is Java’s Sandbox Scalable?,”
`Seventh IEEE Symposium on Reliable Distributed Systems, pp. l-6,
`Oct‘ 1998‘
`
`(Continued)
`Primary ExamineriChristopher A Revak
`(74) Attorney, Agent, or FirmiKing & Spalding LLP
`
`(57)
`
`ABSTRACT
`
`Protection systems and methods provide for protecting one or
`more personal computers (“PCs”) and/ or other intermittently
`or persistently netWork accessible devices or processes from
`undesirable or otherWise malicious operations of JavaTM
`applets, ActiveXTM controls, JavaScriptTM scripts, Visual
`Basic scripts, add-ins, downloaded/uploaded programs or
`other “DoWnloadables” or “mobile code” in Whole or part. A
`protection engine embodiment provides, Within a server, ?re
`Wall or Pther sultable “re'commumcatq’” for momwng
`1nformat1on rece1ved by the commumcator, determlmng
`Whether received information does or is likely to include
`M d
`d .f
`b.1
`.
`d
`executa e co e, an 1 so, causes mo 1e protect1on co e
`(MPC) to be transferred to and rendered operable W1th1n a
`destination device of the received information, more suitabl
`.
`.
`.
`.
`. y
`by form1ng a protect1on agent 1nclud1ng the MPC, protect1on
`.
`.
`.
`pol1c1es and'a detected-DoWnloadable.AnMPC embodlment
`further prov1des, W1th1n a DoWnloadable-dest1nat1on, for 1m
`tiating the DoWnloadable, enabling malicious DoWnloadable
`Operation attempts to be received by the MPC, and Causing
`(predetermined) corresponding operations to be executed in
`response to the attempts, more suitably in conjunction With
`protection policies.
`
`(51) Int. C].
`G06F 21/24
`G06F 11/30
`
`H04L 9/00
`
`G06F 15/16
`
`(2006 01)
`(200601)
`'
`(2006 01)
`'
`(2006.01)
`713/181_ 713/175 713/176
`’
`’
`726/24’
`
`52) U 5 Cl
`(
`‘
`‘
`‘ """"""""""" "
`_
`_
`_
`..... .. None
`(58) Field of1 ~Classl??clatiqon Searclh ........
`See app lcanon e or Comp ete Seam lstory'
`References Cited
`
`(56)
`
`U.S. PATENT DOCUMENTS
`
`5,077,677 A 12/1991 Murphy et a1. .............. .. 706/62
`
`30 Claims, 10 Drawing Sheets
`
`wnhoul anvil/y
`Load the downloadble
`mmaung
`1r
`
`1 Form an awess lnrarcepmrtw intercepting
`downluadabla de‘?niilon diViDe access
`attempts wlmin me des?nl?nn device
`
`Exacuta the pDIiOIBS (meluding nausing an
`allowable response :Xpeded by m
`Danwluadablo m be rammed M1718
`Dwmlmdabla)
`
`1111
`
`

