Title of invention: Security system and method for operating systems
Abstract: A device comprising an operating system to run processes and a middleware layer operable to launch applications. An application launched by the middleware layer is run using one or more processes in the operating system. The operating system has a user layer and a kernel, wherein the processes run in the user layer and interact with other processes running in the user layer through the kernel, the interaction being in response to calls to the kernel made by the processes. The device has one or more policy files defining policies for the interaction of processes with the kernel of the device, and a monitor configured to monitor the interaction of a process with the kernel, to link or associate defined policies to the process, and to read code defined in the policy file or files linked or associated to the process.
Publication number: US9208328(B2) Publication date: 2015.12.08
Application number: US201314051320 Filing date: 2013.10.10
Applicant: Auckland Uniservices Ltd. Inventors: Russello Giovanni; Jimenez Arturo Blas; Naderi Habib; Van Der Mark Wannes
Classification: G06F11/00; G06F21/60; H04L29/06; G06F21/52; G06F21/53 Main classification: G06F11/00
Agency: Schwegman Lundberg & Woessner, P.A. Agent: Schwegman Lundberg & Woessner, P.A.
Main claim: 1. A device comprising an operating system to run processes in a user mode of a lower layer and a middleware layer operable to launch applications of an application layer, wherein an application launched by the middleware layer is run using one or more processes in a user mode of the lower layer in the operating system, the operating system further comprising a kernel operable in a kernel mode of the lower layer, the device further comprising:
a hardware processor;
a security system operating in the user mode of the lower layer comprising:
monitoring entities operating in the user mode of the lower layer, each monitoring entity being configured to monitor a respective process running in the user mode of the lower layer such that each process has a dedicated monitoring entity, each monitoring entity being linked to one or more application-specific security policies of a security policy database accessible to the device that comprises one or more application-specific security policy files defining application-specific security policies for applications in the application layer and/or types of applications in the application layer; and
each monitoring entity being configured to:
detect, directly or indirectly, system call invocations made by its respective process;
determine a security action or actions to control the detected system call invocations based on parameters of the detected system call invocations and the application-specific security policy or policies linked to the monitoring entity; and
execute the determined security action to enforce the linked application-specific security policy or policies;
and wherein the security system is configured to link application-specific security policies to each monitoring entity by:
monitoring for a predefined event or predefined identification threshold after initial launch of the process being monitored by the monitoring entity, the predefined event or predefined identification threshold signifying a state in which the application the process is executing can be definitively identified; and
linking appropriate one or more application-specific security policies of the security policy database to the monitoring entity once the predefined event is detected or predefined identification threshold is reached, such that the linking of the appropriate one or more application-specific security policies to the monitoring entity for enforcement is delayed until the application the process is executing can be definitively identified.
Address: NZ
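The delayed policy linking described in the main claim, as an added illustration in Python that is not the patent's or the applicant's own code: one monitoring entity per process starts under an assumed baseline policy, links the application-specific policy only once an assumed identification event (the process naming itself after its application package via prctl(PR_SET_NAME)) is observed, and from then on decides each system call from its parameters. The policy database, the syscall trace and the identification event are constructed assumptions, not values from the patent.

```python
from dataclasses import dataclass, field
from typing import Optional
# Constructed policy database: app name -> per-syscall rules. "*" is the
# assumed baseline applied before a process has been identified.
POLICY_DB = {
    "*": {"connect": {"allow_ports": []}},
    "com.example.mail": {
        "open": {"deny_prefix": ["/data/data/com.example.bank/"]},
        "connect": {"allow_ports": [443]},
    },
}
@dataclass
class MonitoringEntity:
    """One monitor per process; the app-specific policy is linked lazily."""
    pid: int
    app: Optional[str] = None
    policy: dict = field(default_factory=lambda: POLICY_DB["*"])
    log: list = field(default_factory=list)

    def on_syscall(self, name, args):
        # Assumed identification event: the process names itself after the app
        # package via prctl(PR_SET_NAME); only then is the app-specific policy linked.
        if self.app is None and name == "prctl" and args.get("op") == "PR_SET_NAME":
            self.app = args["name"]
            self.policy = POLICY_DB.get(self.app, POLICY_DB["*"])
            self.log.append(("link", self.app))
            return "allow"
        return self._enforce(name, args)

    def _enforce(self, name, args):
        rule = self.policy.get(name, {})
        if name == "open" and any(args["path"].startswith(p) for p in rule.get("deny_prefix", [])):
            action = "deny"
        elif name == "connect" and args["port"] not in rule.get("allow_ports", []):
            action = "deny"
        else:
            action = "allow"
        self.log.append((name, action))
        return action

SAMPLE_TRACE = [  # constructed syscall trace for a single process
    ("connect", {"port": 443}),                    # not yet identified: baseline applies
    ("prctl", {"op": "PR_SET_NAME", "name": "com.example.mail"}),
    ("open", {"path": "/data/data/com.example.mail/inbox"}),
    ("open", {"path": "/data/data/com.example.bank/secrets"}),
    ("connect", {"port": 8080}),
]

def run_trace(pid, events):
    """Feed a trace to a fresh monitoring entity; return decisions and the monitor."""
    m = MonitoringEntity(pid)
    return [m.on_syscall(n, a) for n, a in events], m
```

The baseline policy for the not-yet-identified window is the practitioner's choice; the claim only requires that the application-specific policy is withheld until identification.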