Detecting and preventing malcode execution

Information security – Monitoring or scanning of software or data including attack... – Intrusion detection

Reexamination Certificate


Details

C713S164000, C713S188000, C726S025000

active

07971255

ABSTRACT:
A system for detecting and halting execution of malicious code includes a kernel-based system call interposition mechanism and a libc function interception mechanism. The kernel-based system call interposition mechanism detects a system call request from an application, determines a memory region from which the system call request emanates, and halts execution of the code responsible for the call request if the memory region from which the system call request emanates is a data memory region. The libc function interception mechanism maintains an alternative wrapper function for each of the relevant standard libc routines, intercepts a call from an application to one or more libc routines and redirects the call into the corresponding alternative wrapper function.
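The check the abstract describes, written out here as an added illustration that is not the patent's own code or any implementation of it: a simulated interposition point parses a memory map in /proc/<pid>/maps layout and allows a system call only when the address it was issued from lies in an executable mapping, halting (here: denying) when the caller sits in a writable, non-executable region such as the stack or heap. The map contents, addresses, and the `wrapped_libc_call` helper standing in for the libc wrapper are all constructed for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str  # e.g. "r-xp": readable, not writable, executable, private
    name: str   # backing file, or a pseudo-name such as [heap] or [stack]

# Constructed sample in /proc/<pid>/maps layout; not captured from a real process.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/sbin/httpd
00651000-00652000 r--p 00051000 08:01 1234 /usr/sbin/httpd
00652000-00655000 rw-p 00052000 08:01 1234 /usr/sbin/httpd
01a00000-01a21000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c1c2000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7ffd4e2a0000-7ffd4e2c1000 rw-p 00000000 00:00 0 [stack]
"""
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")

def parse_maps(text: str) -> list[Mapping]:
    """Parse maps-format lines into Mapping records; malformed lines are skipped."""
    maps = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            maps.append(Mapping(int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    return maps

def find_mapping(maps: list[Mapping], addr: int) -> Mapping | None:
    return next((m for m in maps if m.start <= addr < m.end), None)

def check_syscall(maps: list[Mapping], caller: int, name: str) -> tuple[bool, str]:
    """Policy from the abstract: allow the call only if the instruction that issued it
    lies in an executable mapping; any other origin is treated as injected code."""
    m = find_mapping(maps, caller)
    if m is None:
        return False, f"{name}: caller {caller:#x} is outside every mapping; halt"
    if "x" not in m.perms:
        return False, f"{name}: caller {caller:#x} is in data region {m.name} ({m.perms}); halt"
    return True, f"{name}: caller {caller:#x} is in code region {m.name}"

def wrapped_libc_call(maps: list[Mapping], routine, caller: int, *args):
    """Stand-in for the libc wrapper: apply the same check, then dispatch."""
    allowed, reason = check_syscall(maps, caller, routine.__name__)
    if not allowed:
        raise PermissionError(reason)
    return routine(*args)
```

In the real mechanism the caller address is taken by the kernel from the user-space return address at the time of the trap (or by the wrapper from its own return address), not passed in as a parameter as it is here.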