`
`US 7,613,926 B2
`Page 2
`
`US. PATENT DOCUMENTS
`
`5,361,359 A 11/1994 Tajalliet al. ................ .. 726/23
`5,414,833 A
`5/1995 Hersheyetal.
`..
`5,485,409 A
`1/1996 Gupta et al.
`5,485,575 A
`1/1996 Chess et al. ................. .. 714/38
`5,572,643 A 11/1996 Judson ..................... .. 709/218
`5,579,509 A 11/1996 Furtney et al. .
`703/27
`5,606,668 A *
`2/1997 Shwed ..... ..
`.. 726/13
`5,623,600 A *
`4/1997 Jiet al.
`726/24
`5,638,446 A
`6/1997 Rubin ....................... .. 705/51
`5,675,711 A 10/1997 Kephart et al. .............. .. 706/12
`5,692,047 A 11/1997 McManis ..... ..
`.713/167
`5,692,124 A 11/1997 Holden et al. ................ .. 726/2
`5,720,033 A
`2/1998 Deo ............................ .. 726/2
`5,724,425 A
`3/1998 Chang et al.
`705/52
`5,740,248 A
`4/1998 Fieres et al. .............. .. 713/156
`5,740,441 A
`4/1998 Yellin et al. ............... .. 717/134
`5,761,421 A
`6/1998 van Hoffetal. ..
`709/223
`5,765,205 A
`6/1998 Breslau et al. ............ .. 711/203
`5,784,459 A
`7/1998 Devarakonda et al. .... .. 713/165
`5,796,952 A
`8/1998 Davis et al. ............... .. 709/224
`5,805,829 A
`9/1998 Cohen et al. .............. .. 709/202
`5,832,208 A 11/1998 Chen et al. .................. .. 726/24
`5,832,274 A 11/1998 Cutler et al.
`717/171
`5,850,559 A 12/1998 Angelo et al. ............. .. 713/320
`5,859,966 A
`1/1999 Hayman et al. ............. .. 726/23
`5,864,683 A
`1/1999 Boebert et al. .
`. 709/249
`5,881,151 A
`3/1999 Yamamoto ................. .. 726/24
`5,884,033 A
`3/1999 Duvallet al. .............. .. 709/206
`5,892,904 A
`4/1999 Atkinson et al. ..
`726/22
`5,951,698 A
`9/1999 Chen et al. .................. .. 714/38
`5,956,481 A
`9/1999 Walsh et al. ................ .. 726/23
`5,963,742 A 10/1999 Williams .................. .. 717/143
`5,974,549 A 10/1999 Golan
`5,978,484 A 11/1999 Apperson et al. ........... .. 705/54
`5,983,348 A 11/1999 Ji
`5,987,611 A 11/1999 Freund ........................ .. 726/4
`6,088,801 A
`7/2000 Grecsek ....................... .. 726/1
`6,088,803 A
`7/2000 Tso et al. .
`726/22
`6,092,194 A *
`7/2000 Touboul
`.. 726/24
`6,154,844 A * 11/2000 Touboulet al. ............. .. 726/24
`6,167,520 A 12/2000 Touboul
`6,339,829 B1
`1/2002 Beadle et al. ............... .. 726/15
`6,425,058 B1
`7/2002 Arimilliet al.
`711/134
`6,434,668 B1
`8/2002 Arimilliet al.
`711/128
`6,434,669 B1
`8/2002 Arimilliet al.
`.. 711/128
`6,480,962 B1* 11/2002 Touboul ...... ..
`.
`. 726/22
`6,487,666 B1
`11/2002 Shanklin et al.
`.
`6,519,679 B2
`2/2003 Devireddy et al.
`
`.. 726/23
`711/114
`
`7/2003 Ross et al. . . . . . . . .
`6,598,033 B2
`5/2004 Brown et al.
`6,732,179 B1 *
`6,804,780 B1* 10/2004 Touboul
`6,901,519 B1* 5/2005 Stewart et al. .
`6,917,953 B2
`7/2005 Simon et al.
`7,058,822 B2 *
`6/2006 Edery et al.
`7,093,135 B1* 8/2006 Radatti et al.
`7,210,041 B1
`4/2007 Gryaznov et al.
`7,343,604 B2
`3/2008 Grabarnik et al.
`7,418,731 B2
`8/2008 Touboul ...... ..
`
`. . . . .. 706/46
`. 709/229
`713/181
`726/24
`707/204
`726/22
`713/188
`713/188
`719/313
`.. 726/22
`
`2004/0073811 A1
`2004/0088425 A1
`2005/0172338 A1
`2006/0031207 A1
`
`.. 726/13
`4/2004 Sanin .......... ..
`709/230
`5/2004 Rubinstein et al.
`726/22
`8/2005 Sandu et al. ....... ..
`2/2006 Bjarnestam et al. .......... .. 707/3
`
`OTHER PUBLICATIONS
`
`Rubin, et al., “Mobile Code Security,” IEEE Internet, pp. 30-34, Dec.
`1998.Schmid, et al. “Protecting Data From Malicious Software,”
`Proceedings of the 18”‘ Annual Computer SecuriU/Applications Con
`ference, pp. 1-10, 2002.
`Corradi, et al., “A Flexible Access Control Service for Java Mobile
`Code,” IEEE, pp. 356-365, 2000.
`
`International Search Report for Application No. PCT/IB97/01626, 3
`pp., May 14, 1998 (mailing date).
