(12) United States Patent, Dodd et al.




(12) United States Patent, Dodd et al.
(10) Patent No.: US 6,907,531 B1
(45) Date of Patent: Jun. 14, 2005

(54) METHOD AND SYSTEM FOR IDENTIFYING, FIXING, AND UPDATING SECURITY VULNERABILITIES

(75) Inventors: Timothy D. Dodd, Tucker, GA (US); Scott Mewett, Holloways Beach (AU); Curtis E. Ide, Roswell, GA (US); Kevin A. Overcash, Atlanta, GA (US); David A. Dennerline, Atlanta, GA (US); Bobby J. Williams, Atlanta, GA (US); Martin D. Sells, Canton, GA (US)

(73) Assignee: Internet Security Systems, Inc., Atlanta, GA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 932 days.

(21) Appl. No.: 09/608,282
(22) Filed: Jun. 30, 2000
(51) Int. Cl.: G06F 11/30; G06F 12/14; G06F 15/16; H04L 1/00; H04L 9/00
(52) U.S. Cl.: 713/201; 713/165; 709/224
(58) Field of Search: 713/200, 201, 165, 502; 709/223, 224, 232

Primary Examiner: Andrew Caldwell
Assistant Examiner: Tamara Teslovich
(74) Attorney, Agent, or Firm: King & Spalding LLP

(57) ABSTRACT

A method and system identifies, fixes, and updates security vulnerabilities in a host computer or host computers. The present invention can communicate between a scanner with plug-in capability, an operating system, and an express update package. The architectural set-up can allow exploits within the scanner and exploits in the express update package to function with no knowledge of each other. The user also needs no knowledge of whether the exploits are within the scanner or the express update package. Mutual authentication procedures can enable the scanner to load only legitimate express update packages, and can provide that express update packages can only be loaded into legitimate scanners.

48 Claims, 18 Drawing Sheets

Front-page drawing: computer block diagram (system memory, central processing unit (CPU)).


U.S. Patent, Jun. 14, 2005, Sheet 2 of 18, US 6,907,531 B1. FIG. 2, block diagram of the scanner with plug-in capability: session manager and session objects; master exploit list and master resource list; thread manager and host-scanning threads, each with an engine, a plug-in engine and a target object; exploit manager and resource manager; express update package containing an exploit plug-in module and a resource plug-in module (plug-in exploits, plug-in resources, exploit objects, resource objects, data file, help file); registry; database; scanner log files.


U.S. Patent, Jun. 14, 2005, Sheet 8 of 18, US 6,907,531 B1. FIG. 8, scan flow: scanner initializes (805); UI gets license, policy and host information (810); policy editor allows editing of policy (812); end user initiates scan; UI creates session object and registers it with the session manager; policy manager creates ScanPolicy object; session object uses ScanPolicy object to create master exploit list and master resource list; thread manager starts host-scanning threads for the scan session; host-scanning thread asks session manager for host, license and policy information (835); engine runs exploits for host (840); engine repeats steps 835-840 for the remaining hosts in the session.

U.S. Patent, Jun. 14, 2005, Sheet 9 of 18, US 6,907,531 B1. FIG. 9, detail of step 805 (scanner initialization): 905 exploit manager and resource manager enumerate installed plug-in modules and objects; 910 run load security for each plug-in module and load plug-in modules in scanner; 915 policy manager initializes.

U.S. Patent, Jun. 14, 2005, Sheet 10 of 18, US 6,907,531 B1. FIG. 10, detail of step 910 (load security): start; 1005 scanner and plug-in modules are digitally signed prior to release; exploit manager and resource manager run load security; if unsuccessful, exploit manager and resource manager do not load the plug-in module; if successful (1020), exploit manager loads exploit plug-in module and resource manager loads resource plug-in module; plug-in module runs load security; if unsuccessful (1021), plug-in module removes itself from scanner; if successful (1025), exploit plug-in module allows exploit manager to access its internal functions, and resource plug-in module allows resource manager to access its internal functions; end.

U.S. Patent, Jun. 14, 2005, Sheet 11 of 18, US 6,907,531 B1. FIG. 11, detail of step 915 (policy manager initialization): start; policy manager asks exploit manager and resource manager what exploits and resources are available; 1110 exploit manager and resource manager go to registry to find out what exploits and resources are available; 1115 exploit manager and resource manager create maps indicating which plug-in modules contain available exploit objects and resource objects; 1120 policy manager asks exploit manager and resource manager to get all exploit objects and common-setting resource objects; run activation security and create exploit and resource objects (1125); exploit manager and resource manager get exploit objects and resource objects; policy manager queries exploit objects and resource objects for exploit attribute and resource configuration information; end.

U.S. Patent, Jun. 14, 2005, Sheet 12 of 18, US 6,907,531 B1. FIG. 12, detail of step 1125 (activation security): start; 1205 exploit/resource manager finds out if exploit/resource plug-in module knows shared secret; if unsuccessful (1206), exploit/resource manager does not create exploit/resource object; if successful, 1210 exploit/resource manager demonstrates its knowledge of shared secret to exploit/resource plug-in module; if unsuccessful, exploit/resource plug-in module does not let exploit/resource manager create the exploit/resource object; if successful, 1215 exploit/resource plug-in module allows exploit/resource manager to create exploit/resource object; end.
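The two gates of FIG. 10 (load security: signature check before a plug-in module is loaded) and FIG. 12 (activation security: mutual proof of a shared secret before an exploit or resource object is created), as an added example that is not the patent's or the assignee's code. The release key, the shared secret, the HMAC-based stand-in for the digital signature, and the names PluginModule, load_security and activation_security are this example's assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-ins: a release key that signs modules before shipping
# (FIG. 10, step 1005) and the shared secret that the exploit/resource
# manager and a legitimate plug-in module both hold (FIG. 12).
RELEASE_KEY = b"constructed-release-signing-key"
SHARED_SECRET = b"constructed-manager-plugin-secret"

def sign_module(module_bytes: bytes, key: bytes = RELEASE_KEY) -> bytes:
    """Release-time signing. HMAC-SHA256 stands in for the patent's unspecified
    digital signature (assumption); a shipped scanner would verify a public-key signature."""
    return hmac.new(key, module_bytes, hashlib.sha256).digest()

def load_security(module_bytes: bytes, signature: bytes) -> bool:
    """FIG. 10: the manager checks the module's signature before loading it;
    on failure the module is not loaded. Constant-time compare, no early exit."""
    return hmac.compare_digest(sign_module(module_bytes), signature)

def _proof(challenge: bytes, role: bytes, secret: bytes) -> bytes:
    # The role label keeps a plug-in's proof from being replayed as a manager's.
    return hmac.new(secret, role + challenge, hashlib.sha256).digest()

@dataclass
class PluginModule:
    name: str
    secret: bytes  # what this module believes the shared secret is

    def prove(self, challenge: bytes) -> bytes:  # step 1205, plug-in side
        return _proof(challenge, b"plugin", self.secret)

    def verify_manager(self, prove) -> bool:  # step 1210, plug-in challenges manager
        challenge = os.urandom(16)
        return hmac.compare_digest(_proof(challenge, b"manager", self.secret), prove(challenge))

def activation_security(plugin: PluginModule, secret: bytes = SHARED_SECRET) -> bool:
    """FIG. 12: both sides prove knowledge of the shared secret before an
    exploit/resource object is created; either failure stops creation."""
    challenge = os.urandom(16)
    if not hmac.compare_digest(_proof(challenge, b"plugin", secret), plugin.prove(challenge)):
        return False  # step 1206: manager does not create the object
    return plugin.verify_manager(lambda c: _proof(c, b"manager", secret))  # False if 1210 fails

def load_and_activate(module_bytes: bytes, signature: bytes, plugin: PluginModule) -> bool:
    """Load security first, then activation security; both gates must pass."""
    return load_security(module_bytes, signature) and activation_security(plugin)
```

Fresh random challenges on both sides keep a recorded proof from one session from being replayed in another, which a static password exchange between manager and module would not.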

U.S. Patent, Jun. 14, 2005, Sheet 13 of 18, US 6,907,531 B1. FIG. 13, detail of step 810: start; 1305 UI specifies license information; 1310 UI specifies policy information; 1315 UI specifies host information.

U.S. Patent, Jun. 14, 2005, Sheet 14 of 18, US 6,907,531 B1. FIG. 14, detail of step 812: 1410 policy editor allows user to examine, modify, and configure exploit and resource policy settings; 1415 policy editor stores user choices in policy file.

U.S. Patent, Jun. 14, 2005, Sheet 15 of 18, US 6,907,531 B1. FIG. 15, detail of step 840: start; 1505 engine runs standard built-in exploits; 1510 plug-in engine runs standard plug-in exploits; 1515 plug-in engine runs DoS plug-in exploits; 1520 engine runs DoS built-in exploits; end.

U.S. Patent, Jun. 14, 2005, