-
Publication (announcement) number: US08949797B2
Publication (announcement) date: 2015-02-03
Application number: US12761952
Filing date: 2010-04-16
CPC classification: G06F21/566 , G06F21/554 , G06F21/563
Abstract: A system, method and computer program product for verifying integrity of a running application program on a computing device. The method comprises: determining entry points into an application program's processing space that impact proper execution impact program integrity; mapping data elements reachable from the determined entry points into a memory space of a host system where the application to verify is running; run-time monitoring, in the memory space, potential modification of the data elements in a manner potentially breaching program integrity; and initiating a response to the potential modification. The run-time monitoring detects when a data transaction, e.g., a write event, reaches a malicious agent's entry point, a corresponding memory hook is triggered and control is passed to a security agent running outside the monitored system. This agent requests the values of the data elements, and determines if invariants that have been previously computed hold true or not under the set of retrieved data values.
-
Publication (announcement) number: US20110258610A1
Publication (announcement) date: 2011-10-20
Application number: US12761952
Filing date: 2010-04-16
CPC classification: G06F21/566 , G06F21/554 , G06F21/563
Abstract: A system, method and computer program product for verifying integrity of a running application program on a computing device. The method comprises: determining entry points into an application program's processing space that impact proper execution impact program integrity; mapping data elements reachable from the determined entry points into a memory space of a host system where the application to verify is running; run-time monitoring, in the memory space, potential modification of the data elements in a manner potentially breaching program integrity; and initiating a response to the potential modification. The run-time monitoring detects when a data transaction, e.g., a write event, reaches a malicious agent's entry point, a corresponding memory hook is triggered and control is passed to a security agent running outside the monitored system. This agent requests the values of the data elements, and determines if invariants that have been previously computed hold true or not under the set of retrieved data values.
-