`International Search Report for Application No. PCT/ IL05/ 00915, 4
`pp., dated Mar. 3, 2006.
`Written Opinion for Application no. PCT/IL05/00915, 5 pp., dated
`Mar. 3, 2006 (mailing date).
`International Search Report for Application No. PCT/1B0 1/01 138, 4
`pp., Sep. 20, 2002 (mailing date).
`International Preliminary Examination Report for Application No.
`PCT/IB01/01138, 2 pp., dated Dec. 19,2002.
`Gerzic, Amer, “Write Your Own Regular Expression Parser,” Nov.
`17, 2003, 18 pp.
`Power, James, “Lexical Analysis,” 4 pp., May 14, 2006.
`Sitaker, Kragen, “Rapid Genetic Evolution of Regular Expressions”
`[online], The Mia/Archive, Apr. 24, 2004 (retrieved on Dec. 7, 2004),
`5 pp.
`“Lexical Analysis: DFA Minimization & Wrap Up” [online], Fall,
`2004 [retrieved on Mar. 2, 2005], 8 pp.
`“Minimization of DFA” [online], [retrieved on Dec. 7, 2004], 7 pp.
`“Algorithm: NFS -> DFA” [online], Copyright 1999-2001 [retrieved
`on Dec. 7, 2004], 4 pp.
`“CS 3813: Introduction to Formal Languages and AutomataiState
`Minimization and OtherAlgorithms for Finite Automata,” 3 pp., May
`11, 2003.
`Watson, Bruce W., “Constructing Minimal Acyclic Deterministic
`Finite Automata,” [retrieved on Mar. 20, 2005], 38 pp.
`Chang, Chia-Hsiang, “From Regular Expressions to DFA’s Using
`Compressed NFA’s,” Oct. 1992, 243 pp.
`“Products,” Articles published on the Internet, “Revolutionary Secu
`rity for a New Computing Paradigm” regarding Sur?nGateTM, 7 pp.
`“Release Notes for the Microsoft ActiveX Development Kit,” Aug.
`13, 1996, pp. 1-10.
`Doyle, et al., “Microsoft Press Computer Dictionary,” Microsoft
`Press, 2d Edition, pp. 137-138, 1993.
`Finjan Software Ltd., “Powerful PC Security for the New World of
`JavaTM and Downloadables, Sur?n ShieldTM,” Article published on
`the Internet by Finjan Software Ltd., 2 pp. 1996.
`Finjan Sofrtware Ltd., “FinjanAnnounces a Personal JavaTM Firewall
`for Web Browsersithe Sur?nShieldTM 1.6 (formerly known as
`Sur?nBoard),” Press Release of Finjan Releases Sur?nShield 1.6, 2
`pp., Oct. 21, 1996.
`Finjan Software Ltd., “Finjan Announces Major Power Boost and
`New Features for Sur?nShieldTM 2.0,” Las Vegas Convention Center/
`Pavillion 5 P5551, 3 pp., Nov. 18, 1996.
`Finjan Software Ltd., “Finjan Software Releases Sur?nBoard, Indus
`try’s First JAVA Security Product for the World Wide Web,” Article
`published on the Internet by Finjan Software Ltd., 1 p., Jul. 29, 1996.
`Finjan Software Ltd., “Java Security: Issues & Solutions,” Article
`published on the Internet by Finjan Software Ltd., 8 pp. 1996.
`Finjan Software Ltd., Company Pro?le, “FinjaniSafe Sur?ng, The
`Java Security Solutions Provider,” Article published on the Internet
`by Finjan Software Ltd., 3 pp., Oct. 31, 1996.
`“IBM AntiVirus User’s Guide, Version 2.4,”, International Business
`Machines Corporation, pp. 6-7, Nov. 15, 1995.
`Khare, R., “Microsoft Authenticode Analyzed” [online], Jul. 22,
`1996 [retrieved on Jun. 25, 2003], 2 pp.
`LaDue, M., Online Business Consultant: Java Security: Whose Busi
`ness is It?, Article published on the Internet, Home Page Press, Inc.,
`4 pp., 1996.
`Leach, Norvin, et al., “IE 3.0 Applets Will Earn Certi?cation,” PC
`Week, vol. 13, No. 29, 2 pp., Jul. 22, 1996.
`Moritz, R., “Why We Shouldn’t Fear Java,” Java Report, pp. 51-56,
`Feb. 1997.
`Microsoft, “Microsoft ActiveX Software Development Kit”
`[Online], Aug. 12, 1996 [retrieved on Jun. 25, 2003], pp. 1-6.
`Microsoft® Authenticode Technology, “Ensuring Accountability
`and Authenticity for Software Components on the Internet,”
`Microsoft Corporation, Oct. 1996, including Abstract, Contents,
`Introduction, and pp. 1-10.
`Microsoft Corporation, Web Page Article “Frequently Asked Ques
`tions About Authenticode,” last updated Feb. 17, 1997, printed Dec.
`23, 1998, pp. 1-13.
`
`

