Total found: 7841. Displayed: 200.
Publication date: 10-05-2016

FIRMWARE-LEVEL SECURITY AGENT WITH SUPPORT FOR OPERATING-SYSTEM-LEVEL SECURITY

Number: RU2583714C2

The present invention relates to security systems and methods and, more specifically, to security systems and methods that operate independently of the operating system but are designed to support a security application running at the operating-system level. The technical result of the present invention is an increase in the security level of a computer system, achieved by securing the computer system at the stage before the operating system starts. The method of securing a computer system before the operating system starts includes: a) launching UEFI from read-only memory before the operating system starts; b) launching from UEFI a security agent that operates independently of the operating system; c) the security agent scanning for malicious software and subsequently deleting or quarantining it; where the scan for malicious software ...

Publication date: 24-10-2017

System and method for detecting a malicious application by intercepting access to information displayed to the user

Number: RU2634176C1

The invention relates to the field of application data protection, namely to systems and methods for detecting a malicious application by intercepting access to information displayed to the user. The technical result of the present invention is an increase in the security of the user's computing device, achieved by detecting the malicious application from which a process accessing the information displayed to the user of the computing device was launched. A method is disclosed for detecting a malicious application on a user's computing device, according to which: a. an interception module intercepts a process's access to the information displayed to the user in order to determine at least: information about the process accessing the information displayed to the user, this information including at least the process identifier (PID); the region of the computing device's display on which the user is shown ...

Publication date: 24-10-2017

System and method for blocking access to protected applications

Number: RU2634168C1

The invention relates to the field of application data protection, namely to systems and methods for blocking access to information displayed to the user. The technical result is an increase in the security of the user's computing device, achieved by blocking a process's access to the information displayed to the user. A method is disclosed for blocking access to information displayed to the user, according to which: a. an activity monitoring module computes confidentiality coefficients for the graphical interface elements of the processes running on the computing device; b. an interception module intercepts a process's access to the information displayed to the user in order to determine at least: information about the process accessing the information displayed to the user, this information including at least the process identifier (PID); the region of the computing device's display on which the user is shown ...

Publication date: 08-02-2017

System and method for executing requests of operating system processes to the file system

Number: RU2610228C1

The invention is intended for executing process requests to the file system. The technical result is optimization of the file system's handling of process requests. A system for executing requests of operating system processes to the file system, where the requests are API function calls, the request-execution system comprising a request interception module, a caching module, a request database and an access control module. 2 independent and 4 dependent claims, 3 figures.

Publication date: 20-05-2016

METHOD FOR ENSURING SAFE EXECUTION OF A SCRIPT FILE

Number: RU2584507C1

The invention relates to information security. The technical result is an increase in the security of a computer system when script files are executed by interpreters. A method of executing script files in security systems operating in default-deny mode, in which: a security container is created, using which the security application restricts the interpreter's actions according to defined interpreter-restriction policies; the security application adapts the security container to the script file's execution environment by modifying the interpreter-restriction policies; the script file is checked for trust; execution of the script file by the interpreter is started upon a positive trust check, with execution restricted by the security container; at least one interpreter action during execution of the script file is intercepted; the intercepted interpreter action is analyzed for compliance with ...

Publication date: 10-12-2014

USE OF POWER MONITORING TECHNOLOGY FOR INTEGRITY CONTROL AND ENHANCING THE SECURITY OF COMPUTER SYSTEMS

Number: RU2013125468A

... 1. A method for performing a real-time assessment of the execution integrity of a routine on a computer processing platform, comprising the steps of: monitoring execution of the routine by tracing the processor's power consumption, taking samples during execution of the routine; using a platform characterization technique further comprising the steps of: detecting the sections of the traces that exhibit the greatest dependence on state transitions in the processor; using said sections to select the most informative features; obtaining, from the characterization of the selected features of the routine contained in said sections, a set of trusted power profiles for the routine; setting a threshold for a specific false-alarm rate based on the probability distribution of the distance from a signature composed of said trusted profiles; comparing a library of said trusted profiles with the features extracted from traces obtained ...

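The characterization-and-threshold procedure in the abstract above, as an added worked example in C (not code from the patent): eight constructed trusted feature vectors stand in for the features extracted from the most state-dependent trace sections; the signature is their per-feature mean, the distance is squared Euclidean, and the threshold for a chosen false-alarm rate is the matching empirical quantile of the trusted traces' own distances from the signature. The function names, the feature count and the sample values are this example's assumptions.

```c
#include <stdlib.h>

#define NFEAT    4   /* features taken from the trace sections most dependent on state transitions */
#define NTRUSTED 8   /* trusted runs used for characterization */

/* Constructed sample data: feature vectors from eight trusted executions of the routine. */
static const double trusted_profiles[NTRUSTED][NFEAT] = {
    {1.00, 2.00, 0.50, 1.50}, {1.02, 1.98, 0.51, 1.49},
    {0.98, 2.03, 0.49, 1.52}, {1.01, 2.01, 0.52, 1.48},
    {0.99, 1.97, 0.50, 1.51}, {1.03, 2.02, 0.48, 1.50},
    {0.97, 1.99, 0.51, 1.53}, {1.00, 2.00, 0.49, 1.47},
};

/* Signature: per-feature mean of the trusted profiles. */
void build_signature(double sig[NFEAT]) {
    for (int j = 0; j < NFEAT; j++) {
        double acc = 0.0;
        for (int i = 0; i < NTRUSTED; i++) acc += trusted_profiles[i][j];
        sig[j] = acc / NTRUSTED;
    }
}

/* Squared Euclidean distance of a trace's features from the signature
   (squared so no libm is needed; the ordering is the same as for the root). */
double signature_distance(const double sig[NFEAT], const double feat[NFEAT]) {
    double acc = 0.0;
    for (int j = 0; j < NFEAT; j++) acc += (feat[j] - sig[j]) * (feat[j] - sig[j]);
    return acc;
}

static int cmp_double(const void *a, const void *b) {
    double x = *(const double *)a, y = *(const double *)b;
    return (x > y) - (x < y);
}

/* Threshold for a target false-alarm rate: the (1 - far) empirical quantile of the
   distances of the trusted traces themselves, so a fraction far of trusted runs
   would be flagged. */
double threshold_for_far(const double sig[NFEAT], double far) {
    double d[NTRUSTED];
    for (int i = 0; i < NTRUSTED; i++) d[i] = signature_distance(sig, trusted_profiles[i]);
    qsort(d, NTRUSTED, sizeof d[0], cmp_double);
    int idx = NTRUSTED - (int)(far * NTRUSTED) - 1;   /* index of the (1 - far) quantile */
    if (idx < 0) idx = 0;
    if (idx >= NTRUSTED) idx = NTRUSTED - 1;
    return d[idx];
}

/* 1 = trace matches the trusted library, 0 = integrity alarm. */
int trace_trusted(const double feat[NFEAT], double far) {
    double sig[NFEAT];
    build_signature(sig);
    return signature_distance(sig, feat) <= threshold_for_far(sig, far);
}

/* Demo inputs (constructed): a clean run, and a run whose last feature section is off. */
int demo_clean(void)    { const double f[NFEAT] = {1.00, 2.00, 0.50, 1.50}; return trace_trusted(f, 0.125); }
int demo_tampered(void) { const double f[NFEAT] = {1.00, 2.00, 0.50, 2.50}; return trace_trusted(f, 0.125); }
```

With eight trusted runs and a false-alarm rate of 1/8 the threshold is the seventh-smallest trusted distance, so the single worst trusted run would itself be flagged; in practice the library is far larger and the threshold is read off a fitted distribution rather than a raw quantile.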
Publication date: 24-07-2014

Method for executing a program via a microprocessor on a security module

Number: DE102013001143A1

The invention relates to a method for executing a program via a microprocessor on a security module, in particular a chip card, wherein a number of functions (f) are called in the program flow. First, the value of a global counter (GC), which is valid program-wide for all functions (f), is initialized with a predetermined value (SV). For a respective function (f) of at least some of the functions (f), the value of the global counter (GC) is then modified, in a section of the program preceding the call of the respective function (f), by means of a first operation which can be reversed by a second, complementary operation. Subsequently, within the call of the respective function (f), the value of the global counter (GC) is modified by means of the second operation. Finally, at at least one check point (CP), at which, given correct program flow, the value of the global counter (GC) has been modified equally often by means of ...

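The global-counter scheme in the abstract above, as an added example in C (not the patent's code; the names GC and SV, the step value and the simulated faults are this example's assumptions). The first operation is an addition applied at each call site, the second is the complementary subtraction applied on entry to the callee, and the checkpoint verifies that the counter is back at its start value, so both a skipped call and a direct jump into a function body are caught.

```c
#include <stdint.h>

/* Global counter GC, valid program-wide for every protected function (example names). */
static uint32_t GC;
#define SV   0x5A3Cu   /* predetermined start value */
#define STEP 7u        /* first operation adds STEP, second subtracts it */

/* First operation: executed in the program section just before a protected call. */
static void gc_before_call(void) { GC += STEP; }

/* Second, complementary operation: executed inside the called function. */
static void gc_in_callee(void) { GC -= STEP; }

/* Checkpoint CP: with correct flow, each first operation has been undone by one
   second operation, so the counter must be back at SV. */
int checkpoint_ok(void) { return GC == SV; }

/* Protected functions: the first thing each does is the second operation. */
static int f1(int x) { gc_in_callee(); return x + 1; }
static int f2(int x) { gc_in_callee(); return x * 2; }

/* Correct flow: every call is preceded by the first operation.
   Returns the computed value, or -1 when the checkpoint fails. */
int run_correct(int x) {
    GC = SV;
    gc_before_call(); x = f1(x);
    gc_before_call(); x = f2(x);
    return checkpoint_ok() ? x : -1;
}

/* Simulated fault: the call to f1 is skipped (e.g. a glitched call instruction).
   The first operation ran but no second operation balanced it. */
int run_skipped_call(int x) {
    GC = SV;
    gc_before_call(); /* x = f1(x); skipped by the fault */
    gc_before_call(); x = f2(x);
    return checkpoint_ok() ? x : -1;
}

/* Simulated fault: control is forced into f2 without passing its call site.
   The second operation ran without a matching first operation. */
int run_jumped_into(int x) {
    GC = SV;
    gc_before_call(); x = f1(x);
    x = f2(x); /* no gc_before_call(): body entered by an illegitimate jump */
    return checkpoint_ok() ? x : -1;
}
```

Because the two operations are exact inverses, the counter carries no information about which functions ran, only that every protected entry was reached through its instrumented call site; that is why the checkpoint can be placed anywhere the counter should be back at SV.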
Publication date: 09-08-2007

Method and device for detecting a pirated copy

Number: DE102006004240A1

The invention relates to a method for detecting a pirated copy in which a first software comprises a copy of at least part of a second software; the following steps are carried out: the first software is executed, wherein, for a write and/or read operation of a parameter group of a procedure instance to and/or from a stack memory that takes place during a procedure change, at least one parameter characteristic of this write and/or read operation is recorded in a first document in the temporal order in which the write and/or read operations occur; the second software is executed, wherein, for a write and/or read operation of a parameter group of a procedure instance to or from a stack memory that takes place during a procedure change, at least one parameter characteristic of this write and/or read operation is recorded in the temporal ...

Publication date: 19-05-2004

Subroutine execution monitoring method, stores subroutine return address in program stack then compares with address given by subroutine return command to determine if error has occurred

Number: DE0010252347A1

When a subroutine is called (34) a return address (38) is stored in the program stack (30). When a subroutine return command (40) is executed, the address in the return command and the address in the stack are compared to determine if they have a predetermined relationship to each other. If not, an error handling routine is called. Independent claims are also included for the following: (1) a processor; (2) a chip card with a processor.

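A software model of the monitoring method above, added here as an example (not the patent's code). The program stack is an array, the call pushes the return address, and the return command carries its own copy of it; the predetermined relationship is taken to be equality, and stack corruption is simulated by overwriting a slot. All names are this example's.

```c
#include <stddef.h>
#include <stdint.h>

#define STACK_DEPTH 16
typedef uint32_t addr_t;

/* Simulated program stack holding return addresses, plus an error counter
   that stands in for the error handling routine being invoked. */
typedef struct {
    addr_t slots[STACK_DEPTH];
    size_t sp;
    int    errors;
} prog_stack_t;

static void error_handling_routine(prog_stack_t *s) { s->errors++; }

/* Subroutine call: the return address is stored in the program stack. */
int call_subroutine(prog_stack_t *s, addr_t return_addr) {
    if (s->sp >= STACK_DEPTH) { error_handling_routine(s); return 0; }
    s->slots[s->sp++] = return_addr;
    return 1;
}

/* Subroutine return command carrying its own address operand: it is compared
   with the stored address, and a mismatch (or an empty stack) is an error. */
int return_from_subroutine(prog_stack_t *s, addr_t addr_in_return_cmd) {
    if (s->sp == 0) { error_handling_routine(s); return 0; }
    addr_t stored = s->slots[--s->sp];
    if (stored != addr_in_return_cmd) { error_handling_routine(s); return 0; }
    return 1;
}

/* Nested calls with an intact stack: no errors. */
int scenario_intact(void) {
    prog_stack_t s = {0};
    call_subroutine(&s, 0x1000);
    call_subroutine(&s, 0x2000);
    return_from_subroutine(&s, 0x2000);
    return_from_subroutine(&s, 0x1000);
    return s.errors;
}

/* A stack write (think of an overflowing local buffer) replaces the saved
   return address; the return command still carries the genuine one. */
int scenario_corrupted(void) {
    prog_stack_t s = {0};
    call_subroutine(&s, 0x1000);
    s.slots[0] = 0xDEADu;   /* simulated corruption of the stored return address */
    return_from_subroutine(&s, 0x1000);
    return s.errors;
}

/* A return with no matching call (e.g. a forged RET reached by injected code). */
int scenario_unbalanced(void) {
    prog_stack_t s = {0};
    return_from_subroutine(&s, 0x3000);
    return s.errors;
}
```

The check only helps if the address carried by the return command lives somewhere the attacker cannot reach together with the stack, which is why the claims tie the method to a processor and chip card rather than to software alone.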
Publication date: 05-03-2014

Protecting a user from compromised web resources

Number: GB0002505529A

A method of protecting a user from a compromised web resource such as web-based email, chat forums, online payment sites, banking sites, web stores, and social networking and media sites. The method may comprise monitoring a user's requests for trusted web resources to determine one or more web resources to be checked, where trusted web resources are those accessed commonly or which a user considers to be safe, and can be determined to be trusted based on the frequency of user requests, whether a resource has been requested recently and whether personal data has been uploaded to it. The method may comprise querying a network database based on the determined one or more web resources to obtain historical data relating to whether any of the one or more web resources has been compromised at any time during a preceding time period, where compromised may include attacked, hacked, breached, or exposed to viruses, phishing scams or spamming. The method may comprise providing a predetermined response to protect the ...

Publication date: 03-03-1993

MICROCOMPUTER AND CARD HAVING THE SAME

Number: GB0009300323D0

Publication date: 18-02-1987

Software build control tool

Number: GB0002178877A

A computer system 8 comprising input means 16, processing means 10, output means 18 and file storage means 20 including a plurality of files, at least one of which is such that processing of that file causes a second file to be opened, is arranged so that a list of files opened is provided when the at least one file is accessed, the list including the at least one file and the second file. The second file may be opened when the first file is opened, during processing of the first file, or as a result of processing the first file. ...

Publication date: 03-04-2002

Security system for a hard disk

Number: GB0002367386A

A security system for a computer hard disk comprises a software or firmware write-protect of logical block address 0 (LBA0) and of the logical block address to which the first entry in the partition table directs the BIOS during the boot cycle. The purpose of this invention is to prevent a purchaser from configuring or overwriting the operating system provided on a hard disk.

Publication date: 19-05-2010

Detecting malware by monitoring executed processes

Number: GB0002465240A

The invention provides for the detection of malware by monitoring executed processes using a dedicated monitoring device 13, the monitoring being performed without the support of an operating system 15 of the hardware 11. The monitoring device 13 comprises a retrieval module 131 configured to retrieve entry point information 112 of a process 150 from a CPU 111 before the process is executed, the process comprising at least one instruction (150a, b, c), and an analysis module 133 configured to retrieve an address 110 corresponding to the process from the CPU according to the entry point information, the address corresponding to a memory block where the at least one instruction is stored. Once execution of the process commences, the monitoring device records the instructions in a memory 113 of the hardware. During or after execution, a determination module 137 of the monitoring device retrieves the executed instructions from the memory and compares them with a malicious process behaviour model ...

Publication date: 28-07-2004

Operating system data management

Number: GB0002397665A

A method of computer operating system data management comprising the steps of: (a) associating data management information with data input to a process (300); and (b) regulating operating system operations involving the data according to the data management information (310). A computing platform (1) for operating system data management is also provided. Furthermore, a computer program including instructions configured to enable operating system data management, an operating system, and an operating system data management method and apparatus arranged to identify data having data management information associated therewith when that data is read into a memory space are provided.

Publication date: 17-05-2017

Mobile device and monitoring method adaptable to mobile device

Number: GB0002544356A

A mobile device includes a memory and a processor. The memory is configured to store a plurality of commands and the processor is configured to receive the commands and execute the following steps: receiving a function call S310 and datum S320 of a mobile application, then determining whether the received function call is a call to a predetermined/preset application programming interface S330. It is also determined whether the received datum is a labeled datum S340. The received function call is processed with a predetermined monitoring procedure S350 when the received function call is the call to the predetermined application programming interface and the received datum is the labeled datum. The procedure may, if the function call is one that calls the predetermined application programming interface to write a file, determine whether the file needs to be written into a new file and whether the file is encrypted by the application and, if it is not, register and encrypt the file.

Publication date: 15-02-2003

PROCEDURE FOR THE MONITORING OF THE PROGRAM SEQUENCE

Number: AT0000232616T

Publication date: 15-04-2004

PROCEDURE FOR THE PROTECTION OF THE INTEGRITY OF PROGRAMS

Number: AT0000263391T

Publication date: 05-07-2018

Automated code lockdown to reduce attack surface for software

Number: AU2018204262A1
Assignee: Davies Collison Cave Pty Ltd

A method comprising: determining a set of instructions that provide specific functionality of a computer application; and avoiding, on a computer, exploitation of any security vulnerability present in the set of instructions, by: reorganizing memory addresses for the set of instructions on the computer, the reorganizing randomizing the memory addresses while preserving relationships among the memory addresses, and rewriting the set of instructions to the reorganized memory addresses on the computer.

Publication date: 13-08-2004

METHOD AND DEVICE FOR MAKING SECURE EXECUTION OF A COMPUTER PROGRAMME

Number: AU2003296805A1

Publication date: 08-10-2003

A METHOD OF PROTECTING THE INTEGRITY OF A COMPUTER PROGRAM

Number: AU2003219022A1

Publication date: 09-02-2004

METHOD TO SECURE THE EXECUTION OF A PROGRAM AGAINST ATTACKS BY RADIATION OR OTHER

Number: AU2003249481A1

Publication date: 15-03-2018

Automated code lockdown to reduce attack surface for software

Number: AU2015279922B2
Assignee: Davies Collison Cave Pty Ltd

In an example embodiment, a system determines a set of instructions from the available instructions for a computer application. The determined set of instructions provides specific functionality of the computer application. The system may determine the set of instructions by performing functional testing and negative testing on the specific functionality. The system may reorganize and randomize the set of instructions in memory and write the reorganized set of instructions to a smaller memory space. For each available instruction not in the set of instructions, the system changes the respective instruction to inoperative to prevent execution of the respective instruction. The system may change the respective instruction to inoperative by overwriting the instruction with a NOP instruction. The system then captures a memory address of the computer application being accessed at runtime. The system may declare a security attack if the captured memory address matches a memory address for an ...

Publication date: 27-08-2001

Computer security using dual functional security contexts

Number: AU0004317601A

Publication date: 05-02-2009

A COMPUTER-IMPLEMENTED METHOD AND SYSTEM FOR EMBEDDING AND AUTHENTICATING ANCILLARY INFORMATION IN DIGITALLY SIGNED CONTENT

Number: CA0002690095A1

A computer-implemented system and method for embedding and authenticating ancillary information in digitally signed content are disclosed. The method and system include loading digital content containing a digitally signed executable into memory for execution, while checking the integrity of the digital signature and the contents of the executable; and erasing any non-authenticated regions of the digital content by zeroing out or value-filling the memory locations corresponding to the non-authenticated regions.

Publication date: 05-10-2017

TIME VARYING ADDRESS SPACE LAYOUT RANDOMIZATION

Number: CA0003016005A1

Embodiments include computing devices, apparatus, and methods implemented by the apparatus for time-varying address space layout randomization. The apparatus may launch a first plurality of versions of a system service and assign a random virtual address space layout to each of the first plurality of versions of the system service. The apparatus may receive a first request to execute the system service from a first application. The apparatus may randomly select a first version of the system service from the first plurality of versions of the system service, and execute the system service using data of the first version of the system service.

Publication date: 10-03-2016

SYSTEM AND METHOD FOR PROTECTING A DEVICE AGAINST ATTACKS ON PROCESSING FLOW USING A CODE POINTER COMPLEMENT

Number: CA0002958986A1

A system, method and computer-readable storage medium with instructions for operating a processor of an electronic device to protect against unauthorized manipulation of the code pointer by maintaining and updating a code pointer complement against which the code pointer may be verified. Other systems and methods are disclosed.

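The code-pointer complement in the abstract above, written out as an added C example (not the patent's code; the struct and function names are this example's). The pointer and its bitwise complement are stored together and updated together; before each indirect call the pair is checked, so a fault that flips a bit in only one of them is detected and the corrupted address is never jumped to.

```c
#include <stdint.h>

typedef int (*handler_t)(int);

/* A code pointer stored next to its bitwise complement (example names). */
typedef struct {
    uintptr_t ptr;
    uintptr_t complement;
} guarded_fptr_t;

/* Every update writes both halves, so a legitimate change keeps them consistent. */
static void guarded_set(guarded_fptr_t *g, handler_t f) {
    g->ptr        = (uintptr_t)f;
    g->complement = ~g->ptr;
}

/* The pair is consistent iff ptr XOR complement is all ones. */
int guarded_verify(const guarded_fptr_t *g) {
    return (g->ptr ^ g->complement) == ~(uintptr_t)0;
}

/* Indirect call through the guarded pointer. A failed check returns -1 and
   never transfers control to the (possibly corrupted) address. */
int guarded_call(const guarded_fptr_t *g, int arg) {
    if (!guarded_verify(g)) return -1;
    handler_t f = (handler_t)g->ptr;
    return f(arg);
}

static int double_it(int x) { return 2 * x; }

/* Untouched pointer: the call goes through. */
int scenario_clean(void) {
    guarded_fptr_t g;
    guarded_set(&g, double_it);
    return guarded_call(&g, 21);
}

/* Simulated single-bit fault (glitch/laser) in the stored pointer only. */
int scenario_ptr_bitflip(void) {
    guarded_fptr_t g;
    guarded_set(&g, double_it);
    g.ptr ^= (uintptr_t)1 << 3;
    return guarded_call(&g, 21);
}

/* The same fault landing in the complement: also caught, since either half
   alone being wrong breaks the relationship. */
int scenario_complement_bitflip(void) {
    guarded_fptr_t g;
    guarded_set(&g, double_it);
    g.complement ^= (uintptr_t)1 << 5;
    return guarded_call(&g, 21);
}
```

A single fault cannot flip matching bits in both words at once, which is the whole point of the redundancy; an attacker with arbitrary write access could of course update both, so this defends against fault injection, not against memory-corruption primitives.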
Publication date: 17-05-2016

METHOD FOR ADDRESS SPACE LAYOUT RANDOMIZATION IN EXECUTE-IN-PLACE CODE

Number: CA0002724579C

A method for dynamically (i.e., upon boot) rewriting, in a failure-resistant manner, part or all of the flash memory of a device allows the location of logical blocks of execute-in-place code to be changed. Conveniently, the rewriting results in a randomization, of varying degree, of the address space layout on each boot cycle.

Publication date: 24-08-2018

Process protection method and device and electronic equipment

Number: CN0108446553A
Author: YANG FENG

Publication date: 23-07-2008

Execution device

Number: CN0101228531A

Publication date: 06-07-2018

Software distribution control method and system

Number: CN0108259429A

Publication date: 29-05-2018

Linux system external command execution method and device

Number: CN0108090345A

Publication date: 17-07-2020

Process interception method of application program, terminal and storage medium

Number: CN0111428234A

Publication date: 20-06-2017

Unix white-list control method based on hook technology

Number: CN0106874747A
Author: XING XISHUANG

Publication date: 20-07-2011

Dynamic measuring method of buffer overflow on the basis of logic isolation

Number: CN0101694686B

The invention discloses a dynamic measuring method for buffer overflow on the basis of logic isolation, comprising the steps of logic isolation of buffer data and dynamic measurement of the buffer, on the basis of that logic isolation, during operation, so as to detect buffer overflow. Different data types are stored in continuous linear physical spaces without modifying the current structure of a computer system. The dynamic measuring method comprises the following steps: by inserting an isolation mark, storing the buffer data in the low-address direction of the isolation mark and storing pointer data in the high-address direction of the isolation mark, forming a state-space subset ranging from the low address to the high address of the memory, wherein a buffer comprises a plurality of continuous state-space subsets; and, based on the logic isolation, checking the completeness of the isolation mark by the dynamic measuring method to judge whether a buffer overflow has occurred. The dynamic ...

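The isolation-mark layout above as an added C example (not the patent's code). A state-space subset holds buffer data at the low addresses, then the mark, then pointer data at the high addresses, so a linear overflow of the buffer has to cross the mark before it can reach the pointer; the measurement is a check of the mark before the pointer is trusted. The mark value, the copy routine with the unchecked length, and the constructed input are this example's assumptions; the copy is written through a byte view of the struct so the simulation stays inside the object instead of invoking undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ISOLATION_MARK 0x5EC0DE5Au   /* mark value chosen for this example */

/* One state-space subset of a buffer, laid out low-to-high exactly as the
   abstract describes: buffer data, then the isolation mark, then pointer data. */
typedef struct {
    char     data[16];          /* buffer data (low addresses) */
    uint32_t mark;              /* isolation mark */
    char    *ptr;               /* pointer data (high addresses) */
} subset_t;

static void subset_init(subset_t *s, char *target) {
    memset(s->data, 0, sizeof s->data);
    s->mark = ISOLATION_MARK;
    s->ptr  = target;
}

/* Dynamic measurement: the pointer may only be trusted while the mark is intact. */
int subset_mark_intact(const subset_t *s) {
    return s->mark == ISOLATION_MARK;
}

/* The bug under test: copies n bytes into data without checking n against its size.
   Writes go through a byte view of the whole struct and stop at its end, so the
   simulated overflow runs over the mark (and the pointer) but not past the object. */
static void unchecked_copy(subset_t *s, const char *src, size_t n) {
    unsigned char *raw = (unsigned char *)s;
    for (size_t i = 0; i < n && offsetof(subset_t, data) + i < sizeof *s; i++)
        raw[offsetof(subset_t, data) + i] = (unsigned char)src[i];
}

/* Feed n bytes of constructed input; returns 1 when the measurement flags an overflow. */
int overflow_detected(size_t n) {
    static char sink[4];
    subset_t s;
    char input[64];
    memset(input, 'A', sizeof input);    /* constructed attacker input */
    subset_init(&s, sink);
    unchecked_copy(&s, input, n);
    return !subset_mark_intact(&s);
}
```

The check is only as good as its timing: it must run before the pointer at the high side is dereferenced, and the mark value should not be guessable by the attacker, otherwise the overflow can simply rewrite it with the expected value, the same weakness as a static stack canary.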
Publication date: 01-02-2017

Embedded system secure boot method

Number: CN0104156659B

Publication date: 14-07-2023

Glibc heap-based heap information extraction method

Number: CN116432170A

The invention relates to a heap information extraction method based on the Glibc heap. The method comprises the steps of: first creating a dump file of the computer's physical memory; then obtaining the operating system version and configuration file information using the Rekall forensics framework; with the support of the operating system version and configuration file information, using the scanning technology built into the memory forensics framework to scan the kernel space and locate the task structure; if the task structure is located, traversing the VMA structures, obtaining the position of the glibc library in memory, and extracting the position of the main arena in the glibc library; and locating the relevant data structures of the glibc heap according to the field offsets in the vtype description information of the memory object, and extracting the relevant information of the heap. According to the heap information extraction method ...

Publication date: 25-07-2023

Data processing method and system and electronic equipment

Number: CN116484381A
Author: XU JINTAO

The invention provides a data processing method, applied on the security service system side, comprising the following steps: in response to a first instruction, running an interrupt exception handling program to determine a target security service function to be called according to the to-be-processed parameters in a data register, the to-be-processed parameters being parameters of a running task of a real-time operating system; running the target security service function to process the to-be-processed parameters; and writing result information into the data register according to the processing result of the target security service function, so that the real-time operating system reads the result information from the data register. In the embodiment of the invention, the processing of the parameters of the task run by the RTOS is carried out in the secure memory region, so that the processing of the parameters of the task run by the RTOS can be effectively ...

Publication date: 14-04-2023

Plug-in protection method and device, equipment and storage medium

Number: CN115964700A

The invention discloses a plug-in protection method and device, equipment and a storage medium, and belongs to the technical field of computers. The method comprises the steps of: when it is detected that a plug-in is being loaded in the current window, obtaining the process identifier of the current process running in the current window; judging, according to the process identifier, whether the current process running in the current window is a protected process; and if the current process is the protected process, preventing the plug-in in the current window from being loaded. The protected process in the current window is protected by preventing the plug-in from being loaded, so the browser can be protected in time without a preset blacklist or whitelist, and user experience is improved.

Publication date: 06-07-2018

DEVICE AND METHOD FOR MONITORING AND RESOURCE ALLOCATION OF COMPUTING INFRASTRUCTURES

Number: FR0003061572A1
Assignee: BULL SAS

The present invention relates to a device and a method for monitoring and allocating the resources of IT infrastructures for an application chain, based on an estimate of the resource consumption of users, who are distributed among different profiles that are themselves determined according to the business actions performed by the users and their command of the application chain.

Publication date: 11-01-2013

MICROPROCESSOR PROTECTED AGAINST STACK OVERFLOW

Number: FR0002977694A1
Assignee: STMICROELECTRONICS (ROUSSET) SAS

The invention relates to a microprocessor comprising a central processing unit (CPU), at least one execution stack (STCK), a stack pointer (SP), an address bus (B1) and a data bus (B2). The microprocessor also comprises a hardware monitor (MT) configured to supply witness codes (C1, C2), to insert the witness codes into the stack or let the central processing unit insert them, and then to generate an error signal (ER) in response to an attempt to modify a witness code present in the stack.

Publication date: 23-09-2005

DYNAMIC METHOD FOR AUTHENTICATING PROGRAMS BY A PORTABLE ELECTRONIC OBJECT

Number: FR0002867929A1

The present invention describes a method for dynamically authenticating the content of an executable program, that is, the sequence of instructions it defines. More precisely, the authentication of a program is performed repeatedly during the execution of that very program. The method for securing a portable electronic object that executes a program P supplied by another, untrusted electronic object uses, among other things, a secret-key protocol.

Publication date: 28-02-2017

Method for accessing a tamper-proof device and terminal device employing the method

Number: KR0101711024B1
Author: 김대원
Assignee: 한국전자통신연구원

... The present invention relates to a method for accessing a tamper-proof device and a terminal device employing the method. According to one embodiment of the present invention, the method comprises: when an application is executed, generating a first verification hash value using the files related to the execution of the application; determining whether the integrity value of the application stored in the tamper-proof device matches the first verification hash value; if the integrity value and the first verification hash value match, establishing a session between the application and the tamper-proof device; registering in the tamper-proof device, as the application's handle value, a value generated randomly each time the application is executed; and, when a command combined with the handle value is received from the application, performing encryption/decryption using the key value stored in the tamper-proof device that corresponds to the handle value. According to the present invention, a user can encrypt and decrypt information using the key value of the tamper-proof device without entering a password.

Publication date: 24-07-2014

METHOD AND SYSTEM FOR PROTECTING COMPUTERIZED SYSTEMS FROM MALICIOUS CODE

Number: WO2014111922A1

The invention relates to a method for providing a computerized system which is protected from malicious programs coming from an external source; the method comprises the steps of (a) secretly, and in a manner unknown to the authors of external programs, modifying one or more essential elements of the protected system in a manner which causes all running programs to fail unless they are subjected to a compatible modification that enables them to run properly; and (b) modifying each program on the computerized system which is known to be benign so that it complies with said modification of the one or more essential elements, thereby enabling it to be executed properly.

Publication date: 23-04-2020

PROACTIVE SECURITY SYSTEM BASED ON CODE POLYMORPHISM

Number: WO2020081499A1

A method, and a processor, for securing a host platform of a computing device are presented. The method includes generating, by a security processor, a first graph based on at least a portion of executable code, wherein the executable code is executed by a main processor of the host platform; generating a metadata file based on the generated first graph; polymorphing the executable code based on the generated metadata file; generating a second graph based on the polymorphed code; creating slices of the polymorphed code; executing at least one of the created slices by the security processor, wherein the security processor is separate from the main processor; polymorphing the at least one executed slice; and pairing the at least one polymorphed slice with the polymorphed code.

Publication date: 03-03-2022

PROCESSING OF REQUESTS TO CONTROL INFORMATION STORED AT MULTIPLE SERVERS

Number: WO2022046130A1

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for transmitting and processing requests to control information stored at multiple content platforms/servers. In one aspect, a client device can send a request to verify the device's trustworthiness to a device trustworthiness server. The client device can receive, from the device trustworthiness server, data indicating that the client device is trustworthy, in response to which the client device can send, to a relay server, a request to control user data stored at a plurality of servers. The client device can receive, via the relay server, a response from each of the plurality of servers. Based on the responses, the client device can determine that at least a subset of the plurality of servers that held the user data has performed the action specified in the request to control the user data.

18-03-2014 дата публикации

Privilege violation detecting program

Номер: US0008677501B2

A privilege violation detecting program stored on a computer-readable medium causes a computer to detect a privilege violation of an test target program by receiving an authority request API from an authority request API trace log storing unit; reading out, from an object access rule storing unit, an assumed access API assumed to be output in response to the received authority request API; determining an actual access API returned in response to the received authority request API from the actual access API trace log storing unit; and storing, into a least privilege violation data storing unit, data of the received authority request API when the actual access API returned in response received authority request API does not match the read out assumed access API.

Подробнее
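As an added example (not code from the patent or its assignee), the comparison the abstract describes, run over a constructed trace in C. The rule table, the trace records and the API names such as RequestPrivilege(SeBackup) and OpenFile(READ) are assumptions made for this example; a real implementation would read them from the trace-log and rule storing units:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical object-access rule (names are assumptions for this example):
 * for a given authority request, the access API a least-privilege program is
 * expected to issue afterwards. */
typedef struct {
    const char *authority_request;   /* e.g. "RequestPrivilege(SeBackup)" */
    const char *assumed_access_api;  /* e.g. "OpenFile(READ)" */
} access_rule_t;

/* Constructed rule table standing in for the object access rule store. */
static const access_rule_t RULES[] = {
    { "RequestPrivilege(SeBackup)",   "OpenFile(READ)"  },
    { "RequestPrivilege(SeRestore)",  "OpenFile(WRITE)" },
    { "RequestPrivilege(NetConnect)", "Socket(CONNECT)" },
};

/* One paired trace record: the authority request from the authority-request
 * trace log and the access API actually returned for it in the access trace. */
typedef struct {
    const char *authority_request;
    const char *actual_access_api;
} trace_pair_t;

/* Assumed access API for an authority request, or NULL when no rule exists. */
static const char *lookup_assumed(const char *authority_request) {
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++)
        if (strcmp(RULES[i].authority_request, authority_request) == 0)
            return RULES[i].assumed_access_api;
    return NULL;
}

/* Walk the paired trace and store, into `violations` (at most `max` entries),
 * every authority request whose actual access API does not match the assumed
 * one. A request with no rule is stored as well: a privilege the rule store
 * does not know about cannot be shown to be needed. Returns the total number
 * of violations found, which may exceed `max` if the buffer is small. */
size_t find_least_privilege_violations(const trace_pair_t *trace, size_t n,
                                       const char **violations, size_t max) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        const char *assumed = lookup_assumed(trace[i].authority_request);
        int matches = assumed != NULL &&
                      strcmp(assumed, trace[i].actual_access_api) == 0;
        if (matches) continue;
        if (count < max) violations[count] = trace[i].authority_request;
        count++;
    }
    return count;
}

int main(void) {
    /* Constructed trace of a test-target program. */
    static const trace_pair_t trace[] = {
        { "RequestPrivilege(SeBackup)",   "OpenFile(READ)"     },
        { "RequestPrivilege(SeRestore)",  "OpenFile(READ)"     }, /* asked for write, used only read */
        { "RequestPrivilege(NetConnect)", "Socket(CONNECT)"    },
        { "RequestPrivilege(SeDebug)",    "OpenProcess(QUERY)" }, /* no rule for this request */
    };
    const char *found[8];
    size_t n = find_least_privilege_violations(trace, 4, found, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("least-privilege violation: %s\n", found[i]);
    return 0;
}
```

The request with no rule is reported too, on the principle that a privilege the rule store cannot account for has not been shown to be necessary; a deployment that wants to distinguish "unknown" from "violated" would record the two separately.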
Publication date: 30-01-2020

FINE-GRAINED ADDRESS SPACE LAYOUT RANDOMIZATION

Number: US20200034527A1

A data processing system can use a method of fine-grained address space layout randomization to mitigate the system's vulnerability to return-oriented programming exploits. The randomization can occur at the sub-segment level by randomizing clumps of virtual memory pages. The randomized virtual memory can be presented to processes executing on the system. The mapping between memory spaces can be obfuscated using several obfuscation techniques to prevent reverse engineering of the shuffled virtual memory mapping.
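An added example, not the patent's implementation, of the clump-level shuffle in C: a segment is divided into clumps of pages, the clumps are permuted, and link-time offsets are translated to the shuffled addresses. The page size, the clump geometry and the entropy words handed to the shuffle are assumptions; the entropy is passed in by the caller so the result is reproducible, where a real system would draw it from the kernel RNG. The obfuscation of the mapping itself, which the abstract also mentions, is not modelled:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE  0x1000u
#define MAX_CLUMPS 64

/* Randomized layout of one segment: the segment is cut into clumps of
 * `clump` pages and the clumps are shuffled. order[slot] is the original
 * clump that now occupies that slot. */
typedef struct {
    uint32_t npages;
    uint32_t clump;
    uint32_t nclumps;
    uint32_t order[MAX_CLUMPS];
} fg_layout_t;

/* Fisher-Yates over the clump slots. `entropy` supplies one random word per
 * swap (nclumps - 1 words); constructed values are passed here so the example
 * is reproducible. Returns 0 on success, -1 on bad geometry or too little entropy. */
int fg_randomize(fg_layout_t *L, uint32_t npages, uint32_t clump,
                 const uint64_t *entropy, size_t nentropy) {
    if (clump == 0 || npages % clump != 0 || npages / clump > MAX_CLUMPS) return -1;
    uint32_t n = npages / clump;
    if (n > 1 && nentropy < n - 1) return -1;
    L->npages = npages; L->clump = clump; L->nclumps = n;
    for (uint32_t i = 0; i < n; i++) L->order[i] = i;
    for (uint32_t i = n - 1, k = 0; i > 0; i--, k++) {
        uint32_t j = (uint32_t)(entropy[k] % (i + 1));
        uint32_t tmp = L->order[i]; L->order[i] = L->order[j]; L->order[j] = tmp;
    }
    return 0;
}

/* Translate a link-time segment offset to the address the process sees.
 * Returns 0 when the offset lies outside the segment. */
uintptr_t fg_translate(const fg_layout_t *L, uintptr_t base, uintptr_t offset) {
    uintptr_t clump_bytes = (uintptr_t)L->clump * PAGE_SIZE;
    if (offset >= (uintptr_t)L->npages * PAGE_SIZE) return 0;
    uint32_t c = (uint32_t)(offset / clump_bytes);
    for (uint32_t slot = 0; slot < L->nclumps; slot++)
        if (L->order[slot] == c)
            return base + slot * clump_bytes + (offset - c * clump_bytes);
    return 0;   /* unreachable for a valid layout */
}

/* Sanity check: every original clump appears in exactly one slot. */
int fg_is_permutation(const fg_layout_t *L) {
    uint8_t seen[MAX_CLUMPS] = {0};
    for (uint32_t s = 0; s < L->nclumps; s++) {
        if (L->order[s] >= L->nclumps || seen[L->order[s]]) return 0;
        seen[L->order[s]] = 1;
    }
    return 1;
}

/* Clumps that landed in their original slot: the only ones an attacker's
 * precomputed base+offset gadget addresses still hit. */
uint32_t fg_clumps_in_place(const fg_layout_t *L) {
    uint32_t n = 0;
    for (uint32_t s = 0; s < L->nclumps; s++) n += (L->order[s] == s);
    return n;
}

int main(void) {
    fg_layout_t L;
    const uint64_t entropy[] = { 2, 0, 1 };          /* constructed, not random */
    if (fg_randomize(&L, 8, 2, entropy, 3) != 0) return 1;
    uintptr_t base = 0x10000000u;
    printf("gadget at link offset 0x800 now lives at %#lx\n",
           (unsigned long)fg_translate(&L, base, 0x800));
    printf("clumps still in place: %u of %u\n", fg_clumps_in_place(&L), L.nclumps);
    return 0;
}
```

fg_clumps_in_place is the attacker's view: knowing the library base is no longer enough to locate a gadget in any clump that moved, so a separate leak of the mapping is needed, which is what the mapping obfuscation in the abstract is meant to frustrate.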
Publication date: 21-11-2019

DYNAMIC RE-DISTRIBUTION OF DETECTION CONTENT AND ALGORITHMS FOR EXPLOIT DETECTION

Number: US2019354678A1

Methods, apparatus, systems, and articles of manufacture are disclosed for dynamic re-distribution of detection content and algorithms for exploit detection. An example apparatus includes at least one processor, and memory including instructions that, when executed, cause the at least one processor to deploy respective ones of a plurality of standard detection algorithms and content (SDACs) to respective ones of a first endpoint and a second endpoint, deploy a first set of enhanced detection algorithms and content (EDACs) to the first endpoint, deploy a second set of the EDACs to the second endpoint, the second set of EDACs different from the first set of EDACs, and, in response to obtaining a notification indicative of an exploit attack from the first endpoint, distribute the first set of EDACs to the second endpoint to facilitate detection of the exploit attack at the second endpoint.

Publication date: 06-01-2015

Browser preview

Number: US0008930805B2

In general, embodiments of the invention relate to systems, methods, and computer program products for previewing, in a safe environment, a given web page that is or may be conducting dangerous or fraudulent activity, including malware distribution and phishing activity. More particularly, embodiments of the invention relate to previewing a given web page in a safe environment by obtaining and breaking down the source code behind the given web page and constructing a preview of the web page without any potentially harmful images, scripts, executables, and the like.

Publication date: 08-09-2020

Electronic control unit

Number: US0010769273B2
Author: Motonori Ando
Assignee: DENSO CORPORATION

An electronic control unit includes a memory storing a program that has a call to and return from a function, represented as a control flow, together with the function itself, and a check instruction inserted into the program code for checking whether the program code is executable according to the control flow. The electronic control unit may also include: an input unit receiving use frequency information indicating how often the function is used; a measurement unit measuring the load of the electronic control unit; an execution object determiner that selects, based on the use frequency information and the load, which check instructions are to be executed; and an arithmetic unit that executes the selected check instructions when the program runs.

Publication date: 07-10-2021

System and method to secure a computer system by selective control of write access to a data storage medium

Number: US20210311644A1
Author: John Safa
Assignee: Eighth Street Solutions LLC

A system and method of securing a computer system by controlling write access to a storage medium: monitoring an application; detecting an attempt by the application to write data to the storage medium; interrogating a rules database in response to that detection; and permitting or denying write access to the storage medium by the application depending on the result of the interrogation.

Publication date: 06-12-2016

Method of detecting stack overflows and processor for implementing such a method

Number: US0009513911B2
Assignee: Thales, THALES SA, THALES

A method of detecting stack overflows includes the following steps: storing in at least one dedicated register at least one data item chosen from a data item (SPHaut) indicating a maximum permitted value for a stack pointer and a data item (SPBas) indicating a minimum permitted value for said stack pointer; comparing a current value (SP) or past value (SPMin, SPMax) of said stack pointer with said data item or each of said data items; and generating a stack overflow exception if said comparison indicates that said current or past value of said stack pointer is greater than said maximum permitted value or less than said minimum permitted value. A processor for implementing such a method is also provided.
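To make the register comparison concrete, an added example in C that is not the patent's design: a software model of the two limit registers (named sp_haut and sp_bas after the abstract) plus the recorded minimum and maximum stack pointer values, with a push-style update that runs the check immediately and a deferred check over the recorded extremes. The stack geometry is constructed for the example:

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated stack-limit registers and the bookkeeping the abstract describes.
 * sp_min and sp_max record the extreme values the pointer has taken so the
 * check can also be applied to past values, not only the current one. */
typedef struct {
    uintptr_t sp_haut;  /* maximum permitted stack pointer value (SPHaut) */
    uintptr_t sp_bas;   /* minimum permitted stack pointer value (SPBas) */
    uintptr_t sp;       /* current stack pointer (SP) */
    uintptr_t sp_min;   /* lowest value sp has taken since guard_init (SPMin) */
    uintptr_t sp_max;   /* highest value sp has taken since guard_init (SPMax) */
    int       overflow; /* set once the stack overflow exception has fired */
} stack_guard_t;

/* Stack of `size` bytes occupying [base, base + size]; it grows downward. */
void guard_init(stack_guard_t *g, uintptr_t base, uintptr_t size) {
    g->sp_bas  = base;
    g->sp_haut = base + size;
    g->sp = g->sp_min = g->sp_max = g->sp_haut;
    g->overflow = 0;
}

/* The comparison against both dedicated registers: 1 if v is out of range. */
static int out_of_bounds(const stack_guard_t *g, uintptr_t v) {
    return v > g->sp_haut || v < g->sp_bas;
}

/* Record a new SP value and update the extremes, without checking. Models
 * the SP writes the immediate check is not wired to, so the history check
 * below has something to catch. */
void guard_record_sp(stack_guard_t *g, uintptr_t sp) {
    g->sp = sp;
    if (sp < g->sp_min) g->sp_min = sp;
    if (sp > g->sp_max) g->sp_max = sp;
}

/* Apply an SP update of `delta` bytes (negative on push / frame entry) and
 * check the new value immediately, as hardware would on every SP write.
 * Returns 1 when the exception fires, 0 otherwise. */
int guard_adjust_sp(stack_guard_t *g, intptr_t delta) {
    guard_record_sp(g, (uintptr_t)((intptr_t)g->sp + delta));
    if (out_of_bounds(g, g->sp)) { g->overflow = 1; return 1; }
    return 0;
}

/* Deferred check on the recorded extremes: catches an excursion that has
 * already been undone (a deep recursion that returned) when the immediate
 * check is not performed on every update. 1 if an overflow is detected. */
int guard_check_history(stack_guard_t *g) {
    if (out_of_bounds(g, g->sp_min) || out_of_bounds(g, g->sp_max)) {
        g->overflow = 1;
        return 1;
    }
    return 0;
}

int main(void) {
    stack_guard_t g;
    guard_init(&g, 0x1000, 0x100);            /* 256-byte stack at 0x1000..0x1100 */
    for (int i = 0; i < 16; i++)
        guard_adjust_sp(&g, -16);             /* 16 frames of 16 bytes fill it exactly */
    printf("after 16 frames: sp=%#lx overflow=%d\n", (unsigned long)g.sp, g.overflow);
    int fired = guard_adjust_sp(&g, -16);     /* the 17th frame goes below SPBas */
    printf("17th frame: exception=%d sp=%#lx\n", fired, (unsigned long)g.sp);
    return 0;
}
```

Both directions are exceptions: popping past SPHaut is as much a corruption of the stack pointer as pushing below SPBas, which a guard page at the bottom of the stack alone would not catch.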
Publication date: 31-07-2018

Methods and systems for controlling permission requests for applications on a computing device

Number: US10037423B2
Assignee: GOOGLE LLC, Google LLC

The examples described relate to methods and systems for controlling permission requests made by applications running on a computing device to access resources provided by the computing device. A computing device may keep in memory, for a given application, the responses to its permission requests. The computing device may receive responses to a first permission request that includes two selectable options, to either allow or deny access to a particular resource. The computing device may determine whether the number of responses to the first request that deny access exceeds a predefined threshold. If it does, the computing device may provide, at a run-time of the application subsequent to presentation of the first request and on the application again attempting to access the resource, a modified permission request that includes, in addition to the two selectable options, a selectable option to stop requesting permission to access the resource.

Publication date: 07-08-2018

System and method for process hollowing detection

Number: US0010043000B2
Assignee: Carbon Black, Inc., CARBON BLACK INC

A method and system for remediating a process hollowing intrusion on a user device comprising: detecting a process starting on the user device; preparing the process so that Application Programming Interface (API) calls between the process and an operating system of the user device can be monitored; determining whether the process is associated with a process hollowing intrusion based on information associated with the process and/or the API calls; and executing security policies against the process associated with the process hollowing intrusion. In examples, whether the child process is associated with a process hollowing intrusion is determined by checking whether one or more API calls associated with known process hollowing intrusions modify executable memory of the child process and/or modify its entry point address.
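As an added example that is not Carbon Black's code, the decision rule from the abstract applied to a constructed sequence of API calls in C. The event records are synthetic and the call names are simplified (the creation flag is folded into the name, and only the calls the rule needs are recognised); a real hook layer would supply them from user-mode or kernel callbacks:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One monitored API call: the call as the hook reports it and the process it
 * targeted. Constructed records for the example, not real hook output. */
typedef struct { const char *api; int target_pid; } api_event_t;

enum { F_SUSPENDED = 1u, F_UNMAP = 2u, F_WRITE_EXEC = 4u, F_SET_ENTRY = 8u };

/* Scan the parent's API stream in order for calls against `child`. The
 * decision is taken at ResumeThread: a child created suspended whose
 * executable memory or entry point (thread context) the parent modified
 * before resuming it is flagged. Unmapping the original image corroborates
 * but is not required, since some variants overwrite sections in place.
 * Returns 1 for hollowing, 0 otherwise; *indicators receives the bitmask. */
int detect_process_hollowing(const api_event_t *ev, size_t n, int child,
                             unsigned *indicators) {
    unsigned seen = 0;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].target_pid != child) continue;
        if (!strcmp(ev[i].api, "CreateProcess(CREATE_SUSPENDED)"))
            seen |= F_SUSPENDED;
        else if (!strcmp(ev[i].api, "NtUnmapViewOfSection"))
            seen |= F_UNMAP;
        else if (!strcmp(ev[i].api, "WriteProcessMemory(PAGE_EXECUTE_READWRITE)"))
            seen |= F_WRITE_EXEC;
        else if (!strcmp(ev[i].api, "SetThreadContext"))
            seen |= F_SET_ENTRY;
        else if (!strcmp(ev[i].api, "ResumeThread")) {
            if (indicators) *indicators = seen;
            return ((seen & F_SUSPENDED) && (seen & (F_WRITE_EXEC | F_SET_ENTRY))) ? 1 : 0;
        }
    }
    if (indicators) *indicators = seen;
    return 0;   /* never resumed: nothing has run yet, so no verdict */
}

int main(void) {
    /* Constructed stream: the classic hollowing sequence against pid 42. */
    static const api_event_t events[] = {
        { "CreateProcess(CREATE_SUSPENDED)", 42 },
        { "NtUnmapViewOfSection", 42 },
        { "VirtualAllocEx", 42 },
        { "WriteProcessMemory(PAGE_EXECUTE_READWRITE)", 42 },
        { "SetThreadContext", 42 },
        { "ResumeThread", 42 },
    };
    unsigned ind = 0;
    int hit = detect_process_hollowing(events, sizeof events / sizeof events[0], 42, &ind);
    printf("pid 42 hollowed: %d (indicators %#x)\n", hit, ind);
    return 0;
}
```

Ordering matters: a debugger or installer that creates a child suspended, resumes it and only later writes to it is not flagged, and writes against a different child are ignored. A packer that legitimately writes into its own suspended child will trigger this rule, which is why the abstract treats the determination as input to security policies rather than as a verdict by itself.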
Publication date: 23-03-2023

SYSTEM AND METHOD FOR SUSPENDING A COMPUTING DEVICE SUSPECTED OF BEING INFECTED BY A MALICIOUS CODE USING A KILL SWITCH BUTTON

Number: US20230087631A1

A system for suspending a computing device suspected of being infected by malicious code is configured to receive a signal to initiate a suspension procedure for the computing device. The system captures the states of instructions being executed by a processor of the computing device, where the instructions comprise the malicious code. The system prioritizes the operation of a kill switch button over the instructions being executed by the processor. The system sends notification signals to servers managing a user account associated with the user currently logged in at the computing device, indicating that the computing device is suspected of having been infected by the malicious code. In response to the notification signals, the user account is suspended. The system terminates the network connections of the computing device so that it is disconnected from other devices.

Publication date: 03-10-2023

Techniques for preventing memory timing attacks

Number: US0011777705B2
Assignee: INTEL CORPORATION

Techniques and apparatuses for detecting and preventing memory attacks are described. In one embodiment, for example, an apparatus may include at least one memory comprising a shared memory and a system memory, and logic, at least a portion of which is implemented in hardware coupled to the shared memory, the logic to implement a memory monitor that determines that an attacker application is mounting a memory attack against a victim application using the shared memory and prevents the attack. The memory monitor determines that victim data is being reloaded into the shared memory from the system memory, stores the victim data in a monitor memory, flushes the data held in the shared memory, and writes the victim data back to the shared memory. Other embodiments are described and claimed.

Publication date: 24-02-2021

APPARATUS, SYSTEM AND METHOD TO DEFINE MEMORY INFORMATION LEAK ZONES IN A COMPUTING SYSTEM

Number: EP3783513A1
Author: BRANCO, Rodrigo

An apparatus of a computing system, a computer-readable medium, a method and a system. The apparatus comprises processing circuitry including a core, and a communication controller coupled to the core to communicate with a memory of the computing system, wherein the memory is to define a leak zone corresponding to a plurality of memory addresses including data therein, the leak zone having an identifier; and the processing circuitry is to: decode instructions including a starting leak barrier, an ending leak barrier, and a sequence of code between the starting and ending leak barriers, the sequence of code including the identifier for the leak zone, the identifier indicating that the sequence of code is to be executed only on the data within the leak zone; and execute the sequence of code only on the data within the leak zone based on the leak barriers and on the identifier ...

Publication date: 23-09-2020

INTEGRITY ASSURANCE AND REBOOTLESS UPDATING DURING RUNTIME

Number: EP3712793A1

Techniques are described herein for, without rebooting a computing device, unloading at least a component of a kernel-mode component of the computing device and loading an updated version of that component. The techniques may be performed by an integrity manager associated with the kernel-mode component. The integrity manager may also determine the integrity of the kernel-mode component by causing it to perform an action associated with a known reaction, determining whether the known reaction occurred, and, in response, performing a remediation action or notifying a remote security service. Further, the integrity manager may determine whether any lists kept by the computing device include representations of components or connections associated with the kernel-mode component. The integrity manager may then remove those representations from the lists, or remove them from responses to requests for the contents of the lists.

Publication date: 19-08-2015

METHOD FOR CONTROLLING SEPARATED RUNNING OF LINKED PROGRAM BLOCKS AND CONTROL DEVICE

Number: EP2907072A1
Publication date: 20-01-2021

SYSTEM AND METHOD FOR PROCESS HOLLOWING DETECTION

Number: EP3430556B1
Assignee: Carbon Black, Inc.

Publication date: 05-10-2022

MEMORY INTEGRITY

Number: EP3077913B1
Assignee: Intel Corporation

Publication date: 30-03-2022

STACK TRACES USING SHADOW STACK

Number: EP3973388A1

Publication date: 20-06-2005

METHOD FOR PROTECTING PROGRAM EXECUTION FLOW

Number: RU2254608C2

The invention relates to a method of protecting program execution flow against unauthorized interference when subroutines are called. The technical result is effective protection of modular programs, above all at subroutine calls. In the methods, the called program checks, before or during its execution, the data passed to it by the calling program, directly or indirectly. 2 independent and 3 dependent claims, 3 figures.

Publication date: 25-12-2017

METHOD AND DEVICE FOR MONITORING A FILE IN A SYSTEM PARTITION

Number: RU2639898C2
Assignee: Xiaomi Inc. (CN)

The invention relates to the field of program and device monitoring for maintaining operating-system integrity, specifically to monitoring files in the system partition of a mobile terminal's operating system. The technical result is the ability to perform a proper operating-system update with a reduced likelihood of errors during that procedure. To this end, a monitoring function is started on the mobile terminal, and a watcher thread is created for the monitoring function to detect an input event on the system partition, where the input event is an operation on a file in the system partition; the input event is written to a log file when the watcher thread detects such an input event on the target system partition; and the operating-system version of the mobile terminal is updated on the basis of the log file. 3 independent and 12 dependent claims, 8 figures.

Publication date: 18-03-2004

Data processing device

Number: DE0010240088A1

The invention relates to a data processing device with an execution unit (1) and a sequencer (2) that has a program counter (4). A data processing device according to the invention is equipped with a program counter sensor (20) that has means which independently determine the address of the next instruction to be executed, and has a comparator that compares the determined address with the contents of the program counter and triggers an alarm signal (25) on a discrepancy.
Publication date: 24-07-2014

Using a heuristically generated policy to dynamically select string analysis algorithms for client queries

Number: DE112012003812T5
Assignee: IBM, INTERNATIONAL BUSINESS MACHINES CORP.

A method for dynamically selecting string analysis algorithms can begin by training the dynamic string analysis control program of a string analysis module to handle effectively a subset of string queries carrying context-dependent metadata that are received from a client application in a command environment. The effectiveness of the training module can be based on feedback from the client application. On completion of training, a string analysis algorithm selection policy can be synthesized. The string analysis algorithm selection policy can correlate the context of a string query in the subset with the use of a particular string analysis algorithm. In the operating environment, the dynamic string analysis control program can dynamically handle string queries carrying context-dependent metadata received from the client application according to the string analysis algorithm selection policy ...

Publication date: 04-08-2004

A method of enabling a multitasking computing device to conserve resources

Number: GB0000414830D0

Publication date: 13-08-2014

Detecting malware code injection by determining whether a return address on a thread stack points to a suspicious memory area

Number: GB0002510701A

Suspicious executable memory areas assigned to a process are identified (box 1). Typically, a first list is collected of memory areas containing modules loaded into the process (box 1.1, fig. 2). A second list is collected of executable memory areas of the process that are not in the first list (box 1.2, fig. 2); the memory areas in this second list are suspicious. For each thread in the process (boxes 2-4), the stack associated with the thread is inspected to identify (box 2) a potential return address. It is determined (box 3) whether or not the potential return address lies within a suspicious memory area. If it does, it is determined (box 4) whether or not the instruction immediately preceding the potential return address is a function call. If it is a function call, it is determined (box 4, Yes) that the potential return address is a true return address, and the thread and its associated code are identified as suspicious.

Publication date: 13-08-2014

Detecting suspicious code injected into a process if a function call return address points to a suspicious memory area

Number: GB0002510641A

Suspicious memory areas assigned to a process being run on a computer system are identified (1). Preferably these suspicious areas are identified by collecting a first list of memory areas containing modules loaded into the process and a second list of all memory areas that are executable but not in the first list, the second list corresponding to the suspicious memory areas. For each thread in the process, the block of memory where the thread's code is located is identified (2). It is determined whether that memory block lies within the suspicious memory areas (3). If so, the stack associated with the thread is inspected to determine whether or not it contains a function call leading to an executable memory area whose return address points to that memory block (4). If the stack contains such a function call, the thread is determined to be running suspicious code that has been injected into the process. Threads found to be running suspicious code may be terminated ...
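One way to implement the checks shared by the two GB entries above (executable regions not backed by a module, then a stack word that points into such a region and is preceded by a call), as an added example in C rather than either patent's code. The memory map, the code bytes and the stack words are all constructed; the call decoder recognises only the two common x86 encodings, E8 rel32 and FF /2 with a register operand, and assumes little-endian byte order:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory map for the example: one module, one heap region and one
 * anonymous executable region of the kind an injector leaves behind. */
typedef struct { uintptr_t base, size; int executable; int from_module; } region_t;

#define MEM_BASE 0x400000u
#define MEM_SIZE 0x300u
static uint8_t mem[MEM_SIZE];   /* bytes backing MEM_BASE .. MEM_BASE + MEM_SIZE */
static const region_t REGIONS[] = {
    { MEM_BASE + 0x000, 0x100, 1, 1 },  /* loaded module code: first list */
    { MEM_BASE + 0x100, 0x100, 0, 0 },  /* heap: not executable */
    { MEM_BASE + 0x200, 0x100, 1, 0 },  /* executable, no module: second list */
};
#define NREGIONS (sizeof REGIONS / sizeof REGIONS[0])

static const region_t *region_of(uintptr_t a) {
    for (size_t i = 0; i < NREGIONS; i++)
        if (a >= REGIONS[i].base && a - REGIONS[i].base < REGIONS[i].size)
            return &REGIONS[i];
    return NULL;
}

/* Step 1 of both abstracts: suspicious = executable but not backed by a module. */
int is_suspicious_region(uintptr_t a) {
    const region_t *r = region_of(a);
    return r != NULL && r->executable && !r->from_module;
}

static int read_byte(uintptr_t a, uint8_t *out) {
    if (a < MEM_BASE || a >= MEM_BASE + MEM_SIZE) return 0;
    *out = mem[a - MEM_BASE];
    return 1;
}

/* Is the instruction ending at `ret` a call? Only E8 rel32 (5 bytes) and
 * FF /2 with a register operand (2 bytes) are decoded; other call encodings
 * are assumed absent from the constructed memory. */
int preceded_by_call(uintptr_t ret) {
    uint8_t op, modrm;
    if (read_byte(ret - 5, &op) && op == 0xE8) return 1;
    if (read_byte(ret - 2, &op) && op == 0xFF && read_byte(ret - 1, &modrm) &&
        (modrm >> 6) == 3 && ((modrm >> 3) & 7) == 2)
        return 1;
    return 0;
}

/* Walk one thread's stack words. A word that points into a suspicious region
 * and is preceded by a call is a true return address into injected code:
 * return it, or 0 when the thread looks clean. */
uintptr_t scan_stack(const uintptr_t *stack, size_t nwords) {
    for (size_t i = 0; i < nwords; i++)
        if (is_suspicious_region(stack[i]) && preceded_by_call(stack[i]))
            return stack[i];
    return 0;
}

/* Populate the constructed memory: injected code at 0x400200 executes
 * `call 0x400230` (E8 rel32, return address 0x400205) and code at 0x400210
 * executes `call eax` (FF D0, return address 0x400212). */
void setup_scenario(void) {
    memset(mem, 0x90, sizeof mem);           /* NOP filler everywhere else */
    mem[0x200] = 0xE8;
    int32_t rel = 0x30 - 5;                  /* target - (call address + 5) */
    memcpy(&mem[0x201], &rel, sizeof rel);   /* little-endian rel32 assumed */
    mem[0x210] = 0xFF;
    mem[0x211] = 0xD0;
}

int main(void) {
    setup_scenario();
    uintptr_t injected[] = { 0x400120, 0x400205, 0x400060 }; /* heap ptr, ret into injection, module ret */
    uintptr_t clean[]    = { 0x400050, 0x400120, 0x41414141 };
    printf("injected thread: %#lx\n", (unsigned long)scan_stack(injected, 3));
    printf("clean thread:    %#lx\n", (unsigned long)scan_stack(clean, 3));
    return 0;
}
```

The second test, that a call precedes the address, is what separates a genuine return address from a stray pointer into the injected region (a data pointer spilled onto the stack, or leftover garbage) and keeps the scan from flagging every thread that merely holds such a value.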
Publication date: 09-08-1995

Microcomputer and card having the same

Number: GB0002263348B
Assignee: ROHM CO LTD, * ROHM CO. LTD

Publication date: 17-12-1997

Protecting memory by requiring all accessing programs to be modified

Number: GB0002314180A

PROBLEM TO BE SOLVED: To prevent data stored in the programmable storage device from being illegally erased or rewritten, by making alterations only when entry into a data-processing program step is made correctly, or when the possibility of a correct entry is detected. SOLUTION: An automobile controller 10 includes an electrically erasable programmable memory device 14 in the form of a flash EPROM, which is programmed through an external programming device 20. It is checked whether entry into a step of the data-processing program that erases and/or rewrites data in the flash EPROM was made correctly; that is, whether a wrong or incorrect result has evidently been produced or is about to be, or whether that possibility exists. The necessary alterations are then made before the corresponding data-processing program step is executed, or before access to the necessary data is gained.

Publication date: 25-08-2004

Operating system data management

Number: GB0002398656A

A method of computer operating system data management comprising the steps of: (a) associating data management information with data input to a process (300); and (b) regulating operating system operations involving the data according to the data management information (310). A computing platform (1) for operating system data management is also provided. Furthermore, a computer program including instructions configured to enable operating system data management, an operating system, and an operating system data management method and apparatus arranged to identify data having data management information associated with it when that data is read into a memory space are provided.

Publication date: 23-07-1997

Method of operating control apparatus with programmable storage means

Number: GB0009711251D0

Publication date: 14-06-2023

Handling trace data

Number: GB0002586954B
Author: IAIN ROBERTSON [GB]

Publication date: 15-10-2004

SECURED COMPUTER ARCHITECTURE

Number: AT0000278218T
Publication date: 15-07-2009

METHOD FOR ENSURING SECURE COMMUNICATION BETWEEN A TERMINAL AND SERVICE PROVIDERS IN A NETWORK

Number: AT0000505459B1

Publication date: 04-06-2019

SYSTEM AND METHOD FOR PROTECTING A DEVICE AGAINST ATTACKS ON PROCESSING FLOW USING A CODE POINTER COMPLEMENT

Number: CA0002958986C
Assignee: GEMALTO SA

A system, method and computer-readable storage medium with instructions for operating a processor of an electronic device to protect against unauthorized manipulation of the code pointer, by maintaining and updating a code pointer complement against which the code pointer may be verified. Other systems and methods are disclosed.
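A minimal version of the complement scheme, added here as an example in C and not Gemalto's implementation. The pointer and its bitwise complement are stored side by side and written together, and every dispatch first verifies that the XOR of the two is all ones. The handlers and the two simulated attacks (a single-word overwrite and a one-bit fault) are constructed for the example:

```c
#include <stdint.h>
#include <stdio.h>

typedef void (*handler_fn)(void);

/* The protected code pointer: the pointer and its bitwise complement are
 * kept together and only ever written together. */
typedef struct {
    uintptr_t ptr;
    uintptr_t complement;
} guarded_ptr_t;

void gp_set(guarded_ptr_t *g, handler_fn f) {
    g->ptr = (uintptr_t)f;
    g->complement = ~g->ptr;
}

/* 1 when the pair is consistent, 0 when one word changed without the other. */
int gp_verify(const guarded_ptr_t *g) {
    return (g->ptr ^ g->complement) == ~(uintptr_t)0;
}

/* Dispatch through the pointer only after the check. Returns 0 on success
 * and -1 when the pointer was rejected; a device would reset or halt here. */
int gp_call(const guarded_ptr_t *g) {
    if (!gp_verify(g)) return -1;
    ((handler_fn)g->ptr)();
    return 0;
}

/* Constructed handlers and attacks for the example. */
static int calls;
static void handler_ok(void)   { calls += 1; }
static void handler_evil(void) { calls += 1000; }
int  get_calls(void)           { return calls; }
/* A one-word overwrite, as a buffer overflow or a glitch on one store would do. */
void attack_overwrite(guarded_ptr_t *g) { g->ptr = (uintptr_t)handler_evil; }
/* A single-bit fault in the pointer word. */
void attack_bitflip(guarded_ptr_t *g)   { g->ptr ^= (uintptr_t)1 << 4; }

int main(void) {
    guarded_ptr_t g;
    gp_set(&g, handler_ok);
    printf("legitimate dispatch: %d\n", gp_call(&g));
    attack_overwrite(&g);
    int rc = gp_call(&g);
    printf("after overwrite: dispatch returns %d, calls=%d\n", rc, get_calls());
    gp_set(&g, handler_ok);
    attack_bitflip(&g);
    printf("after bit flip: dispatch returns %d\n", gp_call(&g));
    return 0;
}
```

The check catches faults and overwrites that reach only one of the two words; an attacker with an arbitrary write who knows the layout can update both, so by itself this is a fault-injection and integrity measure rather than a defence against full memory corruption, and the complement can be kept somewhere the code pointer is not (a separate register or a protected page) to widen the gap an attacker has to bridge.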
Publication date: 21-09-2017

SYSTEM AND METHOD FOR REVERSE COMMAND SHELL DETECTION

Number: CA0003017936A1

A system and method for detecting reverse command shell intrusions at the process level on a user device is disclosed. In one embodiment, the system detects each process starting on an operating system of the user device, such as a mobile phone or laptop computer, and monitors Application Programming Interface (API) calls between each process and the operating system. The system then determines whether each process is associated with a reverse command shell intrusion based on information associated with the process and/or the API calls, and executes security policies against the processes associated with the reverse command shell intrusion to remediate them. In another embodiment, the system determines whether processes starting on a user device are associated with a reverse command shell intrusion by monitoring and analyzing information associated with the parent process of each process and/or API calls between each parent process and the operating system.

Publication date: 09-08-2016

SYSTEMS AND METHODS FOR CONTROLLING ACCESS TO A COMPUTER DEVICE

Number: CA0002900829C
Assignee: NGUYEN-HUU, THI CHAU, NGUYEN-HUU THI CHAU

A method and system for controlling access to a computer device. The method and system involve operating a computer device to control access to it by a host system. The method comprises determining whether the host system is authorized to access the computer device; operating the computer device to start a session if and only if the host system is authorized; during the session, providing the host system with access to the computer device; operating the computer device to monitor the host system during the session to determine whether a session termination event has occurred; and terminating the session when the session termination event has occurred, wherein terminating the session blocks access to the computer device by the host system.

Publication date: 07-12-1995

SECURE COMPUTER ARCHITECTURE

Number: CA0002191331A1

A secure computer architecture is disclosed which has a central processing unit means (10), zero or more memory means (30), at least one input means (14, 16, 18, 20, 22, 24, 26), at least one output means (14, 16, 18, 20, 22, 24, 26, 50) and bus means (52, 54) to communicate signals between the means, all of which are untrusted elements; a trusted access monitor device (28); a trusted gateway device (44) located between each of said memory means (30) and the bus means; a further trusted gateway device (32, 34, 36, 38, 40, 42, 46) located between each of said at least one input means and said bus means; and a further trusted gateway device (32, 34, 36, 38, 40, 42, 48) located between each of said at least one output means and said bus means, where the access monitor device controls either the one-way or two-way direction of said signals through a respective gateway device. In one aspect of the invention each memory location in each of said zero or more memory means (30), and each at least one input means and ...

Publication date: 06-01-2016

Method and device for interception of office clipboard

Number: CN0105224862A
Publication date: 05-06-2020

Dynamic identification and maintenance method for processor chip safety dependency

Number: CN0111241599A

Publication date: 11-06-2014

SAFETY PROTECTION METHOD AND SAFETY PROTECTION DEVICE

Number: CN103853978A

The present invention discloses a safety protection method and a safety protection device. The safety protection method, performed by a controller, includes the steps of providing an index table, calling one of the APIs, filtering the called API based on a predetermined condition, and blocking the API if it meets the predetermined condition.

Publication date: 17-03-2020

Method for resisting cache side-channel attacks by using a padding cache

Number: CN0110889147A

Publication date: 13-02-2013

Operation executing method in Linux system

Number: CN102930202A

The invention discloses an operation executing method in a Linux system. The method includes: sending an operation execution request for a program file to the Linux system; the Linux system invoking a first hook function of the Linux Security Module (LSM) framework and comparing the content of the program file with the content of a white list; and determining, according to the comparison result, whether to execute the operation on the program file. According to the method described in the embodiment, every executable program can be monitored effectively from kernel mode; the white list is simple and reliable, and the misjudgement caused by antivirus signature matching is avoided; the method is suitable for a server environment; and the overall impact on programs is small, since the determination is performed only when a program is loaded for the first time, which avoids the performance loss of frequent detection.

Publication date: 14-04-2010

Dynamic measuring method of buffer overflow on the basis of logic isolation

Number: CN0101694686A

The invention discloses a dynamic measuring method for buffer overflow based on logic isolation, comprising logic isolation of buffer data and, during operation, dynamic measurement of the buffer on the basis of that isolation so as to detect buffer overflow. Different data types are stored in contiguous linear physical spaces without modifying the current structure of the computer system. The dynamic measuring method comprises the following steps: inserting an isolation mark, storing the buffer data in the low-address direction from the isolation mark and pointer data in the high-address direction, to form a state space subset ranging from the low address to the high address of a memory, where a buffer comprises a plurality of contiguous state space subsets; and, based on the logic isolation, checking the integrity of the isolation mark by the dynamic measuring method to judge whether a buffer overflow has occurred. The dynamic ...
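The isolation mark in C, as an added example (not the patent's code): buffer data sits below the mark and a pointer above it, an unchecked copy stands in for the bug under test, and the dynamic measurement is the check of the mark before the pointer is trusted. The constant mark value, the frame layout and the oversized inputs are constructed for the example:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ISOLATION_MARK 0xA5C3E1F7u   /* constant here; a deployment would randomize it */

/* Layout from the abstract: buffer data at the low addresses, the isolation
 * mark next, pointer data above it. A linear overflow from buf must cross
 * the mark before it can reach callback. */
typedef struct {
    char     buf[16];
    uint32_t mark;
    void    *callback;
} isolated_frame_t;

void frame_init(isolated_frame_t *f, void *cb) {
    memset(f->buf, 0, sizeof f->buf);
    f->mark = ISOLATION_MARK;
    f->callback = cb;
}

/* Dynamic measurement: 1 when the mark is intact, 0 when an overflow crossed it. */
int frame_measure(const isolated_frame_t *f) {
    return f->mark == ISOLATION_MARK;
}

/* Stand-in for the unchecked copy under test: writes n bytes starting at buf
 * with no regard for buf's size. The copy goes through a byte pointer to the
 * whole frame and is capped at the frame size so that the example itself
 * stays inside one object; the bug it models has no such cap. */
void unsafe_fill(isolated_frame_t *f, const char *src, size_t n) {
    volatile unsigned char *bytes = (volatile unsigned char *)f;
    if (n > sizeof *f) n = sizeof *f;
    for (size_t i = 0; i < n; i++)
        bytes[offsetof(isolated_frame_t, buf) + i] = (unsigned char)src[i];
}

/* Copy, then measure before trusting the pointer. 1 = accepted, 0 = rejected. */
int fill_and_check(isolated_frame_t *f, const char *src, size_t n) {
    unsafe_fill(f, src, n);
    return frame_measure(f);
}

int main(void) {
    isolated_frame_t f;
    int target;
    frame_init(&f, &target);
    char attack[20];                         /* constructed input: 4 bytes past buf */
    memset(attack, 'A', sizeof attack);
    printf("short input accepted: %d\n", fill_and_check(&f, "hello", 6));
    printf("overflowing input accepted: %d (mark now %#x)\n",
           fill_and_check(&f, attack, sizeof attack), f.mark);
    return 0;
}
```

The mark detects a linear overrun that passes through it; a write that skips over the mark (an out-of-bounds index or a pointer-arithmetic bug landing directly on callback) is not seen, the same limitation a stack canary has.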
Publication date: 02-01-2018

Protected loading of a module

Number: CN0107533606A

Publication date: 04-02-2020

Program exit method and related equipment

Number: CN0110750782A
Author: ZHOU ZHIGANG

Publication date: 13-04-2018

Control flow integrity protection method and system based on intermediate language analysis

Number: CN0107908955A

Publication date: 29-03-2012

Application control constraint enforcement

Number: US20120078863A1
Assignee: Fortinet Inc

Systems and methods for performing application control constraint enforcement are provided. According to one embodiment, file system or operating system activity of a computer system relating to a code module is intercepted. A cryptographic hash value of the code module is checked against a local whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code. The local whitelist database also contains execution constraint information. When the cryptographic hash value matches one of the hash values of approved code modules, the authority of the computer system or of an end user of the computer system to execute the code module is further validated, if the execution constraint information so indicates, by performing a constraint check on the code module. If the authority is affirmed by the constraint check, the code module is allowed to execute.

Publication date: 29-03-2012

Data processing apparatus

Number: US20120079286A1
Assignee: Renesas Electronics Corp

A data processing apparatus is provided which detects tampering with software and rewriting of data. The data processing apparatus according to an embodiment of the present invention comprises a security unit which has an encryption circuit for decrypting an encrypted signal including secret data. The security unit includes a compression circuit which compresses an access signal used in accessing the security unit and outputs the compression result, and a comparison circuit which compares the compression result output by the compression circuit with a previously calculated expected value of the compression result of the access signal.
05-04-2012 дата публикации

Detecting Malicious Use of Computer Resources by Tasks Running on a Computer System

Номер: US20120084862A1
Принадлежит: International Business Machines Corp

A method, apparatus, and computer program product for identifying malware is disclosed. The method identifies processes in a running process list on a host computer system. The method identifies ports assigned to the processes in the running process list on the host computer system. The method determines whether any one of ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list. The method then makes a record that a hidden, running process is present as a characteristic of an attack in response to a determination that one of the ports is currently in use but is not assigned to any of the processes in the running process list in the host computer system.

Подробнее
12-04-2012 дата публикации

Cross-site scripting prevention in dynamic content

Номер: US20120090026A1
Принадлежит: Microsoft Corp

Embodiment relate to systems, methods, and computer storage media for suppressing cross-site scripting in a content delivery system. A request is received for content that includes a scripted item or scripted items. The scripted item is identified within the content. An identifier is associated with the scripted element when the scripted element is an intended scripted element to be associated with the content. The identifier may be a hash value based from a hash function and the scripted item. Prior to communicating the content to a user, the scripted item is identified again to determine if an identifier is associated with the scripted item. If an identifier is associated with the scripted item, the identifier is evaluated to determine if the identifier is appropriate. When the identifier is determined to not be appropriate, the scripted item is prevented from being communicated to a user.

Подробнее
10-05-2012 дата публикации

Secure in-line payments for rich internet applications

Номер: US20120116925A1
Принадлежит: eBay Inc

Methods and systems are provided for making secure financial transactions, such as purchase payments, using rich Internet applications (RIA) running an RIA runtime (also referred to as a platform or framework) on the user's smart phone or other mobile device. Embodiments differ from the usual way of re-directing a user from a third-party application and authenticating the user by providing secure in-line payments from a rich Internet application running on an RIA runtime. A system includes: a mobile device executing a rich Internet application running on an RIA runtime; a payment library communicating with the RIA runtime and a service provider, for which the payment library communicates with the service provider to authenticate the rich Internet application; and in response to authentication by the service provider, facilitates secure financial transactions via the rich Internet application.

Publication date: 31-05-2012

Computer system and control method thereof

Number: US20120137242A1
Author: Jie Liu

A computer system includes a number of input devices, a storage unit storing a plurality of modules, and a processing unit that executes the plurality of modules. The plurality of modules includes instructions executable by the processing unit to switch the operation mode of the computer system from a normal mode to a children mode when a mode switching command has been received. In the normal mode, the processing unit executes the modules to determine which of the applications of the computer system and which of the input devices are subject to disablement in the children mode; when in the children mode, it regards any operation command on an application subject to disablement as an invalid operation command and any user operation on an input device subject to disablement as an invalid user operation. A related method is also provided.

Publication date: 19-07-2012

Computer system and method for scanning computer virus

Number: US20120185940A1
Author: Nobuyuki Saika
Assignee: Individual

According to the present invention, a timeout caused by executing a virus scan is avoided. A computer system has a first computer, a second computer coupled to the first computer, and a storage system coupled to the first computer and the second computer. The first computer receives a request to write data, writes the requested data in the storage system, and sends a virus scan request of the written data to the second computer. The second computer receives the virus scan request from the first computer, reads the written data out of the storage system, and partially executes a virus scan of the read data. After the partial virus scan of the read data is finished, the first computer sends a response to the received write request. After the first computer sends the response, the second computer executes the remainder of the virus scan of the read data.

Publication date: 16-08-2012

Document encryption and decryption

Number: US20120210126A1
Assignee: Securencrypt LLC

A document encryption and decryption system and method for selectively encrypting and decrypting files and attachments, electronic mail, text messages, and any other items to protect or secure their contents by helping to prevent unauthorized individuals from viewing data in human-perceivable or readable form. The encryption and decryption system includes remote authentication to verify user credentials stored on a remote database hosted by a web server. The encryption system further includes remote deletion to automatically delete at least the encrypted items stored on the user's computer, handheld or portable device, smartphone, tablet, or any other computer of any kind when enabled and logged onto a network. The encryption and decryption system includes selectively decrypting items by retrieving a decryption key and decrypting the item, and/or typing a decryption key if the item cannot be decrypted with the retrieved key, and/or sending an invitation to a recipient using the web server.

Publication date: 30-08-2012

Method and apparatus for providing end-to-end security for distributed computations

Number: US20120221861A1
Assignee: Nokia Oyj

An approach is provided for providing end-to-end security in multi-level distributed computations. A distributed computation security platform determines one or more signatures associated with one or more computation closures of at least one functional flow. The distributed computation security platform also processes and/or facilitates a processing of the one or more signatures to generate at least one supersignature. The distributed computation security platform further determines to associate the at least one supersignature with the at least one functional flow.

Publication date: 30-08-2012

Limiting execution of software programs

Number: US20120222020A1
Assignee: International Business Machines Corp

Techniques are disclosed for limiting execution of software programs. For example, a method comprises the following steps. A first set of program code is extracted from a second set of program code. The extracted first set of program code is parsed to generate a parsed structure. The parsed structure generated from the first set of program code is examined for one or more expressions predetermined to be unsafe for execution. The one or more expressions predetermined to be unsafe for execution that are contained in the first set of program code are detected. In one example, the first set of program code may be a script generated with the JavaScript™ scripting language and the second set of program code may be a business process.

Publication date: 04-10-2012

System and method for below-operating system regulation and control of self-modifying code

Number: US20120255012A1
Author: Ahmed Said Sallam
Assignee: McAfee LLC

A system for securing an electronic device may include a memory; a processor; one or more operating systems residing in the memory for execution by the processor; and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the memory. The security agent may be further configured to: (i) trap attempted accesses to the memory, wherein each of such attempted accesses may, individually or in the aggregate, indicate the presence of self-modifying malware; (ii) in response to trapping each attempted access to the memory, record information associated with the attempted access in a history; and (iii) in response to a triggering attempted access associated with a particular memory location, analyze information in the history associated with the particular memory location to determine if suspicious behavior has occurred with respect to the particular memory location.

Publication date: 18-10-2012

Communications system having security apparatus, security apparatus and method therefor

Number: US20120266241A1
Assignee: G DATA Software AG

The present invention relates to a communications system having at least one communications means by means of which the communications system can be connected to at least one further processing unit and/or to a further communications system, having at least one first memory means, having at least one second memory means and having at least one security apparatus, wherein identical information is stored on the first and second memory means and wherein damage to the communications system can be determined with reference to a comparison of this information by means of the security apparatus. The present invention furthermore relates to a security apparatus and to a method of determining damage to a communications system.

Publication date: 25-10-2012

Method and system for protecting against the execution of unauthorized software

Number: US20120272296A1
Assignee: Individual

In accordance with an embodiment of the present invention, a client device is protected against the execution of unauthorized software. The client includes a code authentication process that verifies the integrity of executable code, by generating and comparing a first hash value of the executable code with a known hash value of the original code. Furthermore, during boot-up, the client initializes a CPU exception vector table with one or more vector table entries. One or more, or all, of the vector table entries direct the CPU to execute the code authentication process prior to executing an event handler when an exception event occurs. Consequently, the code authentication process is virtually guaranteed to execute, thereby protecting against the execution of unauthorized code.

Publication date: 15-11-2012

Emulating Mixed-Code Programs Using a Virtual Machine Instance

Number: US20120290848A1
Assignee: Microsoft Corp

The subject disclosure is directed towards a technology for efficiently emulating program code that is protected by one or more various code virtualization techniques to detect the presence of malware. An emulation engine emulates a program containing a mix of native code, custom (e.g., virtualized obfuscated) code, and at least one emulator and/or interpreter that understands the custom code, by building a custom emulation component that is built by detecting and analyzing the internal emulator or interpreter. The custom emulation component may access a translation table built from the analysis, and also may simplify a plurality of instructions in the program into a lesser number of instructions in an intermediate language used for emulation.

Publication date: 22-11-2012

System and method for application program operation on a wireless device

Number: US20120297443A1
Author: Shawn Kahandaliyanage
Assignee: Research in Motion Ltd

Embodiments described herein address mobile devices with non-secure operating systems that do not provide a sufficient security framework. More particularly, the embodiments described herein provide a set of applications to the device for providing security features to the non-secure operating system.

Publication date: 29-11-2012

Secure execution of unsecured apps on a device

Number: US20120304310A1
Author: James Blaisdell
Assignee: Mocana Corp

An app is secured on a mobile device by being deconstructed or unbundled into multiple modules, where a module is a segment of app code that performs a particular function. It is then determined which modules from the multiple modules perform some type of security function, for example, a function dealing with confidential or security-related data. These modules, forming a group of modules, are loaded into a trusted execution environment. The app is then re-bundled so that it has the first plurality of modules and the second plurality of modules. The app executes in a manner where the high security functions execute so that break points cannot be inserted into the app code. The re-bundling is done automatically in an app security wrapping process. Security constraints are added to the app.

Publication date: 17-01-2013

Remote-Assisted Malware Detection

Number: US20130019306A1
Assignee: AT&T INTELLECTUAL PROPERTY I LP

Remote assistance is provided to a mobile device across a network to enable malware detection. The mobile device transmits potentially infected memory pages to a remote server across a network. The remote server performs analysis, and provides feedback to the mobile device. Based on the received feedback, the mobile device halts a process, or retrieves and transmits additional memory pages to the remote server for more analysis. This process is repeated until a compromised region of memory is identified and/or isolated for further repair to be performed. The feedback from the remote server reduces the processing and storage burden on the mobile device, resulting in a more reliable detection that uses fewer resources. Embodiments including hypervisors and virtual machines are disclosed.

Publication date: 07-02-2013

System and method for instruction sets with run-time consistency check

Number: US20130036294A1
Author: Donald E. Steiss
Assignee: Cisco Technology Inc

A system and method includes modules for determining whether an instruction is a target of a non-sequential fetch operation with an expected numerical property value, and avoiding execution of the instruction if it is the target of the non-sequential fetch operation and does not have the expected numerical property. Other embodiments include encoding an instruction with a functionality that is a target of a non-sequential fetch operation with an expected numerical property value. Instructions with the same functionality that are not targets of non-sequential fetch operations can be encoded with a different numerical property value. More specific embodiments can include a numerical property of parity, determining whether the instruction is valid, and throwing an exception, setting status bits, sending an interrupt to a control processor, and a combination thereof to avoid execution.

Publication date: 21-03-2013

METHOD AND SYSTEM FOR EXECUTION MONITOR-BASED TRUSTED COMPUTING

Number: US20130074156A1
Author: Iftode Liviu, Xu Gang
Assignee: AT&T Intellectual Property I, L.P.

A system and method to ensure trustworthiness of a remote service provided by a service provider. The method includes monitoring runtime dependencies invoked during execution of a service transaction associated with the remote service, the service transaction being requested by a service requester. The method further includes determining whether a deviation exists between the runtime dependencies and a trusted list of dependencies associated with the remote service. The method also includes blocking execution of the service transaction based on determining that the deviation between the runtime dependencies and the trusted list of dependencies exists.

1. A method of ensuring trustworthiness of a service transaction associated with a remote service provided by a service provider, the method comprising: accessing, using a processor, a trusted list of runtime dependencies associated with the remote service in response to a request by a service requester for the service transaction; monitoring, using the processor, runtime dependencies invoked during execution of the service transaction; determining, using the processor, whether a deviation exists between the runtime dependencies and the trusted list of runtime dependencies; and blocking execution of the service transaction, using the processor, based on determining that the deviation between the runtime dependencies and the trusted list of dependencies exists.

2. The method of claim 1, further comprising attesting trustworthiness of an operating system kernel and a monitor associated with the operating system kernel in a trusted boot process in response to loading the remote service by the service provider, the monitor using the processor to perform the monitoring, determining and blocking.

3. The method of claim 2, further comprising: attesting trustworthiness of the trusted list of dependencies associated with the remote service; and storing an attestation result in a platform configuration register of ...

Publication date: 28-03-2013

Outbound Connection Detection and Blocking at a Client Computer

Number: US20130081129A1
Author: Jarno Niemelä
Assignee: F Secure Oyj

A method of detecting and blocking a malicious SSL connection at a client computer. The method includes identifying, at a network firewall level, an outbound SSL connection being set up at the client computer; detecting an SSL certificate associated with the SSL connection; sending a request to a central server for reputation information on the SSL certificate; at the central server, determining reputation information in dependence upon the SSL certificate; providing said reputation information from the central server to the client computer; and using the reputation information at the client computer to determine whether or not to block the connection.

Publication date: 02-05-2013

SOFTWARE SELF-CHECKING SYSTEMS AND METHODS

Number: US20130111215A1
Assignee: Intertrust Technologies Corporation

Software self-checking mechanisms are described for improving software tamper resistance and/or reliability. Redundant tests are performed to detect modifications to a program while it is running. Modifications are recorded or reported. Embodiments of the software self-checking mechanisms can be implemented such that they are relatively stealthy and robust, and so that they are compatible with copy-specific static watermarking and other tamper-resistance techniques.

1. A method of creating a tamper-resistant software program on a non-transitory computer-readable medium, the method comprising: including a plurality of self-checking code sequences in the source code of the program, each self-checking code sequence being configured to calculate a function of a portion of the program; including in the program one or more code sequences configured to trigger a tamper response mechanism when an improper modification of the program is detected by at least one of the plurality of self-checking code sequences; and writing the program onto a non-transitory computer readable medium.

2. The method of claim 1, wherein at least some of the plurality of self-checking code sequences are assigned to overlapping portions of the program in a relatively random fashion.

3. The method of claim 1, wherein at least some of the plurality of self-checking code sequences are assigned to overlapping portions of the program such that a graph representing the assignment of said self-checking code sequences to overlapping portions of the program is strongly connected.

4. The method of claim 1, wherein at least some of the plurality of self-checking code sequences are assigned to overlapping portions of the program such that the integrity of at least one self-checking code sequence is checked, at least in part, by at least one other self-checking code sequence.

5. The method of claim 1, wherein the function that at least one self-checking code sequence is operable to calculate ...

Publication date: 09-05-2013

Method and System for Ensuring a Sharing Violation Free Environment for a Trusted Software Agent

Number: US20130117858A1
Author: Werner Eran, Zucker Elad
Assignee:

A method and system are provided by which a trusted software agent can perform in a sharing violation free environment, which reduces complexity and eliminates interference with applications. A method for handling sharing violations in a computer system comprises intercepting a request by an application for access to a file, capturing a sharing violation raised by the operating system, determining whether the sharing violation is due to the trusted agent, and if so holding the request by the application for access to the file until the trusted agent no longer holds the file, and then reprocessing the request by the application for access to the file. The application is not aware that the sharing violation due to the trusted agent occurred, or that the request was pending and reprocessed, because at the end of the process the application receives a file handle as if a sharing violation had not occurred.

1. A method for handling sharing violations in a computer system comprising: intercepting a request by an application directed to a file in a file system of an operating system for access to the file; capturing a sharing violation issued by the operating system in response to the request; determining whether the sharing violation was due to a trusted agent, wherein the trusted agent is a software agent configured to monitor file operations performed on the computer system; storing one or more file access requests from the application in a queue if the sharing violation was due to the trusted agent; and reprocessing the one or more requests by the application for access to the file after the trusted agent releases the file.

2. The method of claim 1, wherein the act of determining whether the sharing violation was due to the trusted agent comprises determining that a count of the file access requests by the trusted agent triggered by the application is greater than zero.

3. The method of claim 2, further comprising signaling the trusted agent that the sharing violation due to the ...

Publication date: 13-06-2013

Interactive analysis of a security specification

Number: US20130152205A1
Assignee: International Business Machines Corp

Analyzing a security specification. An embodiment can include identifying a downgrader in a computer program under test. Via a processor, testing on the downgrader can be performed in a first level of analysis. Responsive to the downgrader not passing the testing performed in the first level of analysis, a counter example for the downgrader can be automatically synthesized. Further, a test unit can be created for the downgrader using the counter example as an input parameter to the downgrader. The test unit can be executed to perform testing on the downgrader in a second level of analysis. Responsive to the downgrader passing the testing performed in the second level of analysis, a user can be prompted to simplify a model of the downgrader.

Publication date: 20-06-2013

Data security in a multi-nodal environment

Number: US20130160136A1
Assignee: International Business Machines Corp

A data security manager in a multi-nodal environment enforces processing constraints stored as security relationships that control how different pieces of a multi-nodal application (called execution units) are allowed to execute, to ensure data security. The security manager preferably checks the security relationships for security violations when new execution units start execution, when data moves to or from an execution unit, and when an execution unit requests external services. Where the security manager determines there is a security violation based on the security relationships, the security manager may move, delay or kill an execution unit to maintain data security.

Publication date: 08-08-2013

Exception handling in a data processing apparatus having a secure domain and a less secure domain

Number: US20130205125A1
Assignee: ARM LTD

Processing circuitry can operate in a secure domain and a less secure domain. In response to an initial exception from background processing performed by the processing circuitry, state saving of data from a first subset of registers is performed by exception control circuitry before triggering an exception handling routine, while the exception handling routine has responsibility for performing state saving of data from a second subset of registers. In response to a first exception causing a transition from the secure domain to the less secure domain, where the background processing was in the less secure domain, the exception control circuitry performs additional state saving of data from the second subset of registers before triggering the exception handling routine. In response to a tail-chained exception causing a transition from the secure domain to the less secure domain, the exception handling routine is triggered without performing an additional state saving.

Publication date: 08-08-2013

DATA PROCESSING APPARATUS AND METHOD FOR PROTECTING SECURE DATA AND PROGRAM CODE FROM NON-SECURE ACCESS WHEN SWITCHING BETWEEN SECURE AND LESS SECURE DOMAINS

Number: US20130205389A1
Assignee: ARM LIMITED

A data processing apparatus includes processing circuitry and a data store including a plurality of regions including a secure region and a less secure region. The secure region is configured to store sensitive data accessible by the circuitry when operating in a secure domain and not accessible by the circuitry when operating in a less secure domain. The data store includes a plurality of stacks with a secure stack in the secure region. Stack access circuitry is configured to store predetermined processing state to the secure stack. The processing circuitry further comprises fault checking circuitry configured to identify a first fault condition if the data stored in the predetermined relative location is the first value. This provides protection against attacks from the less secure domain, for example performing a function call return from an exception, or an exception return from a function call.

1. A data processing apparatus, said data processing apparatus comprising: processing circuitry configured to perform data processing operations in response to program code; a data store configured to store data, said data store comprising a plurality of regions including a secure region and a less secure region, the secure region configured to store sensitive data accessible by said processing circuitry when operating in a secure domain and not accessible by said processing circuitry when operating in a less secure domain; said data store comprising a plurality of stacks, including a secure stack in said secure region; the processing circuitry including stack access circuitry configured, in response to an event requiring a transition from the secure domain to the less secure domain, to store predetermined processing state to the secure stack; if said event is a first event type, the predetermined processing state stored by the stack access circuitry comprising at least a return address which is stored at a predetermined relative location on the secure stack; if the event is a ...

Publication date: 22-08-2013

Computer program product, and information processing apparatus and method

Number: US20130219408A1
Assignee: Toshiba Corp

According to an embodiment, a computer program product includes a computer-readable medium including a program which, when executed by a computer, causes a plurality of modules to be run by the computer. The computer includes a memory having a shared area, which is an area accessible only to those modules which run cooperatively and which stores execution module identifiers. Each of the modules includes a first operation configured to store, just prior to a switchover of operations to another module that runs cooperatively, an identifier of the other module as the execution module identifier in the shared area; and a second operation configured to execute a function inside its own module when, immediately after a switchover of operations from the other module, the execution module identifier stored in the shared area matches the identifier of its own module.

Publication date: 22-08-2013

SELECTIVELY EXPOSING BASE CLASS LIBRARIES BASED ON APPLICATION EXECUTION CONTEXT

Number: US20130219523A1
Assignee: MICROSOFT CORPORATION

Allowing access to APIs based on application context. A method includes determining an application context for an application. A layer is determined for a base class library. Layers of the base class library are defined by one or more developer defined attributes associated with an API, where the API is included in the base class library. The base class library is divided into layers based on the developer defined attributes. The one or more attributes define which application contexts can access the API. If the layer matches the application context then access by the application to the API is allowed.

1. In a computing environment, a system for allowing access to APIs based on application context, the system comprising: one or more processors; determining a first application context for a first application; determining a first layer for a single base class library included in a single runtime deployed on a device, the single runtime exposing different subsets of available API surfaces of the single runtime to different applications such that some applications have richer API support when using the single runtime than other applications using the same single runtime, and wherein layers of the base class library are defined by one or more developer defined attributes associated with APIs, the APIs being included in the base class library, wherein the base class library is divided into layers based on the developer defined attributes, the developer defined attributes defining applications to which a given API of the single base class layer is exposed, such that the one or more attributes define which application contexts can access the given API; determining that the first layer matches the first application context and allowing access by the first application to one or more API in the first layer; determining a second application context for a second application that is different than the first application; determining a second layer for the single base ...

Publication date: 29-08-2013

PROGRAM ANALYSIS SYSTEM AND METHOD THEREOF

Number: US20130227690A1
Assignee: HITACHI, LTD.

A program analysis system that analyzes a program while adjusting the time elapse velocity in the program execution environment sets analysis conditions such as the time elapse velocity in the execution environment, the program execution start time and the execution termination time; adjusts the time elapse velocity and the program execution start time according to the determination of an analysis manager; executes the program until the execution termination time; monitors the execution environment; acquires an action record of the program; analyzes the action record; and clarifies the behavior of the program. Further, the program analysis system resets the analysis conditions based upon a result of analysis, re-analyzes, monitors communication between a sample and an external terminal, and varies the time elapse velocity set by the analysis manager to prevent a time-out from occurring in communication.

1. A program analysis system that operates a program, the operation of which is to be verified, in an execution environment where time elapse velocity can be arbitrarily adjusted, comprising: a system management device provided with an analysis manager that manages an analysis situation of the program and determines time elapse velocity; at least one sample execution device provided with a sample executor that executes the program in the execution environment based upon the time elapse velocity specified by the analysis manager and an action recorder that acquires the behavior of the program in the execution environment as an action record; at least one action analyzer provided with an action analyzer that analyzes the action record and outputs a characteristic of the program as a result of analysis; and at least one communication monitoring device provided with a communication monitor that adjusts the time elapse velocity so as to prevent time-out from occurring when the program communicates with an external device.

2. The program analysis system according to claim 1, wherein the communication ...

Publication date: 05-09-2013

Methods and apparatus for locating an unauthorized virtual machine

Number: US20130232586A1
Assignee: ManageIQ Inc

Methods and apparatus of locating an unauthorized virtual machine are disclosed. A virtual machine is registered with a management system. When the virtual machine is requested to start, the system determines whether the virtual machine is in an authorized environment. In an authorized environment, the virtual machine is enabled to operate normally. In an unauthorized environment, the virtual machine is disabled. The disabled virtual machine gathers information about the unauthorized environment and transmits the information to the virtual machine owner.

Publication date: 12-09-2013

PROTECTION AGAINST SIDE CHANNEL ATTACKS WITH AN INTEGRITY CHECK

Number: US20130238904A1
Assignee: GEMALTO SA

The invention relates to a method for protecting a sensitive operation by checking the integrity of at least a subset of the data manipulated by the sensitive operation. Data to be checked are divided into blocks, an intermediate integrity check value being computed for each block, the intermediate integrity check values being computed in random order. The invention also relates to a cryptographic device wherein at least one sensitive operation of the cryptographic device is protected by a method according to the invention.

1. A method for protecting a sensitive operation by checking the integrity of at least a subset of the data manipulated by the sensitive operation, said subset of data being referred to as the data to be checked, wherein checking the integrity comprises computing a final integrity check value from the data to be checked, and comparing said integrity check value with a reference value, the method comprising: converting the data to be checked into at least two random parts such that the random parts when XOR-ed result in the data to be checked, and dividing each random part into blocks and subsequently computing an intermediate integrity check value for each block, wherein the intermediate integrity check values are computed in random order, and the intermediate integrity check value of each block is calculated recursively over the previous result a number of times; calculating the final integrity check value by combining the intermediate integrity check values; and at the end of the integrity check computation, when all blocks have been processed, comparing the final integrity check value with the reference value in order to verify that the data to be checked have not been tampered with.

2. The method according to claim 1, wherein computing the integrity check value is based on a CRC.

4. Method according to claim 1, wherein the sensitive operation is a cryptographic operation.

5. Method according to claim 4, wherein the data to be checked comprise a cryptographic ...

Publication date: 19-09-2013

Output control apparatus, computer-readable medium for storing program for output control apparatus, output control method, and output control system

Number: US20130247195A1
Assignee: Digital Arts Inc

Provided is an output section that outputs data to outside; a condition storage section that stores an abnormal condition showing at least one of a characteristic of data to be outputted from the output section by means of malicious software and a characteristic of an operational pattern of the output section that results when the malicious software outputs data; and an output control section that prohibits output of data when at least one of a characteristic of data to be outputted from the output section and a characteristic of an operational pattern of the output section satisfies the abnormal condition.

Publication date: 10-10-2013

Systems and Methods for Computer-Based Testing

Number: US20130266926A1
Author: Diana Wright Cano
Assignee: EDUCATIONAL TESTING SERVICE

Systems and methods are provided for administering a test using an electronic device. The electronic device is registered to a test-taker, where the registering includes receiving identifying information from the test-taker and associating the electronic device with the test-taker using the identifying information. The test is stored in encrypted form on the electronic device, and the test includes a test question. The test is decrypted prior to test administration. The test is administered to the test-taker via the electronic device, and the administering includes displaying the test question on the electronic device and receiving an answer to the test question on the electronic device. The administered test is removed from the electronic device after transferring the answer to a testing service.

Publication date: 17-10-2013

Model-based system, method, and computer program product for detecting at least potentially unwanted activity associated with confidential data

Number: US20130276127A1
Assignee: Individual

A model-based system, method, and computer program product are provided for detecting at least potentially unwanted activity associated with confidential data. In use, behavior information associated with use of confidential data is identified, based on predetermined parameters. Additionally, a model is created utilizing the behavioral information. Furthermore, at least potentially unwanted activity associated with the confidential data is detected utilizing the model.

Publication date: 31-10-2013

INFORMATION SECURITY TECHNIQUES INCLUDING DETECTION, INTERDICTION AND/OR MITIGATION OF MEMORY INJECTION ATTACKS

Number: US20130290662A1
Author: Teal Daniel
Assignee: Lumension Security, Inc.

Methods of detecting malicious code injected into memory of a computer system are disclosed. The memory injection detection methods may include enumerating memory regions of an address space in memory of a computer system to create memory region address information. The memory region address information may be compared to loaded module address information to facilitate detection of malicious code memory injection.

1. A method comprising: (a) enumerating, based on a query of an operating executive of a computer system, a plurality of memory regions of an address space in memory of the computer system, thereby creating memory region address information; and (b) scanning memory of the computer system for a memory injection, wherein the scanning step comprises (i) determining whether a first memory region of the plurality of memory regions corresponds to any of a plurality of loaded modules registered with the operating executive, wherein the determining step comprises (A) examining the plurality of loaded modules for loaded module address information; and (B) comparing the memory region address information to the loaded module address information; (ii) wherein, when the first memory region does not correspond to any of the plurality of loaded modules, determining whether the first memory region contains library indicative coding; and (iii) wherein, when the first memory region contains library indicative coding, generating a memory injection alarm.
2. The method of claim 1, wherein, when the first memory region corresponds to one of the plurality of loaded modules, determining whether that loaded module is mapped from a file system of the computer system.
3. The method of claim 2, wherein the memory injection alarm is a first memory injection alarm, and wherein, when the loaded module is not mapped from a file system of the computer system, determining whether the first memory region contains library ...

Publication date: 28-11-2013

Using Power Fingerprinting (PFP) to Monitor the Integrity and Enhance Security of Computer Based Systems

Number: US20130318607A1

Procedures are described for enhancing target system execution integrity determined by power fingerprinting (PFP): by integrating PFP into the detection phase of comprehensive defense-in-depth security; by deploying a network of PFP-enabled nodes executing untrusted devices with predefined inputs forcing a specific state sequence and specific software execution; by embedding module identification information into synchronization signaling; by combining signals from different board elements; by using malware signatures to enhance PFP performance; by automatic characterization and signature extraction; by providing secure signature updates; by protecting against side-channel attacks; by performing real-time integrity assessment in embedded platforms by monitoring their dynamic power consumption and comparing it against signatures from trusted code, including pre-characterizing power consumption of the platform by concentrating on trace sections carrying the most information about the internal execution status; and by using PFP from a sequence of bit transitions to detect deviations from authorized execution of software in a digital processor.

Publication date: 28-11-2013

System and Method for Detection and Treatment of Malware on Data Storage Devices

Number: US20130318610A1
Author: Oleg V. Zaitsev
Assignee: Kaspersky Lab AO

Disclosed are systems and methods for detection and repair of malware on data storage devices. The system includes a controller, a communication interface for connecting an external data storage device, and a memory for storing antivirus software. The antivirus software is configured to scan the data contained in the data storage device, perform repair or removal of malicious files or programs found on the data storage device, identify suspicious files or programs on the data storage device and malicious files or programs that cannot be repaired or removed from the data storage device, send information about these files or programs to the antivirus software provider, receive updates for the antivirus software from the antivirus software provider, and rescan the suspicious files or programs and malicious files or programs that cannot be repaired or removed using updated antivirus software.

Publication date: 05-12-2013

SYSTEMS, METHODS AND MEDIA FOR MANAGING PROCESS IMAGE HIJACKS

Number: US20130326618A1
Author: JONES Stephen
Assignee: AppSense Limited

Disclosed is a method of checking the authenticity of an executable process including at least one section. The method includes, when an initial thread of the executable process is created in a suspended state, mapping from storage a copy of the executable process into a spare memory area, where it will not be executed. The method also includes comparing a header of a first section of the executable process with a header of a first section of the copy. The method further includes terminating the executable process when the header of the first section of the executable process and the header of the first section of the copy are not identical.

1. A method of checking for authenticity of an executable process, comprising: when an initial thread of an executable process mapped to a first area of a memory is created in a suspended state, mapping from a disk storage an image of the executable process to a second area of the memory, wherein the image of the executable process is not for execution; comparing a header of a first section of the executable process mapped to the first area of the memory with a header of a first section of the image of the executable process mapped to the second area of the memory; and terminating the executable process when the header of the first section of the executable process is not identical to the header of the first section of the image of the executable process.
2. The method of claim 1, further comprising: when the header of the first section of the executable process is identical to the header of the first section of the image of the executable process, comparing a number of sections included in the executable process with a number of sections included in the image of the executable process; and terminating the executable process when the number of sections included in the executable process is not identical to the number of sections included in the image of the executable process.
3. The method of claim 2, further comprising ...

Publication date: 05-12-2013

MANAGING PROCESS IMAGE HIJACKS

Number: US20130326619A1
Author: Jones Stephen Ian
Assignee: AppSense Limited

In some embodiments, a method includes storing, at a first time, a copy of an executable process at a memory area if an initial thread of the executable process is defined in a suspended state such that the copy of the executable process is not executed at the memory area. The executable process can be maintained at a storage different from the memory area. The method also includes comparing, at a second time after the first time, a header of a section of the executable process with a header of a section of the copy of the executable process. The method further includes determining not to execute the executable process if the header of the section of the executable process is different from the header of the section of the copy of the executable process.

1. A method, comprising: storing, at a first time, a copy of an executable process at a memory area if an initial thread of the executable process is defined in a suspended state such that the copy of the executable process is not executed at the memory area, the executable process being maintained at a storage different from the memory area; comparing, at a second time after the first time, content of a header of a section of the executable process with content of a header of a section of the copy of the executable process; and determining not to execute the executable process if the content of the header of the section of the executable process is different from the content of the header of the section of the copy of the executable process.
2. The method of claim 1, further comprising: comparing a number of sections in the executable process with a number of sections in the copy of the executable process if the content of the header of the section of the executable process is substantially identical to the content of the header of the section of the copy of the executable process; and determining not to execute the executable process if the number of sections in the executable process is different from the number of ...

Publication date: 09-01-2014

System And Method Providing Dependency Networks Throughout Applications For Attack Resistance

Number: US20140013427A1
Assignee: Irdeto BV

A method and system are provided to automatically propagate dependencies from one part of a software application to another, previously unrelated part. Propagation of essential code functionality and data to other parts of the program serves to augment common arithmetic functions with Mixed Boolean Arithmetic (MBA) formulae that are bound to pre-existing parts of the program. A software application is first analyzed at the compiler level to determine the program properties that hold in the program. Thereafter, conditions are constructed based on these properties and encoded in formulae that encode the condition in data and operations. Real dependencies throughout the application are therefore created such that if a dependency is broken the program will no longer function correctly.

Publication date: 16-01-2014

SYSTEM TO PROFILE APPLICATION SOFTWARE

Number: US20140020096A1
Assignee:

In an example, a system is provided, the system including a mobile device having an instance of an operating system installed thereon and a remote device coupled to the mobile device via a network, the remote device having an instrumented instance of the same operating system installed thereon. The remote device may be configured to install an instance of a new application on the remote device responsive to receiving a signal that originates from the mobile device and is indicative of the new application on the mobile device. The remote device may be configured to run the installed instance and determine whether the remote device performed any operations included in a preset list of operations.

1. A system, comprising: a smartphone, tablet, or Personal Digital Assistant (PDA) having an instance of a mobile operating system installed thereon; a remote device coupled to the smartphone, tablet, or PDA via a network, the remote device having an instrumented instance of the same mobile operating system installed thereon; a memory device located on the remote device, the memory device having instructions stored thereon that, in response to execution by a processing device of the remote device, cause the processing device to perform operations comprising: responsive to receiving a signal that originates from the smartphone, tablet, or PDA and is indicative of a new application on the smartphone, tablet, or PDA, installing an instance of the new application on the remote device; running the installed instance; and responsive to running the installed instance, determining whether the remote device performed any actions included in a preset list of actions.
2. The system of claim 1, wherein the operations further comprise: recording a state of the remote device prior to installing the instance of the detected application on the remote device; recording a state of the remote device after running the installed instance; and determining whether the remote device performed any actions included ...

Publication date: 23-01-2014

INFORMATION PROCESSING DEVICE AND COMPUTER PROGRAM PRODUCT

Number: US20140026183A1
Assignee: KABUSHIKI KAISHA TOSHIBA

According to an embodiment, an information processing device includes a kernel configured to execute a system call, and a managing unit configured to determine whether or not to permit execution of the system call. The kernel includes a holding unit and a system call executing unit. The holding unit holds execution of the system call until a result of determination as to whether or not to permit execution of the system call is returned from the managing unit. The system call executing unit executes the system call.

1. An information processing device comprising: a kernel; and a managing unit configured to determine whether or not to execute a system call, wherein the kernel includes a request storage unit configured to store therein system call information containing information including identification information of the system call and content of execution of the system call associated with each other when a request for execution of the system call is made by an application; a request notifying unit configured to notify the managing unit of the identification information of the system call; a second acquiring unit configured to acquire, from the managing unit, information indicating whether or not to permit execution of the system call and holding of the execution of the system call; a holding unit configured to hold execution of the system call until the second acquiring unit acquires the information indicating whether or not to permit the execution; and a system call executing unit configured to execute the system call; and wherein a first acquiring unit is configured to acquire the content of execution from the request storage unit on a basis of the identification information of the system call notified by the request notifying unit; an execution determining unit is configured to determine whether or not the acquired content of execution can be executed according to a predetermined determination rule; and a determination result notifying unit is configured to ...

Publication date: 27-02-2014

Local secure service partitions for operating system security

Number: US20140059680A1
Assignee: Microsoft Corp

Systems and methods provide multiple partitions hosted on an isolation technology such as a hypervisor where at least one of the partitions, a local secure service partition (LSSP), provides security services to other partitions. The service partitions (LSSPs) host those high assurance services that require strict security isolation, where the service can be shared across partitions and accessed even when the user is not connected to a network. The LSSP also can certify the results of any computation using a key signed by a TPM attestation identity key (AIK), or other key held securely by the hypervisor or a service partition. The LSSPs may be configured to provide trusted audit logs, trusted security scans, trusted cryptographic services, trusted compilation and testing, trusted logon services, and the like.

Publication date: 13-03-2014

DYNAMIC ANOMALY, ASSOCIATION AND CLUSTERING DETECTION

Number: US20140074796A1

Techniques are provided for dynamic anomaly, association and clustering detection. At least one code table is built for each attribute in a set of data containing one or more attributes. One or more clusters associated with one or more of the code tables are established. One or more new data points are received. A determination is made as to whether a given one of the new data points is an anomaly. At least one of the one or more code tables is updated responsive to the determination. When a compression cost of a given one of the new data points is greater than a threshold compression cost for each of the one or more clusters, the given one of the new data points is an anomaly.

1. A method, comprising: building one or more code tables for each attribute in a set of data containing one or more attributes; establishing one or more clusters associated with one or more of the code tables; receiving one or more new data points; determining if a given one of the new data points is an anomaly; and updating at least one of the one or more code tables responsive to the determination; wherein at least one of the building, establishing, receiving, determining and updating steps is performed by a processor device.
2. The method of claim 1, wherein the building step comprises: counting the number of appearances of each attribute value; estimating the bit length required to compress each attribute value; and calculating the usage of each attribute value.
3. The method of claim 1, wherein each code table comprises a code word column, a bit length column and a usage column.
4. The method of claim 1, further comprising a step of assigning the given one of the new data points to an existing cluster when the given one of the new data points is determined not to be an anomaly.
5. The method of claim 4, wherein the step of assigning the given one of the new data points to an existing cluster comprises: calculating a compression cost of the given one of the new data points for each of the one ...

Publication date: 13-03-2014

METHOD AND DEVICE FOR CONTROLLING INVOCATION OF AN APPLICATION PROGRAMMING INTERFACE

Number: US20140075546A1

A computer-implemented method for controlling invocation of an application programming interface (API) is provided. The method includes categorizing a plurality of APIs according to a plurality of API categories. The API categories are categorized by an API function through which user information is obtained. The method further includes setting a default invoking permission for a respective API category, and detecting, in real time, an attempt by an application to invoke an API in the respective API category. Upon detecting the attempted invocation of the API in the API category by the application, the method further includes controlling the invoking behavior of the API by the application in accordance with the default invoking permission for the API category.

1. A computer-implemented method of controlling invocation of an application programming interface (API), the method comprising: at a computer having a processor and memory for storing one or more programs: categorizing a plurality of APIs according to a plurality of API categories, wherein the API categories are categorized by an API function through which user information is obtained; setting a default invoking permission for a respective API category; detecting, in real time, an attempt by an application to invoke an API in the respective API category; and upon detecting the attempted invocation of the API in the API category by the application, controlling the invoking behavior of the API by the application in accordance with the default invoking permission for the API category.
2. The method of claim 1, wherein the invoking permissions comprise an access permission, a prohibition permission, and a prompt permission; and when the invoking permission of the respective API category is set to the access permission, allowing the application to invoke the API; when the invoking permission of the respective API category is set to the prohibition permission, prohibiting the ...

Publication date: 20-03-2014

Electronic device and method for monitoring application

Number: US20140082727A1

An electronic device includes an operating system to determine hardware modules being used when an application of the electronic device is run. The electronic device stores a table recording hardware modules used by the running of each application obtained from a creditable service provider. The electronic device obtains the hardware modules being used by the operating system when an application is running, determines whether all the hardware modules being used are the hardware modules corresponding to the running application in the table if the running application is recorded in the table, and determines that the running application is a malicious application if not all of the hardware modules being used are the hardware modules corresponding to the running application in the table. The electronic device executes a safeguard operation to protect the electronic device when the running application is a malicious application. A related method is also provided.

Publication date: 20-03-2014

PROTECTING IAT/EAT HOOKS FROM ROOTKIT ATTACKS USING NEW CPU ASSISTS

Number: US20140082751A1
Assignee:

The present disclosure provides systems and methods for hardware-enforced protection from malicious software. A device may include at least a security validator module and a security initiator module. A call from a process requesting access to information stored in the device may be redirected to the security initiator module, which may cause the device to change from an unsecured view to a secured view. In the secured view the security validator module may determine whether the call came from malicious software. If the call is determined to be valid, then access to the stored information may be permitted. If the call is determined to be invalid (e.g., from malware), the security software may cause the device to return to the unsecured view without allowing the stored information to be accessed, and may take further measures to identify and/or eliminate process code associated with the process that made the invalid call.

1. A device, comprising: a security validator module configured to determine whether processes executing in the device should be granted access to information stored on the device; and a security initiator module configured to control hardware-enforced security views based on requests to access the stored information received from the executing processes.
2. The device of claim 1, wherein the hardware-enforced security views include at least an unsecured view and a secured view.
3. The device of claim 2, wherein the security initiator module is further configured to cause a processor in the device to switch between the unsecured view and the secured view using a fast view switching assist without having to transition to a special privilege mode in the processor.
4. The device of claim 2, wherein the security validator module and the stored information cannot be altered or executed when the security initiator activates the unsecured view.
5. The device of claim 4, wherein the security initiator module is further configured to cause a hardware-based ...

Publication date: 27-03-2014

METHOD AND APPARATUS FOR VIRUS SCANNING

Number: US20140090062A1
Author: Guo Xi

Method and apparatus for virus scanning, and a non-transitory computer-readable medium that stores instructions for performing virus scanning. The method includes detecting a status of a system; and when the status of the system is idle, if current virus scanning has begun, continuing the current virus scanning, and if the current virus scanning has not begun, acquiring a scanning progress of previous virus scanning, beginning the current virus scanning according to the acquired scanning progress, and recording a scanning progress of the current virus scanning.

1. A method for virus scanning, comprising: detecting a status of a system; and when the status of the system is idle, if current virus scanning has begun, continuing the current virus scanning, and if the current virus scanning has not begun, acquiring a scanning progress of previous virus scanning, beginning the current virus scanning according to the acquired scanning progress, and recording a scanning progress of the current virus scanning.
2. The method according to claim 1, wherein the step of detecting the status of the system comprises: detecting whether the system is in an input status or a full-screen status, and detecting a current occupancy of system resources; determining, if the system is in the input status or the full-screen status, that the detected status of the system is busy; determining, if the system is in neither the input status nor the full-screen status, when the detected current occupancy of the system resources is greater than a predetermined occupancy, that the detected status of the system is busy; and determining, if the system is in neither the input status nor the full-screen status, when the current occupancy of the system resources detected within a second predetermined time is less than or equal to the predetermined occupancy, that the detected system status is idle.
3. The method according to claim 1, before the step of detecting the status of the system, further comprising: ...

Publication date: 03-04-2014

USING A DECLARATION OF SECURITY REQUIREMENTS TO DETERMINE WHETHER TO PERMIT APPLICATION OPERATIONS

Number: US20140096244A1

Provided are a computer program product, system, and method for using a declaration of security requirements to determine whether to permit application operations. A declaration of security requirements indicates actions the application designates to perform with respect to resources in a computer system, wherein a plurality of the indicated actions are indicated for at least two operation modes of the application. A detection is made of whether the application is requesting to perform a requested action with respect to a requested resource in the computer system. A determination is made of a current operation mode of the application comprising one of the at least two operation modes in response to detecting that the application is requesting the requested action. A determination is made as to whether the declaration of security requirements indicates the requested action with the current operation mode. The requested action with respect to the requested resource is allowed to proceed in response to determining that the declaration of security requirements indicates the requested action with respect to the requested resource as indicated with the current operation mode.

1. A computer program product for monitoring application operations of an application installed on a computer system, the computer program product comprising a computer readable storage medium having computer readable program code embodied therein that executes to perform operations, the operations comprising: receiving a declaration of security requirements indicating actions the application designates to perform with respect to resources in the computer system, wherein a plurality of the indicated actions are indicated for at least two operation modes of the application; detecting that the application is requesting to perform a requested action with respect to a requested resource in the computer system; determining a current operation mode of the application comprising one of at least two operation ...

Publication date: 03-04-2014

Protection Against Return Oriented Programming Attacks

Number: US20140096245A1
Author: Fischer Stephen A.
Assignee:

In one embodiment, a processor includes at least one execution unit. The processor also includes a Return Oriented Programming (ROP) logic coupled to the at least one execution unit. The ROP logic may validate a return pointer stored on a call stack based on a secret ROP value. The secret ROP value may only be accessible by the operating system.

1. A processor comprising: at least one execution unit; and a Return Oriented Programming (ROP) logic coupled to the at least one execution unit, the ROP logic to validate a return pointer stored on a call stack based on a secret ROP value, wherein the secret ROP value is only accessible to an operating system.
2. The processor of claim 1, wherein the ROP logic is to generate the secret ROP value under control of an operating system.
3. The processor of claim 2, wherein the ROP logic is to generate the secret ROP value using a random number.
4. The processor of claim 1, wherein the ROP logic is to generate a check value based on the secret ROP value.
5. The processor of claim 4, wherein the ROP logic is further to store the check value on the call stack after the return pointer.
6. The processor of claim 4, wherein the ROP logic is to generate the check value by encryption of the secret ROP value with the return pointer.
7. The processor of claim 4, wherein the ROP logic is to generate the check value by encryption of the secret ROP value with a stack pointer.
8. The processor of claim 5, wherein the ROP logic is further to remove the check value and the return pointer from the call stack, and to generate a validation check value.
9. The processor of claim 8, wherein the ROP logic is to determine that the return pointer is valid when the validation check value matches the check value removed from the call stack.
10. The processor of claim 9, wherein the ROP logic is further to execute a return to a first routine via the return pointer if the return pointer is valid.
11. A processor comprising: pop a return pointer and ...

Publication date: 03-04-2014

SYSTEM AND METHOD FOR COUNTERING DETECTION OF EMULATION BY MALWARE

Number: US20140096250A1
Author: BELOV SERGEY Y.
Assignee: Kaspersky Lab ZAO

Instructions of an application program are emulated such that they are carried out sequentially in a first virtual execution environment that represents the user-mode data processing of the operating system. A system API call requesting execution of a user-mode system function is detected. In response, the instructions of the user-mode system function called by the API are emulated according to a second emulation mode in which the instructions of the user-mode system function are carried out sequentially in a second virtual execution environment that represents the user-mode data processing of the operating system, including tracking certain processor and memory states affected by the instructions of the user-mode system function. Results of the emulating of the application program instructions according to the first emulation mode are analyzed for any presence of malicious code.

1-24. (canceled)
25. An automated computer-implemented method for investigating a presence of malicious code in an application program stored on a subject computer system, the subject computer system including a processor, memory, and an operating system, the method comprising: providing a standard emulator module for emulating the application program wherein instructions of the application program are carried out sequentially, and wherein system functions called by instructions of the application are simulated in an abbreviated fashion wherein fictitious results representing completed execution of each called system function are returned in lieu of actual execution of that called system function; providing a second emulator module for emulating called system functions that are user-mode system functions, wherein emulation of the called system functions in response to execution of the application program instructions includes sequential execution of the called system function, including branching operations and function calls taking place within the instructions of the called system ...

Publication date: 07-01-2021

Metadata Programmable Tags

Number: US20210004231A1
Author: Andre' Dehon
Assignee: Charles Stark Draper Laboratory Inc

A method comprises receiving a current instruction for metadata processing performed in a metadata processing domain that is isolated from a code execution domain including the current instruction. The method further comprises determining, by the metadata processing domain in connection with metadata for the current instruction, whether to allow execution of the current instruction in accordance with a set of one or more policies. The one or more policies may include a set of rules that enforces execution of a complete sequence of instructions in a specified order from a first instruction of the complete sequence to a last instruction of the complete sequence. The metadata processing may be implemented by a metadata processing hierarchy comprising a control module, a masking module, a hash module, a rule cache lookup module, and/or an output tag module.

Publication date: 04-01-2018

Systems and Methods of Asynchronous Analysis of Event Notifications for Computer Security Applications

Number: US20180004943A1
Author: LUKACS Sandor
Assignee:

Described systems and methods enable an efficient detection and analysis of software events, especially in hardware virtualization configurations. In some embodiments, certain types of events are analyzed asynchronously, in the sense that the triggering entity is allowed to continue execution while the respective event is added to a queue for later processing. Some embodiments modify the instruction set architecture of the processor by adding a processor instruction dedicated to delivering event notifications. Such notification instructions allow for complex and flexible event detection without some of the disadvantages of conventional methods such as hooking. 1. A host system comprising a hardware processor and a memory, the hardware processor configured to execute a notification handler and a computer security program, the hardware processor further configured to: receive from the memory an event notification instruction forming part of a currently executing process, wherein execution of the process causes an occurrence of a trigger event, wherein the event notification instruction comprises an operator field and an operand field, wherein the operand field comprises an identifier of an event type of the trigger event; in response to receiving the event notification instruction, suspend execution of the process; and in response to suspending execution of the process, switch to executing the notification handler, determine whether an event eligibility condition is satisfied according to the event type of the trigger event, in response, when the event eligibility condition is satisfied, insert an event indicator into an event queue, the event indicator indicative of the trigger event, and in response to inserting the event indicator into the event queue, instruct the hardware processor to resume execution of the process, and wherein the notification handler is configured to, in response to the hardware processor resuming execution of the process, remove the ...

Publication date: 04-01-2018

REGULATING CONTROL TRANSFERS FOR EXECUTE-ONLY CODE EXECUTION

Number: US20180004946A1
Assignee: Intel Corporation

In one embodiment, an apparatus comprises a processor configured to: detect a first control transfer operation; determine that a destination of the first control transfer operation is within code stored in execute-only memory; generate a fault if the destination of the first control transfer operation is an invalid entry point into the code stored in execute-only memory; detect a second control transfer operation while executing the code stored in execute-only memory; and abort execution of the code stored in execute-only memory if the second control transfer operation is detected at an invalid exit point in the code. 1. At least one machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to: detect a first control transfer operation; determine that a destination of the first control transfer operation is within code stored in execute-only memory; generate a fault if the destination of the first control transfer operation is an invalid entry point into the code stored in execute-only memory; detect a second control transfer operation while executing the code stored in execute-only memory; and abort execution of the code stored in execute-only memory if the second control transfer operation is detected at an invalid exit point in the code. 2. The storage medium of claim 1, wherein one or more secrets are embedded in the code stored in execute-only memory as constant values in one or more processor instructions. 3. The storage medium of claim 2, wherein the instructions that cause the machine to abort execution of the code stored in execute-only memory if the second control transfer operation is detected at an invalid exit point in the code further cause the machine to clear the one or more secrets from one or more registers. 4. The storage medium of claim 1, wherein a valid entry point into the code is identified based on a location of a particular processor instruction in the code. 5. The ...

Publication date: 04-01-2018

ENHANCED CONTROL TRANSFER SECURITY

Number: US20180004947A1
Assignee: Intel Corporation

One embodiment provides a system. The system includes a processor comprising at least one processing unit; a memory; and control transfer (CT) logic. The CT logic is to determine whether a next instruction is a control transfer termination (CTT) when a prior instruction is a control transfer instruction (CTI). The CT logic is to determine whether the CTT is an external CTT, if the next instruction is the CTT; determine whether the prior instruction is an external CTI, if the CTT is the external CTT; and notify an external CTT fault, if the prior instruction is not the external CTI. 1. A control transfer security method comprising: determining, by control transfer (CT) logic, whether a next instruction is a control transfer termination (CTT), when a prior instruction is a control transfer instruction (CTI); determining, by the CT logic, whether the CTT is an external CTT, if the next instruction is the CTT; determining, by the CT logic, whether the prior instruction is an external CTI, if the CTT is the external CTT; and notifying, by the CT logic, an external CTT fault, if the prior instruction is not the external CTI. 2. The method of claim 1, further comprising notifying, by the CT logic, a general CTT fault, if the next instruction is not the CTT. 3. The method of claim 1, wherein the CTI is an internal CTI or an external CTI. 4. The method of claim 3, wherein the internal CTI is selected from the group comprising an internal call instruction (“CALL”) and an internal jump instruction (“JMP”), and the external CTI is selected from the group comprising an external call instruction (“EXCALL”) and an external jump instruction (“EXJMP”). 5. The method of claim 1, wherein the CTT is an internal CTT or an external CTT. 6. The method of claim 5, wherein the internal CTT is an ENDBRANCH and the external CTT is an EXENDBRANCH. 7. A control transfer security method comprising: determining, by control transfer (CT) logic, whether a target of a ...

Publication date: 04-01-2018

Method For Updating Process Objects In An Engineering System

Number: US20180004949A1
Author: Lutz Benjamin, Palmin Anna
Assignee:

A method for updating process objects of an automation project stored in an engineering system, wherein an automation device is designed and/or configured via the engineering system to control a technical process and wherein, furthermore, the technical process to be controlled can be operated and monitored via an operator system in which changes to process objects made during the run-time are not lost but secured and are automatically “updated” or “traced” in the engineering system. 1. A method for updating process objects of an automation project stored in an engineering system, wherein an automation device being at least one of (i) designed and (ii) configured via the engineering system to control a technical process, and the technical process to be controlled being operable and monitored via an operator system, in cases where a change to at least one process object of the process objects is effected during the process control via the operator system, the method comprising: generating an operating alarm via the operator system and storing the alarm in a process image of the operator system, the operating alarm comprising (a) the change and at least one of (i) user object-based values, (ii) action object-based values and (iii) process object-based values to protect against unauthorized changes at the at least one process object of the process objects and (b) an integrity feature to protect the operating alarm against manipulations; supplying the operating alarm to an archive server and storing the supplied operating alarm in the archive server; reading the operating alarm from the archive server via the engineering system; verifying the integrity feature via the engineering system and comparing at least one of (i) the user object-based values, (ii) the action object-based values and (iii) process object-based values with predefined values stored in the engineering system via the engineering system; adopting the change at the at least one process object in the ...

Publication date: 04-01-2018

Automated Code Lockdown To Reduce Attack Surface For Software

Number: US20180004950A1
Author: Gupta Satya Vrat
Assignee:

In an example embodiment, a system determines a set of instructions from the available instructions for a computer application. The determined set of instructions provides specific functionality of the computer application. The system may determine the set of instructions by performing functional testing and negative testing on the specific functionality. The system may reorganize and randomize the set of instructions in memory and write the reorganized set of instructions to a smaller memory space. For each available instruction not in the set of instructions, the system changes the respective instruction to inoperative to prevent execution of the respective instruction. The system may change the respective instruction to inoperative by overwriting the instruction with a NOP instruction. The system then captures a memory address of the computer application being accessed at runtime. The system may declare a security attack if the captured memory address matches a memory address for an inoperative instruction. 1. A method comprising: determining a set of instructions from available instructions for a computer application, wherein the set of instructions provide specific functionality of the computer application; for each available instruction not in the set of instructions, changing the respective instruction to inoperative to prevent execution of the respective instruction; capturing a memory address of the computer application being accessed at runtime; and declaring a security attack if the captured memory address matches a memory address for an inoperative instruction. 2. The method of claim 1, wherein determining the set of instructions further comprises: performing functional testing on the specific functionality of the computer application; and capturing instructions executed during the functional testing. 3. The method of claim 2, further comprising: performing negative testing on the specific functionality, wherein the negative testing triggers exception handling ...

Publication date: 04-01-2018

SYSTEM AND METHOD TO MITIGATE MALICIOUS CALLS

Number: US20180004951A1
Author: Mathur Rachit, Szor Peter
Assignee: MCAFEE, INC.

Systems and methods are provided in example embodiments for mitigating malicious calls. The system can be configured to receive a function call, determine the location of a memory page that initiated the function call, determine if the memory page is associated with a trusted module, and block the function call if the memory page is not associated with the trusted module. In addition, the system can determine the return address for the function call and block the function call if the return address does not belong to the trusted module. Further, the system can determine a parameter for the function call, determine if the parameter is a known parameter used by the process that called the function, and block the function call if the parameter is not the known parameter used by the process that called the function. 1-25. (canceled) 26. At least one computer-readable medium comprising one or more instructions that, when executed by a processor, cause the processor to execute a method comprising: hooking a user mode asynchronous procedure call (APC) dispatcher function of a dynamic-link library; inspecting a parameter of the APC dispatcher function, and verifying a page that would be executed as an APC routine; ignoring an execution of the APC; and calling an application programming interface function with a parameter. 27. The at least one computer-readable medium of claim 26, wherein the ignoring and calling are performed if the page is not part of a dynamic-link library of a predetermined program or part of an executable of the predetermined program, or the APC points to code that differs from a file image corresponding to an address in memory. 28. The at least one computer-readable medium of claim 26, wherein the APC dispatcher function is KiUserApcDispatcher. 29. The at least one computer-readable medium of claim 26, wherein the application programming interface function is NtContinue. 30. The at least one computer-readable medium of claim 26, the ...

Publication date: 02-01-2020

Dynamic analysis techniques for applications

Number: US20200004963A1
Author: Cong ZHENG, Wenjun Hu, Zhi Xu
Assignee: Palo Alto Networks Inc

A sample is analyzed to determine a set of events that should be selected for performing by a dynamic analyzer executing the sample in an instrumented, emulated environment. The set of selected events is performed. A maliciousness verdict is determined for the sample based at least in part on one or more responses taken by the sample in response to the set of selected events being performed by the dynamic analyzer.

Publication date: 02-01-2020

SYSTEMS AND METHODS FOR DETECTING MALICIOUS ACTIVITY IN A COMPUTER SYSTEM

Number: US20200004964A1
Assignee:

Systems and methods for detecting malicious activity in a computer system. One or more graphs can be generated based on information objects about the computer system and relationships between the information objects, where the information objects are vertices in the graphs and the relationships are edges in the graphs. Comparison of generated graphs to existing graphs can determine a likelihood of malicious activity. 1. A system for detecting malicious activity in a computer system, the system comprising: a computing platform including computing hardware of at least one processor and memory operably coupled to the at least one processor; and instructions that, when executed on the computing platform, ... a gathering tool configured to collect a plurality of information objects about the computer system, and determine a plurality of relationships between the plurality of information objects; a graph-building tool configured to build at least a first intermediate graph and a second intermediate graph based on the plurality of information objects and the plurality of relationships, wherein the first and second intermediate graphs are formed with the plurality of information objects as vertices and the plurality of relationships as edges, and build a final graph based on the at least first and second intermediate graphs, wherein the final graph includes at least one vertex from the first intermediate graph and at least one vertex from the second intermediate graph and at least one edge connecting the at least one vertex from the first intermediate graph and at least one vertex from the second intermediate graph; a search tool configured to select, from a graphs database, at least one preexisting graph similar to the final graph based on a degree of similarity threshold, the at least one preexisting graph assigned a malicious activity ratio; and an analysis tool configured to determine malicious activity based on the at least one preexisting graph.

Publication date: 02-01-2020

METHOD AND SYSTEM FOR GENERATING A REQUEST FOR INFORMATION ON A FILE TO PERFORM AN ANTIVIRUS SCAN

Number: US20200004965A1
Assignee:

Disclosed herein are systems and methods for generating a request for information on a file to perform an antivirus scan. In one aspect, an exemplary method comprises, intercepting the file, synchronously calculating a first hash of a portion of the file, searching in a verdict cache, when the hash is found, determining whether the hash belongs to a list of malicious files, when it belongs to the list of malicious files, synchronously calculating a second hash, searching for the second hash in the verdict cache, and pronouncing a final decision as to harmfulness of the file, when the first hash does not belong to the list of malicious files, granting access to the file, asynchronously generating a request for information about the file, calculating a second hash, searching for the information in a verdict cache, and pronouncing a decision as to harmfulness of the file. 1. A method for generating a request for information on a file, the method comprising: intercepting the file during the launching of the file; synchronously calculating a first hash of a portion of the file; synchronously searching for the first hash in a verdict cache; when the first hash is found in the verdict cache, determining whether the first hash belongs to a list of malicious files; when the first hash belongs to the list of malicious files, synchronously calculating a second hash of the file, synchronously searching for the second hash in the verdict cache and/or a remote server, and pronouncing a final decision as to a harmfulness or safety of the file based on the results of the synchronous search; and when the first hash does not belong to the list of malicious files, granting access to the file, asynchronously generating a request for the information about the file including at least an indication as to harmfulness of the file, asynchronously calculating a second hash of the file, asynchronously searching for the information about the file in a verdict cache located on a remote server ...

Publication date: 02-01-2020

Control Transfer Termination Instructions Of An Instruction Set Architecture (ISA)

Number: US20200004991A1
Assignee:

In an embodiment, the present invention includes a processor having an execution logic to execute instructions and a control transfer termination (CTT) logic coupled to the execution logic. This logic is to cause a CTT fault to be raised if a target instruction of a control transfer instruction is not a CTT instruction. Other embodiments are described and claimed. 1. A processor comprising: a fetch unit to fetch instructions; a decode unit to decode the instructions, the decode unit including a control transfer termination (CTT) logic, responsive to a control transfer instruction, to decode the control transfer instruction into a decoded control transfer instruction, associate second state information with the decoded control transfer instruction to indicate that the CTT logic is in a wait state and provide the decoded control transfer instruction and the second state information to an execution unit, the CTT logic to transition from an idle state to the wait state responsive to the control transfer instruction; the execution unit to execute decoded instructions; and a retirement unit to retire the decoded control transfer instruction, wherein the retirement unit is to raise a fault if a next instruction to be retired after the decoded control transfer instruction is not a CTT instruction. This application is a continuation of U.S. patent application Ser. No. 15/635,294, filed Jun. 28, 2017, which is a continuation of U.S. patent application Ser. No. 13/690,221, filed Nov. 30, 2012, now U.S. Pat. No. 9,703,567, issued Jul. 11, 2017, the content of which is hereby incorporated by reference. Return-oriented programming (ROP) is a computer security exploit technique in which an attacker uses software control of a stack to execute an attacker-chosen sequence of machine instructions. These clusters of instructions typically end with a programmer-intended or unintended return (RET) instruction within existing program code. The intended or unintended RET instruction transfers ...

Publication date: 03-01-2019

Electronic control unit

Number: US20190005232A1
Author: Motonori Ando
Assignee: Denso Corp

An electronic control unit includes: a memory saving a program that has a call/return to/from a function represented as a control flow together with the function itself and a check instruction inserted in a program code of the program for checking whether the program code is executable based on the control flow. The electronic control unit may also include an input unit receiving an input of use frequency information indicative of a use frequency of the function; a measurement unit measuring a load of the electronic control unit; an execution object determiner determining the check instruction to be executed based on the use frequency information and the load; and an arithmetic unit executing the check instruction determined by the execution object determiner at a time of execution of the program.

Publication date: 03-01-2019

Discrete Processor Feature Behavior Collection

Number: US20190005234A1
Author: Klonowski Eric
Assignee: WEBROOT INC.

Examples of the present disclosure describe systems and methods for discrete processor feature behavior collection and analysis. In aspects, a monitoring utility may initialize a set of debugging and/or performance monitoring feature sets for a microprocessor. When the microprocessor receives from software content a set of instructions that involves the loading of a set of modules or code segments, the set of modules or code segments may be evaluated by the monitoring utility. The monitoring utility may generate a process trace of the loaded set of modules or code segments. Based on the process trace output, various execution paths may be reconstructed in real-time. The system and/or API calls made by the microprocessor may then be compared to the process trace output to quickly observe the interaction between the software content and the operating system of the microprocessor. 1. A system comprising: one or more processors; and memory coupled to at least one of the one or more processors, the memory comprising computer executable instructions that, when executed by the at least one processor, performs a method for discrete processor feature behavior collection and analysis, the method comprising: monitoring software content; detecting interaction between the software content and the system, wherein the interaction relates to loading into memory a set of instructions, and wherein the interaction generates performance data; evaluating the loaded set of instructions to identify a first set of calls; evaluating the performance data to identify a second set of calls; comparing the first set of calls to the second set of calls to identify a third set of calls, wherein the third set of calls represent calls of interest; and evaluating the third set of calls to categorize the software content. 2. The system of claim 1, the method further comprising initializing one or more performance monitoring feature sets to be monitored by the one or more processors ...

Publication date: 03-01-2019

MEMORY LAYOUT BASED MONITORING

Number: US20190005241A1
Author: Boutnaru Shlomi
Assignee: PayPal, Inc.

Techniques for monitoring based on a memory layout of an application are disclosed. A memory layout may be received, obtained, and/or generated from an application executing on a computer. Based on one or more attributes of a plurality of memory regions of the memory layout a memory layout fingerprint is generated. Additionally, memory region fingerprints are generated based on the one or more attributes for respective memory regions. The memory layout fingerprint and the memory region fingerprints are compared to respective previous memory layout fingerprints and the memory region fingerprints in order to determine whether malicious code and/or application drifting has occurred. 1. A computer-implemented method for monitoring based on a memory layout of an application, the method comprising: receiving the memory layout of the application executing on a first computer, the memory layout including a plurality of memory regions of the application executing on the first computer, wherein each memory region includes one or more attributes of the memory region of the application executing on the first computer; generating a memory layout fingerprint for the application executing on the first computer based on one or more attributes of one or more of the memory regions of the plurality of memory regions; determining whether the memory layout fingerprint for the application matches a previous memory layout fingerprint for the application; and responsive to determining the memory layout fingerprint for the application does not match the previous memory layout fingerprint, flagging the application for review. 2. The method according to claim 1, further comprising: monitoring the application executing on the at least the first computer by iteratively performing each step. 3. The method according to claim 1, wherein the one or more attributes of the memory region of the application executing on the first computer include one or more of a size of a memory address of the memory ...

Publication date: 03-01-2019

Determining the Similarity of Binary Executables

Number: US20190005242A1
Assignee:

In some implementations, a computing device can determine the similarity of binary executables. For example, the computing device can receive an application, including a binary executable. The computing device can generate function signatures for the functions called within the binary executable. The computing device can generate a locality sensitive hash value for the application based on the function signatures. The computing device can group applications based on the locality sensitive hash value generated for each application. The computing device can compare the function signatures of the binary executables of the applications within a group to determine the similarity of the applications. If two applications have binary executables that are over a threshold percentage of similarity, the two applications can be identified as clones of each other. 1. A method comprising: receiving, by a computing device, an application executable; generating, by the computing device, function signatures for functions called within the application executable; generating, by the computing device, a first value for the application executable based on the function signatures; grouping, by the computing device, the received application executable with one or more other application executables into an application group based on the first value; comparing, by the computing device, the received application executable to the one or more other applications in the application group; determining, by the computing device, that the received application executable and the at least one or other application executable are functionally the same application. 2. The method of claim 1, wherein generating function signatures includes: determining opcodes within the application executable corresponding to a particular function; combining the opcodes to generate a string of opcodes; and generating a hash value based on the string of opcodes. 3. The method of claim 1, wherein the first value is a locality ...

Publication date: 01-01-2015

METHOD AND APPARATUS FOR SECURING A DYNAMIC BINARY TRANSLATION SYSTEM

Number: US20150007304A1
Assignee:

A processor and method are described for managing different privilege levels associated with different types of program code, including binary translation program code. For example, one embodiment of a method comprises entering into one of a plurality of privilege modes responsive to detecting the execution of a corresponding one of a plurality of different types of program code including native executable program code, translated executable program code, and binary translation program code. In one embodiment, the binary translation program code includes sub-components each of which are associated with a different privilege level for improved security. 1. A method comprising: entering into one of a plurality of privilege modes responsive to detecting the execution of a corresponding one of a plurality of different types of program code including native executable program code, translated executable program code, and binary translation program code. 2. The method as in claim 1, wherein the binary translation program code includes a plurality of sub-components, the method further comprising: entering into a first privilege mode responsive to detecting the execution of a first sub-component of the binary translation code; and entering into a second privilege mode responsive to detecting the execution of a second sub-component of the binary translation code. 3. The method as in claim 2, wherein the sub-components include a translator component, a runtime component, and a system component. 4. The method as in further comprising: entering into the first privilege mode responsive to detecting the execution of the translator sub-component or runtime sub-component; and entering into the second privilege mode responsive to detecting the execution of the system sub-component of the binary translation code. 5. The method as in wherein the second privilege mode provides relatively more privileges than the first privilege mode. 6. The method as in wherein entering into comprises ...

Publication date: 01-01-2015

System and method for detecting malicious links in electronic messages

Number: US20150007312A1
Assignee: Individual

According to one embodiment, in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, any known URL links are removed from the URL links based on a list of known link signatures. For each of remaining URL links that are unknown, a link analysis is performed on the URL link based on link heuristics to determine whether the URL link is suspicious. For each of the suspicious URL links, a dynamic analysis is performed on a resource of the suspicious URL link. It is classified whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis.

Publication date: 01-01-2015

IDENTIFYING WHETHER AN APPLICATION IS MALICIOUS

Number: US20150007322A1
Assignee:

Identifying whether a first application is malicious. The first application can be presented for installation on a processing system. The first application can be scanned, via a static analysis implemented by a processor, to determine whether a user interface layout of the first application is suspiciously similar to a user interface layout of a second application installed on the processing system. When the user interface layout of the first application is suspiciously similar to the user interface layout of the second application installed on the processing system, an alert can be generated indicating that the first application is malicious. 1. A method of identifying whether a first application is malicious, the method comprising: detecting the first application being presented for installation on a processing system; scanning, via a static analysis implemented by a processor, the first application to determine whether a user interface layout of the first application is suspiciously similar to a user interface layout of a second application installed on the processing system; and responsive to determining that the user interface layout of the first application is suspiciously similar to the user interface layout of the second application installed on the processing system, generating an alert indicating that the first application is malicious. 2. The method of claim 1, further comprising: during execution of the first application by the processing system, performing a runtime analysis of the first application, the runtime analysis comprising determining whether the user interface layout of the first application is suspiciously similar to the user interface layout of the second application; and responsive to the runtime analysis indicating that the user interface layout of the first application is suspiciously similar to the user interface layout of the second application, generating the alert indicating that the first application is malicious. responsive to ...

More
Publication date: 27-01-2022

RASP-BASED IMPLEMENTATION USING A SECURITY MANAGER

Number: US20220027456A1
Assignee:

In one embodiment, a device loads a security manager into a runtime of an application that is configured to permit or deny permission checks within the application. An agent executed by the device identifies a call to the security manager to perform a particular permission check. The agent determines, based on a policy, whether the call represents a runtime application self-protection (RASP) policy violation. The agent raises a RASP security exception when it determines that the call represents a RASP policy violation.

1. A method comprising:
loading, by a device, a security manager into a runtime of an application, wherein the security manager is configured to permit or deny permission checks within the application;
identifying, by an agent executed by the device, a call to the security manager to perform a particular permission check;
determining, by the agent and based on a policy, whether the call represents a runtime application self-protection (RASP) policy violation; and
raising, by the agent, a RASP security exception when the agent determines that the call represents a RASP policy violation.
2. The method as in claim 1, wherein the RASP policy violation comprises one of: injection, broken authentication, sensitive data exposure, Extensible Markup Language (XML) external entities (XXE), broken access control, security misconfiguration, cross-site scripting, insecure deserialization, using components with known vulnerabilities, or insufficient logging and monitoring.
3. The method as in claim 1, further comprising:
preventing, by the agent, the security manager from crashing the application as a result of a permission check performed by the security manager.
4. The method as in claim 3, wherein preventing the security manager from crashing the application as the result of a permission check performed by the security manager comprises:
causing permission checks ...

More
Publication date: 12-01-2017

Methods And Systems For Controlling Permission Requests For Applications On A Computing Device

Number: US20170011215A1
Assignee: Google LLC

Examples described may relate to methods and systems for controlling permission requests for applications running on a computing device to access resources provided by the computing device. A computing device may maintain in memory for a given application responses to permission requests. The computing device may receive responses to a first permission request that includes two selectable options to either allow or deny access to a particular resource. The computing device may determine whether a number of the responses to the first request that indicate to deny access exceeds a predefined threshold. If the number exceeds the threshold, the computing device may provide, at a run-time of the application subsequent to presentation of the first request, and based on the application attempting to access the resource, a modified permission request that includes, in addition to the two selectable options, a selectable option to prevent requesting permission to access the resource.

More
Publication date: 11-01-2018

TECHNIQUES FOR METADATA PROCESSING

Number: US20180011708A1
Author: DEHON Andre
Assignee:

Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

1-29. (canceled)
30. A method of processing instructions comprising:
receiving a current instruction for metadata processing performed in a metadata processing domain that is isolated from a code execution domain including the current instruction, and
determining, by the metadata processing domain in connection with metadata for the current instruction, whether to allow execution of the current instruction in accordance with a set of one or more policies, wherein the one or more policies include a set of rules that enforce execution of a complete sequence of instructions in a specified order from a first instruction of the complete sequence to a last instruction of the complete sequence.
31. The method of claim 30, further comprising:
mapping a first shared physical page into a first virtual address space of a first process; and
mapping the first shared physical page into a second virtual address space for a second process, said first shared physical page including a plurality of memory locations, wherein each of the plurality of memory locations is associated with one of a plurality of global metadata tags used in connection with rule processing in the metadata processing domain.
32. The method of claim 31, wherein the plurality of global metadata tags ...

More
Publication date: 14-01-2016

MALWARE DETECTION SYSTEM AND METHOD FOR COMPRESSED DATA ON MOBILE PLATFORMS

Number: US20160012227A1
Assignee:

A system and method for detecting malware in compressed data. The system and method identify a set of search strings extracted from compressed executables, each of which is infected with malware from a family of malware. The search strings detect the presence of the family of malware in other compressed executables, fragments of compressed executables, or data streams.

1. A computing device for developing search strings for detecting malware in compressed data, the device comprising:
a non-transitory memory having stored thereon a plurality of malware-infected executables infected with a family of malware, wherein each of the plurality of malware-infected executables comprises a respective compressed code portion; and
a hardware-based processor configured to:
extract a plurality of candidate strings from the compressed code portions of the plurality of malware-infected executables;
identify at least one of the plurality of candidate strings that is present in each of the plurality of malware-infected executables as a search string common to the compressed code portions of the plurality of malware-infected executables; and
store the search string common to the plurality of malware-infected executables to a mobile device to cause the mobile device to determine whether target applications including compressed code portions are infected with malware based at least in part on the search string.
2. The computing device of claim 1, wherein the hardware-based processor is configured to extract candidate strings from uncompressed header portions of the plurality of malware-infected executables.
3. The computing device of claim 1, wherein the candidate strings are extracted from non-ASCII portions of the compressed code portions of the plurality of malware-infected executables.
4. The computing device of claim 1, wherein the hardware-based processor is configured to identify a plurality of search strings common to the compressed code portions of the plurality of ...

More
Publication date: 14-01-2016

IDENTIFICATION OF BACKDOORS AND BACKDOOR TRIGGERS

Number: US20160012228A1
Assignee:

Disclosed are devices, systems, apparatus, methods, products, media, and other implementations, including a method that includes computing, for one or more inputs of a circuit, associated metrics representative of the degree of influence that values of each of the one or more inputs have on at least one output dependent on the one or more inputs, and determining, based at least in part on the computed metrics associated with the one or more inputs, whether the at least one output dependent on the one or more inputs is part of a potentially malicious implementation.

1. A method comprising:
computing for one or more inputs of a circuit associated metrics representative of degree of influence that values of each of the one or more inputs have on at least one output dependent on the one or more inputs; and
determining based, at least in part, on the computed metrics associated with the one or more inputs whether the at least one output dependent on the one or more inputs is part of a potentially malicious implementation.
2. The method of claim 1, wherein determining based, at least in part, on the computed metrics associated with the one or more inputs whether the at least one output dependent on the one or more inputs is part of a potentially malicious implementation comprises:
identifying from the one or more inputs, from which the at least one output is dependent, at least one malicious triggering input configured to trigger malicious behavior of the potentially malicious implementation.
3. The method of claim 1, wherein the potentially malicious implementation comprises a potential electronic backdoor implementation.
4. The method of claim 1, wherein computing for the one or more inputs of the circuit the associated metrics comprises:
generating a truth table for the one or more inputs and the at least one output dependent on the one or more inputs, the truth table including at least some combinations of input values for the one or more ...

More
Publication date: 14-01-2016

Protection Against Return Oriented Programming Attacks

Number: US20160012229A1
Author: Fischer Stephen A.
Assignee:

In one embodiment, a processor includes at least one execution unit. The processor also includes Return Oriented Programming (ROP) logic coupled to the at least one execution unit. The ROP logic may validate a return pointer stored on a call stack based on a secret ROP value. The secret ROP value may only be accessible by the operating system.

1. A processor comprising:
a core including a fetch unit to fetch instructions, a decode unit to decode the fetched instructions, at least one execution unit to execute one or more of the decoded instructions and a first logic comprising at least one hardware circuit coupled to the at least one execution unit, the first logic to:
generate a check value based on a secret value responsive to a first instruction of an instruction set architecture (ISA);
push the check value onto a call stack associated with a return pointer;
pop the return pointer and the check value off the call stack responsive to a second instruction of the ISA; and
determine whether the check value is valid based on a comparison to a validation check value.
2. The processor of claim 1, wherein the secret value is only accessible to an operating system, the secret value to be generated at a beginning of a session and stored in a secure location.
3. The processor of claim 2, wherein the secret value corresponds to a salt value based on a ROP security level.
4. The processor of claim 1, wherein, in response to determination that the check value is valid, the processor is to resume execution at a location specified by the return pointer, and otherwise indicate a possible Return Oriented Programming (ROP) attack.
5. The processor of claim 1, further comprising a control register including at least one bit to indicate whether the first logic is enabled.
6. The processor of claim 1, wherein the first logic is to generate the secret value under control of an operating system, responsive to a third instruction ...

More
Publication date: 11-01-2018

DYNAMIC SECURITY MODULE TERMINAL DEVICE AND METHOD OF OPERATING SAME

Number: US20180012025A1
Author: Ha Young Bin
Assignee:

Disclosed herein are a dynamic security module terminal device for receiving a dynamic security module and transmitting a security management event to a security server, and a method of operating the dynamic security module terminal device. The dynamic security module terminal device includes a communication unit configured to transmit and receive a security management event over a network, and a processor configured to control the communication unit. The processor is configured to create a security session with a security server, and to receive the dynamic security module from the security server so that part or all of code of the dynamic security module performing security management has a predetermined valid period.

1. A dynamic security module terminal device for receiving a dynamic security module and transmitting a security management event to a security server, the dynamic security module terminal device comprising:
a communication unit configured to transmit and receive a security management event over a network; and
a processor configured to control the communication unit;
wherein the processor is configured to:
create a security session with a security server; and
receive a dynamic security module from the security server so that part or all of code of the dynamic security module performing security management has a predetermined valid period.
2. The dynamic security module terminal device of claim 1, wherein the processor is further configured to receive a security management examination result value from the security server.
3. The dynamic security module terminal device of claim 1, wherein the dynamic security module is configured to stop running of an application program installed on the terminal device when it is determined that a security problem has occurred in the terminal device as a result of the security management.
4. The dynamic security module terminal device of claim 1, wherein the processor is configured to create the security session by ...

More
Publication date: 10-01-2019

APPARATUS AND METHOD FOR CONTROLLING USE OF BOUNDED POINTERS

Number: US20190012455A1
Author: BARNES Graeme Peter
Assignee:

An apparatus and method are provided for controlling use of bounded pointers. The apparatus has a plurality of bounded pointer storage elements, each bounded pointer storage element being used to store a bounded pointer and associated permission attributes indicative of allowed uses of the bounded pointer. In accordance with the present technique, the associated permission attributes include a copy permission attribute indicating whether the bounded pointer is allowed to be subjected to a copy operation. Processing circuitry is then responsive to at least one instruction that specifies the copy operation, to generate, from a source bounded pointer and associated permission attributes of a source bounded pointer storage element, a destination bounded pointer and associated permission attributes to be stored in a destination bounded pointer storage element. Furthermore, the processing circuitry marks the source bounded pointer storage element as storing an invalid bounded pointer dependent on whether the copy permission attribute of the source bounded pointer indicates that the source bounded pointer is to be prevented from being subjected to the copy operation. This provides an effective mechanism for inhibiting the subversion of control flow integrity when executing software on the apparatus.

1. An apparatus, comprising:
a plurality of bounded pointer storage elements, each bounded pointer storage element to store a bounded pointer and associated permission attributes indicative of allowed uses of the bounded pointer, said associated permission attributes comprising a copy permission attribute indicating whether the bounded pointer is allowed to be subjected to a copy operation; and
processing circuitry, responsive to at least one instruction that specifies the copy operation, to generate, from a source bounded pointer and associated permission attributes of a source bounded pointer storage element, a destination bounded pointer and associated permission attributes ...

More
Publication date: 10-01-2019

RANSOMWARE DETECTION APPARATUS AND OPERATING METHOD THEREOF

Number: US20190012459A1

A ransomware detection apparatus and an operation method thereof are provided. The ransomware detection apparatus may include a frequency converter receiving an OP code currently being executed in a CPU and converting a value of the OP code into a frequency domain to generate a first OP code frequency waveform, a memory storing a second OP code frequency waveform, which is a value obtained by converting the OP code corresponding to a ransomware encryption algorithm into a frequency domain, and a ransomware determiner comparing the first OP code frequency waveform with the second OP code frequency waveform to determine whether ransomware operates.

1. A ransomware detection apparatus comprising:
a frequency converter receiving an OP code currently being executed in a CPU and converting a value of the OP code into a frequency domain to generate a first OP code frequency waveform,
a memory storing a second OP code frequency waveform, which is a value obtained by converting the OP code corresponding to a ransomware encryption algorithm into a frequency domain, and
a ransomware determiner comparing the first OP code frequency waveform with the second OP code frequency waveform to determine whether ransomware operates.
2. The ransomware detection apparatus of claim 1, further comprising:
an OP code decoder receiving a processor trace packet corresponding to a calculation code from the CPU and decoding the processor trace packet into the calculation code, and then outputting the decoded calculation code to the frequency converter.
3. The ransomware detection apparatus of claim 1, wherein:
the ransomware determiner calculates a degree of similarity between the first OP code frequency waveform and the second OP code frequency waveform and determines that ransomware operates when the degree of similarity exceeds a predetermined reference value.
4. The ransomware detection apparatus of claim 3, wherein:
the ransomware determiner compares main frequencies between the first OP code ...

More
Publication date: 10-01-2019

STATIC ANOMALY-BASED DETECTION OF MALWARE FILES

Number: US20190012460A1
Assignee:

A protection application detects and remediates malicious files on a client. The protection application trains models using known samples of static clean files, and the models characterize features of the clean files. A model may be selected based on metadata obtained from a target file. By processing features of the clean files and features of the target file, the model may generate an anomaly score indicating a level of dissimilarity between the target file and the sample. The protection application compares the anomaly score to one or more threshold scores to classify the target file. Additionally, the target file may be provided to a security server to check against a whitelist or blacklist for classification. Responsive to a classification as malicious, the protection application remediates the target file on the client.

1. A method for detecting anomalous files, the method comprising:
determining a plurality of subclasses of a plurality of files on a client;
determining that a subclass of the plurality of subclasses meets a filtering criterion;
selecting a model derived from a training set of clean files belonging to the subclass;
for each file of a subset of the plurality of files belonging to the subclass:
generating, by a processor, an anomaly score of the file by applying the file to the selected model, the anomaly score indicating a level of dissimilarity between features of the file and a plurality of features of the training set of clean files;
classifying the file as anomalous based on the anomaly score; and
remediating the file by the client responsive to the classification of the file.
2. The method of claim 1, further comprising:
determining a mean feature vector of the plurality of features of the training set of clean files; and
wherein the anomaly score is generated by determining distances between the features of the file and the mean feature vector.
3. The method of claim 1, further comprising:
receiving, at the client from a security server, ...

More
Publication date: 14-01-2021

Method for Systematic Collection and Analysis of Forensic Data in a Unified Communications System Deployed in a Cloud Environment

Number: US20210011999A1
Assignee:

A method for systematic collection and analysis of forensic data in a unified communications system deployed in a cloud environment. Three primary forensic components, namely, evidence collectors, a forensic controller and self-forensic investigators, are utilized in the method to interface with the components of the cloud environment and of the unified communications network. The method invokes a cloud evidence collection process which collects footprint data structures continuously at runtime to enable effective real-time collection of cloud forensic evidence and a cloud evidence analyzing process which generates evidence data that can be consumed by standard forensics tools.

1. A method for systematic collection and analysis of forensic data in a unified communications system deployed in a cloud environment, comprising the steps of:
integrating at least one evidence collection mechanism with the unified communications system, wherein said at least one evidence collection mechanism is operative to capture forensic data related to operation of the unified communications system and at least one component in the cloud environment;
generating at least one model which captures the normal behavior of the unified communications system;
monitoring, by at least one intrusion detection system, the unified communications system for an occurrence of an unauthorized action using said captured forensic data and the at least one model;
upon the occurrence of an unauthorized action, transmitting, by said at least one intrusion detection system, an alarm to a forensic controller;
upon the transmission of the alarm to said forensic controller, collecting, by said at least one evidence collection mechanism, said forensic data;
building, by said forensic controller, at least one footprint data structure from the collected forensic data; and
formatting said at least one footprint data structure, wherein the step of formatting enables said at least one footprint data structure to be used by ...

More
Publication date: 14-01-2021

System And Method Of Detecting File System Modifications Via Multi-layer File System State

Number: US20210012000A1
Assignee:

The technology provides for a threat detection system. In this regard, the system may be configured to output file states of a multi-layer file system. For instance, the system may determine, based on the file states for a file, one or more layers of the multi-layer file system in which one or more objects corresponding to the file can be found. Based on the one or more objects corresponding to the file, the system may detect a potential threat. The system may then take an action in response to the potential threat.

1. A method, comprising:
outputting, by one or more processors, file states for a file;
determining, by the one or more processors based on the file states for the file, one or more layers of a multi-layer file system in which one or more objects corresponding to the file can be found;
detecting, by the one or more processors, a potential threat to the multi-layer file system based on the one or more layers in which the one or more objects corresponding to the file are found; and
taking an action in response to the potential threat.
2. The method of claim 1, further comprising:
determining that an object corresponding to the file found in a modifiable image in an upper layer of the multi-layer file system contains modifications to an object corresponding to the file found in a base image in a lower layer of the multi-layer file system,
wherein detecting the potential threat is further based on determining that the object corresponding to the file found in the modifiable image contains modifications to the object corresponding to the file found in the base image.
3. The method of claim 1, further comprising:
determining that none of the one or more objects corresponding to the file is found in a base image in a lower layer of the multi-layer file system,
wherein detecting the potential threat is further based on determining that none of the one or more objects corresponding to the file is found in the base image.
4. The method of claim 3, further comprising: ...

More
Publication date: 14-01-2021

SECURITY MANAGEMENT OF ADVERTISEMENTS AT ONLINE ADVERTISING NETWORKS AND ONLINE ADVERTISING EXCHANGES

Number: US20210012006A1
Assignee:

At an advertising server: adding tracking code to advertisements served by the advertising server, wherein the tracking code is configured to cause web browsers displaying the served advertisements to transmit their contents to a security server. At the security server: scanning the received advertisements to detect presence of malicious code, and storing results of the scanning in a database. At the advertising server: prior to serving a new advertisement that has won in RTB, querying the database for scan results associated with the new advertisement. When the scan results indicate a malicious advertisement, preventing a serving of the new advertisement. When the scan results indicate a safe advertisement, allowing a serving of the new advertisement. When no scan results are available for the new advertisement, adding the tracking code to the new advertisement and serving it, such that its contents are scanned by the security server.

1. A method comprising, at an advertising server that employs RTB (Real-Time Bidding):
(i) prior to serving a new advertisement that has won an RTB process, querying a database for scanning results associated with the new advertisement, to determine if the new advertisement: (a) has been scanned in the past, and includes malicious code, (b) has been scanned in the past, and is devoid of malicious code, or (c) has not been scanned in the past;
(ii) when the new advertisement has been determined to include malicious code, preventing a serving of the new advertisement;
(iii) when the new advertisement has been determined to be devoid of malicious code, allowing a serving of the new advertisement; and
(iv) when the new advertisement has been determined not to have been scanned in the past, adding tracking code to the new advertisement and serving the new advertisement with the added tracking code, such that contents of the new advertisement are scanned.
2. The method according to claim 1, further comprising, prior to (i): adding the ...

More
Publication date: 09-01-2020

Method and system for detecting kernel corruption exploits

Number: US20200012787A1

Methods and systems provide for detecting exploitation of kernel vulnerabilities which typically corrupt memory. The methods and systems are implemented, for example, via a host, which includes a hypervisor, which controls the operating system (OS) user space and the OS kernel space.

More
Publication date: 11-01-2018

System, Apparatus And Method For Using Malware Analysis Results To Drive Adaptive Instrumentation Of Virtual Machines To Improve Exploit Detection

Number: US20180013770A1
Author: Osman Abdoul Ismael
Assignee: FireEye Inc

According to one embodiment, a computerized method operates by configuring a virtual machine operating within an electronic device with a first instrumentation for processing of a suspicious object. In response to detecting a type of event during processing of the suspicious object within the virtual machine, the virtual machine is automatically reconfigured with a second instrumentation that is different from the first instrumentation in efforts to achieve reduced configuration time and/or increased effectiveness in exploit detection.

More
Publication date: 10-01-2019

IoT and PoS Anti-Malware Strategy

Number: US20190014138A1
Assignee: McAfee LLC

Methods, apparatus, systems, and articles of manufacture for IoT and PoS anti-malware are disclosed. An example method includes detecting a combination of function calls. Whether the combination of function calls is a forbidden combination of function calls for the device is determined based on a limited intended functionality of the device. The forbidden combination of function calls includes a first function call and a second function call. The first function call is allowed in isolation from the second function call. The second function call is allowed in isolation from the first function call. In response to determining that the combination of function calls is forbidden for the device, a responsive action is performed.

More
Publication date: 14-01-2021

SYSTEMS AND METHODS FOR PROTECTING DEVICES FROM MALWARE

Number: US20210014251A1
Assignee:

Disclosed herein are systems and methods for protecting an endpoint device from malware. In one aspect, an exemplary method comprises performing, by a light analysis tool of the endpoint, a light static analysis of a sample; terminating the process and notifying the user when the process is malware; performing light dynamic analysis when the process is not malware based on the light static analysis; when the process is clean based on the light dynamic analysis, enabling the process to execute; when the process is malware, terminating the process and notifying the user; and when the process is a suspicious pattern, suspending the process, setting a level of trust, sending the sample to a sandbox, terminating the process and notifying the user when the process is malware based on the received final verdict, and enabling the process to resume executing when the process is determined as being clean based on the final verdict.

1. A method for protecting an endpoint device from malware, comprising:
performing, by a light analysis tool of the endpoint device, a light dynamic analysis of a received sample of a process being monitored;
when the process is determined as being a suspicious pattern based on the light dynamic analysis, suspending the process, setting or adjusting a level of trust for the sample, sending the sample to a sandbox with a request for a final verdict, receiving the final verdict, and
when the process is determined as being malware based on the received final verdict, terminating the process and notifying a user of the process, and
when the process is determined as being clean based on the received final verdict, enabling the process to resume executing on the endpoint device in accordance with a policy based on the level of trust.
2. The method of claim 1, further comprising when the process is determined as being clean based on the light dynamic analysis, enabling the process to execute on the endpoint device in accordance with the policy.
3. The ...

More
Publication date: 03-02-2022

REAL-TIME MONITORING AND POLICY ENFORCEMENT OF ACTIVE APPLICATIONS AND SERVICES

Number: US20220035909A1
Assignee: Dell Products, L.P.

Embodiments of systems and methods for real-time monitoring and policy enforcement of active applications and services are described. In some embodiments, an Information Handling System (IHS) may include a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the IHS to: provide a hardware-rooted, Operating System (OS)-agnostic resource monitoring agent; receive, at the resource monitoring agent from a remote resource monitoring service via an out-of-band channel, a resource enforcement policy; determine, by the resource monitoring agent, that an application is using or attempting to use a resource in a manner that conflicts with the resource enforcement policy; and stop or prevent the application from using the resource in response to the determination. 1. An Information Handling System (IHS) , comprising:a processor; and provide a hardware-rooted, Operating System (OS)-agnostic resource monitoring agent;', 'receive, at the resource monitoring agent from a remote resource monitoring service via an out-of-band channel, a resource enforcement policy;', 'determine, by the resource monitoring agent, that an application is using or attempting to use a resource in a manner that conflicts with the resource enforcement policy; and', 'stop or prevent the application from using the resource in response to the determination., 'a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the IHS to2. The IHS of claim 1 , wherein the processor comprises an Embedded Controller (EC).3. The IHS of claim 1 , wherein the resource monitoring agent establishes a root-of-trust with a hardware trust module during a boot process.4. The IHS of claim 3 , wherein the hardware trust module comprises a Trusted Platform Module (TPM).5. 
The IHS of claim 1 , wherein the out-of-band channel comprises a Management Engine (ME) channel ...

More
Publication date: 03-02-2022

ENCRYPTION KEY SEED DETERMINATION

Number: US20220035915A1
Assignee:

A computer implemented method for determining a plurality of data sources providing seed parameters for generation of an encryption key by a ransomware algorithm, the method including exposing a target computer system to the ransomware algorithm; and monitoring application programming interface (API) calls made to an operating system of the target computer system to identify a set of API calls for retrieving data about one or more hardware components of the target computer system, the data about the hardware components being determined to constitute the seed parameters.

1. A computer implemented method for determining a plurality of data sources providing seed parameters for generation of an encryption key by a ransomware algorithm, the method comprising: exposing a target computer system to the ransomware algorithm; and monitoring application programming interface (API) calls made to an operating system of the target computer system to identify a set of API calls for retrieving data about one or more hardware components of the target computer system, the data about the one or more hardware components being determined to constitute the seed parameters. 2. The method of claim 1, wherein each of the one or more hardware components includes one or more of: a central processing unit; a memory; a storage device; a peripheral device; a basic input/output subsystem; an output device; an input device; or a network device of the target computer system. 3. The method of wherein the data about the one or more hardware components includes one or more of: a reference number; an identifier; a version; a date; a time; an address; a serial number; or unique information about the hardware component. 4. The method of wherein the monitoring includes using a process monitor to determine which operating system API calls are made. 5. A computer system comprising: exposing a target computer system to the ransomware algorithm; and monitoring application programming interface (API) calls made to an ...

More
Publication date: 03-02-2022

SYSTEM AND METHOD FOR IDENTIFYING COMPROMISED ELECTRONIC CONTROLLER USING INTENTIONALLY INDUCED ERROR

Number: US20220035916A1
Assignee:

A system and method for identifying a compromised controller using an intentional error are provided. The method, performed by an electronic device in a controller area network (CAN), identifies a compromised electronic control unit (ECU) that transmits an attack message on a CAN bus in a periodic transmission cycle. The method includes, in response to detecting the attack message, intentionally transitioning a first ECU among a plurality of ECUs connected to the CAN bus to a bus-off state, and determining whether the first ECU is the compromised ECU based at least in part on a time, predicted from recovery parameters related to the first ECU, at which the first ECU resumes transmission of a CAN message and a time at which the attack message is redetected on the CAN bus.

1. A method, performed by an electronic device in a controller area network (CAN), for identifying a compromised electronic control unit (ECU) that transmits an attack message on a CAN bus in a periodic transmission cycle, the method comprising: in response to detecting the attack message, transitioning a first ECU among a plurality of ECUs connected to the CAN bus to a bus-off state intentionally; and determining whether the first ECU is the compromised ECU based at least in part on a time, which is predicted from recovery parameters related to the first ECU, for when the first ECU resumes a transmission of a CAN message and a time when the attack message is redetected on the CAN bus. 2. The method of claim 1, wherein the transitioning to the bus-off state comprises: transmitting a diagnosis request message corresponding to the first ECU; monitoring the CAN bus to detect an initiation of transmission of a diagnosis response message by the first ECU; and in response to detecting the initiation of transmission of the diagnosis response message, causing a transmission error in the diagnosis response message by transmitting a plurality of dominant bits to the CAN bus until the first ECU ...

More
Publication date: 03-02-2022

JUST IN TIME MEMORY ANALYSIS FOR MALWARE DETECTION

Number: US20220035919A1
Assignee:

Methods and apparatus consistent with the present disclosure may use instrumentation code that remains transparent to an application program that the instrumentation code has been injected into. In certain instances, data sets that include executable code may be received via packetized communications or via other means, such as receiving a file from a data store. The present technique allows a processor executing instrumentation code to monitor actions performed by the program code included in a received data set. Malware may be detected by scanning suspect program code with a malware scanner, by identifying suspicious actions performed by a set of program code, or by a combination of such techniques.

1. A method for analyzing computer data, the method comprising: allowing instructions of a set of computer data to be executed by a processor; monitoring actions performed by the execution of the instructions of the set of computer data, the monitoring performed by the processor executing a set of instrumentation code instructions; pausing execution of the instructions of the computer data based on an identification that the monitored actions include writing data to a memory; comparing a signature generated from the data written to the memory to a malware signature; and performing a corrective action based on an identification that the generated signature matches the malware signature. 2. The method of claim 1, further comprising identifying that the monitored actions correspond to an access pattern of the memory that includes allocating a portion of the memory, wherein the data written to the memory is written to the allocated memory portion. 3. The method of claim 2, further comprising identifying that the monitored actions include de-obfuscating the data written to the memory. 4. The method of claim 1, further comprising generating the signature by scanning the data written to the memory with a deep ...

More
Publication date: 03-02-2022

SYSTEMS AND METHODS FOR AUTOMATICALLY GENERATING MALWARE COUNTERMEASURES

Number: US20220035920A1
Author: THOMAS Winny M.
Assignee:

Malware can be automatically detected and countermeasures automatically generated. A virtual machine (VM) is run with an operating system configured with a monitoring subsystem. The monitoring subsystem is configured to generate event data based on events occurring on the virtual machine. The monitoring subsystem can run within the operating system kernel. Kernel drivers can register to receive specific events. The events are therefore sent to the drivers, which can send them to a classifier. The classifier can detect malware based on the events. When a sample is run on the VM, the classifier can detect malware in the sample. While the sample is running, event data is collected. A countermeasure compiler can generate a countermeasure to the malware, the countermeasure based on the event data.

1. A method comprising: running a virtual machine with an operating system configured with a monitoring subsystem, the monitoring subsystem configured to generate event data based on a plurality of events occurring on the virtual machine; running a classifier configured to detect a malware based on the plurality of events; running a sample on the virtual machine, the classifier detecting the malware in the sample; and running a countermeasure compiler that generates a countermeasure to the malware, the countermeasure based on the event data. 2. The method of wherein the monitoring subsystem is run within a kernel of the operating system. 3. The method of wherein detecting the malware triggers generating the countermeasure. 4. The method of wherein the countermeasure compiler is configured to generate a resource data section and wherein the countermeasure includes a precompiled template populated with the resource data section. 5. The method of claim 1, the classifier configured to: detect the malware based on the sample modifying a tripwire file monitored by the monitoring subsystem, and detect the malware based on the sample modifying a system file monitored by the monitoring subsystem. 6 ...

More
Publication date: 19-01-2017

High Performance Software Vulnerabilities Detection System and Methods

Number: US20170017789A1
Author: Daymont Joshua M.
Assignee:

This invention teaches a system and methods of detecting software vulnerabilities in a computer program by analyzing the compiled code and optionally the source code of the computer program. The invention models compiled software to examine both control flow and data flow properties of the target program. A comprehensive instruction model is used for each instruction of the compiled code, and is complemented by a control flow graph that includes all potential control flow paths of the instruction. A data flow model is used to record the flow of unsafe data during the execution of the program. The system analyzes the data flow model and creates a security finding corresponding to each instruction that calls an unsafe function on unsafe data. The security findings are aggregated in a security report. The system further uses precomputation to improve performance by caching a 1-to-many data flow mapping for each basic block in the code.

1. A software vulnerabilities detection system comprising: a) compiled code and optionally source code that resulted in said compiled code; b) an instruction model for each instruction of said compiled code comprising instruction location, debug information, instruction type and operands of each said instruction; c) a control flow graph for each said instruction comprising all potential control flow paths for each said instruction; d) a data flow model comprising recorded flow of unsafe data as observed during the execution of said compiled code, said data flow model utilizing a precomputation of data flow inputs and outputs associated with a basic block of said compiled code and optionally said source code; e) computing means for analyzing said instruction model, said control flow graph and said data flow model to obtain a security finding for each said instruction that calls an unsafe function on said unsafe data; and f) a security report comprising each said security finding, said security report comprising said debug information and said ...

More
Publication date: 21-01-2016

SYSTEMS AND METHODS FOR VERIFYING THE AUTHENTICITY OF AN APPLICATION DURING EXECUTION

Number: US20160019383A1
Author: Hanley James Patrick
Assignee:

In an embodiment, a system includes an electronic device having memory circuitry configured to store an application comprising a plurality of instructions. The system also includes processing circuitry configured to execute the application and an application authenticity check routine, wherein the application authenticity check routine includes instructions executable by the processing circuitry to use idle processing time to verify an authenticity of the application throughout execution of the application.

1. A system, comprising: an electronic device, comprising: memory circuitry configured to store an application comprising a plurality of instructions; and processing circuitry configured to execute the application and an application authenticity check routine, wherein the application authenticity check routine includes instructions executable by the processing circuitry to use idle processing time to verify an authenticity of the application throughout execution of the application. 2. The system of claim 1, wherein the application authenticity check routine comprises instructions executable by the processing circuitry to determine that the application is authentic when a calculated digest value for the application matches a digest value stored in the application. 3. The system of claim 2, wherein the application authenticity check routine comprises instructions executable by the processing circuitry to alter the application to render the application non-executable by the processing circuitry and to restart the electronic device when the processing circuitry determines that the calculated digest value for the application does not match the digest value stored in the application. 4. The system of claim 1, wherein the processing circuitry comprises a high-security module (HSM), and wherein the HSM is configured to execute the application authenticity check routine to verify the authenticity of the application being executed by other portions of the ...

More
Publication date: 21-01-2016

TRUSTED MONITORING SYSTEM AND METHOD

Number: US20160019384A1
Assignee:

Methods and apparatus for monitoring remotely located objects with a system including at least one master data collection unit, remote sensor units, and a central data collection server are described. The master unit is configured to monitor any object, mobile or stationary, including monitoring multiple remote sensor units associated with the monitored objects. The master unit may be in a fixed location or attached to a mobile object. The master unit is configured for monitoring objects that enter and leave an area. The master unit may act as a parent controller for one or more child devices including remote sensors or monitors of measurable conditions including environmental conditions, substance identification, product identification, and/or biometric identification. The master unit may discover remote sensor units as they enter or leave the area where the master unit is located. The master unit can be remotely reprogrammed, such as with authenticated instructions.

1. A surveillance system comprising: a plurality of sensors configured to provide environmental and spatial data; and an electronic device configured to receive the sampled environmental and spatial data from the sensors, the electronic device further configured to receive monitoring instructions, and to use the received monitoring instructions to process the received environmental and spatial data. 2. The system of claim 1, further comprising a remote device configured to provide the monitoring instructions to the electronic device. 3. The system of claim 1, wherein one or more of the sensors is enclosed within a tamper- and eavesdrop-proof enclosure. 4. The system of claim 1, wherein the monitoring instructions are contained in a script message. 5. The system of claim 1, wherein received monitoring instructions are encrypted and the electronic device is further configured to decrypt the encrypted monitoring instructions. 6. The system of claim 2, wherein the electronic device is further configured to ...

More
Publication date: 15-01-2015

Synthetic processing diversity within a homogeneous processing environment

Number: US20150019844A1
Assignee: Raytheon BBN Technologies Corp

A method of increasing processing diversity on a computer system includes: loading a plurality of instruction streams, each of the plurality of instruction streams being equivalent; executing, in a context, a first stream of the plurality of instruction streams; stopping execution of the first stream at a first location of the first stream; and executing, in the context, a second stream of the plurality of instruction streams at a second location of the second stream, the second location corresponding to the first location of the first stream.

More
Publication date: 15-01-2015

METHODS OF DETECTION OF SOFTWARE EXPLOITATION

Number: US20150020198A1
Assignee:

A method for detecting software exploitation broadly comprises the steps of gathering information about processes and threads executing on a computing device, monitoring instructions executed by a thread that is currently running, and performing the following steps if a function to create a process or a function to load a library is called: examining a thread information block, determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block, and determining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions.

1. A non-transitory computer-readable storage medium with an executable program stored thereon for detecting software exploitation, wherein the program instructs a processing element to perform the following steps: gathering information about processes and threads executing on a computing device; monitoring instructions executed by a thread that is currently running; and performing the following steps if a function to create a process or a function to load a library is called: examining a thread information block, determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block, examining the contents of a plurality of memory addresses, and determining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions. 2. The computer-readable storage medium of claim 1, wherein the information includes the starting address of the thread. 3. The computer-readable storage medium of claim 1, wherein the program further comprises the step of recording in an internal log that the address included in the stack pointer is not in the range of stack addresses if the address included in the stack pointer is not ...

More
Publication date: 15-01-2015

SYSTEM AND METHOD FOR BYPASSING A MALWARE INFECTED DRIVER

Number: US20150020202A1
Assignee:

Aspects of the present disclosure relate to setting up an alternate communication path to a device, resource, file, etc., in order to avoid a potentially infected driver. New drivers may be established as part of the alternate communication path, thereby providing access to a device, resource, etc. using drivers that are known to be clean or, in other words, not infected by a rootkit. In doing so, a rootkit hunter, e.g., antivirus software, antimalware software, etc., may access an infected device, resource, etc. without alerting a rootkit, thereby avoiding activation of the rootkit's defensive mechanisms. In one aspect, an I/O request may be serviced by using the new communication path, bypassing any potentially infected drivers, while another request may be serviced using a previously established communication path. The responses (e.g., data returned, action performed, etc.) to the requests may then be compared.

1. A method comprising: determining a lowest level driver in a driver chain, wherein the driver chain comprises one or more drivers for communicating with a device; locating a trusted copy of the lowest level driver; establishing an alternate communication path to the device, wherein the alternate communication path includes the trusted copy of the lowest level driver; submitting a first request via the alternate communication path; receiving a first response to the first request via the alternate communication path; and based upon the first response, determining that the driver chain is infected with a rootkit. 2. The method of claim 1, further comprising submitting a second request via a previously established communication path, wherein the previously established communication path comprises the driver chain. 3. The method of claim 2, further comprising receiving a second response to the second request via the previously established communication path. 4. The method of claim 3, wherein determining that the driver chain is infected with a ...

More
Publication date: 15-01-2015

Secure protection method and processor

Number: US20150020211A1
Assignee: Andes Technology Corp

A secure protection method executed by a processor is provided. The secure protection method includes the following steps. Perform a security checking before or after executing an instruction according to an instruction security attribute (ISA) of the instruction and a security attribute (SA) of an operational event (OE). Ignore the OE, defer the OE, or raise a security exception when the security checking fails. The OE is generated as a side effect when the processor fetches or executes the instruction, or generated as a monitoring result on the instruction, or generated in response to an external input of the processor.

More
Publication date: 18-01-2018

Notification of Maliciousness Categorization of Application Programs for Mobile Devices

Number: US20180018459A1
Author: Zhai Jinjian, Zhang Liang
Assignee:

An approach near-instantly notifies devices onto which an application program is installed when the application program is identified as malware. An analysis system records application programs installed on devices. When an application program is identified as malware, the analysis system can locate a set of devices onto which the application program is installed. The analysis system notifies these devices near-instantly when the particular application program is identified as malware. Users may be prompted to uninstall the application program from the devices. In addition, the devices may include instrumentation that blocks the application program from performing any malicious behavior. The application program may be identified as malware by malware detection methods that perform static and dynamic analysis of the application program on the analysis system or on mobile devices.

1. A computer-implemented method for protecting mobile devices against malware, comprising: determining, by an analysis system, that an application program is malicious; identifying, by the analysis system, a set of client devices onto which the application program is installed; and notifying, by the analysis system, the set of client devices that the application program is malicious. 2. The computer-implemented method of claim 1, wherein the step of identifying the set of client devices comprises: identifying, by the analysis system, a set of installation records that include the application program ID of the application program, wherein each installation record includes a device ID of a client device and application program IDs for application programs installed on the client device; and determining, by the analysis system, a set of device IDs included in the set of identified installation records. 3. The computer-implemented method of claim 1, wherein an analysis application is installed on at least some of the client devices, and the step of notifying the set of client devices ...

More
Publication date: 18-01-2018

SYSTEMS AND METHODS TO GENERATE A TYPE BASED SELF-ASSEMBLING INDIRECT CONTROL FLOW GRAPH

Number: US20180018466A1
Author: BAJI-GÁL JÁNOS
Assignee:

Using various embodiments, methods and systems for computing a self-assembling indirect control flow graph based on one or more function types and function pointer types are described. In one embodiment the indirect control flow graph is computed by finding one or more function types and function pointer types in source code and/or binary code, computing one or more identifier tags for each type, and classifying functions and function pointers based on the computed tags. In one embodiment, the classification tags can be used in a tag-check-based Control Flow Integrity system. In another embodiment, the classification tags can be used to convert indirect function calls into direct function calls. In yet another embodiment, tag checks can be eliminated in a Control Flow Integrity system.

1-20. (canceled) 21. A system to generate a Type-Based Self-Assembling Indirect Control Flow Graph (TB-SA-ICFG) of a software program, comprising: a memory device; a processing device, having one or more processors, coupled to the memory device and configured to: identify a first vertex of an Indirect Control Flow Graph (ICFG), the first vertex representing an indirect control transfer to a first instruction; determine a first type signature associated with the indirect control transfer; compute a first tag value from the first type signature; identify a second vertex of the ICFG, the second vertex representing a second instruction; determine a second type signature of the second instruction; compute a second tag value from the second type signature; and identify a valid control transfer from the first vertex to the second vertex when it is determined that the first tag value equals the second tag value. 22. The system of claim 21, wherein the processing device is further configured to: insert the first tag value into a first memory location, the first memory location associated with the first vertex of the ICFG; and insert the second tag value into a second memory location, the second memory ...

More