WO2001037095A1 - Method and system for intercepting an application program interface - Google Patents
- Publication number
- WO2001037095A1 (PCT/US2000/031032)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- address
- call
- intercepted
- library
- routine
- Prior art date
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/14—Protection against unauthorised use of memory or access to memory
- G06F12/1416—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
- G06F12/1425—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block
- G06F12/1441—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block for a range
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/448—Execution paradigms, e.g. implementations of programming paradigms
- G06F9/4482—Procedural
- G06F9/4484—Executing subprograms
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2209/00—Indexing scheme relating to G06F9/00
- G06F2209/54—Indexing scheme relating to G06F9/54
- G06F2209/542—Intercept
Definitions
- the present invention relates generally to a method for
- the present invention relates to a computer system. More specifically, the present invention relates to a
- Procedures or functions are computer programs. A procedure
- a stack is a contiguous block of memory containing data. Its
- CPU Central Processing Unit
- the stack consists of logical stack frames or Procedure
- the stack frame itself contains
- the return address is the instruction pointer of the
- One such objective is inserting an
- attack code in the form of an executable binary code native to the
- Another such objective is to change the return
- Another strategy is to detect buffer
- said operating system including a kernel space and a process
- process space including a user application running in
- process space said user application operative to intercept system calls
- said method comprising the step of examining said intercepted system
- the present invention a method of secure function execution within a
- said operating system including a kernel space and a process
- process space including a user application running in
- said user application operative to intercept library calls
- said method comprising the step of examining said intercepted library
- said operating system including a kernel space and a process
- process space including a user application running in
- said user application operative to intercept library calls
- said method comprising the step of examining said intercepted library
- said operating system including a kernel space and a process
- process space including a user application running in
- said operating system including a kernel space and a process
- process space including a user application running in
- said process memory device further comprises the step of determining
- Fig. 1 is a block diagram of the Secure Function Execution
- system environment generally referenced to as system 100;
- Fig. 2 is a high-level flow diagram of the Secure Function
- Fig. 3 is a high-level flow diagram of the operation of the
- Fig. 4 is a high-level diagram of Secure Function Execution
- Fig. 5 is a high-level flow diagram of the operation of the
- Fig. 6 is a high-level flow diagram of the operation of the
- Fig. 7 is a high-level flow diagram of the Calling Address
- the present invention is related to Israel Patent Application
- system 100 of Fig. 1 may comprise four
- Secure Function Execution Server 116 is the operational center of the Secure Function Execution
- Secure Function Execution Server 116 incorporates the
- API Interception Module 134, 140, 146 and the like are
- Interception Module 134, 140, 146 and the like consist of
- API routine 132, 138, 144 and the like are passive
- API routines 132, 138, 144 and the like are
- FIG. 2 there is provided a high-level flow
- Server 116 initializes the
- step 152 run-time operation in step 152 by constantly monitoring system calls
- SFE Server is also constantly
- step 156 SFE Server responds appropriately to the
- First SFE Server 116 loads System Call Interception
- step 186 For the list of active processes 118, 120, 122 and the like (step 186).
- Server 116 creates a list of valid address ranges for each active
- DLL Dynamic Link Library
- Dynamic Link Library is a set of callable subroutines
- SFE Server will insert API Interception Module 134,
- FIG. 4 is a high-level flow diagram of
- step 160 determines in step 160
- Server determines whether said system call is valid by comparing said
- the SFE Server 116 may terminate the illegal call
- SFE Server 116 may notify a user
- SFE Server 116 may perform another or other series of
- decision in step 162 is negative SFE Server optionally performs any
- step 166 If and when it
- FIG. 5 is a high-level flow diagram of the
- SFE Server 116 determines in step 172 if the
- SFE Server determines whether
- said library call is valid by comparing said library call originating
- detected SFE Server 116 optionally terminates the illegal library
- SFE Server 116 notifies a user
- Server 116 performs any other user predetermined or instructed action
- step 174 If the decision in step 174 is affirmative then SFE Server 116
- process 118 is now operative to intercept calls made to said library calls
- step 172 decision in step 172 is negative SFE Server 116 determines if the
- the Calling Address Validation Routine module may operate in
- Pre-Entry routine may be activated when an API 132 or the
- Calling Address Validation Routine module is executing a set of
- Caller Routine also includes caller Application
- the stack frame is a dynamic area of the process
- stack segment is a dynamic area of memory belonging to a process.
- step 192 the caller Routine calling address is calculated (step 192) and
- step 194 it is determined whether
- Fig. 7 is a high-level flow
- Routine return address is significantly faster and more accurate.
- Such determination is accomplished by comparing said caller
- Pre-Entry routine or the like notifies SFE Server 116 or the like about
- step 210 and step 212 the result of the examination.
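The two mechanisms the definitions above sketch, the SFE Server building a per-process table of valid address ranges from the loaded modules and the Calling Address Validation Routine comparing a caller's return address against that table before an intercepted API is allowed to proceed, are written out below as an added example. It is not code from the patent or from the SFE system it describes. The maps-style module listing, the module names and every address in it are constructed for the demo, and the return address that a real pre-entry hook would read from the caller's stack frame is passed in as a parameter so each case can be exercised offline.

```c
/* Added example, not the patent's code: the caller-address check the patent's
 * Calling Address Validation Routine performs, written out in C.  The SFE
 * Server's per-process table of valid code ranges is built here from a
 * constructed maps-style listing (invented addresses, not real load addresses);
 * the return address the hooked API entry would read from the caller's stack
 * frame is passed in as a parameter so every case can be exercised offline. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RANGES 16

typedef struct {
    char      name[64];   /* module the executable mapping belongs to */
    uintptr_t lo, hi;     /* [lo, hi): inclusive start, exclusive end */
} code_range_t;

typedef struct {
    code_range_t ranges[MAX_RANGES];
    int          count;
    uintptr_t    stack_lo, stack_hi;   /* the "[stack]" mapping, if one was listed */
} range_table_t;

typedef enum { CALL_VALID = 0, CALL_FROM_STACK = 1, CALL_UNKNOWN_ORIGIN = 2 } verdict_t;

/* Constructed module listing for the demo, in /proc/<pid>/maps style:
 * start-end perms name.  Only the r-x mappings are code a caller may live in. */
static const char demo_maps[] =
    "00400000-00406000 r-xp /demo/app.exe\n"
    "00406000-00408000 rw-p /demo/app.exe\n"
    "7c800000-7c8f6000 r-xp kernel32.dll\n"
    "7c8f6000-7c900000 rw-p kernel32.dll\n"
    "77f50000-77ff7000 r-xp ntdll.dll\n"
    "0012e000-00130000 rw-p [stack]\n";

/* Register one code range; -1 if the table is full or the range is empty. */
int register_range(range_table_t *t, const char *name, uintptr_t lo, uintptr_t hi) {
    if (t->count >= MAX_RANGES || lo >= hi) return -1;
    code_range_t *r = &t->ranges[t->count++];
    snprintf(r->name, sizeof r->name, "%s", name);
    r->lo = lo;
    r->hi = hi;
    return 0;
}

/* Parse a maps-style listing: executable mappings become valid code ranges,
 * the [stack] mapping is remembered so calls from it can be named as such.
 * Returns the number of code ranges registered, or -1 on a malformed line. */
int load_ranges(range_table_t *t, const char *maps) {
    memset(t, 0, sizeof *t);
    for (const char *p = maps; *p; ) {
        unsigned long lo, hi;
        char perms[8], name[64];
        if (sscanf(p, "%lx-%lx %7s %63s", &lo, &hi, perms, name) != 4) return -1;
        if (strcmp(name, "[stack]") == 0) {
            t->stack_lo = lo;
            t->stack_hi = hi;
        } else if (perms[2] == 'x' && register_range(t, name, lo, hi) != 0) {
            return -1;
        }
        p = strchr(p, '\n');
        if (!p) break;
        p++;
    }
    return t->count;
}

/* Name of the module whose code range contains addr, or NULL if none does. */
const char *lookup_range(const range_table_t *t, uintptr_t addr) {
    for (int i = 0; i < t->count; i++)
        if (addr >= t->ranges[i].lo && addr < t->ranges[i].hi)
            return t->ranges[i].name;
    return NULL;
}

/* The pre-entry check.  In a real intercept module ret_addr is the return
 * address in the caller's stack frame (on x86 the word at [esp] on entry, or
 * __builtin_return_address(0) in GCC/Clang); a return address inside the stack
 * means the API was called from injected code, the pattern the patent targets. */
verdict_t validate_caller(const range_table_t *t, uintptr_t ret_addr) {
    if (ret_addr >= t->stack_lo && ret_addr < t->stack_hi)
        return CALL_FROM_STACK;
    if (lookup_range(t, ret_addr) != NULL)
        return CALL_VALID;
    return CALL_UNKNOWN_ORIGIN;   /* heap, unmapped memory or an unregistered module */
}

const char *verdict_name(verdict_t v) {
    if (v == CALL_VALID) return "valid";
    if (v == CALL_FROM_STACK) return "ILLEGAL (caller on stack)";
    return "ILLEGAL (caller outside any module)";
}

/* Table built once from the constructed listing above. */
const range_table_t *demo_table(void) {
    static range_table_t t;
    static int loaded = 0;
    if (!loaded) loaded = load_ranges(&t, demo_maps) >= 0;
    return &t;
}

int main(void) {
    const range_table_t *t = demo_table();
    const uintptr_t probes[] = { 0x7c801234u, 0x0012f800u, 0x00300000u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("return address %08lx -> %s\n", (unsigned long)probes[i],
               verdict_name(validate_caller(t, probes[i])));
    return 0;
}
```

Two practitioner caveats apply to any implementation of this check. First, the table must be rebuilt whenever a module is loaded or unloaded in the monitored process, or a legitimate call from a freshly loaded DLL will be flagged and a call from a stale, now-unmapped range will pass. Second, the check only catches calls whose return address lies outside registered code, that is, shellcode executing from the stack or heap; a return-into-libc or ROP chain forges a return address that points into a legitimate module and passes this test unchanged, so caller-address validation is a complement to, not a replacement for, non-executable stacks and control-flow integrity.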
Abstract
Description
Claims
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU15986/01A AU1598601A (en) | 1999-11-14 | 2000-11-10 | Method and system for intercepting an application program interface |
JP2001539121A JP2003515219A (en) | 1999-11-14 | 2000-11-10 | Method and system for inhibiting application program interface |
EP00978530A EP1236114A1 (en) | 1999-11-14 | 2000-11-10 | Method and system for intercepting an application program interface |
Applications Claiming Priority (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
IL132916 | 1999-11-14 | ||
IL13291699A IL132916A (en) | 1999-11-14 | 1999-11-14 | Method and system for intercepting an application program interface |
US09/561,395 US6823460B1 (en) | 1999-11-14 | 2000-04-28 | Method and system for intercepting an application program interface |
US09/561,395 | 2000-04-28 | ||
CA002386100A CA2386100A1 (en) | 1999-11-14 | 2002-05-13 | Method and system for intercepting application program interface |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2001037095A1 true WO2001037095A1 (en) | 2001-05-25 |
Family
ID=72714002
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2000/031032 WO2001037095A1 (en) | 1999-11-14 | 2000-11-10 | Method and system for intercepting an application program interface |
Country Status (5)
Country | Link |
---|---|
EP (1) | EP1236114A1 (en) |
JP (1) | JP2003515219A (en) |
AU (2) | AU1598601A (en) |
CA (1) | CA2386100A1 (en) |
WO (1) | WO2001037095A1 (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPWO2005029328A1 (en) * | 2003-09-18 | 2007-11-15 | 有限会社 電机本舗 | Operating system and recording medium recording the same |
US8079039B2 (en) * | 2007-03-09 | 2011-12-13 | Microsoft Corporation | Isolating, managing and communicating with user interface elements |
CN102799493A (en) * | 2012-06-21 | 2012-11-28 | 北京伸得纬科技有限公司 | Method for intercepting target progress with self-protection |
KR101244731B1 (en) * | 2012-09-11 | 2013-03-18 | 주식회사 안랩 | Apparatus and method for detecting malicious shell code by using debug event |
CN103970559B (en) * | 2013-02-05 | 2017-09-29 | 北京壹人壹本信息科技有限公司 | A kind of equipment loading method and device based on android system |
JP7036106B2 (en) | 2017-02-22 | 2022-03-15 | 日本電気株式会社 | Information processing equipment, information processing system, monitoring method, and program |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5974549A (en) * | 1997-03-27 | 1999-10-26 | Soliton Ltd. | Security monitor |
2000
- 2000-11-10 JP JP2001539121A patent/JP2003515219A/en not_active Withdrawn
- 2000-11-10 EP EP00978530A patent/EP1236114A1/en not_active Withdrawn
- 2000-11-10 AU AU15986/01A patent/AU1598601A/en not_active Abandoned
- 2000-11-10 WO PCT/US2000/031032 patent/WO2001037095A1/en not_active Application Discontinuation
2002
- 2002-05-13 CA CA002386100A patent/CA2386100A1/en not_active Abandoned
- 2002-06-20 AU AU48883/02A patent/AU768758B2/en not_active Expired
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5577209A (en) * | 1991-07-11 | 1996-11-19 | Itt Corporation | Apparatus and method for providing multi-level security for communication among computers and terminals on a network |
US5940591A (en) * | 1991-07-11 | 1999-08-17 | Itt Corporation | Apparatus and method for providing network security |
US5826014A (en) * | 1996-02-06 | 1998-10-20 | Network Engineering Software | Firewall system for protecting network elements connected to a public network |
US6061798A (en) * | 1996-02-06 | 2000-05-09 | Network Engineering Software, Inc. | Firewall system for protecting network elements connected to a public network |
US5832228A (en) * | 1996-07-30 | 1998-11-03 | Itt Industries, Inc. | System and method for providing multi-level security in computer devices utilized with non-secure networks |
US6067620A (en) * | 1996-07-30 | 2000-05-23 | Holden; James M. | Stand alone security device for computer networks |
US6088804A (en) * | 1998-01-12 | 2000-07-11 | Motorola, Inc. | Adaptive system and method for responding to computer network security attacks |
US6185689B1 (en) * | 1998-06-24 | 2001-02-06 | Richard S. Carson & Assoc., Inc. | Method for network self security assessment |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1361496A2 (en) * | 2002-05-06 | 2003-11-12 | Symantec Corporation | Alteration of executable code module load locations |
EP1361496A3 (en) * | 2002-05-06 | 2004-04-07 | Symantec Corporation | Alteration of executable code module load locations |
US7155741B2 (en) | 2002-05-06 | 2006-12-26 | Symantec Corporation | Alteration of module load locations |
WO2004075060A1 (en) * | 2003-02-21 | 2004-09-02 | Tabei, Hikaru | Computer virus detection device |
JPWO2004075060A1 (en) * | 2003-02-21 | 2006-06-01 | 田部井 光 | Computer virus judgment method |
US7624449B1 (en) | 2004-01-22 | 2009-11-24 | Symantec Corporation | Countering polymorphic malicious computer code through code optimization |
WO2006047148A1 (en) * | 2004-10-25 | 2006-05-04 | Matsushita Electric Industrial Co. Ltd. | Security architecture and mechanism to access and use security components in an operating system |
CN100346611C (en) * | 2005-06-30 | 2007-10-31 | 西安交通大学 | Invading detection method based on stack pattern in Linux environment |
US7739740B1 (en) | 2005-09-22 | 2010-06-15 | Symantec Corporation | Detecting polymorphic threats |
WO2008056944A1 (en) * | 2006-11-07 | 2008-05-15 | Softcamp Co., Ltd. | Confirmation method of api by the information at call-stack |
EP2840497A4 (en) * | 2012-04-19 | 2015-11-11 | Uni Politècnica De Catalunya | Method, system and an executable piece of code for the virtualisation of a hardware resource associated with a computer system |
Also Published As
Publication number | Publication date |
---|---|
AU4888302A (en) | 2002-12-05 |
AU1598601A (en) | 2001-05-30 |
EP1236114A1 (en) | 2002-09-04 |
AU768758B2 (en) | 2004-01-08 |
CA2386100A1 (en) | 2003-11-13 |
JP2003515219A (en) | 2003-04-22 |
Similar Documents
Publication | Title |
---|---|
US6412071B1 (en) | Method for secure function execution by calling address validation |
US8661541B2 (en) | Detecting user-mode rootkits |
US7779062B2 (en) | System for preventing keystroke logging software from accessing or identifying keystrokes |
CN103886252B (en) | Software Code Malicious Selection Evaluation Executed In Trusted Process Address Space |
US8307432B1 (en) | Generic shellcode detection |
US5974549A (en) | Security monitor |
US7251830B1 (en) | Process-based selection of virus detection actions system, method and computer program product |
US7934261B1 (en) | On-demand cleanup system |
US20070050848A1 (en) | Preventing malware from accessing operating system services |
US7823201B1 (en) | Detection of key logging software |
AU2006210698B2 (en) | Intrusion detection for computer programs |
US7665139B1 (en) | Method and apparatus to detect and prevent malicious changes to tokens |
US20070250927A1 (en) | Application protection |
US7797702B1 (en) | Preventing execution of remotely injected threads |
US8539578B1 (en) | Systems and methods for defending a shellcode attack |
US20070079375A1 (en) | Computer Behavioral Management Using Heuristic Analysis |
US7251735B2 (en) | Buffer overflow protection and prevention |
KR20180032566A (en) | Systems and methods for tracking malicious behavior across multiple software entities |
US9659173B2 (en) | Method for detecting a malware |
EP1236114A1 (en) | Method and system for intercepting an application program interface |
EP2038753A1 (en) | Identifying malware in a boot environment |
CN110119619B (en) | System and method for creating anti-virus records |
US8910283B1 (en) | Firmware-level security agent supporting operating system-level security in computer system |
WO2019133637A1 (en) | Detection of exploitative program code |
EP1236115A1 (en) | Method for secure function execution by calling address validation |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A1; designated state(s): AU CA JP |
AL | Designated countries for regional patents | Kind code of ref document: A1; designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR |
121 | EP: the EPO has been informed by WIPO that EP was designated in this application | |
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (PCT application filed before 20040101) | |
ENP | Entry into the national phase | Ref country code: JP; ref document number: 2001 539121; kind code of ref document: A; format of ref document f/p: F |
WWE | WIPO information: entry into national phase | Ref document number: 2000978530; country of ref document: EP |
WWP | WIPO information: published in national office | Ref document number: 2000978530; country of ref document: EP |
WWW | WIPO information: withdrawn in national office | Ref document number: 2000978530; country of ref document: EP |