111111
`
`1111111111111111111111111111111111111111111111111111111111111
`US00764 7633B2
`
`c12) United States Patent
`Edery et al.
`
`(10) Patent No.:
`(45) Date of Patent:
`
`US 7,647,633 B2
`*Jan. 12,2010
`
`(54) MALICIOUS MOBILE CODE RUNTIME
`MONITORING SYSTEM AND METHODS
`
`(56)
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`
`(75)
`
`Inventors: Yigal Mordechai Edery, Pardesia (IL);
`Nimrod Itzhak Vered, Goosh Tai-Mond
`(IL); David R. Kroll, San Jose, CA
`(US); Shlomo Touboul, Kefar-Haim (IL)
`
`(73) Assignee: Finjan Software, Ltd., Netanya (IL)
`
`( *) Notice:
`
`Subject to any disclaimer, the term of this
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 917 days.
`
`This patent is subject to a terminal dis(cid:173)
`claimer.
`
`(21) Appl. No.: 11/159,455
`
`(22) Filed:
`
`Jun.22,2005
`
`(65)
`
`Prior Publication Data
`
`US 2006/0026677 Al
`
`Feb.2,2006
`
`Related U.S. Application Data
`
`(63)
`
`Continuation of application No. 09/861,229, filed on
`May 17, 2001, now Pat. No. 7,058,822, and a continu(cid:173)
`ation-in-part of application No. 09/551,302, filed on
`Apr. 18, 2000, now Pat. No. 6,480,962, and a continu(cid:173)
`ation-in-part of application No. 09/539,667, filed on
`Mar. 30, 2000, now Pat. No. 6,804,780.
`
`(60)
`
`Provisional application No. 60/205,591, filed on May
`17,2000.
`
`(51)
`
`(52)
`(58)
`
`Int. Cl.
`G06F 21124
`(2006.01)
`G06F 11130
`(2006.01)
`G06F 15116
`(2006.01)
`U.S. Cl. ........................................................ 726/22
`Field of Classification Search ....................... None
`See application file for complete search history.
`
`5,077,677 A
`
`12/1991 Murphy et al ................. 706/62
`
`(Continued)
`
`FOREIGN PATENT DOCUMENTS
`
`EP
`EP
`
`1091276
`1132796
`
`4/2001
`9/2001
`
`OTHER PUBLICATIONS
`
`Zhong, eta!., "Security in the Large: is Java's Sandbox Scalable?,"
`Seventh IEEE Symposium on Reliable Distributed Systems, pp. 1-6,
`Oct., 1998.
`
`(Continued)
`
`Primary Examiner-Christopher A Revak
`(74) Attorney, Agent, or Firm-King & Spalding LLP
`
`(57)
`
`ABSTRACT
`
`Protection systems and methods provide for protecting one or
`more personal computers ("PCs") and/or other intermittently
`or persistently network accessible devices or processes from
`undesirable or otherwise malicious operations of Java™
`applets, ActiveX™ controls, JavaScript™ scripts, Visual
`Basic scripts, add-ins, downloaded/uploaded programs or
`other "Downloadables" or "mobile code" in whole or part. A
`protection engine embodiment provides, within a server, fire(cid:173)
`wall or other suitable "re-communicator," for monitoring
`information received by the communicator, determining
`whether received information does or is likely to include
`executable code, and if so, causes mobile protection code
`(MPC) to be transferred to and rendered operable within a
`destination device of the received information, more suitably
`by forming a protection agent including the MPC, protection
`policies and a detected-Downloadable. An MPC embodiment
`further provides, within a Downloadable-destination, for ini(cid:173)
`tiating the Downloadable, enabling malicious Downloadable
`operation attempts to be received by the MPC, and causing
`(predetermined) corresponding operations to be executed in
`response to the attempts, more suitably in conjunction with
`protection policies.
