US010055576B2

(12) United States Patent
Milner et al.

(10) Patent No.: US 10,055,576 B2
(45) Date of Patent: *Aug. 21, 2018

(54) DETECTION OF MALICIOUS SOFTWARE PACKAGES

(71) Applicant: Red Hat, Inc., Raleigh, NC (US)

(72) Inventors: Steve Bradford Milner, Tallahassee, FL (US); James Robert Bowes, Remote, OR (US)

(73) Assignee: Red Hat, Inc., Raleigh, NC (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days. This patent is subject to a terminal disclaimer.

(21) Appl. No.: 15/729,304

(22) Filed: Oct. 10, 2017

(65) Prior Publication Data
US 2018/0032720 A1, Feb. 1, 2018

Related U.S. Application Data
(63) Continuation of application No. 12/898,876, filed on Oct. 6, 2010, now Pat. No. 9,792,429.

(51) Int. Cl.
G06F 21/00 (2013.01)
G06F 21/51 (2013.01)
G06F 21/56 (2013.01)

(52) U.S. Cl.
CPC G06F 21/51 (2013.01); G06F 21/564 (2013.01)

(58) Field of Classification Search
CPC G06F 21/51; G06F 21/564
See application file for complete search history.
Primary Examiner: Mahfuzur Rahman
Assistant Examiner: Narciso Victoria
(74) Attorney, Agent, or Firm: Lowenstein Sandler LLP

(57) ABSTRACT

Systems and methods for a security tool that verifies the security of a software package. An example method may involve identifying a plurality of components contained in a software package comprising one of a JAR file, an Android application package, a docker image, a container file, or a virtual machine image; comparing the components contained in the software package to a list of known components; classifying the software package as insecure when at least one of the components matches an insecure component, or as secure when each of the compared components matches a corresponding secure component on the list of known components; preventing addition of the software package to a software repository when the software package is classified as insecure; and when insecure, providing an interface to enable a user to request the components of the software package be added as a secure component on the list of known components.

20 Claims, 7 Drawing Sheets
`
[Front-page drawing: block diagram 100. Labels: software repository 104, software package 124, software packages 108, security tool 118, black list 122, white list 120, network 106, software repository mirrors 110, computing system 102, package manager 112, manager tools 114.]
`
WIZ, Inc. EXHIBIT - 1076
WIZ, Inc. v. Orca Security LTD.
`
`
`
`
`
`
[Sheet 1 of 7. FIG. 1A: block diagram 100. Labels: software repository 104, software package 124, software packages 108, security tool 118, black list 122, white list 120, network 106, software repository mirrors 110, computing system 102, package manager 112, manager tools 114.]
`
`
`
[Sheet 2 of 7. FIG. 1B: block diagram 100. Labels: software repository 104, software packages 108, network 106, software repository mirrors 110, computing system 102, package manager 112, manager tools 114, 116, security tool 118, white list 120, black list 122.]
`
`
`
[Sheet 3 of 7. FIG. 2: table (reference numerals 122, 200, 205, 210) with columns NAME, VERSION, SIZE, HASH, VENDOR, CVE REFERENCE. Two rows are legible: PKGA.JAR, V.1, 100MB, 512,85d2a..., ABC INC, ACERT, INC. CVE-2008-1234; and PKGAI.JAR, V.2, 10MB, 512,85a1a..., AMC, INC, ACERT, INC CVE-2008-1234.]
`
`
`
[Sheet 4 of 7. FIG. 3: block diagram of computing system 300. Labels: network 106, network interface 310, processor 302, memory 304, storage 308, OS 306, security tool 118.]
`
`
`
[Sheet 5 of 7. FIG. 4A: flowchart 400 (reference numerals 402 to 412). Steps: BEGIN; IDENTIFY A SOFTWARE PACKAGE TO VERIFY AND CERTIFY; IDENTIFY THE COMPONENTS OF THE SOFTWARE PACKAGE; COMPARE THE COMPONENTS OF THE SOFTWARE PACKAGE TO A WHITE LIST; VERIFY AND CERTIFY THE SOFTWARE PACKAGE BASED ON THE COMPARISON; END.]
`
`
`
[Sheet 6 of 7. FIG. 4B: flowchart 420 (reference numerals 422 to 432). Steps: BEGIN; IDENTIFY A SOFTWARE PACKAGE TO VERIFY AND CERTIFY; IDENTIFY THE COMPONENTS OF THE SOFTWARE PACKAGE; COMPARE THE COMPONENTS OF THE SOFTWARE PACKAGE TO A BLACK LIST; VERIFY AND CERTIFY THE SOFTWARE PACKAGE BASED ON THE COMPARISON; END.]
`
`
`
[Sheet 7 of 7. FIG. 4C: flowchart 440 (reference numerals 442 to 452). Steps: BEGIN; IDENTIFY A SOFTWARE PACKAGE TO VERIFY AND CERTIFY; IDENTIFY THE COMPONENTS OF THE SOFTWARE PACKAGE; COMPARE THE COMPONENTS OF THE SOFTWARE PACKAGE TO A WHITE LIST AND A BLACK LIST; VERIFY AND CERTIFY THE SOFTWARE PACKAGE BASED ON THE COMPARISON; END.]
`
`
`
DETECTION OF MALICIOUS SOFTWARE PACKAGES

RELATED APPLICATIONS

This application is a continuation of application Ser. No. 12/898,876, filed Oct. 6, 2010, now U.S. Pat. No. 9,792,429, entitled "Detection of Malicious Software Packages," which is incorporated herein by reference.

TECHNICAL FIELD

This invention relates generally to computer software installation for computing systems.

DESCRIPTION OF THE RELATED ART

Today, a person using a computing system has a variety of avenues for obtaining software and installing the software on the computing system, such as purchasing physical media and downloading the software over a network. When downloading the software over a network, the person can acquire and install the software using a software package delivery system. The software package delivery system typically consists of a software repository which stores and maintains various software packages. The software packages typically consist of software stored in an archive format that includes data for installing the software.

The software repository, typically, stores software packages from different types of developers, such as software development companies or individual developers. Because the software packages originate from different developers, there currently exists no process by which software packages are certified as trusted and secure. Additionally, because of the flexibility of software packages, individuals can repackage a software package to include additional components. Because an individual can introduce new components into the software package without the benefit of trusted verification, the individual could possibly add exploitable code, bugs, malicious code, or files to the software package. Accordingly, the software repositories and the users of the repositories lack the ability to identify a known exploitable, malicious software package or trust that a software package

FIG. 4C illustrates a flowchart of an exemplary process for verifying and certifying a software package is secure utilizing a white list and a black list, according to various embodiments.

DETAILED DESCRIPTION OF EMBODIMENTS

For simplicity and illustrative purposes, the principles of the present teachings are described by referring mainly to exemplary embodiments thereof. However, one of ordinary skill in the art would readily recognize that the same principles are equally applicable to, and can be implemented in, all types of information and systems, and that any such variations do not depart from the true spirit and scope of the present teachings. Moreover, in the following detailed description, references are made to the accompanying figures, which illustrate specific embodiments. Electrical, mechanical, logical and structural changes may be made to the embodiments without departing from the spirit and scope of the present teachings. The following detailed description is, therefore, not to be taken in a limiting sense and the scope of the present teachings is defined by the appended claims and their equivalents.

Embodiments of the present teachings relate to systems and methods for verifying the security of software packages. According to embodiments, a software repository offering a software package or a computing system downloading a software package can utilize a security tool to verify the security of the software package. The security tool can be configured to check and to verify the security of software packages utilizing a black list of components. To check the security, the security tool can be configured to compare the components of the software package to the black list. The components of the software package can include the archival files (e.g. jar/egg files) contained in the software package. The security tool can be configured to compare the base archival file (package) and/or any archival sub-files (sub-packages) contained in the base archival file to the black list. A black list can include a list of archival files that are known to be insecure, such as known insecure packages/subpackages referenced in a Common Vulnerabilities and Exposures (CVE) list. The black list can include a hash of the archival files and details of the archival files that are insecure, such
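
The comparison described in the abstract and in the detailed description, as an added example that is not code from the patent or from Red Hat: it hashes a base archive and every archive nested inside it, checks each digest against a black list and a white list, and gates addition to a repository on the verdict. SHA-256, the "unverified" verdict for unlisted or unreadable components, the size and nesting limits, and all file names and payloads are assumptions constructed for the illustration.

```python
import hashlib
import io
import zipfile

MAX_DEPTH = 4                    # assumption: deepest archive nesting that is unpacked
MAX_MEMBER_BYTES = 64 * 2**20    # assumption: largest member that is decompressed


def digest(data):
    """SHA-256 hex digest; the hash algorithm is a choice made for this example."""
    return hashlib.sha256(data).hexdigest()


def iter_components(name, data, depth=0):
    """Yield (path, digest) for an archive and every archive nested inside it.

    JAR and egg files are zip containers, so nested archives are recognised by
    content (zipfile.is_zipfile), not by file extension.
    """
    if depth > MAX_DEPTH:
        raise ValueError(f"{name}: archive nesting deeper than {MAX_DEPTH}")
    yield name, digest(data)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                raise ValueError(f"{name}!/{info.filename}: member too large to inspect")
            member = archive.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                yield from iter_components(f"{name}!/{info.filename}", member, depth + 1)


def classify(name, data, blacklist, whitelist):
    """Return (verdict, details).

    insecure:   at least one component digest is on the black list
    secure:     every component digest is on the white list
    unverified: anything else, including archives that cannot be inspected
                (this third verdict is an assumption of the example)
    """
    try:
        components = list(iter_components(name, data))
    except Exception as exc:  # fail closed on anything the parser cannot read
        return "unverified", [str(exc)]
    bad = [(path, blacklist[h]) for path, h in components if h in blacklist]
    if bad:
        return "insecure", bad
    unknown = [path for path, h in components if h not in whitelist]
    if unknown:
        return "unverified", unknown
    return "secure", []


def admit_to_repository(name, data, blacklist, whitelist, repository, allow_unverified=False):
    """Add the package to `repository` (a dict here) unless the verdict forbids it."""
    verdict, details = classify(name, data, blacklist, whitelist)
    if verdict == "secure" or (verdict == "unverified" and allow_unverified):
        repository[name] = data
    return verdict, details


def make_archive(members):
    """Build a zip-format archive in memory with fixed timestamps (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for member_name, payload in members.items():
            archive.writestr(zipfile.ZipInfo(member_name, (2010, 10, 6, 0, 0, 0)), payload)
    return buf.getvalue()


def demo():
    """Run three constructed packages through the gate; return (verdicts, repository)."""
    flagged = make_archive({"com/example/Parser.class": b"constructed: flagged build"})
    util = make_archive({"com/example/Util.class": b"constructed: reviewed build"})
    good = make_archive({"Main.class": b"constructed: main", "lib/util.jar": util})
    # Repackaged copy: the flagged archive is added under a non-archive extension.
    repackaged = make_archive({"Main.class": b"constructed: main", "lib/util.jar": util,
                               "lib/parser.dat": flagged})
    novel = make_archive({"Other.class": b"constructed: never reviewed"})
    blacklist = {digest(flagged): "CVE reference placeholder"}
    whitelist = {digest(util), digest(good)}
    repository = {}
    verdicts = {
        name: admit_to_repository(name, data, blacklist, whitelist, repository)
        for name, data in [("app.jar", good), ("app-repackaged.jar", repackaged),
                           ("novel.egg", novel)]
    }
    return verdicts, repository


if __name__ == "__main__":
    results, repo = demo()
    for package, (verdict, details) in results.items():
        print(package, verdict, details)
    print("admitted:", sorted(repo))
```

Because components are matched by digest, the black list only catches byte-identical copies of a listed archive; a rebuilt or recompressed copy has a different digest and falls through to the white-list check.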
