US007058822B2

(12) United States Patent
Edery et al.

(10) Patent No.: US 7,058,822 B2
(45) Date of Patent: Jun. 6, 2006

(54) MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS

(75) Inventors: Yigal Mordechai Edery, Pardesia (IL); Nimrod Itzhak Vered, Goosh Tel-Mond (IL); David R. Kroll, San Jose, CA (US)

(73) Assignee: Finjan Software, Ltd., South Netanya (IL)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 1013 days.

(21) Appl. No.: 09/861,229

(22) Filed: May 17, 2001

(65) Prior Publication Data
US 2002/0013910 A1, Jan. 31, 2002

Related U.S. Application Data

(63) Continuation-in-part of application No. 09/551,302, filed on Apr. 18, 2000, now Pat. No. 6,480,962, which is a continuation-in-part of application No. 09/539,667, filed on Mar. 30, 2000, now Pat. No. 6,804,780.

(60) Provisional application No. 60/205,591, filed on May 17, 2000.

(51) Int. Cl. G06F 11/30 (2006.01)
(52) U.S. Cl. 713/200
(58) Field of Classification Search: 713/176, 175, 200, 201, 150, 168; 701/223, 229; 717/120, 124, 126, 127, 130, 131, 134, 135; 709/223-229. See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

5,077,677 A  12/1991  Murphy et al.
5,359,659 A  10/1994  Rosenthal
5,361,359 A  11/1994  Tajalli et al.
5,485,409 A   1/1996  Gupta et al.

(Continued)

OTHER PUBLICATIONS

Zhong et al., "Security in the large: is Java's sandbox scalable?", Oct. 1998, Seventh IEEE Symposium on Reliable Distributed Systems, pp. 1-6.*

(Continued)

Primary Examiner: Christopher Revak
(74) Attorney, Agent, or Firm: Squire, Sanders & Dempsey, L.L.P.

(57) ABSTRACT

Protection systems and methods provide for protecting one or more personal computers ("PCs") and/or other intermittently or persistently network accessible devices or processes from undesirable or otherwise malicious operations of Java™ applets, ActiveX™ controls, JavaScript™ scripts, Visual Basic scripts, add-ins, downloaded/uploaded programs or other "Downloadables" or "mobile code" in whole or part. A protection engine embodiment provides, within a server, firewall or other suitable "re-communicator," for monitoring information received by the communicator, determining whether received information does or is likely to include executable code, and if so, causes mobile protection code (MPC) to be transferred to and rendered operable within a destination device of the received information, more suitably by forming a protection agent including the MPC, protection policies and a detected-Downloadable. An MPC embodiment further provides, within a Downloadable-destination, for initiating the Downloadable, enabling malicious Downloadable operation attempts to be received by the MPC, and causing (predetermined) corresponding operations to be executed in response to the attempts, more suitably in conjunction with protection policies.

35 Claims, 10 Drawing Sheets
`
[Front-page figure (excerpt of FIG. 4, drawing not reproduced in this extraction): protection engine 400 with Security/Authentication block 408, a Policy/Authentication Reader-Analyzer, a "Not Executable (NXEQ)" output path, and Information Monitor 401 receiving "User, policy, interfacing or other information".]
`BLUE COAT SYSTEMS - Exhibit 1016 Page 1
U.S. PATENT DOCUMENTS (continued)

5,485,575 A   1/1996  Chess et al.
5,572,643 A  11/1996  Judson
5,606,668 A   2/1997  Shwed
5,623,600 A   4/1997  Ji et al.
5,638,446 A   6/1997  Rubin
5,692,047 A  11/1997  McManis
5,692,124 A  11/1997  Holden et al.
5,720,033 A   2/1998  Deo
5,724,425 A   3/1998  Chang et al.
5,740,248 A   4/1998  Fieres et al.
5,761,421 A   6/1998  van Hoff et al.
5,765,205 A   6/1998  Breslau et al.
5,784,459 A   7/1998  Devarakonda et al.
5,796,952 A   8/1998  Davis et al.
5,805,829 A   9/1998  Cohen et al.
5,832,208 A  11/1998  Chen et al.
5,850,559 A  12/1998  Angelo et al.
5,859,966 A   1/1999  Hayman et al.
5,864,683 A   1/1999  Boebert et al.
5,892,904 A   4/1999  Atkinson et al.
5,951,698 A   9/1999  Chen et al.
5,956,481 A   9/1999  Walsh et al.
5,974,549 A  10/1999  Golan
5,978,484 A  11/1999  Apperson et al.
5,983,348 A  11/1999  Ji
6,092,194 A   7/2000  Touboul
6,154,844 A  11/2000  Touboul et al.
6,167,520 A  12/2000  Touboul
6,425,058 B1  7/2002  Arimilli et al.
6,434,668 B1  8/2002  Arimilli et al.
6,434,669 B1  8/2002  Arimilli et al.
6,480,962 B1 11/2002  Touboul
6,519,679 B1  2/2003  Devireddy et al.
6,732,179 B1* 5/2004  Brown et al. ............... 709/229

OTHER PUBLICATIONS (continued)

Rubin et al., "Mobile code security", Dec. 1998, IEEE Internet, pp. 30-34.*
Schmid et al., "Protecting data from malicious software", 2002, Proceedings of the 18th Annual Computer Security Applications Conference, pp. 1-10.*
Corradi et al., "A flexible access control service for Java mobile code", 2000, IEEE, pp. 356-365.*
Jim K. Omura, "Novel Applications of Cryptography in Digital Communications", IEEE Communications Magazine, May 1990, pp. 21-29.
Okamoto, E. et al., "ID-Based Authentication System For Computer Virus Detection", IEEE/IEE Electronic Library online, Electronics Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract and pp. 1169-1170. URL: http://iel.ihs.com:SO/cgi-bin/iel_cgl?se ... 2ehts%26ViewTemplate%3ddocview%5fb%2ehts.
IBM AntiVirus User's Guide Version 2.4, International Business Machines Corporation, Nov. 15, 1995, pp. 6-7.
Norvin Leach et al., "IE 3.0 Applets Will Earn Certification", PC Week, vol. 13, No. 29, Jul. 22, 1996, 2 pages.
"Finjan Software Releases SurfinBoard, Industry's First JAVA Security Product For the World Wide Web", Article published on the Internet by Finjan Software Ltd., Jul. 29, 1996, 1 page.
"Powerful PC Security for the New World of Java™ and Downloadables, Surfin Shield™", Article published on the Internet by Finjan Software Ltd., 1996, 2 pages.
Microsoft® Authenticode Technology, "Ensuring Accountability and Authenticity for Software Components on the Internet", Microsoft Corporation, Oct. 1996, including Abstract, Contents, Introduction and pp. 1-10.
"Finjan Announces a Personal Java™ Firewall For Web Browsers - the SurfinShield™ 1.6 (formerly known as SurfinBoard)", Press Release of Finjan Releases SurfinShield 1.6, Oct. 21, 1996, 2 pages.
Company Profile "Finjan - Safe Surfing, The Java Security Solutions Provider", Article published on the Internet by Finjan Software Ltd., Oct. 31, 1996, 3 pages.
"Finjan Announces Major Power Boost and New Features for SurfinShield™ 2.0", Las Vegas Convention Center/Pavilion 5 P5551, Nov. 18, 1996, 3 pages.
"Java Security: Issues & Solutions", Articles published on the Internet by Finjan Software Ltd., 1996, 8 pages.
"Products", Articles published on the Internet, 7 pages.
Mark LaDue, "Online Business Consultant: Java Security: Whose Business Is It?", Article published on the Internet, Home Page Press, Inc., 1996, 4 pages.
Ron Moritz, "Why We Shouldn't Fear Java", Java Report, Feb. 1997, pp. 51-56.
Web Page Article "Frequently Asked Questions About Authenticode", Microsoft Corporation, last updated Feb. 17, 1997, printed Dec. 23, 1998. URL: http://www.microsoft.com/workshop/security/authcode/signfaq.asp#9, pp. 1-13.
Zhang, X.N., "Secure Code Distribution", IEEE/IEE Electronic Library online, Computer, vol. 30, Issue 6, Jun. 1997, pp. 76-79.
Khare, Rohit, "Microsoft Authenticode Analyzed", Jul. 22, 1996, 2 pages. URL: http://www.xent.com/FoRK-archive/summer96/0338.html.
"Release Notes for the Microsoft ActiveX Development Kit", Aug. 13, 1996, 11 pages. URL: http://activex.adsp.or.jp/inetsdk/readme.txt.
"Microsoft ActiveX Software Development Kit", Aug. 12, 1996, 6 pages. URL: http://activex.adsp.or.jp/inetsdk/help.overview.htm.

* cited by examiner

[Sheet 1 of 10 (FIGS. 1a, 1b, 1c; drawings not reproduced in this extraction). FIG. 1a: network system 100 with Redundancy Support and subsystems Subsystem-1 (Sandbox Protected), Subsystem-N (Unprotected) and Subsystem-M (Protected); an ISP-Server 104a hosts a Server and a Protection Engine (PE) that forwards mobile protection code together with a Downloadable ("MPC, D") toward destination devices 142a, 145, 145a. FIG. 1b: network subsystem example built around a Corporate Server 104b with destination 143. FIG. 1c: further network subsystem example.]

[Sheet 2 of 10 (FIG. 2; drawing not reproduced in this extraction). Computer system 200: Processor(s) 202, Input Device(s) 203, Output Device(s) 204, Computer Readable Storage Medium Reader 205, Computer Readable Storage Medium 206, Communications Interface 207, Storage 208 and Working Memory 209 holding Operating System 291 and Other Programs 292, all coupled by bus 201.]

[Sheet 3 of 10 (FIG. 3; drawing not reproduced in this extraction). Protection system host 300: Received Information 320 (non-executable/executable info) arrives at Server 301 and Firewall 302; a Protection Engine (PE) 310 passes non-executable information 331 through unchanged and, for executable information, forms protection agent 340 comprising MPC 341, protection policies 342 (labelled "PoL-1") and the Downloadable 343, which is sent on to the destination 303.]

[Sheet 4 of 10 (FIG. 4; drawing not reproduced in this extraction). Protection engine 400: Information Monitor 401 takes in "User, policy, interfacing or other information" and received information, classifying it via Buffer 407 as Not Executable (NXEQ), which is passed on, or Executable (XEQ). Policies 402 and Security/Authentication block 408 with its Policy/Authentication Reader-Analyzer (481, 482) feed the Protected Package Engine 404, which contains Detection Engine 421, a Linking Engine and a Transfer Engine (405, 406; 431). Its output is protection agent 340 comprising MPC 341, policies 342 and Downloadable 343.]

[Sheet 5 of 10 (FIGS. 5, 6a, 6b; drawings not reproduced in this extraction). FIG. 5: detection engine 421 with a Content Detector Control (506) driving a Binary Detector (505) and a Pattern Detector (551, 552, 553), and an Agent Generator whose outputs go "To Transfer Engine" and "To Linking Engine". FIG. 6a: protection engine parameters 601/602: Executable File Parameters 611, Executable Code Parameters 612, Pattern Parameters 613, and 621. FIG. 6b: linking engine 405 forming a package laid out as "Mn | Pn | Xn" (MPC, policies, executable).]

[Sheet 6 of 10 (FIGS. 7a, 7b, 8; drawings not reproduced in this extraction). FIG. 7a: sandbox protection system 700 operating within destination system elements 701, 702. FIG. 7b: memory allocation 703/704 with a Memory Space-N and Memory Spaces-P1 and P2, referencing 146 and policies 342. FIG. 8: mobile protection code 341 comprising a Package Extractor, an Executable Installer, a Sandbox Engine Installer, a Resource Access Diverter, a Resource Access Analyzer, a Policy Enforcer and an MPC De-installer (elements 801-806 and following).]

[Sheet 7 of 10 (FIG. 9, flowchart; drawing not reproduced in this extraction). Server based protection method:
- Monitor re-communicator (e.g. server) operation.
- 903: Receive information having a protected information destination (a "potential-Downloadable").
- 905 (optional, dashed): Determine source trustworthiness.
- 913: Determine whether the potential-Downloadable includes executable code.
- No: 915: Cause potential-Downloadable to be delivered to the information-destination.
- Yes: 919: Form a protection agent corresponding to mobile protection code, the potential-Downloadable (now a detected-Downloadable) and any protection policies; 921: Cause the protection agent to be delivered to the information-destination.
- 909 (optional, dashed): Prevent current delivery; Notify Client(s), Administrator.
- End.]

[Sheet 8 of 10 (FIGS. 10A, 10B, flowcharts; drawings not reproduced in this extraction).
FIG. 10A (detail of step 913):
- Start.
- 1001: Determine whether the potential-Downloadable indicates an executable file type.
- 1003: Determine whether the file contents include binary information or code patterns.
- 1005: If steps 1001 and 1003 indicate that the potential-Downloadable more likely includes executable code, consider the potential-Downloadable a detected-Downloadable.
- End.
FIG. 10B (detail of step 919):
- Start.
- 1011: Retrieve protection parameters and form mobile protection code according to the parameters.
- Retrieve protection parameters and form protection policies according to the parameters.
- 1015: Couple the mobile protection code, protection policies and received information to form a protection agent (e.g. MPC first, policies second, and RI third).
- End.]

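The two flowcharts above describe the server-side half of the scheme as a procedure: test the declared file type (1001), test the contents for binary signatures and code patterns (1003), combine the tests (1005), then couple MPC, policies and the received information into an agent (1011-1015). The following is an added example, not code from the patent or from Finjan, showing one way those steps look in Python. The signature table, the pattern list, the policy schema and the length-prefixed framing of the agent are assumptions made for this example; the patent fixes none of them, and the MPC is passed in as an opaque byte string.

```python
"""Added example (not Finjan's code): server-side detection of executable content
and formation of a protection agent, following FIGS. 10A/10B of US 7,058,822.
Signatures, patterns, policy schema and agent framing are assumptions."""
import io
import json
import re
import struct
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Step 1001: declared file type. Extension and MIME sets are assumptions.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".class", ".jar", ".js", ".vbs", ".ocx", ".cab"}
EXECUTABLE_MIME = {"application/x-msdownload", "application/java-archive",
                   "application/java-vm", "application/x-javascript", "text/javascript"}

# Step 1003 (binary information): magic bytes of executable containers.
BINARY_SIGNATURES = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xca\xfe\xba\xbe": "Java class file",
    b"PK\x03\x04": "ZIP container",
}

# Step 1003 (code patterns): code hidden inside nominally inert HTML or mail.
CODE_PATTERNS = [
    re.compile(rb"<\s*script\b", re.I),
    re.compile(rb"<\s*applet\b", re.I),
    re.compile(rb"<\s*object\b[^>]*classid\s*=", re.I),
    re.compile(rb"\bActiveXObject\s*\(", re.I),
    re.compile(rb"\bjavascript\s*:", re.I),
    re.compile(rb"\bCreateObject\s*\(", re.I),
]


@dataclass
class Verdict:
    file_type_executable: bool
    binary_reason: Optional[str]
    pattern_hits: List[str]

    @property
    def is_downloadable(self) -> bool:
        # Step 1005: the tests are independent; any positive result is enough.
        return self.file_type_executable or self.binary_reason is not None or bool(self.pattern_hits)


def zip_contains_code(data: bytes) -> bool:
    """A ZIP is treated as executable only if it carries code members."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith((".class", ".exe", ".dll", ".js", ".vbs")) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def inspect(name: str, content_type: str, data: bytes) -> Verdict:
    """Steps 1001-1005 over one received object (name, MIME type, bytes)."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    by_type = ext in EXECUTABLE_EXTENSIONS or content_type.split(";")[0].strip().lower() in EXECUTABLE_MIME
    binary_reason = None
    for magic, label in BINARY_SIGNATURES.items():
        if data.startswith(magic):
            if magic == b"PK\x03\x04" and not zip_contains_code(data):
                break  # archive without code members: not a Downloadable by itself
            binary_reason = label
            break
    hits = [p.pattern.decode() for p in CODE_PATTERNS if p.search(data)]
    return Verdict(by_type, binary_reason, hits)


def form_policies(params: dict) -> bytes:
    """Step 1013: protection policies from client/user parameters (assumed schema)."""
    policy = {
        "deny": params.get("deny", ["file.write", "net.connect", "registry.write"]),
        "allow": params.get("allow", ["file.read"]),
        "on_violation": params.get("on_violation", "block_and_log"),
    }
    return json.dumps(policy, sort_keys=True).encode()


def form_agent(mpc: bytes, policies: bytes, received: bytes) -> bytes:
    """Step 1015: MPC first, policies second, received information third; each part
    is framed as a 4-byte big-endian length followed by its bytes (assumed encoding)."""
    return b"".join(struct.pack(">I", len(part)) + part for part in (mpc, policies, received))


def split_agent(agent: bytes) -> Tuple[bytes, bytes, bytes]:
    """Inverse of form_agent, as the destination would apply it before installing."""
    parts, off = [], 0
    for _ in range(3):
        (n,) = struct.unpack_from(">I", agent, off)
        off += 4
        parts.append(agent[off:off + n])
        off += n
    if off != len(agent):
        raise ValueError("trailing bytes after third part")
    return parts[0], parts[1], parts[2]


def protect(name: str, content_type: str, data: bytes, mpc: bytes, params: dict):
    """FIG. 9 steps 913-921: deliver unchanged, or deliver an agent instead."""
    verdict = inspect(name, content_type, data)
    if not verdict.is_downloadable:
        return "deliver", data
    return "agent", form_agent(mpc, form_policies(params), data)


def sample_inputs():
    """Constructed inputs for the example (not real captures)."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("Evil.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x31")
    docs = io.BytesIO()
    with zipfile.ZipFile(docs, "w") as zf:
        zf.writestr("readme.txt", b"hello")
    return {
        "html_applet": ("index.html", "text/html", b"<html><applet code=Dropper.class></applet></html>"),
        "plain": ("notes.txt", "text/plain", b"quarterly numbers attached"),
        "renamed_pe": ("holiday.jpg", "image/jpeg", b"MZ\x90\x00" + b"\x00" * 60),
        "jar_as_zip": ("archive.zip", "application/zip", jar.getvalue()),
        "benign_zip": ("docs.zip", "application/zip", docs.getvalue()),
    }
```

The point the "renamed_pe" and "html_applet" inputs make is the one the flowchart makes: the declared type alone is not trusted, and a Downloadable hidden in a JPEG name or inside an HTML page is still caught by the content tests, while a ZIP with no code members is passed through.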
[Sheet 9 of 10 (FIG. 11, flowchart; drawing not reproduced in this extraction). Method for protecting a Downloadable destination:
- Start.
- 1101: Install mobile protection code elements and policies within a destination device.
- 1102: Load the Downloadable without actually initiating it.
- 1103: Form an access interceptor for intercepting Downloadable destination device access attempts within the destination device.
- Initiate the Downloadable within the destination device.
- Determine policies in accordance with the access attempt.
- Execute the policies (including causing an allowable response expected by the Downloadable to be returned to the Downloadable).
- End.]

[Sheet 10 of 10 (FIGS. 12a, 12b, flowcharts; drawings not reproduced in this extraction).
FIG. 12a (detail of step 1103):
- Start.
- 1201: Install the Downloadable.
- 1203: Modify the Downloadable API to divert malicious access requests to the mobile protection code.
- End.
FIG. 12b (detail of step 1109):
- Start.
- 1211: Receive a Downloadable access request via the modified API.
- 1213: Query stored policies to determine a policy corresponding to the Downloadable access request.
- End.]

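FIGS. 11, 12a and 12b describe the destination-side half of the scheme: install the MPC and policies, load the Downloadable without running it, divert its resource-access API to the MPC, run it, and answer each access attempt according to policy, returning an allowable response the Downloadable expects where the policy says so rather than simply aborting. The following is an added example, not code from the patent or from Finjan, that carries those steps through in Python. The Downloadable here is constructed Python source standing in for an applet or script, the diverted API is the interpreter's own `open` and `socket.socket` rather than a Java or ActiveX API, and the policy schema (rules keyed by operation and target prefix, actions allow/fake/deny) is an assumption for the example.

```python
"""Added example (not Finjan's code): destination-side sandbox following FIGS. 11,
12a and 12b of US 7,058,822. The Downloadable is constructed Python source; the
diverted APIs (builtins.open, socket.socket) and the policy schema are assumptions."""
import builtins
import io
import socket
from contextlib import contextmanager


class PolicyViolation(Exception):
    """Raised into the Downloadable when the policy action is 'deny'."""


class MobileProtectionCode:
    def __init__(self, policies: dict):
        self.policies = policies  # step 1101: policies installed alongside the MPC
        self.log = []             # local log of (operation, target, action)

    def decide(self, operation: str, target: str) -> str:
        """Steps 1211/1213: an access request arrived via the diverted API;
        find the first matching rule, else fall back to the default action."""
        for rule in self.policies.get("rules", []):
            if rule["op"] == operation and target.startswith(rule["prefix"]):
                self.log.append((operation, target, rule["action"]))
                return rule["action"]
        default = self.policies.get("default", "deny")
        self.log.append((operation, target, default))
        return default

    def diverted_open(self, real_open):
        """Step 1203 for file access: every open() call passes through decide()."""
        def _open(path, mode="r", *args, **kwargs):
            op = "file.write" if any(c in mode for c in "wax+") else "file.read"
            action = self.decide(op, str(path))
            if action == "allow":
                return real_open(path, mode, *args, **kwargs)
            if action == "fake":
                # allowable response the Downloadable expects: an empty file object
                return io.BytesIO() if "b" in mode else io.StringIO()
            raise PolicyViolation(f"{op} {path} denied")
        return _open

    def diverted_socket(self, real_socket):
        """Step 1203 for network access: connect() is routed through decide()."""
        mpc = self

        class _Socket(real_socket):
            def connect(self, address):
                host, port = address[0], address[1]
                action = mpc.decide("net.connect", f"{host}:{port}")
                if action == "allow":
                    return super().connect(address)
                if action == "fake":
                    return None  # report success; nothing leaves the host
                raise PolicyViolation(f"net.connect {host}:{port} denied")
        return _Socket


@contextmanager
def sandbox(mpc: MobileProtectionCode):
    """Install the diverted API (step 1103) and restore the real one afterwards."""
    real_open, real_socket = builtins.open, socket.socket
    builtins.open = mpc.diverted_open(real_open)
    socket.socket = mpc.diverted_socket(real_socket)
    try:
        yield mpc
    finally:
        builtins.open, socket.socket = real_open, real_socket


def run_downloadable(source: str, policies: dict):
    """FIG. 11: install MPC and policies, load without initiating, form the
    interceptor, then initiate the Downloadable inside it."""
    mpc = MobileProtectionCode(policies)
    code = compile(source, "<downloadable>", "exec")  # step 1102: loaded, not run
    namespace = {}
    with sandbox(mpc):
        try:
            exec(code, namespace)
            outcome = "completed"
        except PolicyViolation as exc:
            outcome = f"stopped: {exc}"
    return outcome, mpc.log


# Constructed Downloadable (not a real sample): probes the file system, tries to
# phone home to a TEST-NET-3 address, then reads a protected path.
SAMPLE_DOWNLOADABLE = r'''
import socket
with open("readme.txt", "w") as f:
    f.write("hello")
s = socket.socket()
s.connect(("203.0.113.7", 6667))
s.close()
open("/etc/passwd", "r").read()
'''

SAMPLE_POLICIES = {
    "rules": [
        {"op": "file.write", "prefix": "readme.txt", "action": "fake"},
        {"op": "net.connect", "prefix": "203.0.113.", "action": "fake"},
        {"op": "file.read", "prefix": "/etc/", "action": "deny"},
    ],
    "default": "deny",
}
```

The "fake" action is what the last box of FIG. 11 describes: the write and the connect both appear to succeed from the Downloadable's point of view, so it keeps running and reveals its next attempt, while the read of /etc/passwd is refused outright and stops it. Everything the Downloadable tried is in the MPC's log, which is the material a policy author or an administrator would want after the fact.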
US 7,058,822 B2

MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS

PRIORITY REFERENCE TO RELATED APPLICATIONS

This application claims benefit of and hereby incorporates by reference provisional application Ser. No. 60/205,591, entitled "Computer Network Malicious Code Run-time Monitoring," filed on May 17, 2000 by inventors Nimrod Itzhak Vered, et al. This application is also a Continuation-In-Part of and hereby incorporates by reference patent application Ser. No. 09/539,667, now U.S. Pat. No. 6,804,780, entitled "System and Method for Protecting a Computer and a Network From Hostile Downloadables" filed on Mar. 30, 2000 by inventor Shlomo Touboul. This application is also a Continuation-In-Part of and hereby incorporates by reference patent application Ser. No. 09/551,302, now U.S. Pat. No. 6,480,962, entitled "System and Method for Protecting a Client During Runtime From Hostile Downloadables", filed on Apr. 18, 2000 by inventor Shlomo Touboul.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to computer networks, and more particularly provides a system and methods for protecting network-connectable devices from undesirable downloadable operation.

2. Description of the Background Art

Advances in networking technology continue to impact an increasing number and diversity of users. The Internet, for example, already provides to expert, intermediate and even novice users the informational, product and service resources of over 100,000 interconnected networks owned by governments, universities, nonprofit groups, companies, etc. Unfortunately, particularly the Internet and other public networks have also become a major source of potentially system-fatal or otherwise damaging computer code commonly referred to as "viruses."

Efforts to forestall viruses from attacking networked computers have thus far met with only limited success at best. Typically, a virus protection program designed to identify and remove or protect against the initiating of known viruses is installed on a network firewall or individually networked computer. The program is then inevitably surmounted by some new virus that often causes damage to one or more computers. The damage is then assessed and, if isolated, the new virus is analyzed. A corresponding new virus protection program (or update thereof) is then developed and installed to combat the new virus, and the new program operates successfully until yet another new virus appears, and so on. Of course, damage has already typically been incurred.

To make matters worse, certain classes of viruses are not well recognized or understood, let alone protected against. It is observed by this inventor, for example, that Downloadable information comprising program code can include distributable components (e.g. Java™ applets and JavaScript scripts, ActiveX™ controls, Visual Basic, add-ins and/or others). It can also include, for example, application programs, Trojan horses, multiple compressed programs such as zip or meta files, among others. U.S. Pat. No. 5,983,348 to Shuang, however, teaches a protection system for protecting against only distributable components including "Java applets or ActiveX controls", and further does so using resource intensive and high bandwidth static Downloadable content and operational analysis, and modification of the Downloadable component; Shuang further fails to detect or protect against additional program code included within a tested Downloadable. U.S. Pat. No. 5,974,549 to Golan teaches a protection system that further focuses only on protecting against ActiveX controls and not other distributable components, let alone other Downloadable types. U.S. Pat. No. 6,167,520 to Touboul enables more accurate protection than Shuang or Golan, but lacks the greater flexibility and efficiency taught herein, as do Shuang and Golan.

Accordingly, there remains a need for efficient, accurate and flexible protection of computers and other network connectable devices from malicious Downloadables.

SUMMARY OF THE INVENTION

The present invention provides protection systems and methods capable of protecting a personal computer ("PC") or other persistently or even intermittently network accessible devices or processes from harmful, undesirable, suspicious or other "malicious" operations that might otherwise be effectuated by remotely operable code. While enabling the capabilities of prior systems, the present invention is not nearly so limited, resource intensive or inflexible, and yet enables more reliable protection. For example, remotely operable code that is protectable against can include downloadable application programs, Trojan horses and program code groupings, as well as software "components", such as Java™ applets, ActiveX™ controls, JavaScript™/Visual Basic scripts, add-ins, etc., among others. Protection can also be provided in a distributed interactively, automatically or mixed configurable manner using protected client, server or other parameters, redirection, local/remote logging, etc., and other server/client based protection measures can also be separately and/or interoperably utilized, among other examples.

In one aspect, embodiments of the invention provide for determining, within one or more network "servers" (e.g. firewalls, resources, gateways, email relays or other devices/processes that are capable of receiving-and-transferring a Downloadable) whether received information includes executable code (and is a "Downloadable"). Embodiments also provide for delivering static, configurable and/or extensible remotely operable protection policies to a Downloadable-destination, more typically as a sandboxed package including the mobile protection code, downloadable policies and one or more received Downloadables. Further client-based or remote protection code/policies can also be utilized in a distributed manner. Embodiments also provide for causing the mobile protection code to be executed within a Downloadable-destination in a manner that enables various Downloadable operations to be detected, intercepted or further responded to via protection operations. Additional server/information-destination device security or other protection is also enabled, among still further aspects.

A protection engine according to an embodiment of the invention is operable within one or more network servers, firewalls or other network connectable information re-communicating devices (as are referred to herein summarily one or more "servers" or "re-communicators"). The protection engine includes an information monitor for monitoring information received by the server, and a code detection engine for determining whether the received information includes executable code. The protection engine also includes a packaging engine for causing a sandboxed package, typically including mobile protection code and downloadable protection policies, to be sent to a Downloadable-destination in conjunction with the received information, if the received information is determined to be a Downloadable.

A sandboxed package according to an embodiment of the invention is receivable by and operable with a remote Downloadable-destination. The sandboxed package includes mobile protection code ("MPC") for causing one or more predetermined malicious operations or operation combinations of a Downloadable to be monitored or otherwise intercepted. The sandboxed package also includes protection policies (operable alone or in conjunction with further Downloadable-destination stored or received policies/MPCs) for causing one or more predetermined operations to be performed if one or more undesirable operations of the Downloadable is/are intercepted. The sandboxed package can also include a corresponding Downloadable and can provide for initiating the Downloadable in a protective "sandbox". The MPC/policies can further include a communicator for enabling further MPC/policy information or "modules" to be utilized and/or for event logging or other purposes.

A sandbox protection system according to an embodiment of the invention comprises an installer for enabling a received MPC to be executed within a Downloadable-destination (device/process) and further causing a Downloadable application program, distributable component or other received downloadable code to be received and installed within the Downloadable-destination. The protection system also includes a diverter for monitoring one or more operation attempts of the Downloadable, an operation analyzer for determining one or more responses to the attempts, and a security enforcer for effectuating responses to the monitored operations. The protection system can further include one or more security policies according to which one or more protection system elements are operable automatically (e.g. programmatically) or in conjunction with user intervention (e.g. as enabled by the security enforcer). The security policies can also be configurable/extensible in accordance with further downloadable and/or Downloadable-destination information.

A method according to an embodiment of the invention includes receiving downloadable information, determining whether the downloadable information includes executable code, and causing a mobile protection code and security policies to be communicated to a network client in conjunction with security policies and the downloadable information if the downloadable information is determined to include executable code. The determining can further provide multiple tests for detecting, alone or together, whether the downloadable information includes executable code.

A further method according to an embodiment of the invention includes forming a sandboxed package that includes mobile protection code ("MPC"), protection policies, and a received, detected-Downloadable, and causing the sandboxed package to be communicated to and installed by a receiving device or process ("user device") for responding to one or more malicious operation attempts by the detected-Downloadable from within the user device. The MPC/policies can further include a base "module" and a "communicator" for enabling further up/downloading of one or more further "modules" or other information (e.g. events, user/user device information, etc.).

Another method according to an embodiment of the invention includes installing, within a user device, received mobile protection code ("MPC") and protection policies in conjunction with the user device receiving a downloadable application program, component or other Downloadable(s). The method also includes determining, by the MPC, a resource access attempt by the Downloadable, and initiating, by the MPC, one or more predetermined operations corresponding to the attempt. (Predetermined operations can, for example, comprise initiating user, administrator, client, network or protection system determinable operations, including but not limited to modifying the Downloadable operation, extricating the Downloadable, notifying a user/another, maintaining a local/remote log, causing one or more MPCs/policies to be downloaded, etc.)

Advantageously, systems and methods according to embodiments of the invention enable potentially damaging, undesirable or otherwise malicious operations by even unknown mobile code to be detected, prevented, modified and/or otherwise protected against without modifying the mobile code. Such protection is further enabled in a manner that is capable of minimizing server and client resource requirements, does not require pre-installation of security code within a Downloadable-destination, and provides for client specific or generic and readily updateable security measures to be flexibly and efficiently implemented. Embodiments further provide for thwarting efforts to bypass security measures (e.g. by "hiding" undesirable operation causing information within apparently inert or otherwise "friendly" downloadable information) and/or dividing or combining security measures for even greater flexibility and/or efficiency.

Embodiments also provide for determining protection policies that can be downloaded and/or ascertained from other security information (e.g. browser settings, administrative policies, user input, uploaded information, etc.). Different actions in response to different Downloadable operations, clients, users and/or other criteria are also enabled, and embodiments provide for implementing other security measures, such as verifying a downloadable source, certification, authentication, etc. Appropriate action can also be accomplished automatically (e.g. programmatically) and/or in conjunction with alerting one or more users/administrators, utilizing user input, etc. Embodiments further enable desirable Downloadable operations to remain substantially unaffected, among other aspects.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1a is a block diagram illustrating a network system in accordance with an embodiment of the present invention;
FIG. 1b is a block diagram illustrating a network subsystem example in accordance with an embodiment of the invention;
FIG. 1c is a block diagram illustrating a further network subsystem example in accordance with an embodiment of the invention;
FIG. 2 is a block diagram illustrating a computer system in accordance with an embodiment of the invention;
FIG. 3 is a flow diagram broadly illustrating a protection system host according to an embodiment of the invention;
FIG. 4 is a block diagram illustrating a protection engine according to an embodiment of the invention;
FIG. 5 is a block diagram illustrating a content inspection engine according to an embodiment of the invention;
FIG. 6a is a block diagram illustrating protection engine parameters according to an embodiment of the invention;
FIG. 6b is a flow diagram illustrating a linking engine use in conjunction with ordinary, compressed and distributable sandbox package utilization, according to an embodiment of the invention;
FIG. 7a is a flow diagram illustrating a sandbox protection system operating within a destination system, according to an embodiment of the invention;
FIG. 7b is a block diagram illustrating memory allocation usable in conjunction with the protection system of FIG. 7a, according to an embodiment of the invention;
FIG. 8 is a block diagram illustrating a mobile protection code according to an embodiment of the invention;
FIG. 9 is a flowchart illustrating a server based protection method according to an embodiment of the invention;
FIG. 10a is a flowchart illustrating a method for determining if a potential-Downloadable includes or is likely to include executable code, according to an embodiment of the invention;
FIG. 10b is a flowchart illustrating a method for forming a protection agent, according to an embodiment of the invention;
FIG. 11 is a flowchart illustrating a method for protecting a Downloadable destination according to an embodiment of the invention;
FIG. 12a is a flowchart illustrating a method for forming a Downloadable access interceptor according to an embodiment of the invention; and
FIG. 12b is a flowchart illustrating a method for implementing mobile protection policies according to an embodiment of the invention.

DETAILED DESCRIPTION

In providing malicious mobile code runtime monitoring systems and methods, embodiments of the invention enable actually or potentially undesirable operations of even unknown malicious code to be efficiently and flexibly avoided. Embodiments provide, within one or more "servers" (e.g. firewalls, resources, gateways, email relays or other information re-communicating devices), for receiving downloadable-information and detecting whether the downloadable-information includes one or more instances of executable code (e.g. as with a Trojan horse, zip/meta file etc.). Embodiments also provide for separately or interoperably conducting additional security measures within the server, within a Downloadable-destination of a detected-Downloadable, or both.

Embodiments further provide for causing mobile protection code ("MPC") and downloadable protection policies to be communicated to, installed and executed within one or more received information destinations in conjunction with a detected-Downloadable. Embodiments also provide, within an information-destination, for detecting malicious operations of the detected-Downloadable and causing responses thereto in accordance with the protection policies (which can correspond to one or more user, Downloadable, source, destination, or other parameters), or further downloaded or downloadable-destination based policies (which can also be configurable or extensible). (Note that the term "or", as used herein, is generally