`
`41 Claims, 10 Drawing Sheets
`
`400
`
`(
`
`408
`
`401
`
`'""'"
`
`ProlectedPackageEnglne
`
`User, policy, interfacing
`or other infonnalion
`
`Blue Coat Systems - Exhibit 1001
`
`

`
`US 7,647,633 B2
`Page 2
`
`U.S. PATENT DOCUMENTS
`
`5,359,659 A
`5,361,359 A
`5,414,833 A
`5,485,409 A
`5,485,575 A
`5,572,643 A
`5,579,509 A
`5,606,668 A *
`5,623,600 A *
`5,638,446 A
`5,675,711 A
`5,692,047 A
`5,692,124 A
`5,720,033 A
`5,724,425 A
`5,740,248 A
`5,740,441 A
`5,761,421 A
`5,765,205 A
`5,784,459 A
`5,796,952 A
`5,805,829 A
`5,832,208 A
`5,832,274 A
`5,850,559 A
`5,859,966 A
`5,864,683 A
`5,881,151 A
`5,884,033 A
`5,892,904 A
`5,951,698 A
`5,956,481 A
`5,963,742 A
`5,974,549 A *
`5,978,484 A
`5,983,348 A *
`5,987,611 A
`6,088,801 A
`6,088,803 A
`6,092,194 A *
`6,154,844 A *
`6,167,520 A *
`6,339,829 Bl
`6,425,058 Bl
`6,434,668 Bl
`6,434,669 Bl
`6,480,962 Bl *
`6,487,666 Bl
`6,519,679 B2
`6,598,033 B2
`6,732,179 Bl*
`6,804,780 Bl *
`6,917,953 B2
`7,058,822 B2 *
`7,210,041 Bl
`7,343,604 B2
`7,418,731 B2
`2004/0073811 Al
`2004/0088425 Al
`2005/0172338 Al
`2006/0031207 Al
`
`10/1994 Rosenthal ... .. ... ... ... ... .. . 726/24
`1111994 Tajalli et a!.
`.................. 726/23
`5/1995 Hershey eta!. ............... 726/22
`.................. 726/25
`111996 Gupta et a!.
`111996 Chess eta!. ................... 714/38
`1111996 Judson ....................... 709/218
`1111996 Furtney et al ................. 703/27
`2/1997 Shwed ........................ 726/13
`4/1997 Ji et a!. ......................... 726/24
`6/1997 Rubin ......................... 705/51
`10/1997 Kephart eta!. ................ 706/12
`1111997 McManis .................... 713/167
`1111997 Holden et al ................... 726/2
`211998 Deo .. ... ... ... .. ... ... ... ... .. ... 726/2
`3/1998 Chang et al ................... 705/52
`................ 713/156
`4/1998 Fieres eta!.
`4/1998 Yellin et al .................. 717/134
`6/1998 van Hoff eta!.
`............ 709/223
`6/1998 Breslau eta!. .............. 7111203
`7/1998 Devarakonda eta!. ...... 713/165
`8/1998 Davis et al .................. 709/224
`9/1998 Cohen et al ................. 709/202
`1111998 Chen et a!. .................... 726/24
`1111998 Cutleretal. ................ 717/171
`12/1998 Angelo et al ................ 713/320
`111999 Hayman eta!. ............... 726/23
`111999 Boebert et a!. .............. 709/249
`3/1999 Yamamoto ................... 726/24
`3/1999 Duvall eta!. ................ 709/206
`4/1999 Atkinson et al ............... 726/22
`9/1999 Chen eta!. .................... 714/38
`9/1999 Walsh eta!. .................. 726/23
`10/1999 Williams .................... 717/143
`10/1999 Golan .. ... ... .. ... ... ... ... .. . 726/23
`1111999 Apperson eta!. ............. 705/54
`1111999 Ji ... ... ... ... ... .. ... ... ... ... .. . 726113
`1111999 Freund .......................... 726/4
`7/2000 Grecsek ... .. ... ... ... ... ... .. ... 726/1
`7/2000 Tso et al ....................... 726/22
`7/2000 Touboul
`...................... 726/24
`1112000 Touboul et a!.
`............... 726/24
`12/2000 Touboul
`...................... 726/23
`112002 Beadle eta!. ................. 726/15
`7/2002 Arimilli eta!. .............. 7111134
`8/2002 Arimilli eta!. .............. 7111128
`8/2002 Arimilli eta!. .............. 7111128
`.. ... .. ... ... ... ... .. . 726/22
`1112002 Touboul
`1112002 Shanklin et a!. ............... 726/23
`2/2003 Devireddy eta!. .......... 7111114
`7/2003 Ross eta!. .................... 706/46
`5/2004 Brown eta!. ................ 709/229
`10/2004 Touboul
`..................... 713/181
`7/2005 Simonet al ................. 707/204
`6/2006 Edery eta!. ................... 726/22
`4/2007 Gryaznov eta!. ........... 713/188
`3/2008 Grabarnik et al ............ 719/313
`.. ... .. ... ... ... ... .. . 726/22
`8/2008 Touboul
`4/2004 Sanin .......................... 726/13
`5/2004 Rubinstein et a!. .......... 709/230
`8/2005 Sandu eta!. .................. 726/22
`2/2006 Bjarnestam eta!. ............ 707/3
`
`OTHER PUBLICATIONS
`
`Rubin, eta!., "Mobile Code Security," IEEE Internet, pp. 30-34, Dec.,
`1998.
`Schmid, eta!. "Protecting Data From Malicious Software," Proceed(cid:173)
`
`ing of the 181h Annual Computer Security Applications Conference,
`pp. 1-10, 2002.