`
`US 7,613,926 B2
`Page 3
`
`Okamoto, E., et al., “ID-Based Authentication System for Computer
`Virus Detection,” IEEE/IEE Electronic Library online, Electronics
`Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract
`and pp. 1169-1170.
`Omura, J. K., “Novel Applications of Cryptography in Digital Com
`munications,” IEEE Communications Magazine, pp. 21-29, May
`1990.
`
`Schmitt, D.A., “.EXE ?les, OS-2 style,”PC Tech Journal, vol. 6, No.
`11, p. 76(13), Nov. 1988.
`Zhang, X. N., “Secure Code Distribution,” IEEE/IEE Electronic
`Library online, Computer, vol. 30, Issue 6, pp. 76-79, Jun. 1997.
`D. Grune, et al., “Parsing Techniques: A Practical Guide,” John Wiley
`& Sons, Inc., NeWYork, New York, USA, pp. 1-326, 2000.
`* cited by examiner
`
`

`
`US. Patent
`
`Nov. 3, 2009
`
`Sheet 1 0f 10
`
`US 7,613,926 B2
`
`100
`
`107
`Redundancy Support W/
`
`Subsystem-1
`(Sandbox Protected)
`
`104
`”/
`
`Subsystem-N
`(Unprotected)
`
`A/
`
`Subsystem-M
`(Protected)
`
`102
`ResourceServer-1 W
`121
`Resource-1 V-I/
`
`1 o3
`‘0/
`131
`\ ResourceServer-N
`132
`Resource M
`Resource“ W
`
`_ ?/
`
`External
`Network
`(Internet)
`
`FIG. 1a
`
`1043
`
`104b
`
`Corporate Server
`
`140b
`W143
`V
`141b
`w\~ Sewer _____ Firewall /
`r
`
`PE
`
`PE
`
`4
`D
`
`1402
`ISP-Server W
`
`1411:)
`w\ Server
`
`Protection Engine
`(PE)
`
`<—
`D
`
`X“
`\‘\
`142a
`
`-
`
`lMPQD
`
`145a ______________ I.
`
`145
`User
`Device-n W
`145
`Client W
`
`&
`5
`'~-
`
`:
`
`\Y\
`142b
`
`in
`\W
`142b
`
`MPC,D
`<
`
`145%‘ User
`Device-n
`146
`\“ Client
`
`User W145
`Device-n
`146
`Client ?/
`
`FIG. 1b
`
`FIG. 1c
`
`

`
`US. Patent
`
`Nov. 3, 2009
`
`Sheet 2 0f 10
`
`US 7,613,926 B2
`
`
`
`
`
`bwmoz E382 vwEoHw
`
`won \\
`
`
`
`QSSHOM b25500
`
`
`
`E332 omEBm
`
`
`
`0:33am 63.550
`
`gm .\
`
`mam \\
`
`@hommouo?
`
`/ ecu
`
`
`
`$0982 @5103
`
`wcu K
`
`wGQEQOMQDHGEOU
`
`

`
`U.S. Patent
`
`NOV. 3, 2009
`
`01f03AI.6ehS
`
`US 7,613,926 B2
`
`B3B=ouxm.:oZv
`
`
`
`3%:ufifisuuxm
`
`co_..oQ.2n_
`
`me2_9m_
`
`__m..>>®.__n_
`
`cosmficomfi
`
`wuzooomm._nE:umxm_
`
`82
`
`

`
`U.S. Patent
`
`NOV. 3, 2009
`
`Sheet 4 of 10
`
`US 7,613,926 B2
`
`....o-_____-.—-.-
`
`-I
`
`.I
`
`..._—.._........_
`
`:2.
`
`1-mm
`
`$_o__on_
`
`=o_au_._§==<__
`
`3.:zumw
`
`
`
`N9»9__.m._mcozoflmo
`
`
`
`w=_8,,§§§__&.35
`
`ocacmammm9:o_»mE._o.«:_.u£o5.mxon_u£u.n_
`
`mmfisw
`
`_-I__
`
`..o_.8_E2==<_
`
`.E_mo__m..fi“._._2.§...z
`...unamxz
`
`
`=o_fiE._B:_:.50on_s_Emcmc.
`
`_.__awEonm_E_:os_Baum9:cw
`In11.1
`
`._o§o:o0.5m<022
`
`9%NSSmowm
`
`
`
`
`
`.1.-IIIIIIIIIIIIIIlllltlllllllllllluIIIJIIIIIIIIIIOIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIll
`
`
`
`
`
`
`
`

`
`U.S. Patent
`
`NOV. 3, 2009
`
`01f05LI.6ehS
`
`US 7,613,926 B2
`
`
`
`
`
`£2wEm._mn_w__u_OESJDDXW
`
`
`
`
`
`2£mEw._mn_u_uo0m_nmSooxm_o§._.2E
`
`
`
`
`
`22mEEmmEmzum._2o2un_
`
`.w_mz_.__
`
`~u£w_u.2&
`
`commmuoa
`
`
`
`0.2055mm.353._mm._mn_
`
`Snow“.
`
`23
`
`
`
`m.2wESmn_.9950§u2un_
`
`m._9uEw.an_EaimIIIII.
`
`
`
`1IIII.V_Eofioo
`
`
`
`
`
` Emzmn___mom_._oG9oo_m_2mEu.aa8»:2..../é//7.7..kmm_:mI
`
`.550_N3uFmmfi
`
`aw.UHm
`
`8%
`
`\\V\
`
`Bx:_._Swmwuoa
`
`
` s2u_...m2_ msmcmm::_:_..
`
`eonwaaEou.
`
`
`
`as.322.umS_N
`
`N©W2.55.
`
`m_._I..58
`
`
`nmn._2a..u:oo2.__m:m_
`
`|l.|.Jl_E&<o._.._o§_«.Foh
`
`

