Title: Systems and methods for monitoring programs
Abstract: A computer-implemented method for monitoring programs may include (1) placing a program within an enclave that includes a protected address space that code outside of the protected address space is restricted from accessing, (2) hooking an application programming interface call within the program in the enclave to monitor the behavior of the program, (3) inserting an enclave entry instruction into code outside of the protected address space that the program accesses through the hooking of the application programming interface call, and (4) monitoring the behavior of the program by executing the program within the enclave in an attempt to force the program to use the hooked application programming interface call in order to access data outside the enclave. Various other methods, systems, and computer-readable media are also disclosed.
Publication number: US9552481 (B1)    Publication date: 2017.01.24
Application number: US201414585233    Filing date: 2014.12.30
Applicant: Symantec Corporation    Inventor: Guo Fanglu
Classification: G06F21/56; G06F21/53; G06F21/54    Main classification: G06F21/56
Agency: Fisherbroyles LLP    Agent: Fisherbroyles LLP
Independent claim: 1. A computer-implemented method for monitoring programs, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising: placing a program within an enclave to perform a security analysis of the program to ascertain whether the program engages in malicious functionality, the enclave comprising a protected address space that code outside of the protected address space is restricted from accessing except through a special central processing unit enclave entry instruction; hooking an application programming interface call within the program in the enclave to monitor the behavior of the program; inserting the enclave entry instruction into code outside of the protected address space that the program accesses through the hooking of the application programming interface call; and monitoring the behavior of the program by executing the program within the enclave in an attempt to force the program to use the hooked application programming interface call in order to access data outside the enclave, wherein: executing the program comprises attempting, by the program, to bypass at least one instruction at an entry point of the application programming interface call; and bypassing the instruction at the entry point of the application programming interface call further causes the program to bypass an enclave exit instruction and trigger an exception that enables revision of the program to perform further hooking and monitoring as part of the security analysis of the program to ascertain whether the program engages in malicious functionality.
Address: Mountain View, CA, US