`Corradi, et al., "A Flexible Access Control Service for Java Mobile
`Code," IEEE, pp. 356-365, 2000.
`
`International Search Report for Application No. PCT /IB97 /01626, 3
`pp., May 14, 1998 (mailing date).
`International Search Report for Application No. PCT/IL05/00915, 4
`pp., March 3, 2006.
`Written Opinion for Application NO. PCT/IL05/00915, 5 pp., Mar. 3,
`2006 (mailing date).
`International Search Report for Application No. PCT /IBO 1101138,
`44 pp., Sep. 20, 2002 (mailing date).
`International Preliminary Examination Report for Application No.
`PCT/IBO 1101138, 2 pp., dated Dec. 19, 2002.
`Gerzic, Amer, "Write Your Own Regular Expression Parser," Nov.
`17, 2003, 18 pp.,.
`Power, James, "Lexical Analysis," 4 pp., May 14, 2006, Retrieved
`from the Internet:.
`Sitaker, Kragen "Rapid Genetic Evolution of Regular Expression"
`[online], The Mia! Archive, Apr. 24, 2004 (retrieved on Dec. 7, 2004),
`5 pp.,.
`"Lexical Analysis: DFA Minimization & Wrap Up" [online], Fall,
`2004 [retrieved on Mar. 2, 2005], 8 pp.,.
`"Minimization ofDFA" [online], [retrieved on Dec. 7, 2004], 7 pp.,
`Retrieved from the Internet:
`"Algorithm: NFS -> DFA" [online], Copyright 1999-2001 [retrieved
`on Dec. 7, 2004], 4 pp.,.
`"CS 3813: Introduction to Formal Languages and Automata- State
`Minimization and Other Algorithms for Finite Automata," [retrieved
`on May 11, 2003], 38 pp.
`Watson, Bruce W., "Constructing Minimal Acyclic Deterministic
`Finite Automata," [retrieved on Mar. 20, 2005], 38 pp.
`Chang, Chia-Hsiang, "From Regular Expression to DFA's Using
`Compressed NFA's," Oct., 1992, 243 pp.
`"Products," Articles published on the Internet, "Revilutionary Secu(cid:173)
`rity for a New Computing Paradigm" regarding SurfinGate™, 7 pp.
`no date provided.
`"Release Notes for the Microsoft, ActiveX Development Kit," Aug.
`13, 1996, activex.adsp.or.jp/inetsdk/readme.txt, pp. 1-10.
`Doyle et al., "Microsoft Press Computer Dictionary," Microsoft
`Press, 2d Edition, pp. 137-138, 1993.
`Finjan Software Ltd., "Powerful PC Security for the New World of
`Java™ and Downloadables, SurfinShield™ " Article published on
`the Internet by Fin jan Software Ltd., 2 pp. 1996.
`Finjan Sofrtware Ltd., "Finjan Announces as Personal Java™
`Firewall for Web Browsers- The SurfinShield™ 1.6 (formerly known
`as SurfinBoard)," Press Release of Fin jan Releses SurfinShield 1.6,
`pp., Oct. 21, 1996.
`Finjan Software Ltd., "Finjan Announces Major Power Boost and
`New features for SurfinShield™ 2.0," Las Vegas Convention Center/
`Pavillion 5 P5551, 3 pp., Nov. 18, 1996.
`Finjan Software Ltd., "Finjan Software Releases SurfinBoard, Indus(cid:173)
`try's Fist JAVA Security Product for the World Wide Web," Article
`published on the Internet by Finjan Software Ltd., lp., Jul. 29, 1996.
`Finjan Software Ltd., "Java Security: Issues & Solutions," Article
`published on the Internet by Fin jan Software Ltd., 8 pp. 1996.
`Finjan Software Ltd., Company Profile, "Finjan - Safe Surfing, the
`Java Security Solutions Provider," Article published on the Internet
`by Finjan Software Ltd., 3 pp., Oct. 31, 1996.
`"IBM AntiVirus User's Guide, Version 2.4,", International Business
`Machines Corporation, pp. 6-7, Nov. 15, 1995.
`Khare, R., "Microsoft Authenticode Analyzed" [online], Jul. 22,
`1996 [retrieved on Jun. 25, 2003], 2 pp.
`LaDue, M., Online Business Consultant: Java Security: Whose Busi(cid:173)
`ness is It?, Article published on the Internet, Home Page Press, Inc.,
`4 pp., 1996.
`Leach, Norvin, eta!., "IE 3.0 Applets Will Earn Certification," PC
`Week, vol. 13, No. 29, 2 pp., Jul. 22, 1996.
`Moritz, R., "Why We Shouldn't Fear Java," Java Report, pp. 51-56,
`Feb., 1997.
`Microsoft, "MicrosoftActiveX Software Development Kit" [online],
`Aug. 12, 1996 [retrieved on Jun. 25, 2003], pp. 1-6.