`
`US. Patent
`
`Nov. 3, 2009
`
`Sheet 6 6f 10
`
`US 7,613,926 B2
`
`700
`
`W
`
`701
`W
`Memory Space-N
`
`340
`\M
`55165125"
`i .....
`..... -i
`146
`—_""—'—_—“>l_—_m__|_;_—l/V
`MCI- t
`711
`nitia or
`WM, W
`
`702
`)4/
`Memory Spaces-P1 and P2
`343
`(553%) W 5 Destination
`4 ,1? Resources
`Sandbox Engine ‘’
`\x
`\\
`341
`721
`
`POL
`
`342
`
`FIG. 7a
`
`704
`)4/
`Memory Space-P1
`342
`
`703
`)4/
`Memory Space~P2
`343
`731
`
`341
`
`MP0
`
`FIG. 7b
`
`341
`
`\N
`
`801
`4/802
`Package Extractor
`W803
`Executable installer
`Sandbox Engine Installer W804
`Resource Access Dwerter W80 5
`Resource Access Analyzer i4/ 806
`Policy Enforcer
`4/807
`MPG De-lnstaller
`4/
`
`FIG. 8
`
`

`
`U.S. Patent
`
`. 3, 2009
`
`01f07LI.6ehS
`
`US 7,613,926 B2
`
`nu...-.-uuaauluunul
`
`
`_._.®...................1%.....1..........
`x\.m.......m.,.m_,m..§m.amm_.m...
`
`
`
`-_m_.._s3o5._m£mE.>mc_::£on
`
`......©Ua=_—=._0«flUE=
`
`5]...............1........................................3
`
`mom
`
`:2n%mo_=3on._m_=_2o._..£coumczmmu
`:oumE._£c_
`
`.
`
`
`
`
`
`§mw0C_£tO>>«m:._«muSomm..__E_m._mo
`
`
`
`
`
`vm_u2o._amm..__>mc:o=mE._oE_ozmumm
`
`co=m._mao
`
`
`
`uuoumfiflaomxuwm.u:_o:_u_n_m_umo_Eson_
`
`
`
`
`
`
`
`asEu2o>__muB2o_nmumu_Esoo._m_E2oammzmo
`
`co__m:_.mmu.:o_umE._oE_
`
`muu=_u:_
`
`N.88
`
`
`
`
`
`w__noE8%m.._._ooEmmacozufloamE5“.
`
`
`
`
`
`w_nmumo_:;oo-_m_E8oqduou:o__u£o.a
`
`‘Em+Am_nmnmo_Esoo-nEum.wum255
`
`mm__&:o_~o£o._n_
`
`um._m>__wuma2“commcozufloao£wmsmo
`
`co_fic=wwo.co=mE.o_:_G59
`
`
`
`evzmm.m.£._2mu_E._EEou.2._o.Eo_2
`
`
`
`
`
`

`
`U.S. Patent
`
`Nov. 3, 2009
`
`LI.6ehS
`
`01f000
`
`US 7,613,926 B2
`
`
`
`
`
`E8.ucm€BmEm.ma8:863m>mEmm-_m_E28mfi.m£m;>>wc_E._8on_
`
`
`
`
`
`
`
`
`
`
`
`9.:2mc_u._ooomwuoocozofloaw__noEmfimsomxwcmm3mo_n:_m_nmcmo_EsoQ
`
`
`
`
`
`
`
`m_BwEEmo_339:
`
`
`
`
`
`FCQ.ucmm._3oEEmacozoeoam>mEmm
`
`
`
`
`
`m52mczeooommm_o__oacozofloa
`
`w.9mEm.ma
`
`
`
`mEwEoom_cm5._m£m.._.$o:_E._2oo
`
`
`
`
`
`2:32once.5:o:mE._oE_bmcfimu:_o:_
`
`
`
`
`
`.m.$Emmacozufloaw::22:o_.mE_oE__w_uoom3mSomxmmmn:_u:_
`
`.298co_.o2oamicewew_%oo9:as98_9__82ea.SS2_2m:
`
`
`
`
`-um>_wom.ucwmw_o__oacozofloa>_wx__w._oEm_nmumo_E>oo-_m_E2oq
`
`
`
`
`¢:_£Eucmficoommmo_o__oa.35on__2mm_nmumo_§>on_-_m_E9oa9:._mu_wcoo
`
`
`
`<3.05
`
`o5mumo_E>oo-u9o9m6
`
`

`
`US. Patent
`
`Nov. 3, 2009
`
`Sheet 9 0f 10
`
`US 7,613,926 B2
`
`Install mobile protection code elements $101
`and policies within a destination device
`I
`V
`-
`1102
`Load the downioadble without actually W
`initiating it
`i
`Y
`
`1103
`Form an access interceptor for intercepting
`downloadable destination device access 4/
`attempts within the destination device
`
`. .
`‘I
`.
`.
`1105
`lnitlate the Downloadable within the 4,
`destination device
`
`Malicious
`access
`
`No
`
`.
`
`.
`
`.
`
`.
`
`Determine policies in accordance with the 4/
`access attempt
`
`.
`
`1109
`
`Execute the policies (including causing an
`allowable response expected by the
`Donwloadable to be returned to the
`Downloadable)
`
`/V1 111
`
`FIG. 11
`
`

