Docket Number: 40492.000,

PROVISIONAL APPLICATION FOR PATENT COVER SHEET (Large Entity)

This is a request for filing a PROVISIONAL APPLICATION FOR PATENT under 37 CFR 1.53 (c).

INVENTOR(S)/APPLICANT(S)

Given Name (first and middle [if any]) | Family Name or Surname | Residence (City and either State or Foreign Country)
Nimrod Itzhak | Vered | Moshav Mismeret #81, Goosh Tel-Mond 40695, Israel
Yigal Mordechai | Edery | Hashikma 11, POB 1115, Pardesia 42815, Israel
David R. | Kroll | 1233 Klee Court, Sunnyvale, CA 94087

Additional inventors are being named on page 2 attached hereto
`
`TITLE OF THE INVENTION (280 characters max)
`
`COMPUTER NETWORK MALICIOUS CODE RUN-TIME MONITORING
`
`CORRESPONDENCE ADDRESS
`
`Direct all correspondence to:
Customer Number
23840
OR
Firm or Individual Name: Graham & James LLP
Address: 600 Hansen Way
City: Palo Alto
State: CA
ZIP: 94304-1043
Country: US
Telephone: 650-856-6500
Fax: 650-856-3619

ENCLOSED APPLICATION PARTS (check all that apply)

Specification, Number of Pages: 83
Drawing(s), Number of Sheets: 1
Other (specify)

METHOD OF PAYMENT OF FILING FEES FOR THIS PROVISIONAL APPLICATION FOR PATENT (check one)

A check or money order is enclosed to cover the filing fees
The Commissioner is hereby authorized to charge filing fees or credit any overpayment to Deposit Account Number:
FILING FEE AMOUNT ($)

The invention was made by an agency of the United States Government or under a contract with an agency of the United States Government.
[X] No.
[ ] Yes, the name of the U.S. Government agency and the Government contract number are:
`
Respectfully submitted,

SIGNATURE
DATE: 17,2000
TYPED or PRINTED NAME: Marc A. Sockol
REGISTRATION NO. (if appropriate): 40,823
TELEPHONE: 650-856-6500
`
`USE ONLY FOR FILING A PROVISIONAL APPLICATION FOR PATENT
`SEND TO: Box Provisional Application, Assistant Commissioner for Patents, Washington, DC 20231
[Page 1 of 2]
`
`P19LARGEJREV04
`
`Blue Coat Systems - Exhibit 1040 Page 1
`
`

`
Docket Number: 40492.00013
`
`
Certificate of Mailing by Express Mail

I certify that this application and enclosed fee is being deposited on 5/n oo with the U.S. Postal
Service "Express Mail Post Office to Addressee" service under 37 C.F.R. 1.10 and is addressed to the
Assistant Commissioner for Patents, Washington, D.C. 20231.

Signature of Person Mailing Correspondence

Typed or Printed Name of Person Mailing Correspondence: Marion Dick
"Express Mail" Mailing Label Number: EL515156294US
`
`
`

`
`PROVISIONAL APPLICATION FOR
`UNITED STATES PATENT
`IN THE NAME
`
`of
`
`NIMROD ITZHAK VERED, YIGAL MORDECHAI EDERY
`
`AND DAVID R. KROLL
`
`for
`
`COMPUTER NETWORK MALICIOUS CODE
`
`RUN-TIME MONITORING
`
`DOCKET NO. 40492.00013
`
`Please direct communications to:
`GRAHAM & JAMES LLP
`600 Hansen Way
`Palo Alto, CA 94304-1043
(650) 856-6500
`Express Mail Number: EL515156294US
`
`Computer Network Malicious Code Run-time Monitoring
`(Patent Application)
`
Nimrod Vered, Director Product Management
Yigal Edery, Director R&D
Dave Kroll, Director of Marketing
`
`Abstract
`
`A network security content-inspection server with a sandbox agent that performs runtime
`monitoring of application programs (e.g. Executables (.exe files) or ActiveX controls)
`received over the Internet or an Intranet. Static scanning at the network server level (e.g.,
`HTTP proxy server or plug-in to an existing Proxy or Firewall server) identifies
`application programs and wraps the application programs with a sandbox agent. During
`runtime of the program at the client computer, the sandbox agent self-extracts and
`modifies certain programs running in the memory, thereby creating a sandbox
`environment that monitors for security policy violations. Execution of an instruction is
`prevented in the event of a policy violation.
`
`Claims
`
1) A method of detecting application programs while arriving through the Internet or
Intranet (e.g. SMTP, HTTP or FTP traffic) and wrapping them with a sandbox
agent.

2) The method of claim 1, wherein the computer network includes a server and client
computers, and wherein the wrapping takes place at the server, wherein the
executing the application program takes place at the client.

3) The method of claim 1, wherein the sandbox agent contains the code needed to
create the sandbox environment without instrumenting the original application
program.

4) The method of claim 1, further using a white list to create exception list of those
application programs that are not to be wrapped with the sandbox agent.

5) The method of claim 4, wherein the identification of those specific application
programs that are not to be wrapped will be done using either MD-5 hash for all
the users or all the application programs for a specific user or a group of users.

6) A method of creating a sandbox environment for a secure execution of an
application program on a client computer while no installation of a software
module is taking place.

7) The method of claim 6, wherein the sandbox agent checks the specific client
computer security policy before starting the execution of the application program.

8) The method of claim 6, wherein the sandbox agent facilitates a filtering layer
where all of the application programs calls are compared in to the given security
policy.

9) The method of claim 8, wherein if the application program violated the security
program it will be either automatically stopped from running or the user will
manually stop it from running. In both cases a message will be presented to the
computer user.

The information contained herein is proprietary to Finjan Software Ltd. (Finjan) and may not be stored, reproduced,
translated, or transmitted in any form or by any means, in whole or in part, without the prior written consent of Finjan.
`
`Field of Invention
`
`The invention pertains to computer network security and specifically to secure execution
`of program applications.
`
`Background
`
The rapid development of the Internet brought the concept of distributed computing,
where small application programs 'travel' over the Internet from Web servers to client
computers and execute on the clients, saving the processing resources of the servers. This
concept is now being implemented by businesses worldwide, especially in the era of
e-commerce. Because of the connectivity that the Internet provides, computer users are
sharing and opening more programs voluntarily. In addition, there are active Web
programs that run automatically in Web browsers without user permission. Hackers are taking
advantage of technologies and techniques to develop malicious code for attacking
unsuspecting and protected computer users.
`
Executable programs (.exe) are a popular technology used to create self-contained
programs for commercial use as well as for hacking purposes. An example of commercial
usage of executables is in the e-greeting card/e-games market, where tens of thousands of
small executable programs are sent between users every day. An example of a popular
hacking tool that is delivered as an executable is Back Orifice, a remote access tool used
to take control of PCs. There are many tools available freely on the Internet that allow
hackers to combine or "bind" a benign e-greeting card and a malicious attack together so
only the greeting card will be visible to the user.
`
However, no products exist that monitor the behavior of executable programs during
runtime. Many computer users have been attacked while running executables that they
trusted. Often, as with a computer worm attack, malicious code arrives from a spoofed
e-mail source, which the user might trust without knowing that the e-mail was spoofed.
`
Executable files are written in a low-level computer language and cannot be scanned by a
gateway server because their behavior can only be determined at the time they run on a
specific computer. In fact, an executable's behavior might change from computer to computer,
or it may have instructions to execute only on a specific date or at a specific time.
`
`Hence programs that will be able to monitor application programs during runtime are
`needed.
`
`
`At least three products that provide security for computer networks are available
`commercially: Trend Micro's AppletTrap, Security-7's SafeAgent (now owned by CA),
`and Aladdin's E-Safe Gateway.
`
`AppletTrap provides static scanning for Java applets while instrumenting suspicious code
`with additional code so when it runs inside the Java Virtual Machine (JVM) of a given
`browser it will be protected by this Java agent. AppletTrap cannot instrument ActiveX
`controls or executable programs (i.e., application program code). AppletTrap uses black
`lists to block specific known malicious ActiveX controls or executables. Furthermore,
`protecting the user's computer from malicious Java applets from within the JVM, which
`itself is vulnerable, extends the same vulnerability to the protecting Java agent.
`
`SafeAgent provides only static scanning for Java applets with no regard to the connection
`between the different classes of the given Java applet. SafeAgent cannot protect from
`malicious executables.
`
E-Safe Gateway provides only blocking capabilities for known malicious attacks; it does
not provide static scanning or runtime monitoring of application programs.
`
`Technical Description of the Sandbox Agent
`
`The incoming program file is directed to a wrapper (sandbox agent) that is attached to
`executable files (or ActiveX controls) at the gateway level on their way to a user's
`computer. When the user invokes the executable at the desktop computer, the wrapper
`runs the original executable in a sandbox environment, where all of its operations are
`monitored during runtime.
`
`The sandboxing technology is based on the technology that already exists in another
`Finjan Software product called SurfinShield. The sandbox agent is a small win32
`executable that has the ability to do the following:
• Extract the original executable from the wrapped file
• Extract the policy from the wrapped file
• Inject itself into the memory space of the original executable
• Install operating system level hooks (probes) on any system API call. This is used
for monitoring all of the file, registry and network operations done by the original
executable, as well as other operations that have the potential of being used for
violating the policy.
• Compare (at run time) every attempt to perform a probed operation, with the
policy that was packed inside the wrapped file, and stop any forbidden operations.
• Completely stop the original executable (kill the entire process) in case it violates
the policy.
`
`
`

`
`The two main technologies that are used to implement the sandbox agent are wrapping
`and in-memory API hooking (also called memory injections).
`
`Wrapping
`When the server detects an executable being downloaded or received from the Internet or
`Intranet, it will wrap the executable with the sandbox agent. Wrapping at the gateway
`level means bundling together (into one file) the following code objects:
`• The sandbox agent itself,
`• A structure containing the policy for this specific executable. The policy depends
`on the permissions/settings for the specific user who will receive the executable,
`and
`• The original executable.
`
After the executable arrives at the desktop and is launched, the sandbox agent (being the
first code object in the chain) will be activated, and will then extract the security policy
and the original executable. After creating the sandbox environment by using in-memory
API hooking, the security policy will be enforced on the running executable.
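
The bundling and extraction described above can be modelled as a small container format. This is an added example, not code from the application: the `SBXW` marker, the trailer layout, the JSON policy encoding and the sample users are all assumptions chosen for illustration.

```python
import json
import struct

MAGIC = b"SBXW"                      # hypothetical marker for this example
TRAILER = struct.Struct("<4sIII")    # magic + three section lengths

# Constructed per-user policies; the gateway picks one for the recipient.
POLICIES = {
    "alice": {"file_write": ["C:\\Temp"], "net_connect": []},
    "default": {"file_write": [], "net_connect": []},
}


def policy_for(user):
    return POLICIES.get(user, POLICIES["default"])


def wrap(agent, original, user):
    """Gateway side: agent first, then policy, then the original executable."""
    policy_blob = json.dumps(policy_for(user), sort_keys=True).encode("utf-8")
    trailer = TRAILER.pack(MAGIC, len(agent), len(policy_blob), len(original))
    return agent + policy_blob + original + trailer


def unwrap(blob):
    """Client side: what the agent does on launch to recover policy and payload."""
    if len(blob) < TRAILER.size:
        raise ValueError("too short to be a wrapped file")
    magic, n_agent, n_policy, n_orig = TRAILER.unpack(blob[-TRAILER.size:])
    if magic != MAGIC:
        raise ValueError("trailer marker missing: not a wrapped file")
    body = blob[:-TRAILER.size]
    if n_agent + n_policy + n_orig != len(body):
        raise ValueError("section lengths do not add up to the file size")
    policy = json.loads(body[n_agent:n_agent + n_policy].decode("utf-8"))
    original = body[n_agent + n_policy:]
    return policy, original


if __name__ == "__main__":
    agent_stub = b"AGENT-STUB"                 # constructed stand-in bytes
    original_exe = b"MZ\x90\x00constructed"    # constructed stand-in bytes
    wrapped = wrap(agent_stub, original_exe, "alice")
    print(unwrap(wrapped))
```

Because the policy travels inside the same file as the code it restricts, the length check only catches truncation or corruption; it does not authenticate the policy.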
`
`API Hooking technology
`
`This technology enables the sandbox agent to monitor each and every system API call
`that the original executable performs, without the need to pre-install software code on the
`desktop (such as pre-fixed system hooks, filter drivers, etc.).
`
When the sandbox agent is ready to run the original executable in the sandbox
environment, it loads the executable into the computer memory (by starting the process in
suspended mode), scans the process' import table pointers in memory, looking for any
pointers to API calls that need to be trapped, and modifies these pointers to point to a
function within the wrapper. This function, in turn, will call the original function after
deciding if this API call is valid or not, according to the given security policy.
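
A Python model of the check-then-forward logic described above, added here as an illustration and not taken from the application. The `imports` dict stands in for the import table, and the operation names, policy layout and paths are assumptions; the path check normalizes before comparing so that a `..` segment cannot escape an allowed directory.

```python
import ntpath


class PolicyViolation(Exception):
    """Raised by a probe when a call is not permitted by the policy."""


def _norm(path):
    # Collapse "..", mixed slashes and case before comparing Windows paths.
    return ntpath.normcase(ntpath.normpath(path))


def is_allowed(policy, api, args):
    rules = policy.get(api)
    if rules is None:                   # probed API with no rule: deny
        return False
    if api == "file_write":
        return any(_norm(args[0]).startswith(_norm(p) + "\\") for p in rules)
    return args[0] in rules


class Sandbox:
    def __init__(self, import_table, policy):
        self.imports, self.policy = dict(import_table), policy
        self.alive, self.log = True, []

    def hook(self, api):
        original = self.imports[api]

        def probe(*args):
            if not self.alive:
                raise PolicyViolation("process already stopped")
            if not is_allowed(self.policy, api, args):
                self.log.append(("DENY", api, args[0]))
                self.alive = False      # models killing the entire process
                raise PolicyViolation(f"{api}({args[0]!r}) violates policy")
            self.log.append(("ALLOW", api, args[0]))
            return original(*args)      # forward to the original function

        self.imports[api] = probe       # repoint the table entry at the probe


def demo():
    performed = []                      # side effects that actually happened
    table = {api: (lambda *a, _n=api: performed.append((_n, a[0])))
             for api in ("file_write", "registry_set", "net_connect")}
    box = Sandbox(table, {"file_write": ["C:\\Temp"],
                          "net_connect": ["cards.example.com"]})
    for api in table:
        box.hook(api)
    try:                                # constructed sample "executable"
        box.imports["file_write"]("C:\\Temp\\card.bmp", b"...")
        box.imports["file_write"]("C:\\Temp\\..\\Windows\\win.ini", b"...")
        box.imports["net_connect"]("cards.example.com")   # never reached
    except PolicyViolation:
        pass
    return box.log, performed, box.alive
```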
`
`White Lists and Black Lists
`
White lists are used to allow "trusted" executables to run outside the sandbox (without
being monitored). The white list is created for executables based on a unique MD-5 hash
for each program. The list contains the MD-5 hash for those executables that the
administrator wants to allow to run. Each time a new executable passes through
SurfinGate an MD-5 hash is generated for it. Once the administrator chooses to white list
a particular executable, he/she only needs to add the MD-5 hash to the white list.

Another way to use the white list is to use the SurfinGate URL List to "white list" a
specific URL, which will enable the administrator to specify a Web site from which
approved executables will be available for download (e.g., an internal server used to
distribute software application executables).
`
`
`Black listing an executable uses the same unique ID (Binary signature) to create a list of
`known executables that an administrator does not want to allow to run inside an
`organization's network.
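
The gateway decision that the white list, black list and URL list imply can be sketched as follows. This is an added example, not SurfinGate code: the `Gateway` class, scope strings, host names and sample bytes are constructed, and giving the black list precedence over the white list is an assumption.

```python
import hashlib
from urllib.parse import urlsplit


class Gateway:
    def __init__(self, groups=None):
        self.groups = groups or {}   # user -> group name
        self.white = {}              # scope ("*", "group:x", "user:y") -> digests
        self.black = set()           # digests never allowed into the network
        self.trusted_hosts = set()   # URL-list entries, compared as exact hosts

    @staticmethod
    def digest(data):
        # MD-5 as the page specifies; collisions are practical today, so a
        # current deployment would key these lists on SHA-256 instead.
        return hashlib.md5(data).hexdigest()

    def whitelist(self, data, scope="*"):
        self.white.setdefault(scope, set()).add(self.digest(data))

    def decide(self, data, user, url):
        d = self.digest(data)
        if d in self.black:                      # assumed: black list wins
            return "BLOCK"
        scopes = ["*", "user:" + user]
        if user in self.groups:
            scopes.append("group:" + self.groups[user])
        if any(d in self.white.get(s, ()) for s in scopes):
            return "SEND_UNWRAPPED"
        # Parse the URL; a substring test would accept look-alike hosts.
        if urlsplit(url).hostname in self.trusted_hosts:
            return "SEND_UNWRAPPED"
        return "WRAP"


def demo():
    gw = Gateway(groups={"alice": "engineering"})
    installer, card, tool = b"installer-bytes", b"greeting-card-bytes", b"remote-tool-bytes"
    gw.whitelist(installer, scope="group:engineering")
    gw.black.add(gw.digest(tool))
    gw.trusted_hosts.add("dist.corp.example")
    return [
        gw.decide(installer, "alice", "http://www.example.org/setup.exe"),
        gw.decide(installer, "bob", "http://www.example.org/setup.exe"),
        gw.decide(card, "bob", "http://dist.corp.example/card.exe"),
        gw.decide(card, "bob", "http://dist.corp.example@files.example.net/card.exe"),
        gw.decide(tool, "alice", "http://dist.corp.example/tool.exe"),
    ]
```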
`
`
Drawings

Figure 1: Flow chart of executable when it arrives to the network computer

Executable is requested by a given computer.
Executable arrives and MD-5 hash is created for it.
Is the executable allowed for specific user/group or all?
Yes: Send executable to the requesting computer WITHOUT the sandbox agent.
No: Wrap the executable with the sandbox agent, then send executable to the requesting computer WITH the sandbox agent.

Figure 2: Original executable inside a Sandbox agent wrapper
`