`Microsoft® Authenticode Technology, "Ensuring Accountability
`and Authenticity for Software Components on the Internet,"
`
`

`
`US 7,647,633 B2
`Page 3
`
`Microsoft Corporation, Oct., 1996, including Abstract, Contents,
`Introduction, and pp. 1-10.
`Microsoft Corporation, Web Page Article "Frequently Asked Ques(cid:173)
`tions About Authenticode," last updated Feb. 17, 1997, printed Dec.
`23, 1998.
`Okamoto, E., eta!., "ID-BasedAuthentication System for Computer
`Virus Detection," IEEE/IEE Electronic Library online, Electronics
`Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract
`andpp. 1169-1170.
`
`Omura, J. K., "Novel Applications of Cryptography in Digital Com(cid:173)
`munications," IEEE Communications Magazine, pp. 21-29, May,
`1990.
`Schmitt, D.A., ".EXE files, OS-2 style," PC Tech Journal, vol. 6, No.
`11, p. 76(13), Nov., 1988.
`Zhang, X. N., "Secure Code Distribution," IEEE/IEE Electronic
`Library online, Computer, vol. 30, Issue 6, pp. 76-79, Jun., 1997.
`D. Grune, et a!., "Parsing Techniques: A Practical Guide," John
`Wiley & Sons, Inc., New York, New York, USA, pp. 1-326,2000.
`* cited by examiner
`
`

`
`U.S. Patent
`
`Jan.12,2010
`
`Sheet 1 of 10
`
`US 7,64 7,633 B2
`
`100
`~
`
`Redundancy Support
`
`Subsystem-1
`(Sandbox Protected)
`
`104
`
`Subsystem-N
`(Unprotected)
`
`Subsystem-M
`(Protected)
`
`104a
`
`"-..
`
`ISP-Server
`
`Server
`
`Protection Engine
`(PE)
`
`142a
`
`ResourceServer-1
`
`Resource-1
`
`ResourceServer-N
`
`Resource-M
`Resource-N
`
`102
`
`103
`
`131
`132
`
`FIG. la
`
`104b
`~
`
`140a
`
`Corporate Server
`
`140b
`
`143
`
`FIG. lb
`
`FIG. lc
`
`

`
`200
`
`~
`
`1 2o2
`
`Processor( s)
`
`Input Device(s)
`
`1 2o3
`
`1 2o4
`Output Device(s)
`
`206
`
`Computer Readable
`Storage Medium
`
`...
`!j. 05
`I
`Computer Readable
`Storage Medium Reader
`
`~
`00
`•
`~
`~
`~
`
`~ = ~
`
`~
`
`~ := ....
`~
`N
`0 ....
`
`0
`
`201\
`
`/207
`
`Communications
`Interface
`
`1 2os
`
`r2o9
`
`Working Memory
`
`r291
`
`I Operating System .
`I Other Programs r 292
`
`Storage
`
`FIG. 2
`
`rFJ =(cid:173)
`('D a
`N
`0 .....
`....
`0
`
`d
`rJl
`-....l
`0..,
`~
`-....l
`0..,
`w
`
`w = N
`
`

`
`300
`~
`
`Server
`
`Firewall
`
`302
`
`,
`
`I
`I
`
`I
`I
`I
`
`Received
`Information
`
`(Non-Executable/
`Executable Info)
`
`320
`
`~
`00
`•
`~
`~
`~
`
`~ = ~
`
`~
`
`~ := ....
`J'J
`N
`0 ....
`
`0
`
`rFJ =(cid:173)
`.....
`
`('D
`('D
`
`(.H
`
`0 .....
`....
`0
`
`d
`rJl
`-....l
`0..,
`~
`-....l
`0..,
`w
`
`w = N
`
`.
`.
`.
`.
`.
`:
`l ____ l ___ t __ _
`' ' l (PE)
`
`----------.
`
`I
`
`I
`I
`
`I
`
`I
`I
`
`Not
`331 ~ Executable
`341 --A--MPC I !
`343 ii XEQ I!
`342 ---t,rPoL-1 !
`(1 I
`340
`\...
`
`...................
`____ ...
`..
`•••' I
`~·--------
`
`y
`303
`
`.
`.
`.
`.
`.
`
`'
`
`'
`•
`
`\
`
`\
`1
`I
`
`' I
`
`I
`
`Protection
`Engine (PE)
`
`310
`
`)
`
`FIG. 3
`
`

`
`400
`
`~
`
`-------------------------------------------------------------------------------, ~?Vr __ ,
`422
`421
`IJI1/
`;II
`-
`
`408
`
`r------~
`
`1
`Security/
`I
`I Authentication , .