`
`U.S. Patent
`
`NOV. 3, 2009
`
`01r1001AleehS
`
`US 7,613,926 B2
`
`
`
`«Nu.U~,m
`
`asdumb
`
`
`
`muooco_uo£o.a
`
`Em
`
`_n_<E5859:m_>
`
`
`
`>26;mo_.__E._9wu2wm_o__onumzembmao
`
`m_nmumo_Eson_9:2mcficoamwtoo
`
`
`
`.wm:vm._wmmoom
`
`Em
`
`
`
`
`
`ummzam.mwmoumm_nwumo_Esoamwzwumm
`
`
`
`m_nmumo_sson_mg.__Emc_
`
`
`
`
`
`Egg9_n_<¢_fiumo_ssoo2E_uc2
`
`
`
`
`
`m_5oEm53Emwacm.mwmoomm:o_o__mE
`
`

`
`US 7,613,926 B2
`
`1
`METHOD AND SYSTEM FOR PROTECTING
`A COMPUTER AND A NETWORK FROM
`HOSTILE DOWNLOADABLES
`
`PRIORITY REFERENCE TO RELATED
`APPLICATIONS
`
`This application is a continuation of assignee’ s application
`Ser. No. 09/861,229, ?ledonMay 17, 2001,now US. Pat. No.
`7,058,822, entitled “Malicious Mobile Code Runtime Moni
`toring System And Methods”, which is hereby incorporated
`by reference. US. application Ser. No. 09/861,229 claims
`bene?t of provisional application Ser. No. 60/205,591,
`entitled “Computer Network Malicious Code Run-time
`Monitoring,” ?led on May 17, 2000 by inventors Nimrod
`ItZhak Vered, et al., which is hereby incorporated by refer
`ence. US. application Ser. No. 09/861,229 is also a Continu
`ation-In-Part of US. patent application Ser. No. 09/ 539,667,
`entitled “System and Method for Protecting a Computer and
`a Network From Hostile Downloadables” ?led on Mar. 30,
`2000 by inventor Shlomo Touboul, now US. Pat. No. 6,804,
`780, and hereby incorporated by reference, which is a con
`tinuation of assignee’s patent application U.S. Ser. No.
`08/964,388, ?led on Nov. 6, 1997, now US. Pat. No. 6,092,
`194, also entitled “System and Method for Protecting a Com
`puter and a Network from Hostile Downloadables” and
`hereby incorporated by reference. U.S. Ser. No. 09/861,229 is
`also a Continuation-In-Part of US. patent application Ser.
`No. 09/551,302, entitled “System and Method for Protecting
`a Client During Runtime From Hostile Downloadables”, ?led
`on Apr. 18, 2000 by inventor Shlomo Touboul, now US. Pat.
`No. 6,480,962, which is hereby incorporated by reference.
`
`BACKGROUND OF THE INVENTION
`
`20
`
`25
`
`30
`
`35
`
`2
`information comprising program code can include distribut
`able components (eg JavaTM applets and JavaScript scripts,
`ActiveXTM controls, Visual Basic, add-ins and/or others). It
`can also include, for example, application programs, Trojan
`horses, multiple compressed programs such as Zip or meta
`?les, among others. US. Pat. No. 5,983,348 to Shuang, how
`ever, teaches a protection system for protecting against only
`distributable components including “Java applets or ActiveX
`controls”, and further does so using resource intensive and
`high bandwidth static Downloadable content and operational
`analysis, and modi?cation of the Downloadable component;
`Shuang further fails to detect or protect against additional
`program code included within a tested Downloadable. US.
`Pat. No. 5,974,549 to Golan teaches a protection system that
`further focuses only on protecting against ActiveX controls
`and not other distributable components, let alone other
`Downloadable types. US. Pat. No. 6,167,520 to Touboul
`enables more accurate protection than Shuang or Golan, but
`lacks the greater ?exibility and ef?ciency taught herein, as do
`Shuang and Golan.
`Accordingly, there remains a need for e?icient, accurate
`and ?exible protection of computers and other network con
`nectable devices from malicious Downloadables.
`
`SUMMARY OF THE INVENTION
`
`The present invention provides protection systems and
`methods capable of Protecting a personal computer (“PC”) or
`other persistently or even intermittently network accessible
`devices or processes from harmful, undesirable, suspicious or
`other “malicious” operations that might otherwise be effec
`tuated by remotely operable code. While enabling the capa
`bilities of prior systems, the present invention is not nearly so
