Title of invention: Optimizing performance of integrity monitoring
Abstract: A system, method and computer program product for verifying integrity of a running application program on a computing device. The method comprises: determining entry points into an application program's processing space that impact proper execution and program integrity; mapping data elements reachable from the determined entry points into a memory space of a host system where the application to verify is running; run-time monitoring, in the memory space, potential modification of the data elements in a manner potentially breaching program integrity; and initiating a response to the potential modification. When the run-time monitoring detects that a data transaction, e.g., a write event, reaches a malicious agent's entry point, a corresponding memory hook is triggered and control is passed to a security agent running outside the monitored system. This agent requests the values of the data elements and determines whether previously computed invariants hold true under the set of retrieved data values.
Publication number: US8949797(B2) Publication date: 2015.02.03
Application number: US201012761952 Filing date: 2010.04.16
Applicant: International Business Machines Corporation Inventors: Aaraj Najwa; Christodorescu Mihai; Pendarakis Dimitrios; Sailer Reiner; Schales Douglas L.
Classification: G06F9/44; G06F9/45; G06F21/56; G06F21/55 Main classification: G06F9/44
Agency: Scully, Scott, Murphy & Presser, P.C. Agent: Scully, Scott, Murphy & Presser, P.C.; Young, Esq. Preston J.
Independent claim: 1. A computer-implemented method for verifying integrity of a running application program on a computing device, said method comprising: determining entry points into an application program's processing space that potentially impact data elements of said running application; mapping the data elements reachable from said determined entry points into a memory space of a host system where the application program to verify is running; monitoring, during run-time, said memory space to verify that any modification to a data element does not breach a program state; analyzing the data elements for determining a presence of overlap in security guarantees, the presence of the overlap in the security guarantees indicating data dependency between the data elements; selecting one or more data elements having no data dependency between each other in said security guarantees; monitoring, for said security guarantees, the selected data elements having no data dependency between each other; and initiating a response to one or more of said modification to one or more of the monitored selected data elements when said one or more modification breaches said program state.
Address: Armonk NY US