`I
`Policies
`1
`
`1
`
`I
`I
`I
`I
`I
`I
`I
`I
`I
`I
`I
`
`-I- -·
`•
`'
`
`402
`
`403
`J{1/
`
`481
`_/1f_
`:y/
`I
`cation : .
`ler-
`1
`•zer
`___ I
`
`Not Executable
`(NXEQ)
`
`Detection Engine
`
`!Inspection Param
`I
`Code Detector
`
`340 341 342 343
`\f\
`\f\
`~ \f\
`II MPC I POL I XEQ ll
`
`-
`....
`
`'
`
`Transfer
`Engine
`
`406
`
`XEQ
`
`,,
`
`Linking
`Engine
`
`N
`405
`
`-
`
`~
`
`Agent Generator
`
`MPCGen.
`
`MPC
`
`POL
`
`'
`'
`1
`'
`[
`40~
`
`PolicyGen
`:
`'
`' '
`' '
`
`Storage
`
`431
`¥Y
`432 U Buffer '--=
`r J
`
`433
`
`407
`
`NXEQ
`Information ~
`Monitor
`
`~
`
`XEQ
`
`User, policy, interfacing
`or other infonnation
`
`Protected Package Engine
`
`FIG. 4
`
`I
`I
`I
`I
`I
`I
`I
`I
`I
`I
`I
`
`401
`....
`
`~
`00
`•
`~
`~
`~
`
`~ = ~
`
`~
`
`~ :=
`......
`J'J
`N
`0 ......
`0
`
`rFJ =(cid:173)
`
`('D
`('D
`'""""
`.j;o.
`0 ......
`......
`0
`
`d
`rJl
`-....l
`0..,
`~
`-....l
`0..,
`w
`
`w = N
`
`

`
`r-~n;~l.-
`I -------: D~~-~
`I ,-~··~ ks--.
`\!\, L L
`
`ToTmo~oAgool
`
`Engin=er I ienerator
`
`To Linking
`Engine
`
`421
`
`~
`
`506
`
`1
`1
`Control
`'----1
`
`505
`
`551
`I I Detector I
`I ---;,-J
`1 1- Pattern N'--..
`1 I D':!.':~ovr 552
`I ~-~ther
`~-----
`
`553
`
`Executable File Parameters
`
`Executable Code Parameters
`
`Pattern Parameters
`
`User Parameters
`
`System Parameters
`
`General Parameters
`
`Interface Parameters
`
`Other
`
`FIG. 5
`
`FIG. 6a
`
`405
`
`~
`
`FIG. 6b
`
`~
`00
`•
`~
`~
`~
`
`~ = ~
`
`~
`
`~ := ....
`0 ....
`
`~
`
`N
`N
`
`0
`
`rFJ =(cid:173)
`('D a
`Ul
`0 .....
`....
`0
`
`d
`rJl
`-....l
`0..,
`~
`-....l
`0..,
`w
`
`w = N
`
`

`
`U.S. Patent
`
`Jan.12,2010
`
`Sheet 6 of 10
`
`US 7,64 7,633 B2
`
`700
`~
`
`340
`·-----~-----.. -,
`!
`
`1 Proteclio n
`Agent
`J
`t-............... _ .. _______ ..,.
`
`1
`
`701
`
`702
`
`Memory Space-N
`
`146
`
`FIG. 7a
`
`704
`
`703
`
`Memory Space-P1
`342
`
`Memory Space-P2
`343
`
`FIG. 7b
`
`341
`~
`
`Package Extractor
`
`Executable installer
`
`Sandbox Engine Installer
`Resource Access Oivester
`
`Resource Access Analyzer
`Polley Enforcer
`
`MPC De-lnslaller
`
`FIG. 8
`
`

`
`U.S. Patent
`
`Jan.12,2010
`
`Sheet 7 of 10
`
`US 7,64 7,633 B2
`
`Monitor re-communicator (e.g. server)
`operation
`
`Receive information having a protected
`information destination
`(a "potential-Downloadable")
`
`901
`
`903
`
`905
`r···································································;
`!
`Determine source trustworthiness
`j.--'2/
`!. ................. -----------··---- ------- -------------------- _____________ J
`
`No
`
`Determine whether the potential(cid:173)
`Downloadable includes executable code
`
`915
`
`No
`
`913
`
`,---------------------- -------------------------·
`909
`~ Prevent current delivery
`t. ............•••••••.. t·--··········-·--··------:
`911
`~-------·-···--·------· ·····---·--·--·······--··;
`: Notify Client(s), Administrator !
`•------··---··--··--·-·1········ ... ········ ·······'
`0------L... -----.
