United States Patent [19]
Tajalli et al.

[11] Patent Number: 5,361,359
[45] Date of Patent: Nov. 1, 1994
US005361359A

[54] SYSTEM AND METHOD FOR CONTROLLING THE USE OF A COMPUTER

[75] Inventors: Homayoon Tajalli, Ellicott City; Mark L. Badger; David I. Dalva, both of Rockville; Stephen T. Walker, Glenwood, all of Md.
[73] Assignee: Trusted Information Systems, Inc., Glenwood, Md.
[21] Appl. No.: 937,424
[22] Filed: Aug. 31, 1992
[51] Int. Cl.5 ............ H04L 9/00
[52] U.S. Cl. ............ 395/700; 364/DIG. 2; 364/918.7; 340/825.31
[58] Field of Search ............ 395/650, 700; 364/969.4, 969.3, 246.6, 246.9

[56] References Cited

U.S. PATENT DOCUMENTS
3,827,029 7/1974 Schlotterer et al. ...... 340/172.5
4,200,770 4/1980 Hellman et al. ...... 178/22
4,757,533 7/1988 Allen et al. ...... 380/25
4,885,789 12/1989 Burger et al. ...... 380/25
4,918,653 4/1990 Johri et al. ...... 364/900
5,012,515 4/1991 McVitie ...... 380/49
5,032,979 7/1991 Hecht et al. ...... 364/200
5,224,160 6/1993 Paulini et al. ...... 395/425
5,263,147 11/1993 Francisco et al. ...... (class not captured; a stray value 380/4 appears in the scan)
5,272,754 12/1993 Boerbert ...... 380/25

FOREIGN PATENT DOCUMENTS
0325776A2 8/1989 European Pat. Off.
0432333A1 6/1991 European Pat. Off.
0468625A2 1/1992 European Pat. Off.

OTHER PUBLICATIONS
IBM Technical Disclosure Bulletin, vol. 34, No. 8, Jan. 1992, New York, US; pp. 214-215; Mechanism for Trusted Computing Base Isolation.
Final Evaluation Report, Secure Communications Processor (SCOMP), Release 2.1, CSC-EPL-85/001, 1985.
Saydjari, et al., Locking Computers Securely, 10th National Computer Security Conference Proceedings, 21-24 Sep. 1987.
Maria M. King, Identifying and Controlling Undesirable Program Behaviors, 14th National Computer Security Conference, Oct. 1-4, 1991, Omni Shoreham Hotel, Washington, DC.
Russell Davis, PRC, Inc., Peeling the Viral Onion, 14th National Computer Security Conference, Oct. 1-4, 1991, Omni Shoreham Hotel, Washington, DC.
Final Evaluation Report of International Business Machines Corporation, VM/SP with RACF, 28 Sep. 1989, National Computer Security Center, CSC-EPL-89/005.
Final Evaluation Report of Unisys Corporation, OS 1100, Sep. 27, 1989, National Computer Security Center, CSC-EPL-89/004.
Final Evaluation Report of Digital Equipment Corporation, VAX/VMS Version 4.3, 30 Jul. 1986, National Computer Security Center, CSC-EPL-86/004.
Final Evaluation Report of Trusted Information Systems Incorporated, Trusted Xenix, 22 Jan. 1991, National Computer Security Center, CSC-EPL-91/003, C-Evaluation No. 01-92.
Operating Systems by H. M. Deitel, pp. 535, 541, 542, 1990.
Unix System Security by Rik Farrow, 1990, pp. 9-12, 55, 56, 203-205.

Primary Examiner: Gareth D. Shaw
Assistant Examiner: Michael T. Richey
Attorney, Agent, or Firm: Sterne, Kessler, Goldstein & Fox

[57] ABSTRACT

A system and method for auditing and controlling the use of a computer. An operating system and selected programs and data, referred to as approved applications and approved data, are stored on a protected media which cannot be modified by any ordinary user or application program, regardless of operating system privilege. The protected media can be modified by the operating system, as well as by an administrator using a trusted path mechanism. The trusted path mechanism establishes a reliable communication channel between the administrator and the computer system. The present invention may be configured to collect user audit data concerning user activity and system status and to write the audit data to the protected media. Also, the present invention may be configured to limit execution of application programs to the approved applications.

33 Claims, 10 Drawing Sheets

[Front-page drawing: reduced copy of FIG. 1; only the labels 118 and 119 and the words "User Media" are legible in the scan.]

Palo Alto Networks, Inc. - Exhibit 1093 - Page 1
Palo Alto Networks, Inc. v. Finjan, Inc., IPR2016-00159
[FIG. 1 (Sheet 1 of 10): block diagram of the HI system with the protected media and the user media internal to the system cabinet. Legible labels: Memory 110, CPU 112, Interface Ports 114, TPM 116, Protected Media 118, User Media 119, a Terminal, Administrator 126 and Ordinary User 128; reference numerals 109, 120 and 124 also appear.]
[FIG. 2 (Sheet 2 of 10): block diagram of the Protected Media (PM) 118. Operating System Portion 210 holds the Operating System 215, Kernel 216, Boot Program 218, Operating System Programs 219 and Trusted Path Programs 220; Swap/Page Portion 212; Application/Data Portion 214 holds Approved Applications 222 and 224 and Approved Data 226 and 228.]
[FIG. 3 (Sheet 3 of 10): block diagram of the HI system with the protected media and the user media external to the system cabinet. Legible labels: Memory 110, CPU 112, Interface Ports 114, TPM 116, Protected Media 118 and User Media, each media attached through its own interface port; numerals 120 and 124 also appear.]
[FIG. 4B (Sheet 4 of 10): flowchart, second part of the HI system initialization. Legible steps: 422 administrator requested single user mode? (NO/YES); 424; 426 receive request from administrator; requested multi-user mode? (YES); 430 mount root file system read only; 432 mount user file system(s) read/write; execute command; process non-administrative requests of administrator and ordinary user; 436 administrator requested single user mode? (NO/YES); 438 remount root file system read/write.]
[Sheet 5 of 10: flowchart of the boot sequence (the caption is not captured in the scan; the Brief Description of the Drawings lists this as FIG. 4A, the first part of the HI system initialization). Legible steps: ROM determines the boot device; load the boot program and execute it; boot loads the kernel into memory and executes it; kernel initializes all devices; kernel loads root file system from PM and mounts read/write; kernel runs /etc/init. Numerals 410, 412, 414, 416, 418 and 420 appear on the sheet.]
[FIG. 5 (Sheet 6 of 10): Memory 110 divided into the AP Protection State 510, holding Application Programs 514 (three shown), and the OS Protection State 512, holding operating system processes 516.]
[FIG. 6 (Sheet 7 of 10): application programs 514 reach the Kernel 216 only through kernel entry points 612; the kernel in turn accesses the Protected Media 118 and other attached devices such as terminals and disk drives 614. Two access paths are labelled: file system access (/etc/audit_config) and device access (/dev/kmem). Numeral 610 also appears.]
[FIG. 7 (Sheet 8 of 10): block diagram of the Protected Media (PM) 118 of the AA system. Operating System Portion 210 holds the Operating System 215, Kernel 216, Boot Program 218, Operating System Programs 219 and Trusted Path Programs 220; Swap/Page Portion 212; Audit Portion 710 holds the audit log 712 and the audit configuration data 714.]
[FIG. 8 (Sheet 9 of 10): flowchart of the auditing method of the AA system. Legible steps: 810 user request to AA system; 812 process the request; 814 is the request in the set of requests to be audited? (YES); 816 extract information about the associated program, user, and objects, if any; is there room on the PM to record the new information? (NO: consult audit configuration data); 820 write extracted information into an audit log on the PM.]
[FIG. 9 (Sheet 10 of 10): flowchart of the execution control method of the CE system. Legible steps: 910 currently running program requests to execute another program by calling the exec system call; 912 the kernel examines the path name passed to the exec system call; does the application reside on the PM? (NO: return a no_access error code; YES: load the requested program into memory from the PM and start it running). Numerals 916 and 918 also appear.]
SYSTEM AND METHOD FOR CONTROLLING THE USE OF A COMPUTER

CROSS-REFERENCE TO OTHER APPLICATIONS

The following application of common assignee contains some common disclosure and is believed to have the same effective filing date as the present invention: SYSTEM AND METHOD FOR CONTROLLING THE USE OF A COMPUTER AT A REGULATED SITE.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to controlling the use of a computer system and, more particularly, to a system and method for restricting access to specified application programs and/or data and to reliably auditing computer usage.

2. Related Art

Computer Security

Many organizations (e.g., businesses, government agencies) wish to control how data will be processed or stored by computer systems that are owned, operated by, or otherwise related to the organizations. The field of computer security is broadly concerned with designing and building computer systems that permit organizations that employ computer systems to control how data is processed using the computing systems according to particular security policies. A security policy (in this context) is a set of rules about how data may be processed.

The need to control how computer systems are used is related to organizational goals. For example, a business might want to protect inventory records from unauthorized modifications; a government agency processing sensitive information might want to control access to data so that users can only access information according to their security clearances. To allow organizations control over their computer systems, many conventional computer systems provide security controls that allow a computer system administrator to limit the actions that may be taken by users of the computer system. Security controls fall broadly into two groups: discretionary controls and mandatory controls.

Discretionary security controls are generally based on the identity of users as they are known to a computer system and the “ownership of” or “control over” data stored for particular users by the computer system. Each user can employ discretionary controls to reduce the access of other users to data that is owned or controlled by that user. A weakness of discretionary controls is that, in conventional computer systems, each application program that is executed by a user possesses all of that user’s discretionary rights and can use those rights to change controls on the user’s data contrary to the user’s wishes. An application program that is designed to do this is known as a “Trojan Horse” program because it often performs an undesirable function without the user’s knowledge.

Mandatory security controls are generally based on some computer system-maintained attribute of users and the data that users access. Often, this attribute is a “security level” that is used by the computer system to decide if a particular user may access data stored on the computer system. For instance, a user with a “Confidential” clearance may be prohibited access to data that is classified as “Top Secret.”
The mandatory and discretionary controls are implemented, at least in part, by an operating system of the computer system. The operating system is a body of software that controls (i.e., manages the usage of) physical resources such as central processing units (CPUs), random access memory (RAM) (also referred to as “memory”), disk drives, networks, monitors, etc. By managing these resources, the software provides a way for users and application programs to use the resources in a more convenient way. The operating system includes a kernel, or resident portion, that is always in RAM. The kernel acts as the “traffic cop” to manage both other parts of the operating system and the application programs. Additionally, the operating system usually includes numerous utility programs that are to be used only by an “administrator”.

As used in this document, an “administrator” is a user or organization with current authority to perform system administrative functions such as maintaining and updating the operating system, whereas an “ordinary user” is a person who currently lacks such authority. Note that the same person could at some times be an administrator and at some times be an ordinary user. For example, a person may be an administrator when logged in with one login name and password, and an ordinary user when logged in with a different login name and password. In different systems, various procedures are used by administrators and ordinary users to take on their respective roles.

The operating system utilities may be distinct from the application programs. Although the dividing line between the two can be somewhat fuzzy, an operating system utility generally is distributed as part of an operating system, and maintains and supports the functions of the operating system. Also, an operating system utility may require special privileges (only possessed by the administrator) to perform its function. An application program, on the other hand, is a program that is designed to address a specific problem domain and that “uses” the services provided by the operating system.

A single program can be both an operating system utility and an application program, depending on how it is used. When executed by an administrator and with the privileges to perform its intended function, it is an operating system program. When executed by an ordinary user with no special privilege, it is an application program.

Most multi-user computer systems provide some discretionary security controls. Additionally, a number of computer systems provide mandatory controls and a set of features that facilitate the administration of computer security policies. The Trusted Computer Security Evaluation Criteria (TCSEC) is a National Computer Security Center (NCSC) standard for evaluating computers that provide security features. The TCSEC, also known as the “Orange Book”, is fully described in the National Computer Security Center, Department of Defense Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, Dec. 1985. The TCSEC has been used to evaluate numerous computer systems, including Multics, SCOMP, and Trusted XENIX.

Computer systems that provide access controls also must provide privileges that allow the controls to be overridden for system maintenance, software installation, etcetera. In the Unix operating system, for example, every process has an identifier that indicates the user for which the process is running. (Unix is a registered trademark of Unix System Laboratories, Inc. Different versions of Unix are commercially available from a number of sources.) Many Unix access controls are relaxed for a process running as the administrator (also called the root user). In other operating systems, such as VAX VMS, privilege is also associated with processes. (VAX VMS is a product of Digital Equipment Corporation.)
Although computer systems found to be trusted according to the TCSEC provide strong controls over the use of privilege, such systems are prohibitively expensive for many applications.

Most conventional operating systems (including Unix) control privilege using only discretionary access controls. Controlling privilege using discretionary access controls is a serious deficiency in conventional systems because discretionary controls do not provide high assurance that ordinary users cannot obtain inappropriate privileges and then use those privileges to modify the operating system or the applications. A typical example of a potential circumvention of discretionary access controls occurs when the password of a privileged user is observed. This is not an unusual occurrence, as passwords are notoriously difficult to keep secret. This deficiency is a particular concern for computer systems that are exposed to network-based attacks, because an intruder can obtain total control over a remote system.

Conventional mandatory and discretionary security controls assume an operating environment where ordinary users and application programs are potentially malicious. In such an environment, it is the responsibility of the computer system (and its administrators) to ensure that malicious programs or ordinary users cannot disrupt organizational goals. Conventionally, the computer system and administrators focus primarily on protecting data that is stored or processed on the computer system, and on protecting the continuous availability of the computer system.

Because conventional security controls make this assumption, they do not adequately support policies that prohibit execution of certain programs or algorithms. Execution control policies could provide significant benefits both for improved utilization of computer resources and data protection. For instance, execution control can prevent the execution of programs that might misuse computing resources. Furthermore, execution control can prevent the execution of programs that might attack the traditional mandatory and discretionary controls.

Certain execution control policies can be implemented through suitable configuration of mandatory and discretionary access controls of a conventional system. On some conventional systems, the administrator can configure the discretionary controls to prevent ordinary users from executing any but a preselected set of programs. For example, a Unix system can be configured to allow ordinary users to execute only a specified set of application programs. One way to accomplish this is where the administrator removes execute access from all programs except for those in the specified set, and then removes write and read discretionary access from these programs. Such an execution control policy is not practical, however, because almost all useful systems require applications (e.g., text editors) that allow ordinary users to create arbitrary files. Once files are created, it is possible (under Unix and under most operating systems) to execute them as new programs.

Some operating systems allow any file to be executed (e.g., MS-DOS). Others, including Unix, however, require that files be designated as “executable” before an ordinary user can execute them. Using this feature, it would appear that execution control could be achieved by making small changes to an operating system to prevent ordinary users (other than the root ordinary user) from ever adding execute status to a file. With this modification, however, the strength of the execution control would depend on the proper use of the root user id. That is, the strength would depend on the discretionary controls that are available to the root user. As discussed above, discretionary controls are vulnerable to Trojan Horse attacks.

A typical Trojan Horse attack in a Unix system involves an unauthorized ordinary user gaining root access. Numerous Unix processes usually run with the root id. Using a discretionary control based solution would make execution controls dependent on the correctness of all of those programs. Installing new versions of programs that run with the root privilege is a typical system administrative task. The introduction of any corrupted program would render the execution controls ineffective for the entire system. The execution control policies available with conventional operating systems thus do not adequately assure system security.

Often, a malicious ordinary user (called an attacker) relies on the ability to create and execute malicious programs on the target computer system. A first technique the attacker often uses is to create a Trojan Horse program that performs an apparently useful function and then saves the access rights of its ordinary user. Once a “victim” ordinary user runs the program, his access rights are saved in the form of a new executable program that runs with the victim’s attributes when executed by the attacker. A second technique the attacker may use is to take advantage of errors in access controls or other system services so as to enable him to manipulate the operating system to his advantage. Often, these errors can only be exploited by writing a Trojan Horse program. A system with a strong mechanism for controlling execution could prevent the attacker from creating and executing programs, and could therefore prevent penetration by these two common techniques.

A related deficiency in the conventional art is that, once an attacker has penetrated a system, he can often “erase his footprints” by altering system logs that might reveal the attack. The privileges that enabled the attacker to penetrate the system commonly enable him to modify such logs.

The deficiencies in the conventional techniques for controlling how computers are used indicate that what is needed is a computer system which enables an administrator to reliably control what application programs are executed, and which provides the administrator with a reliable audit trail of how it has been used.

Computer Viruses

Another vulnerability of conventional computer systems is infection by computer viruses. A computer virus is a program that replicates itself by inserting copies of itself (or some derivation of itself) into existing programs. A program is said to be infected when it has been so modified. When an infected program is run, it executes the viral code that usually attempts to infect more programs.
In addition to propagating, virus programs may perform other functions. Although these functions may be beneficial, virus programs are generally malicious and take advantage of their stealth to alter program behavior in undesirable ways without the knowledge of ordinary users.

To reduce the chance of detection, a virus usually attempts to avoid infecting programs multiple times (which would increase the program size without bound). To avoid multiple infections, viruses typically add a “virus signature” to infected programs. Before infecting a program, a virus checks for its signature to determine if the program is already infected.

Virus countermeasures fall into two groups: infection prevention and infection detection (and removal). Most anti-virus products (e.g., Norton Antivirus, available from Norton Utilities, Inc. and Flu-shot, available from Semantec, Inc.) perform virus detection by scanning executable files for particular virus signatures and by computing checksums. Other detection methods are presented in M. M. King, “Identifying and Controlling Undesirable Program Behaviors,” Proceedings of the 14th National Computer Security Conference, Oct. 1-4, 1991, Washington, DC, pp. 283-294; as well as in R. Davis, “Peeling the Viral Onion,” Proceedings of the 14th National Computer Security Conference, Oct. 1-4, 1991, Washington, DC, pp. 417-426. There are no reliable software-based forms of virus prevention. Two serious deficiencies of current anti-virus techniques are thus that virus code may execute before a virus is detected, and that viruses whose signatures or behaviors are not known to the detection program may not be detected.

Typically, virus propagation is slowed but not completely impeded by discretionary controls. The reason is that viruses take on the discretionary abilities of the ordinary users that (unknowingly) execute the virus programs. (A virus can be viewed as a special kind of Trojan Horse program.) When a privileged user executes a virus-infected program, other programs may become vulnerable.

A possible approach to controlling virus propagation is to prevent insertion to, modification to, or removal of an approved set of executable programs. Such an approach would not prevent all kinds of viruses. For instance, some viruses are in programs that are not directly executed by a machine’s CPU, but are instead “interpreted” by a directly executable program. Such viruses are “data” as far as the computer operating system is concerned, and it is not currently feasible to identify the kinds of data that might be interpreted as programs by other programs. Some conventional computer systems attempt to prevent virus attacks by storing executable programs in files and protecting the files from unauthorized reading, writing, creation or deletion using discretionary access controls. As has been noted above, discretionary access controls do not provide strong protection, and therefore do not adequately control the spread and other damaging effects of viruses.

The deficiencies of the conventional techniques for controlling viruses indicate that what is needed is a computer system which prevents the infection of computer systems and the spread of viruses.

SUMMARY OF THE INVENTION

The present invention addresses the deficiencies of the conventional computer systems described above by providing restrictions which cannot be changed by any application program or ordinary user, regardless of the privileges or attributes given to the application program or ordinary user by the underlying operating system. These restrictions enable modification of the operating system kernel and of any selected operating system programs, application programs, and/or data to be limited to an administrator.

The administrator designates the restrictions for programs and data through a trusted path mechanism (TPM). The TPM provides a reliable communication channel between the administrator and the underlying operating system. Use of the TPM assures the administrator that his administrative actions are not intercepted or modified by malicious application programs, and assures the underlying operating system that administrative actions are issued only by the administrator.

There is an inherent tradeoff in computer systems between the desired levels of security, flexibility and cost. The levels of these three factors are varied in three embodiments of the invention. The preferred embodiment for a particular use depends on the trustworthiness of the ordinary users, the resources that may be available to potential attackers, the threats to which the system will be exposed, and the intended applications to be run on the system.

A first embodiment, called a High Integrity (HI) system, provides protection from system penetrations and from either malicious or unintentional modifications of the underlying operating system. It provides protection of any number of selected application programs and selected data. The selected application programs are referred to as approved applications and the selected data are referred to as approved data. An example of the selected data is a Unix file. A collection of zero or more approved applications is referred to as an approved application set, and a collection of zero or more approved data is referred to as an approved data set. The operating system, the approved applications and the approved data are stored on a protected media (PM) to which the ordinary user and application programs cannot write.

The HI system enables the administrator to write to the PM. The administrator can therefore maintain and upgrade the operating system and can specify the approved applications and data. The HI system uses a Trusted Path Mechanism (TPM) to positively identify the administrator, and can therefore reliably limit PM write permission to him. The PM may not be the only media available to an HI system. Additional, unprotected media are designated user media (UM). A UM may hold user programs and data that users can modify without using a TPM.

The HI system assures the integrity of the operating system, the approved applications and the approved data while still enabling the ordinary user to create and execute application programs and to modify application programs and data which are not on the protected media. The HI system can therefore be used to protect certain critical applications and data without compromising system flexibility for non-critical applications and data.

A second embodiment is an Assured Audit (AA) system which collects audit information about the activities of ordinary users and application programs. As with the HI embodiment, the AA system employs a TPM and a PM. Using the TPM, the administrator specifies the nature of the audits by specifying audit configuration data. The AA system collects audit information as specified by the configuration data and generates audit logs from the information. Both the configuration data and the audit logs are stored on the PM. Therefore, application programs and ordinary users (other than the administrator) are prevented from disabling the auditing specified by the administrator and from erasing or modifying the audit data collected. The AA system thereby enables the administrator to accurately monitor system uses, to the extent he desires. The AA system provides a high level of flexibility, as it permits ordinary users to create, modify and execute application programs which do not interfere with the auditing.

A third embodiment, referred to as a Controlled Execution (CE) system, has all of the elements and functions of the HI system, plus an additional feature. The CE system prevents ordinary users and application programs from executing any application program which is not an approved application program.

The various embodiments of the invention provide the following benefits:

HI System: Provides protection to both the operating system and selected application programs and/or data from changes introduced by system break-ins or malicious app

[The rest of this column is not captured in the scan.]

A benefit inherent in all of the embodiments of the present invention is its broad applicability. The HI, CE and AA systems can be built using any underlying operating system that has at least two protection states that generally prevents application programs and ordinary users from normally modifying the operating system. This makes the invention relatively generic to operating systems.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a block diagram of the high integrity (HI) system in which a protected media and a user media are internal to the system cabinet.
FIG. 2 shows a block diagram of the protected media of the HI system and of the CE system.
FIG. 3 shows a block diagram of the HI system in which a protected media and user media are external to the system cabinet.
FIGS. 4A and 4B show a flowchart of the method of initialization of the HI system.
FIG. 5 depicts the two protection states of an underlying operating system of FIG. 1.
FIG. 6 depicts the kernel-provided access points (to memory and to devices) of the underlying operating system.
FIG. 7 shows a block diagram of a protected media of an assured audit (AA) system.
FIG. 8 shows a flowchart of the method of auditing of the AA system.
FIG. 9 shows a flowchart of the method of controlling execution of the CE system.
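The three rules the summary describes (the HI rule that only the administrator, over the trusted path, may write the PM; the AA decision of FIG. 8 to record an audited request or consult the configuration data when the PM is full; and the CE check of FIG. 9 that the exec path name must reside on the PM) as one runnable model. This is an added example written for this page, not code from the patent or from Trusted Information Systems. Everything the patent does not specify is an assumption and is marked as such in the code: the PM is mounted at /pm and the user media at /um, the TPM is stood in for by a TrustedPathSession object that only the administrator holds, the PM has room for AUDIT_CAPACITY audit records, the audit configuration data carries a "when_full" policy, and the path name is canonicalised before the media check (the patent says only that the kernel examines the path name).

```python
"""Toy model of the HI, CE and AA mechanisms of US 5,361,359.

Added example written for this page; not code from the patent or from
Trusted Information Systems. Assumptions not taken from the patent: the
protected media (PM) is mounted at /pm, the TPM is modelled by a
TrustedPathSession object that only the administrator holds, the PM has
room for AUDIT_CAPACITY audit records, and the audit configuration data
carries a "when_full" policy deciding what happens when the PM is full.
"""
from posixpath import join, normpath   # POSIX path rules regardless of host OS

PM_MOUNT = "/pm"        # assumed mount point of the protected media
AUDIT_CAPACITY = 3      # assumed: audit records that fit on the PM


class TrustedPathSession:
    """Stand-in for the trusted path mechanism (TPM): holding one means the
    request provably came from the administrator, not from a program acting
    with the administrator's discretionary rights."""

    def __init__(self, admin_name):
        self.admin = admin_name


def canonical(path, cwd="/"):
    """Resolve '.', '..' and relative names before deciding which media a
    path lives on (added here; the patent only says the kernel examines the
    path name). Checking the raw string would let /pm/../um/x pass."""
    if not path.startswith("/"):
        path = join(cwd, path)
    return normpath(path)


def on_protected_media(path, cwd="/"):
    p = canonical(path, cwd)
    return p == PM_MOUNT or p.startswith(PM_MOUNT + "/")


class ProtectedMedia:
    """PM contents: approved applications plus the audit portion of FIG. 7."""

    def __init__(self):
        self.files = {}                       # canonical path -> program image
        self.audit_log = []                   # audit log (FIG. 7, 712)
        self.audit_config = {                 # audit configuration data (714)
            "audited": {"exec", "write"},     # request kinds to be audited
            "when_full": "refuse",            # assumed policy: refuse or drop
        }

    def admin_write(self, session, path, data):
        """HI rule: only the administrator, over the trusted path, may modify
        the PM; ordinary users and application programs get no_access no
        matter what operating-system privilege they hold."""
        if not isinstance(session, TrustedPathSession):
            return "no_access"
        self.files[canonical(path)] = data
        return "ok"

    def audit(self, kind, user, program, objects=()):
        """AA rule (FIG. 8): record audited requests on the PM; when there is
        no room, consult the configuration data. Returns whether the request
        may proceed."""
        if kind not in self.audit_config["audited"]:
            return True                       # not audited, process normally
        if len(self.audit_log) >= AUDIT_CAPACITY:
            # fail closed under the assumed "refuse" policy, otherwise drop
            return self.audit_config["when_full"] != "refuse"
        self.audit_log.append({"kind": kind, "user": user,
                               "program": program, "objects": tuple(objects)})
        return True


def exec_request(pm, user, caller, path, cwd="/"):
    """CE rule (FIG. 9): the kernel looks at the path passed to exec and
    returns no_access for anything that does not reside on the PM."""
    if not on_protected_media(path, cwd):
        return "no_access"
    target = canonical(path, cwd)
    if target not in pm.files:
        return "no_access"                    # nothing to load from the PM
    if not pm.audit("exec", user, caller, [target]):
        return "no_access"                    # audit refused (PM full)
    return "running:" + target


def demo():
    """Constructed scenario: the administrator installs an approved editor,
    a write without the TPM is refused, and exec requests are filtered."""
    pm = ProtectedMedia()
    admin = TrustedPathSession("admin")
    return [
        pm.admin_write(admin, "/pm/bin/editor", b"approved image"),
        pm.admin_write(None, "/pm/bin/editor", b"tampered image"),
        exec_request(pm, "alice", "/pm/bin/sh", "/pm/bin/editor"),
        exec_request(pm, "alice", "/pm/bin/sh", "/um/home/alice/unapproved"),
        exec_request(pm, "alice", "/pm/bin/sh", "/pm/../um/home/alice/unapproved"),
        exec_request(pm, "alice", "/pm/bin/sh", "bin/editor", cwd="/pm"),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the module prints the six outcomes of `demo()`: the administrator's write succeeds, the write without a trusted-path session is refused, the approved editor runs, the two user-media paths (including the one that tries to leave /pm through `..`) are refused, and a relative path resolved against a PM working directory is accepted. The `when_full` policy is the one design choice worth arguing about: refusing the request keeps the audit trail complete at the cost of availability, while dropping records keeps the system running but reopens the "erase his footprints" problem the background section describes.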
