Kernel mode overflow attack prevention system and method

Information security – Monitoring or scanning of software or data including attack...

Reexamination Certificate


Details

Classification: C726S023000, C726S024000, C726S025000, C713S164000

Document type: Reexamination Certificate

Status: active

Patent number: 07437759

ABSTRACT:
A method includes hooking a critical operating system function, stalling a call to the critical operating system function originating from a call module, determining a location of the call module in a kernel address space of a memory, and determining whether the location is in a driver area of the kernel address space. Upon a determination that the call module is not in the driver area, the method further includes taking protective action to protect a host computer system. In this event, it is highly likely that the call module is malicious code that has been injected into the kernel stack/heap through a malicious kernel mode buffer overflow attack. By taking protective action, exploitation, damage or destruction of the host computer system is prevented.
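The decision the abstract describes, as an added illustration that is not code from the patent: a hook stalls the call, locates the call module from its return address, and forwards the call only when that address falls inside a loaded driver image. The address-space split, the driver map and the hook wrapper are constructed assumptions for the example, not values from the patent.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed 2 GB/2 GB 32-bit layout (hypothetical values): addresses at or
# above KERNEL_BASE belong to the kernel address space.
KERNEL_BASE = 0x80000000
KERNEL_END = 0xFFFFFFFF


@dataclass(frozen=True)
class DriverImage:
    """One loaded driver image; [base, base + size) is its part of the driver area."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed driver map standing in for the loaded-module list (made-up values).
DRIVER_MAP: List[DriverImage] = [
    DriverImage("ntoskrnl.exe", 0x80400000, 0x001F0000),
    DriverImage("hal.dll", 0x80062000, 0x0001C000),
    DriverImage("tcpip.sys", 0xF8A40000, 0x00058000),
]


def find_driver(addr: int, driver_map: List[DriverImage]) -> Optional[DriverImage]:
    """Return the driver image whose range holds addr, or None if no image does."""
    return next((d for d in driver_map if d.contains(addr)), None)


def classify_call(return_address: int, driver_map: List[DriverImage]) -> Tuple[str, Optional[str]]:
    """Classify the stalled call by where its call module sits.

    The return address pushed by the call instruction locates the call module.
    A kernel-space address that lies in no driver image is treated as code
    injected into the kernel stack/heap, so the hook should take protective action.
    """
    if not KERNEL_BASE <= return_address <= KERNEL_END:
        return ("user_mode", None)   # assumption: user-mode callers are out of scope here
    driver = find_driver(return_address, driver_map)
    if driver is None:
        return ("block", None)       # kernel space but outside every driver image
    return ("allow", driver.name)


def hooked_critical_function(return_address: int, real_function, *args):
    """Hook wrapper: stall the call, classify the caller, then forward or refuse it."""
    verdict, _ = classify_call(return_address, DRIVER_MAP)
    if verdict == "block":
        raise PermissionError(f"caller 0x{return_address:08X} is not in the driver area")
    return real_function(*args)
```

A real hook would read the driver map from the loaded-module list at check time, since driver images are loaded and unloaded while the system runs.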