`cp
`
`917
`
`Cause potential-Downloadable
`to be delivered to the
`information-destination
`
`Form a protection agent corresp to mobile
`protection code, potential-Downloadable
`(now a detected-Downloadable) + any
`protection policies
`
`Cause the protection agent to be delivered
`to the information-Destination
`
`919
`
`921
`
`End
`
`FIG. 9
`
`

`
`913
`~
`
`Start
`
`919
`~
`
`Start
`
`Determine whether the potential(cid:173)
`Downloadable indicates an executable
`file type
`
`Determine whether the file contents
`include binary information or code patterns
`--~ --__,,_---
`
`If steps 1001 and 1003 indicate that the
`potential-Downloadable more likely
`includes executable code,
`consider the potential-Downloadable a
`detected-Downloadable
`
`1001
`
`1003
`
`1005
`
`Retrieve protection parameters and form
`mobile protection code according to the
`parameters
`
`1011
`
`Retrieve protection parameters and form
`protection policies according to the
`parameters
`
`Couple the mobile protection code,
`protection policies and received(cid:173)
`information to form a protection agent (e.g.
`MPC first, policies second, and Rl third)
`
`1015
`
`End
`
`FIG. lOA
`
`FIG. lOB
`
`~
`00
`•
`~
`~
`~
`
`~ = ~
`
`~
`
`~ := ....
`J'J
`N
`0 ....
`
`0
`
`rFJ =(cid:173)
`.....
`
`('D
`('D
`
`QO
`
`0 .....
`....
`0
`
`d
`rJl
`-....l
`0..,
`~
`-....l
`0..,
`w
`
`w = N
`
`

`
`U.S. Patent
`
`Jan.12,2010
`
`Sheet 9 of 10
`
`US 7,64 7,633 B2
`
`Install mobile protection code elements
`and policies within a destination device
`
`Load the downloadble without actually
`initiating it
`
`Form an access interceptor for intercepting
`downloadable destination device access
`attempts within the destination device
`
`Initiate the Downloadable within the
`destination device
`
`No
`
`Determine policies in accordance with the
`access attempt
`
`Execute the policies (including causing an
`allowable response expected by the
`Donwloadable to be returned to the
`Downloadable)
`
`1101
`
`1102
`
`1103
`
`1105
`
`1109
`
`1111
`
`FIG. 11
`
`

`
`U.S. Patent
`
`Jan.12,2010
`
`Sheet 10 of 10
`
`US 7,64 7,633 B2
`
`1103
`~
`
`Start
`
`Install the Downloadable
`
`Modify the Downloadable API to divert
`malicious access requests to the mobile
`protection code
`
`1201
`
`1203
`
`End
`
`FIG. 12a
`
`1109
`~
`
`Receive a Downloadable access request
`via the modified API
`
`Query stored policies to determine a policy
`corresponding to the Downloadable
`access request
`
`1211
`
`1213
`
`End
`
`)
`
`FIG. 12b
`
`

`
`US 7,647,633 B2
`
`1
`MALICIOUS MOBILE CODE RUNTIME
`MONITORING SYSTEM AND METHODS
`
`PRIORITY REFERENCE TO RELATED
`APPLICATIONS
`
`2
`distributable components including "Java applets or ActiveX
`controls", and further does so using resource intensive and
`high bandwidth static Downloadable content and operational
`analysis, and modification of the Downloadable component;
`Shuang further fails to detect or protect against additional
`program code included within a tested Downloadable. U.S.
`Pat. No. 5,974,549 to Golan teaches a protection system that
`further focuses only on protecting against ActiveX controls
`and not other distributable components, let alone other
`10 Downloadable types. U.S. Pat. No. 6,167,520 to Touboul
`enables more accurate protection than Shuang or Golan, but
`lacks the greater flexibility and efficiency taught herein, as do
`Shuang and Golan.
`Accordingly, there remains a need for efficient, accurate
`15 and flexible protection of computers and other network con(cid:173)
`nectable devices from malicious Downloadables.
`
`SUMMARY OF THE INVENTION
`
`This application is a continuation of and incorporates by
`reference patent application Ser. No. 09/861,229, filed May
`17, 2001 now U.S. Pat. No. 7,058,822, which claims benefit
`of reference provisional application Ser. No. 60/205,591
`entitled "Computer Network Malicious Code Runtime Moni(cid:173)
`taring," filed on May 17, 2000 by inventors Nimrod Itzhak
`Vered, et a!. This application also incorporates by reference
`the provisional application Ser. No. 60/205,591. This appli(cid:173)
`cation is also a Continuation-In-Part of and hereby incorpo(cid:173)
`rates by reference patent application Ser. No. 09/539,667,
`now U.S. Pat. No. 6,804,780, entitled "System and Method
`for Protecting a Computer and a Network from Hostile
`Downloadables" filed on Mar. 30, 2000 by inventor Shlomo
`Touboul. This application is also a Continuation-In-Part of 20
`and hereby incorporates by reference patent application Ser.
