This invention pertains generally to computer security, and more specifically to enforcing application management on a computer without requiring direct interaction with the operating system.
Computer security software, such as policy enforcement and configuration management solutions, typically requires deployment of an agent within the operating system of the computer being protected. However, the act of agent deployment itself assumes the existence of a level of control and management over the computers to be protected which often does not exist. It is the very computers for which such control is not available that are most in need of protection.
Active management technology (AMT), such as Intel's vPro AMT, is a hardware-based technology that provides a runtime environment separate from and independent of the main general-purpose operating system. AMT typically uses a secondary processor on the motherboard of a computer to enable "out of band" interaction with the main operating system. In addition to running independently of the general-purpose operating system, the AMT environment can be communicated with independently. It would be desirable to leverage the AMT environment to address the computer security shortcomings discussed above.
Application authorization management is provided without installation of an agent at an operating system level. A component runs outside of the operating system, in an AMT environment. AMT is utilized to examine the operating system for applications. Identified applications are checked against a whitelist or a blacklist. Responsive to determining that an identified application is not authorized, AMT is used to redirect input/output requests targeting the application to an alternative image, which can, for example, warn the user that the application is not authorized.
The features and advantages described in this summary and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.
The Figures depict embodiments of the present invention for purposes of illustration only. One skilled in the art will readily recognize from the following discussion that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the invention described herein.
As illustrated in
Responsive to determining that an application 109 is not legitimate, the security component 101 uses the block input/output (I/O) virtualization feature of AMT 103 to manage the application 109. More specifically, when the security component 101 identifies a suspect application 109, it uses AMT block virtualization to remap the blocks containing the application file 109 (or, in some embodiments, its file table entry, e.g., its MFT record), such that the security component 101 provides an alternative "image" 115 of the file 109 to the operating system 107 through the AMT 103. In other words, I/O requests for the file table entry record or its related sectors are redirected to alternative sectors on which the alternative image 115 is stored. In some embodiments, the alternative image 115 is stored on the same physical disk as the original file 109 (which remains unmoved and unmodified). In other embodiments, the alternative image 115 is stored remotely (not illustrated). The redirected alternative image 115 can comprise, for example, no-operation (NOP) code, or code that notifies the user that the application 109 is not approved for execution on the computer 105. It is to be understood that file table entries have different internal formats depending on the file system (e.g., FAT and NTFS (MFT) under Windows, inodes under Linux, etc.). All such file system formats are within the scope of different embodiments of the present invention.
It is to be understood that an alternative image 115 is typically specific to a given set of operating systems (e.g., Windows, Linux, etc.). For example, Linux code to notify the user that the application 109 is not approved would not likely run under Windows, etc. To address this, a group of alternative images 115 can be maintained, one (or more) for each supported platform. Because only so many operating system sets would likely be supported, the number of alternative images 115 used in the various embodiments would be very manageable.
Note that the main operating system 107 does not contain any type of agent, nor is it aware that the underlying translation occurs. Note further that no changes are actually made to the file system. Instead, the security component 101 simply redirects I/O requests for the application 109 to the alternative image 115.
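The whitelist check and the sector remapping described above, worked through as an added example that is not part of the patent or of any AMT implementation. It is a constructed simulation: `Disk`, `FileEntry` and `BlockRedirector` are hypothetical stand-ins for the physical disk, the file table and the AMT block virtualization layer; the files, the per-platform alternative images and the approved-hash whitelist are constructed inline; and the redirection is expressed as an LBA-to-LBA table that the operating system's read path consults without knowing it exists. It also covers two details a practitioner would want: the file is hashed from the unredirected (out-of-band) view of the disk, and a file that occupies more sectors than its alternative image has the remaining sectors mapped to a NOP filler sector.

```python
# Constructed simulation of application control by out-of-band block I/O
# redirection.  Added example code, not the patent's implementation: Disk,
# FileEntry and BlockRedirector are hypothetical stand-ins for the physical
# disk, the file-system table and the AMT block virtualization layer.
import hashlib
from dataclasses import dataclass

SECTOR_SIZE = 16  # tiny sectors keep the constructed disk readable


class Disk:
    """Physical disk: fixed-size sectors addressed by LBA."""

    def __init__(self):
        self.sectors = []

    def allocate(self, data):
        """Store data in fresh whole sectors (zero padded); return the LBAs used."""
        start = len(self.sectors)
        for off in range(0, len(data), SECTOR_SIZE):
            self.sectors.append(data[off:off + SECTOR_SIZE].ljust(SECTOR_SIZE, b"\x00"))
        return list(range(start, len(self.sectors)))

    def read(self, lba):
        return self.sectors[lba]


@dataclass
class FileEntry:
    """Minimal file-table record: name, byte length, sector run, OS family."""
    name: str
    size: int
    lbas: list
    platform: str


class BlockRedirector:
    """Stand-in for the AMT block virtualization layer: the OS reads through
    os_read() and never sees the remap table; the out-of-band component reads
    the disk as it really is through oob_read()."""

    def __init__(self, disk):
        self.disk = disk
        self.remap = {}  # original LBA -> LBA actually served to the OS

    def os_read(self, lba):
        return self.disk.read(self.remap.get(lba, lba))

    def oob_read(self, lba):
        return self.disk.read(lba)


def read_entry(read, entry):
    """Read a file through the given sector-read function; drop sector padding."""
    return b"".join(read(lba) for lba in entry.lbas)[:entry.size]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def enforce(redir, file_table, whitelist, alt_images, filler_lba):
    """Hash each file from the unredirected disk and redirect the sectors of
    any file whose digest is not whitelisted to its platform's alternative
    image.  File sectors beyond the end of that image map to a NOP filler
    sector, so every original LBA has a replacement.  The file-table entry is
    untouched, so the OS still sees the original length."""
    blocked = []
    for entry in file_table:
        # Hash the out-of-band view: once redirected, the OS view of a blocked
        # file is the alternative image and must not be what gets checked.
        if sha256_hex(read_entry(redir.oob_read, entry)) in whitelist:
            continue
        alt = alt_images[entry.platform]
        for i, lba in enumerate(entry.lbas):
            redir.remap[lba] = alt[i] if i < len(alt) else filler_lba
        blocked.append(entry.name)
    return blocked


def build_scenario():
    """Constructed disk: an approved and an unapproved Windows program, one
    notification image per supported platform, and a NOP filler sector."""
    disk = Disk()
    calc = b"MZ calc: approved program v1.0"
    rogue = b"MZ unapproved tool, not on the list"
    table = [FileEntry("calc.exe", len(calc), disk.allocate(calc), "windows"),
             FileEntry("rogue.exe", len(rogue), disk.allocate(rogue), "windows")]
    alt_images = {"windows": disk.allocate(b"BLOCKED: not approved here"),
                  "linux": disk.allocate(b"#!/bin/sh\necho 'not approved'; exit 1\n")}
    filler_lba = disk.allocate(b"\x90" * SECTOR_SIZE)[0]
    whitelist = {sha256_hex(calc)}  # approval is by content hash, not file name
    return disk, BlockRedirector(disk), table, whitelist, alt_images, filler_lba


def run_enforcement():
    """Apply the policy; report what the OS sees versus what is on disk."""
    disk, redir, table, whitelist, alt_images, filler_lba = build_scenario()
    before = list(disk.sectors)
    blocked = enforce(redir, table, whitelist, alt_images, filler_lba)
    return {"blocked": blocked,
            "os_view": {e.name: read_entry(redir.os_read, e) for e in table},
            "oob_view": {e.name: read_entry(redir.oob_read, e) for e in table},
            "disk_unmodified": disk.sectors == before,
            "remap": dict(redir.remap)}


if __name__ == "__main__":
    result = run_enforcement()
    print("blocked:", result["blocked"])
    for name, data in result["os_view"].items():
        print(f"OS view of {name}: {data!r}")
    print("disk unmodified:", result["disk_unmodified"])
```

Running it shows the approved program unchanged, the unapproved one read by the OS as the Windows notification image followed by NOP bytes, and the underlying sectors (including the original unapproved file) exactly as they were, since only the remap table changed. Two design points carry over to a real deployment: the decision is keyed on a content hash rather than a file name, so renaming the binary does not bypass it, and the check is always made against the out-of-band view, because once redirection is in place the in-band view of a blocked file is the alternative image.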
As will be understood by those familiar with the art, the invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. Likewise, the particular naming and division of the portions, modules, agents, managers, components, functions, procedures, actions, layers, features, attributes, methodologies and other aspects are not mandatory or significant, and the mechanisms that implement the invention or its features may have different names, divisions and/or formats. Furthermore, as will be apparent to one of ordinary skill in the relevant art, the portions, modules, agents, managers, components, functions, procedures, actions, layers, features, attributes, methodologies and other aspects of the invention can be implemented as software, hardware, firmware or any combination of the three. Wherever a component of the present invention is implemented as software, the component can be implemented as a script, as a standalone program, as part of a larger program, as a plurality of separate scripts and/or programs, as a statically or dynamically linked library, as a kernel loadable module, as a device driver, and/or in every and any other way known now or in the future to those of skill in the art of computer programming. Additionally, the present invention is in no way limited to implementation in any specific programming language, or for any specific operating system or environment. Furthermore, it will be readily apparent to those of ordinary skill in the relevant art that where the present invention is implemented in whole or in part in software, the software components thereof can be stored on computer readable media as computer program products. Any form of computer readable medium can be used in this context, such as magnetic or optical storage media. 
Additionally, software portions of the present invention can be instantiated (for example as object code or executable images) within the memory of any computing device. Accordingly, the disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.
Number | Name | Date | Kind
---|---|---|---
6336175 | Shaath et al. | Jan 2002 | B1
6886035 | Wolff | Apr 2005 | B2
6941470 | Jooste | Sep 2005 | B1
7093239 | van der Made | Aug 2006 | B1
7480655 | Thomas et al. | Jan 2009 | B2
7565685 | Ross et al. | Jul 2009 | B2
7571482 | Polyakov et al. | Aug 2009 | B2
7574622 | Soran et al. | Aug 2009 | B2
7647636 | Polyakov et al. | Jan 2010 | B2
7680996 | Komarov et al. | Mar 2010 | B2
7693838 | Morgan et al. | Apr 2010 | B2
7797748 | Zheng et al. | Sep 2010 | B2
7845009 | Grobman | Nov 2010 | B2
8042190 | Sahita et al. | Oct 2011 | B2
8286238 | Durham et al. | Oct 2012 | B2
8701187 | Schluessler et al. | Apr 2014 | B2
20020194487 | Grupe | Dec 2002 | A1
20040064736 | Obrecht et al. | Apr 2004 | A1
20050091655 | Probert et al. | Apr 2005 | A1
20070136807 | DeLiberato et al. | Jun 2007 | A1
20080005527 | Bang | Jan 2008 | A1
20080022124 | Zimmer et al. | Jan 2008 | A1
20080127348 | Largman et al. | May 2008 | A1
20080148390 | Zimmer et al. | Jun 2008 | A1
20080163204 | Morgan et al. | Jul 2008 | A1
20080244114 | Schluessler et al. | Oct 2008 | A1
20080256599 | Lee et al. | Oct 2008 | A1
20090038017 | Durham et al. | Feb 2009 | A1
20090106263 | Khalid | Apr 2009 | A1
20090165117 | Brutch | Jun 2009 | A1
20090222889 | Challener et al. | Sep 2009 | A1
20090288167 | Freericks et al. | Nov 2009 | A1
20090319782 | Lee | Dec 2009 | A1
Number | Date | Country
---|---|---
1 914 956 | Apr 2008 | EP
WO 0177811 | Oct 2001 | WO
WO 2007058889 | May 2007 | WO
Entry
---
Extended European Search Report for Application No. 09010823.4-2212 dated Nov. 23, 2009.
"Intel Active Management Technology System Defense and Agent Presence Overview," Version 3.0.4, Feb. 2007.
Intel vPro, Wikipedia, the free encyclopedia; http://en.wikipedia.org/wiki/Intel_vPro; Jul. 15, 2008.
Intel Active Management Technology, Wikipedia, the free encyclopedia; http://en.wikipedia.org/wiki/Intel_Active_Management_Technology; Jun. 23, 2008.
English language translation of relevant portions of Japanese Office Action for Japanese counterpart Application No. 2009-192882 dated Jan. 9, 2014, 1 page, translation made by Japanese patent attorney prosecuting Japanese counterpart application.
English language European Office Action for European counterpart Application No. 09 010 823.4-1870 dated Jul. 31, 2015, 4 pages.
Number | Date | Country
---|---|---
20100058431 A1 | Mar 2010 | US