`limited, resource intensive or in?exible, and yet enables more
`reliable protection. For example, remotely operable code that
`is protectable against can include downloadable application
`programs, Trojan horses and program code groupings, as well
`as software “components”, such as JavaTM applets,
`ActiveXTM controls, JavaScriptTM/Visual Basic scripts, add
`ins, etc., among others. Protection can also be provided in a
`distributed interactively, automatically or mixed con?gurable
`manner using protected client, server or other parameters,
`redirection, local/remote logging, etc., and other server/client
`based protection measures can also be separately and/or
`interoperably utiliZed, among other examples.
`In one aspect, embodiments of the invention provide for
`determining, within one or more network “servers” (e.g. ?re
`walls, resources, gateways, email relays or other devices/
`processes that are capable of receiving-and-transferring a
`Downloadable) whether received information includes
`executable code (and is a “Downloadable”). Embodiments
`also provide for delivering static, con?gurable and/ or exten
`sible remotely operable protection policies to a Download
`able-destination, more typically as a sandboxed package
`including the mobile protection code, downloadable policies
`and one or more received Downloadables. Further client
`based or remote protection code/policies can also be utiliZed
`in a distributed manner. Embodiments also provide for caus
`ing the mobile protection code to be executed within a Down
`loadable-destination in a manner that enables various Down
`loadable operations to be detected, intercepted or further
`responded to via protection operations. Additional server/
`information-destination device security or other protection is
`also enabled, among still further aspects.
`A protection engine according to an embodiment of the
`invention is operable within one or more network servers,
`?rewalls or other network connectable information re-com
`
`1. Field of the Invention
`This invention relates generally to computer networks, and
`more particularly provides a system and methods for protect
`ing network-connectable devices from undesirable down
`loadable operation.
`2. Description of the Background Art
`Advances in networking technology continue to impact an
`increasing number and diversity of users. The Internet, for
`example, already provides to expert, intermediate and even
`novice users the informational, product and service resources
`of over 100,000 interconnected networks owned by govem
`ments, universities, nonpro?t groups, companies, etc. Unfor
`tunately, particularly the Internet and other public networks
`have also become a major source of potentially system-fatal
`or otherwise damaging computer code commonly referred to
`as “viruses.”
`Efforts to forestall viruses from attacking networked com
`puters have thus far met with only limited success at best.
`Typically, a virus protection program designed to identify and
`remove or protect against the initiating of known viruses is
`installed on a network ?rewall or individually networked
`computer. The program is then inevitably surmounted by
`some new virus that often causes damage to one or more
`computers. The damage is then assessed and, if isolated, the
`new virus is analyZed. A corresponding new virus protection
`program (or update thereof) is then developed and installed to
`combat the new virus, and the new program operates success
`fully until yet another new virus appearsiand so on. Of
`course, damage has already typically been incurred.
`To make matters worse, certain classes of viruses are not
`well recogniZed or understood, let alone protected against. It
`is observed by this inventor, for example, that Downloadable
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`