`No. 09/551,302, now U.S. Pat. No. 6,480,962, entitled "Sys(cid:173)
`tem and Method for Protecting a Client During Runtime
`From Hostile Downloadables", filed on Apr. 18, 2000 by
`inventor Shlomo Touboul.
`
`BACKGROUND OF THE INVENTION
`
`1. Field of the Invention
`This invention relates generally to computer networks, and
`more particularly provides a system and methods for protect(cid:173)
`ing network-connectable devices from undesirable down(cid:173)
`loadable operation.
`2. Description of the Background Art
`Advances in networking technology continue to impact an
`increasing number and diversity of users. The Internet, for
`example, already provides to expert, intermediate and even
`novice users the informational, product and service resources
`of over 100,000 interconnected networks owned by govern(cid:173)
`ments, universities, nonprofit groups, companies, etc. Unfor(cid:173)
`tunately, particularly the Internet and other public networks
`have also become a major source of potentially system-fatal
`or otherwise damaging computer code commonly referred to
`as "viruses."
`Efforts to forestall viruses from attacking networked com(cid:173)
`puters have thus far met with only limited success at best.
`Typically, a virus protection program designed to identify and
`remove or protect against the initiating of known viruses is
`installed on a network firewall or individually networked
`computer. The program is then inevitably surmounted by 50
`some new virus that often causes damage to one or more
`computers. The damage is then assessed and, if isolated, the
`new virus is analyzed. A corresponding new virus protection
`program (or update thereof) is then developed and installed to
`combat the new virus, and the new program operates success- 55
`fully until yet another new virus appears-and so on. Of
`course, damage has already typically been incurred.
`To make matters worse, certain classes of viruses are not
`well recognized or understood, let alone protected against. It
`is observed by this inventor, for example, that Downloadable 60
`information comprising program code can include distribut(cid:173)
`able components (e.g. Java™ applets and JavaScript scripts,
`ActiveX™ controls, Visual Basic, add-ins and/or others). It
`can also include, for example, application programs, Trojan
`horses, multiple compressed programs such as zip or meta 65
`files, among others. U.S. Pat. No. 5,983,348 to Shuang, how(cid:173)
`ever, teaches a protection system for protecting against only
`
`The present invention provides protection systems and
`methods capable of protecting a personal computer ("PC") or
`other persistently or even intermittently network accessible
`devices or processes from harmful, undesirable, suspicious or
`other "malicious" operations that might otherwise be effec-
`25 tuated by remotely operable code. While enabling the capa(cid:173)
`bilities of prior systems, the present invention is not nearly so
`limited, resource intensive or inflexible, and yet enables more
`reliable protection. For example, remotely operable code that
`is protectable against can include downloadable application
`30 programs, Trojan horses and program code groupings, as well
`as software "components", such as Java™ applets,
`ActiveX™ controls, JavaScript™Nisual Basic scripts, add(cid:173)
`ins, etc., among others. Protection can also be provided in a
`distributed interactively, automatically or mixed configurable
`35 manner using protected client, server or other parameters,
`redirection, local/remote logging, etc., and other server/client
`based protection measures can also be separately and/or
`interoperably utilized, among other examples.
`In one aspect, embodiments of the invention provide for
`40 determining, within one or more network "servers" (e.g. fire(cid:173)
`walls, resources, gateways, email relays or other devices/
`processes that are capable of receiving-and-transferring a
`Downloadable) whether received
`information
`includes
`executable code (and is a "Downloadable"). Embodiments
`45 also provide for delivering static, configurable and/or exten(cid:173)
`sible remotely operable protection policies to a Download(cid:173)
`able-destination, more typically as a sandboxed package
`including the mobile protection code, downloadable policies
`and one or more received Downloadables. Further client-
`based or remote protection code/policies can also be utilized
`in a distributed manner. Embodiments also provide for caus(cid:173)
`ing the mobile protection code to be executed within a Down(cid:173)
`loadable-destination in a manner that enables various Down(cid:173)
`loadable operations to be detected, intercepted or further
`responded to via protection operations. Additional server/
`information-destination device security or other protection is
`also enabled, among still further aspects.
`A protection engine according to an embodiment of the
`invention is operable within one or more network servers,
`firewalls or other network connectable information re-com(cid:173)
`municating devices (as are referred to herein summarily one
`or more "servers" or "re-communicators"). The protection
`engine includes an information monitor for monitoring infor(cid:173)
`mation received by the server, and a code detection engine for
`determining whether the received information includes
`executable code. The protection engine also includes a pack-
`aging engine for causing a sandboxed package, typically
`
`

`
`US 7,647,633 B2
`
`4
`method also includes determining, by the MPC, a resource
`access attempt by the Downloadable, and initiating, by the
`MPC, one or more predetermined operations corresponding
`to the attempt. (Predetermined operations can, for example,
`comprise initiating user, administrator, client, network or pro(cid:173)
`tection system determinable operations, including but not
`limited to modifying the Downloadable operation, extricating
`the Downloadable, notifying a user/another, maintaining a
`local/remote log, causing one or more MPCs/policies to be
`10 downloaded, etc.)
