Kumar et al.

(10) Patent No.: US 8,327,441 B2
(45) Date of Patent: Dec. 4, 2012

(54) SYSTEM AND METHOD FOR APPLICATION ATTESTATION
(75) Inventors: Srinivas Kumar, Cupertino, CA (US); Gurudatt Shashikumar, Foster City, CA (US)
(73) Assignee: Taasera, Inc., Erie, PA (US)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.
`
`
OTHER PUBLICATIONS
Notification of Transmittal of the International Search Report (Forms PCT/ISA/220 and PCT/ISA/210) and the Written Opinion of the International Searching Authority (Form PCT/ISA/237) dated Aug. 27, 2012, issued in corresponding International Application No. PCT/US2012/025551. (9 pages).
Primary Examiner — David Garcia Cervetti
(74) Attorney, Agent, or Firm — Buchanan Ingersoll & Rooney PC
(57) ABSTRACT
An instrumented machine or platform having a target application thereon is disclosed. An attestation service may generate an application artifact having associated therewith a name and an application statement having at least one of a plurality of attribute value assertions describing the examined runtime local execution and introspection based derived security context. The application statements may represent the level of contextual trustworthiness, at near real time, of a running application on the instrumented target platform. A runtime process and network monitor may examine the local runtime execution context of the target application, and an identity provider may authenticate a user to the web application based on a web services query for attestation of the target application. A physical or logical authorization service may control access of an authenticated user to the target application, based on a dynamic application statement and multi-factor application attestation issued by the attestation service.
`
(21) Appl. No.: 13/399,065
(22) Filed: Feb. 17, 2012
(65) Prior Publication Data: US 2012/0216244 A1, Aug. 23, 2012

Related U.S. Application Data
(60) Provisional application No. 61/443,854, filed on Feb. 17, 2011.

(51) Int. Cl.: H04L 29/06 (2006.01)
(52) U.S. Cl.: 726/22
(58) Field of Classification Search: 726/22, 726/23, 24, 25
See application file for complete search history.

(56) References Cited

26 Claims, 11 Drawing Sheets
`
[Front-page representative drawing (FIG. 1): system schematic; labels recoverable from the scan include identity provider, network access enforcer (load balancer, VPN), active/passive client application and collaboration services]
`
`IPR2023-01464
`CrowdStrike EX1001 Page 1
`
`
`
`
[Sheet 1 of 11: FIG. 1, schematic of the exemplary system/architecture; labels recoverable from the scan: client application (active/passive), access requestor, operating system, application statements, network access enforcer (load balancer, VPN), identity provider, collaboration services]
[Sheet 2 of 11: FIG. 2, method of monitoring and attesting applications in a cloud computing environment; labels: run-time monitor, instrumented target platform, attestation broker, database, collaboration services]
[Sheet 3 of 11: FIG. 3, another method of monitoring and attesting applications; labels: instrumented target platform, identity provider, attestation broker, collaboration services]
[Sheet 4 of 11: FIG. 4, further method of monitoring and attesting applications; labels: instrumented target platform, network access enforcer, identity provider, attestation broker, collaboration services]
[Sheet 5 of 11: FIG. 5, monitoring and attesting a SASL enabled client and server application; labels: attestation broker, collaboration services]
[Sheet 6 of 11: FIG. 6, security administration console with integrity dashboard (screen image, not recoverable from the scan)]
[Sheet 7 of 11: FIG. 7, policy administration console with authorization dashboard (screen image, not recoverable from the scan)]
[Sheet 8 of 11: FIGS. 8 and 9, method flowcharts; step text not recoverable from the scan]
[Sheet 9 of 11: FIGS. 10 and 11, method flowcharts; step text not recoverable from the scan]
[Sheet 10 of 11: FIGS. 12 and 13, method flowcharts for client-server and peer-to-peer transactions; step text not recoverable from the scan]
[Sheet 11 of 11: FIG. 14, example computer system; labels: main memory, secondary memory, removable storage unit, display interface, communication infrastructure]
`1.
`SYSTEMAND METHOD FORAPPLICATION
`ATTESTATION
`
`US 8,327,441 B2
`
`2
`Mobile OS, a device running the Microsoft Windows(R Phone
`OS, a device running the Symbian OS, a device running the
`webOS from Hewlett Packard, Inc., a mobile phone, a Black
`Berry(R) device, a Smartphone, a hand held computer, a net
`book computer, a palmtop computer, a laptop computer, an
`ultra-mobile PC, a portable gaming system, a gaming con
`sole, or another similar type of computing device having a
`computer, microprocessor). The application statements may
`include at least one statement (or claim) about an inspected
`runtime execution context and/or an intelligence based secu
`rity context.
`The runtime monitor may be configured to inspect the
`execution context of the application after using a local attes
`tation process. The execution context of each respective
`application may include associated files, processes, and/or
`network epochs (e.g., socket events). The system may include
`any type of identity provider configured to authenticate a user
`to web or non-web applications (for example, client-server or
`peer-to-peer applications) based on a request for attestation of
`and a security context of a target application on a computing
`platform (e.g., the instrumented target platform).
`The presently disclosed technology also may be embodied
`as a method, apparatus and/or system that may include a
`network access enforcer for controlling the authenticated
`user's physical access to the target application on the instru
`mented target platform, responsive to one or more issued
`application statements (e.g., issued by the attestation service
`or another entity).
`The presently disclosed technology also may be embodied
`as another method, apparatus and/or system to include an
`identity provider for controlling the authenticated user's
`authorization to commence transactions with a target appli
`cation on the instrumented target platform, responsive to one
`or more issued application statements (e.g., issued by the
`attestation service).
`The presently disclosed technology also may be embodied
`with an application artifact that may include at least a regis
`tered name (e.g., a registered globally unique security prin
`cipal name) for the running application instance (e.g., a user
`program or a service program, among others). The attestation
`service may be configured to generate an artifact based on a
`runtime local execution context of the running application
`instance on the instrumented target platform.
`The presently disclosed technology also may be embodied
`with one or more application statements or claims which may
`include at least one of: (1) a registered name (e.g., a registered
`globally unique security principal name) for the running
`application instance; (2) a digitally signed certificate; (3)
`creation and/or modification timestamps; (4) assertions of a
`security context from a plurality of collaboration services; (5)
`a list of active listening and/or open network ports (e.g.,
`well-known and/or ephemeral); (6) network addresses used
`by the application; (7) a product publisher; (8) a product
`version; and/or (9) other runtime local execution context
`information.
`The presently disclosed technology also may be embodied
`with one or more application statements or claims, which may
`include attribute value assertions about an introspected Secu
`rity context of one or more running applications. The intro
`spected security context may be received from one (e.g., any
`one) of the plurality of collaboration services.
`The presently disclosed technology may also be embodied
`with a plurality of collaboration services which may include:
`(1) an application whitelisting services (e.g., any application
`whitelisting services); (2) a Vulnerability assessment service;
`(3) a patch management service; (4) an anti-virus service (5)
`a predictive and behavioral analytics engine; (6) and orches
`
`CROSS-REFERENCE TO RELATED
`APPLICATIONS
`
`The present application claims the benefit of U.S. Provi
`sional Appl. No. 61/443,854 entitled “SYSTEM AND
`METHOD FORAPPLICATIONATTESTATION, filed Feb.
`17, 2011, which is incorporated by reference herein in its
`entirety.
`
`10
`
`BACKGROUND OF THE DISCLOSURE
`
`1. Field of the Disclosure
`The present disclosure relates to the field of data center
`virtualization and, more particularly, to a system and method
`to provide attestation of applications at runtime.
`2. Description of the Related Art
`One recent trend in computing is the trend towards cloud
`computing in which, for example, enterprise Software is no
`longer owned by the customer, but instead the Information
`Technology infrastructure can be provided by a third party
`and the Software applications may be sold as service offer
`1ngS.
`
`SUMMARY OF THE DISCLOSURE
`
`15
`
`25
`
`30
`
`35
`
`The presently disclosed technology may be embodied as a
`method, apparatus and/or system to discover one or more
`applications and/or to attest for the applications on an instru
`mented target platform at runtime using or based on a plural
`ity of assertions (or statements).
`The presently disclosed technology also may be embodied
`as a method, apparatus, and/or system for a plurality of Ser
`vices that enable visibility, control, and/or compliance in a
`cloud computing environment with dynamic application dis
`covery, identification, monitoring and/or attestation based on
`a plurality of factors.
`The presently disclosed technology also may be embodied
`as a further method, apparatus and/or system to establish
`user-to-application connections based on dynamic attestation
`of applications, and/or security controls provisioned based on
`context-aware business logic instead of, for example, topol
`ogy based coordinates associated with encapsulation headers
`in network packets.
`The presently disclosed technology also may be embodied
`as a yet further method, apparatus and/or system to authorize
`user-to-application transactions and/or data exchange in an
`established connection, during the authentication phase
`based on dynamic attestation of applications.
`The presently disclosed technology also may be embodied
`as an additional method, apparatus and/or system for a runt
`ime monitor to inspect web and non-web applications (e.g.,
`all web and non-web applications) running on the instru
`mented target platform. The system may include an attesta
`tion service (or broker) using an attestation server and con
`figured to generate application artifacts and/or to issue
`application statements or claims. The application artifact may
`represent an identified application instance (e.g., at runtime,
`globally unique, opaquely and/or in a time-sensitive manner,
`for example, using an application artifact having a specified
`or predetermined lifetime) on an instrumented platform (such
`as but not limited to a, Personal Digital Assistant (PDA), a
`tablet computing device, an iPhone TM, an iPodTM, an iPadTM,
`a device operating the Android operating system (OS) from
`Google Inc., a device running the Microsoft Windows.(R)
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`IPR2023-01464
`CrowdStrike EX1001 Page 14
`
`
`
`3
`tration service; (7) a network intrusion detection or preven
`tion service; (8) an open flow switch controller; and/or (9) a
`malware analysis system.
`The presently disclosed technology may also be embodied
`with: (1) an identity provider that may include a single sign
`on service or a brokered authentication service; (2) a network
`access enforcer, which may include devices Such as for
`example network firewalls, load balancers, and/or VPN gate
`ways, and which may be configured as a policy enforcement
`point to control access based on an application statement or
`claim.
`The presently disclosed technology also may be embodied
`as a method, apparatus and/or system for evaluating authen
`ticity of a web application (for example, a servlet in a con
`tainer element). The method may include requesting a runt
`ime application artifact for the web application from an
`attestation service, and requesting, based on the application
`artifact, an application statement from the attestation service.
`The method may further include requesting from a plurality
`of collaboration services, for example by the attestation ser
`vice, a context (e.g., an introspection based security context)
`for the web application on the instrumented target platform.
`The method may also include establishing a communication
`channel (e.g., a secure communications channel) between the
`instrumented target platform and the server providing attes
`tation service, and generating an application statement corre
`sponding to at least one component of the web application.
`The method may include generating the statement about the
`application components, based on a parent/child association
`and/or a loader dependency, and transmitting the application
`statement to an identity provider. The method may further
`include generating a multi-factor confidence metric of the
`web application to be included with and rendered natively by
`a passive web client or browser.
`The presently disclosed technology may be embodied as
`another method, apparatus and/or system for evaluating
`authenticity of a non-web client-server application and/or a
`peer-to-peer application. The method may include requesting
`an application artifact for the application from an attestation
`service, for example, by a runtime monitor, and requesting an
`application statement from the attestation service, for
`example, by network access enforcer(s). The method may
`further include requesting, by the attestation service from a
`plurality of collaboration services, a context (e.g., an intro
`spection based security context) for the application on the
`instrumented target platform. The method may also include
`requesting a notification of or Subscribing to a change (e.g.,
`any change) in the execution context of the application on the
`instrumented target platform. The method may additionally
`include generating and publishing one or more application
`statements or claims about (regarding) the application based
`on at least one of a Subscription request by a plurality of
`identity providers and/or network access enforcers. The
`method may further include receiving or generating, and pub
`lishing a multi-factor confidence metric of the application for
`55
`a physical or logical access control decision.
The presently disclosed technology also may be embodied as a method, apparatus and/or system for client-server and/or peer-to-peer applications to evaluate the authenticity of peers prior to commencing a transaction or data exchange (e.g., any transaction or data exchange). The method may include a client-server application and/or a peer-to-peer application that may request an application artifact for each of the applications from an attestation service (or attestation server), and further may request, based on an artifact exchange, one or more application statements from the attestation service for each peer application. The method may further include requesting, by the attestation service from a plurality of collaboration services, a context (e.g., an introspection based security context) for these applications on the instrumented target platforms. The method may further include a secure exchange of the issued application artifacts between the applications, and a verification process (such as a back-channel verification of the exchanged artifacts with the attestation service). This method may further include requesting one or more application statements, based on (or responsive to) the exchanged application artifact, from the attestation service, and determining, by the peer applications or by the network access enforcer(s) receiving the one or more application statements, responsive to receiving the application statements, the authenticity of the other, or each, application in the transaction.
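The peer-to-peer exchange described in the preceding paragraph, as an added example that is not the patent's or the assignee's code: each peer enrolls with the attestation service, the peers exchange their artifacts, each verifies the artifact it received over a back channel with the service, and only then requests the peer's application statement. The class and field names, the HMAC signing (a stand-in for the digitally signed certificate), the artifact lifetime and the confidence rule are assumptions.

```python
import hashlib
import hmac
import json

# Added example, not the patent's own code: simulated peer-to-peer mutual
# attestation with back-channel verification of exchanged artifacts.
# Key, names, lifetime and confidence rule are assumptions.


class AttestationService:
    def __init__(self, key: bytes, lifetime_s: int = 300):
        self._key = key
        self._lifetime = lifetime_s
        self._issued = {}     # registered name -> artifact this service issued
        self._contexts = {}   # registered name -> security context from collaboration services

    def _sign(self, payload: dict) -> str:
        body = json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def issue_artifact(self, name: str, image: bytes, now: float) -> dict:
        """Artifact for a running instance: registered name, fingerprint, lifetime, signature."""
        artifact = {"name": name, "fingerprint": hashlib.sha256(image).hexdigest(),
                    "created": now, "expires": now + self._lifetime}
        artifact["signature"] = self._sign(artifact)
        self._issued[name] = artifact
        return artifact

    def record_context(self, name: str, whitelisted: bool, open_vulnerabilities: int) -> None:
        """Introspected security context as reported by the collaboration services."""
        self._contexts[name] = {"whitelisted": whitelisted,
                                "open_vulnerabilities": open_vulnerabilities}

    def verify_back_channel(self, presented: dict, now: float) -> bool:
        """Is the artifact a peer presented exactly the one this service issued, and still live?"""
        issued = self._issued.get(presented.get("name"))
        if issued is None or now >= issued["expires"]:
            return False
        return hmac.compare_digest(json.dumps(issued, sort_keys=True),
                                   json.dumps(presented, sort_keys=True))

    def issue_statement(self, name: str, now: float) -> dict:
        """Application statement for the named instance with an assumed confidence rule."""
        ctx = self._contexts[name]
        confidence = (100 if ctx["whitelisted"] else 30) - 15 * ctx["open_vulnerabilities"]
        statement = {"name": name, "issued": now, "assertions": dict(ctx),
                     "confidence": max(confidence, 0)}
        statement["signature"] = self._sign(statement)
        return statement

    def statement_genuine(self, statement: dict) -> bool:
        unsigned = {k: v for k, v in statement.items() if k != "signature"}
        return hmac.compare_digest(self._sign(unsigned), statement.get("signature", ""))


class Peer:
    def __init__(self, name: str, image: bytes, service: AttestationService, min_confidence: int):
        self.name, self.image, self.service = name, image, service
        self.min_confidence = min_confidence
        self.artifact = None

    def enroll(self, now: float) -> dict:
        self.artifact = self.service.issue_artifact(self.name, self.image, now)
        return self.artifact

    def accept_peer(self, peer_artifact: dict, now: float) -> bool:
        """Back-channel verify the exchanged artifact, then judge the peer's statement."""
        if not self.service.verify_back_channel(peer_artifact, now):
            return False
        statement = self.service.issue_statement(peer_artifact["name"], now)
        return (self.service.statement_genuine(statement)
                and statement["confidence"] >= self.min_confidence)


def mutual_attestation(a: Peer, b: Peer, now: float) -> bool:
    """Both peers must accept each other before the transaction or data exchange begins."""
    artifact_a, artifact_b = a.enroll(now), b.enroll(now)
    return a.accept_peer(artifact_b, now + 1) and b.accept_peer(artifact_a, now + 1)


def demo() -> bool:
    """Constructed sample: two whitelisted peers, the server with one open vulnerability."""
    service = AttestationService(b"attestation-demo-key")
    service.record_context("client/trading-app", True, 0)
    service.record_context("server/trading-app", True, 1)
    client = Peer("client/trading-app", b"client image", service, 60)
    server = Peer("server/trading-app", b"server image", service, 60)
    return mutual_attestation(client, server, 1_700_000_000.0)
```

A replayed artifact past its lifetime, an artifact for a name the service never registered, or one whose fingerprint was altered in transit all fail the back-channel check before any statement is consulted.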
The presently disclosed technology also may be embodied as a method, apparatus and/or system for displaying and continuously updating in real time or near real time (e.g., within a threshold period) the identity, attribution, and/or attestation information of executing or running (e.g., all running) applications hosted in the private and/or public virtual data centers in a cloud computing infrastructure. The method may include displaying one or more classification based confidence metrics and active listening and/or open network ports (e.g., well known and ephemeral) assigned on a plurality of instrumented target platforms.

The presently disclosed technology also may be embodied as a method, apparatus and/or system for establishing access control policies based on a user authentication method, a user role, and a dynamically discovered and attested application running on an instrumented target platform via subscription based application statements from an attestation service. The method may also include decoupling of the business logic (role based access controls, authentication requirements, and/or line of business applications, among others) from the network topology based physical constraints in the network fabric (e.g., IP addresses, MAC addresses, VLAN identifiers, and/or subnet addresses, among others) and may include context-aware logical attributes (user identity and/or application identity, among others) in policy grammar. The method may further include establishing access control rules that may leverage classification based dynamic confidence metrics, which may be included in an application statement used for authorization decisions.

BRIEF DESCRIPTION OF THE DRAWING FIGURES

The invention is best understood from the following detailed description when read in connection with the accompanying drawings. According to common practice, various features/elements of the drawings may not be drawn to scale. Common numerical references represent like features/elements. The following figures are included in the drawings:

FIG. 1 is a schematic diagram illustrating an exemplary system/architecture in accordance with various exemplary embodiments;
FIG. 2 is a schematic diagram illustrating a method of monitoring and attesting applications in a cloud computing environment in accordance with various exemplary embodiments;
FIG. 3 is a schematic diagram illustrating another method of monitoring and attesting applications in the cloud computing environment in accordance with various exemplary embodiments;
FIG. 4 is a schematic diagram illustrating a further method of monitoring and attesting applications in a cloud computing environment in accordance with various exemplary embodiments;
FIG. 5 is a schematic diagram illustrating a method of monitoring and attesting a Simple Authentication and Security Layer (SASL) enabled client and server application in accordance with various exemplary embodiments;
FIG. 6 is a schematic diagram illustrating an exemplary security administration console including an integrity dashboard in accordance with various exemplary embodiments;
FIG. 7 is a schematic diagram illustrating another exemplary policy administration console including an authorization dashboard in accordance with various exemplary embodiments;
FIG. 8 is a flowchart illustrating a method in accordance with various exemplary embodiments of the presently disclosed technology;
FIG. 9 is a flowchart illustrating a method in accordance with various exemplary embodiments of the presently disclosed technology;
FIG. 10 is a flowchart illustrating a method in accordance with various exemplary embodiments of the presently disclosed technology;
FIG. 11 is a flowchart illustrating a method in accordance with various exemplary embodiments of the presently disclosed technology;
FIG. 12 is a flowchart illustrating a method in accordance with various exemplary embodiments of the presently disclosed technology;
FIG. 13 is a flowchart illustrating a method in accordance with various exemplary embodiments of the presently disclosed technology; and
FIG. 14 is a diagram of an example computer system in which embodiments can be implemented.

In certain exemplary embodiments, applications may be secured by signing-on or authenticating applications onto the network using an attestation process (e.g., via a single factor or multi-factor attestation). In a multi-factor process, applications may be qualified based on at least two factors. A first factor may identify one or more attributes of the application (e.g., the run time instance of the application) such as (1) a hash of the application, as an application fingerprint, (2) other applications/processes called by the application, (3) ports used by the application, (4) computing, storage, and network resource usage by the application, and/or (5) the platform executing the application, among others. Such information may be available locally (e.g., at the computing platform running the application) in the current execution context. A second factor may identify what is known about the application based on the attributes of the application from security intelligence external to the operating environment (e.g., a third party (e.g., a trusted third party) separate from the computing platform running the application).
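The two-factor attestation described above, modelled as an added example that is not the patent's or the assignee's code: the attestation service issues an artifact from the local execution context (factor 1), folds the collaboration services' findings (factor 2) into attribute value assertions with a confidence metric of the kind the summary lists, and a network access enforcer decides on the signed statement. HMAC over canonical JSON stands in for the digitally signed certificate; the key, lifetime, field names and scoring rule are assumptions.

```python
import hashlib
import hmac
import json

# Added example, not the patent's own code. Factor 1 is the local runtime
# execution context reported by the runtime monitor (image hash, listening
# ports, child processes, publisher, version); factor 2 is the introspected
# security context returned by the collaboration services. The HMAC key,
# artifact lifetime, field names and scoring rule are assumptions.

SERVICE_KEY = b"attestation-service-demo-key"   # assumed signing secret
ARTIFACT_LIFETIME_S = 300                       # assumed predetermined lifetime


def sign(payload: dict) -> str:
    """HMAC over a canonical JSON encoding; stands in for the signed certificate."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SERVICE_KEY, body, hashlib.sha256).hexdigest()


def signature_valid(obj: dict) -> bool:
    unsigned = {k: v for k, v in obj.items() if k != "signature"}
    return hmac.compare_digest(sign(unsigned), obj.get("signature", ""))


def issue_artifact(local_ctx: dict, now: float) -> dict:
    """Register a globally unique name for the running instance and sign it."""
    artifact = {
        "name": f"{local_ctx['platform']}/{local_ctx['executable']}/{local_ctx['pid']}",
        "fingerprint": hashlib.sha256(local_ctx["image"]).hexdigest(),
        "platform": local_ctx["platform"],
        "created": now,
        "expires": now + ARTIFACT_LIFETIME_S,
    }
    artifact["signature"] = sign(artifact)
    return artifact


def artifact_valid(artifact: dict, now: float) -> bool:
    """Usable only while genuinely signed and inside its predetermined lifetime."""
    return signature_valid(artifact) and now < artifact["expires"]


def confidence_metric(a: dict) -> int:
    """Assumed classification rule: start at 100, deduct per adverse finding."""
    score = 100
    if not a["whitelisted"]:
        score -= 40
    if a["malware_detected"]:
        score -= 100
    if not a["patch_current"]:
        score -= 20
    return max(score - 10 * a["open_vulnerabilities"], 0)


def issue_statement(artifact: dict, local_ctx: dict, collab: dict, now: float) -> dict:
    """Attribute value assertions from both factors, plus the confidence metric."""
    if not artifact_valid(artifact, now):
        raise ValueError("artifact invalid or expired")
    assertions = {
        "fingerprint": artifact["fingerprint"],                  # factor 1
        "listening_ports": sorted(local_ctx["listening_ports"]),
        "child_processes": sorted(local_ctx["child_processes"]),
        "publisher": local_ctx["publisher"],
        "version": local_ctx["version"],
        "whitelisted": collab["whitelisted"],                    # factor 2
        "open_vulnerabilities": collab["open_vulnerabilities"],
        "patch_current": collab["patch_current"],
        "malware_detected": collab["malware_detected"],
    }
    statement = {"name": artifact["name"], "issued": now,
                 "assertions": assertions, "confidence": confidence_metric(assertions)}
    statement["signature"] = sign(statement)
    return statement


def enforcer_decision(statement: dict, min_confidence: int, allowed_ports: set) -> bool:
    """Policy enforcement point: admit only a genuine statement that meets policy."""
    if not signature_valid(statement):
        return False                     # forged or tampered statement
    a = statement["assertions"]
    if not a["whitelisted"] or a["malware_detected"]:
        return False
    if not set(a["listening_ports"]) <= allowed_ports:
        return False                     # unexpected listening port: deny
    return statement["confidence"] >= min_confidence


# Constructed sample input: a whitelisted servlet with one unpatched finding.
SAMPLE_CTX = {"platform": "vm-web-01", "executable": "servlet-container", "pid": 4242,
              "image": b"constructed servlet image bytes", "listening_ports": [443],
              "child_processes": ["jvm"], "publisher": "Example Corp", "version": "2.1.0"}
SAMPLE_COLLAB = {"whitelisted": True, "open_vulnerabilities": 1,
                 "patch_current": False, "malware_detected": False}


def demo(now: float = 1_700_000_000.0) -> bool:
    artifact = issue_artifact(SAMPLE_CTX, now)
    statement = issue_statement(artifact, SAMPLE_CTX, SAMPLE_COLLAB, now + 1)
    return enforcer_decision(statement, min_confidence=60, allowed_ports={443, 8443})
```

A statement whose confidence is edited after issuance, or an artifact presented after its lifetime, is rejected before any policy attribute is consulted.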
Applications that are hosted in self-managed and in-house enterprise data centers may be gradually migrating to outsourced service provider managed virtual data centers in private/public clouds. There may be a loss of visibility and direct control from this migration. Various exemplary embodiments include instrumentation to monitor the applications in process to increase visibility and enable attestation of applications executing in the outsourced service provider managed virtual data centers. As web and multi-tier applications proliferate in the cloud, secure connectivity based on certificates issued by third party certificate authorities may be inadequate for security and compliance because a significant number of web-based threats originate from trusted web sites.

Generally, access control mechanisms are based on static context and physical constraints rather than logical attributes and dynamic local execution context and/or a holistic security context (e.g., based on both local execution context as well as security intelligence). Physical and logical access controls based on user-to-application bindings, as an operative element of business logic, and logical attributes in a virtualized and fluid network may be used in a cloud computing environment (for the utility based infrastructure, platform and/or software as a service model) to scale and/or be viable for multi-tenancy or shared resources with deterministic confidentiality between or among tenants.

The access control mechanism may include an instrumente