`
`US 7,613,926 B2
`
`3
`municating devices (as are referred to herein summarily one
`or more “servers” or “re-communicators”). The protection
`engine includes an information monitor for monitoring infor
`mation received by the server, and a code detection engine for
`determining Whether the received information includes
`executable code. The protection engine also includes a pack
`aging engine for causing a sandboxed package, typically
`including mobile protection code and doWnloadable protec
`tion policies to be sent to a DoWnloadable-destination in
`conjunction With the received information, if the received
`information is determined to be a DoWnloadable.
`A sandboxed package according to an embodiment of the
`invention is receivable by and operable With a remote DoWn
`loadable-destination. The sandboxed package includes
`mobile protection code (“MPC”) for causing one or more
`predetermined malicious operations or operation combina
`tions of a DoWnloadable to be monitored or otherWise inter
`cepted. The sandboxed package also includes protection poli
`cies (operable alone or in conjunction With further
`DoWnloadable-destination stored or received policies/MPCs)
`for causing one or more predetermined operations to be per
`formed if one or more undesirable operations of the DoWn
`loadable is/are intercepted. The sandboxed package can also
`include a corresponding DoWnloadable and can provide for
`initiating the DoWnloadable in a protective “sandbox”. The
`MPC/policies can further include a communicator for
`enabling further MPC/policy information or “modules” to be
`utiliZed and/or for event logging or other purposes.
`A sandbox protection system according to an embodiment
`of the invention comprises an installer for enabling a received
`MPC to be executed Within a DoWnloadable-destination (de
`vice/process) and further causing a DoWnloadable applica
`tion program, distributable component or other received
`doWnloadable code to be received and installed Within the
`DoWnloadable-destination. The protection system also
`includes a diverter for monitoring one or more operation
`attempts of the DoWnloadable, an operation analyZer for
`determining one or more responses to the attempts, and a
`security enforcer for effectuating responses to the monitored
`operations. The protection system can further include one or
`more security policies according to Which one or more pro
`tection system elements are operable automatically (e.g. pro
`grammatically) or in conjunction With user intervention (eg
`as enabled by the security enforcer). The security policies can
`also be con?gurable/extensible in accordance With further
`doWnloadable and/or DoWnloadable-destination informa
`tion.
`A method according to an embodiment of the invention
`includes receiving doWnloadable information, determining
`Whether the doWnloadable information includes executable
`code, and causing a mobile protection code and security
`policies to be communicated to a netWork client in conjunc
`tion With security policies and the doWnloadable information
`if the doWnloadable information is determined to include
`executable code. The determining can further provide mul
`tiple tests for detecting, alone or together, Whether the doWn
`loadable information includes executable code.
`A further method according to an embodiment of the
`invention includes forming a sandboxed package that
`includes mobile protection code (“MPC”), protection poli
`cies, and a received, detected-DoWnloadable, and causing the
`sandboxed package to be communicated to and installed by a
`receiving device or process (“user device”) for responding to
`one or more malicious operation attempts by the detected
`DoWnloadable from Within the user device. The MPC/poli
`cies can further include a base “module” and a “communica
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`4
`tor” for enabling further up/doWnloading of one or more
`further “modules” or other information (eg events, user/user
`device information, etc.).
`Another method according to an embodiment of the inven
`tion includes installing, Within a user device, received mobile
`protection code (“MPC”) and protection policies in conjunc
`tion With the user device receiving a doWnloadable applica
`tion program, component or other DoWnloadable(s). The
`method also includes determining, by the MPC, a resource
`access attempt by the DoWnloadable, and initiating, by the
`MPC, one or more predetermined operations corresponding
`to the attempt. (Predetermined operations can, for example,
`comprise initiating user, administrator, client, netWork or pro
`tection system determinable operations, including but not
`limited to modifying the DoWnloadable operation, extricating
`the DoWnloadable, notifying a user/another, maintaining a
`local/remote log, causing one or more MPCs/policies to be
`doWnloaded, etc.)
`Advantageously, systems and methods according to
`embodiments of the invention enable potentially damaging,
`undesirable or otherWise malicious operations by even
`unknoWn mobile code to be detected, prevented, modi?ed
`and/or otherWise protected against Without modifying the
`mobile code. Such protection is further enabled in a manner
`that is capable of minimiZing server and client resource
`requirements, does not require pre-installation of security
`code Within a DoWnloadable-destination, and provides for
`client speci?c or generic and readily updateable security mea
`sures to be ?exibly and e?iciently implemented. Embodi
`ments further provide for thWarting efforts to bypass security
`measures (eg by “hiding” undesirable operation causing
`information Within apparently inert or otherWise “friendly”
`doWnloadable information) and/or dividing or combining
`security measures for even greater ?exibility and/or e?i
`ciency.
`Embodiments also provide for determining protection
`policies that can be doWnloaded and/or ascertained from
`other security information (eg broWser settings, administra
`tive policies, user input, uploaded information, etc.). Differ
`ent actions in response to different DoWnloadable operations,
`clients, users and/or other criteria are also enabled, and
`embodiments provide for implementing other security mea
`sures, such as verifying a doWnloadable source, certi?cation,
`authentication, etc. Appropriate action can also be accom
`plished automatically (e.g. programmatically) and/ or in con
`junction With alerting one or more users/ administrators, uti
`liZing user input, etc. Embodiments further enable desirable
`DoWnloadable operations to remain substantially unaffected,
`among other aspects.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`FIG. 1a is a block diagram illustrating a netWork system in
`accordance With an embodiment of the present invention;
`FIG. 1b is a block diagram illustrating a netWork sub
`system example in accordance With an embodiment of the
`invention;
`FIG. 10 is a block diagram illustrating a further netWork
`sub system example in accordance With an embodiment of the
`invention;
`FIG. 2 is a block diagram illustrating a computer system in
`accordance With an embodiment of the invention;
`FIG. 3 is a How diagram broadly illustrating a protection
`system host according to an embodiment of the invention;
`FIG. 4 is a block diagram illustrating a protection engine
`according to an embodiment of the invention;
`
`

`
`US 7,6l3,926 B2
`
`5
`FIG. 5 is a block diagram illustrating a content inspection
`engine according to an embodiment of the invention;
`FIG. 6a is a block diagram illustrating protection engine
`parameters according to an embodiment of the invention;
`FIG. 6b is a ?ow diagram illustrating a linking engine use
`in conjunction with ordinary, compressed and distributable
`sandbox package utiliZation, according to an embodiment of
`the invention;
`FIG. 7a is a ?ow diagram illustrating a sandbox protection
`system operating within a destination system, according to an
`embodiment of the invention;
`FIG. 7b is a block diagram illustrating memory allocation
`usable in conjunction with the protection system of FIG. 7a,
`according to an embodiment of the invention;
`FIG. 8 is a block