`Advantageously, systems and methods according to
`embodiments of the invention enable potentially damaging,
`undesirable or otherwise malicious operations by even
`unknown mobile code to be detected, prevented, modified
`15 and/or otherwise protected against without modifying the
`mobile code. Such protection is further enabled in a mauner
`that is capable of minimizing server and client resource
`requirements, does not require pre-installation of security
`code within a Downloadable-destination, and provides for
`20 client specific or generic and readily updateable security mea(cid:173)
`sures to be flexibly and efficiently implemented. Embodi(cid:173)
`ments further provide for thwarting efforts to bypass security
`measures (e.g. by "hiding" undesirable operation causing
`information within apparently inert or otherwise "friendly"
`25 downloadable information) and/or dividing or combining
`security measures for even greater flexibility and/or effi(cid:173)
`ciency.
`Embodiments also provide for determining protection
`policies that can be downloaded and/or ascertained from
`30 other security information (e.g. browser settings, administra(cid:173)
`tive policies, user input, uploaded information, etc.). Differ(cid:173)
`ent actions in response to different Downloadable operations,
`clients, users and/or other criteria are also enabled, and
`embodiments provide for implementing other security mea-
`35 sures, such as verifying a downloadable source, certification,
`authentication, etc. Appropriate action can also be accom(cid:173)
`plished automatically (e.g. programmatically) and/or in con(cid:173)
`junction with alerting one or more users/administrators, uti(cid:173)
`lizing user input, etc. Embodiments further enable desirable
`40 Downloadable operations to remain substantially unaffected,
`among other aspects.
`
`3
`including mobile protection code and downloadable protec(cid:173)
`tion policies to be sent to a Downloadable-destination in
`conjunction with the received information, if the received
`information is determined to be a Downloadable.
`A sandboxed package according to an embodiment of the
`invention is receivable by and operable with a remote Down(cid:173)
`loadable-destination. The sandboxed package
`includes
`mobile protection code ("MPC") for causing one or more
`predetermined malicious operations or operation combina(cid:173)
`tions of a Downloadable to be monitored or otherwise inter(cid:173)
`cepted. The sandboxed package also includes protection poli(cid:173)
`cies
`(operable alone or
`in conjunction with further
`Downloadable-destination stored or received policies/MPCs)
`for causing one or more predetermined operations to be per(cid:173)
`formed if one or more undesirable operations of the Down(cid:173)
`loadable is/are intercepted. The sandboxed package can also
`include a corresponding Downloadable and can provide for
`initiating the Downloadable in a protective "sandbox". The
`MPC/policies can further include a communicator for
`enabling further MPC/policy information or "modules" to be
`utilized and/or for event logging or other purposes.
`A sandbox protection system according to an embodiment
`of the invention comprises an installer for enabling a received
`MPC to be executed within a Downloadable-destination (de(cid:173)
`vice/process) and further causing a Downloadable applica(cid:173)
`tion program, distributable component or other received
`downloadable code to be received and installed within the
`Downloadable-destination. The protection system also
`includes a diverter for monitoring one or more operation
`attempts of the Downloadable, an operation analyzer for
`determining one or more responses to the attempts, and a
`security enforcer for effectuating responses to the monitored
`operations. The protection system can further include one or
`more security policies according to which one or more pro(cid:173)
`tection system elements are operable automatically (e.g. pro(cid:173)
`grammatically) or in conjunction with user intervention (e.g.
`as enabled by the security enforcer). The security policies can
`also be configurable/extensible in accordance with further
`downloadable and/or Downloadable-destination informa(cid:173)
`tion.
`A method according to an embodiment of the invention
`includes receiving downloadable information, determining
`whether the downloadable information includes executable
`code, and causing a mobile protection code and security
`policies to be communicated to a network client in conjunc- 45
`tion with security policies and the downloadable information
`if the downloadable information is determined to include
`executable code. The determining can further provide mul(cid:173)
`tiple tests for detecting, alone or together, whether the down-
`loadable information includes executable code.
`A further method according to an embodiment of the
`invention includes forming a sandboxed package that
`includes mobile protection code ("MPC"), protection poli(cid:173)
`cies, and a received, detected-Downloadable, and causing the
`sandboxed package to be communicated to and installed by a 55
`receiving device or process ("user device") for responding to
`one or more malicious operation attempts by the detected(cid:173)
`Downloadable from within the use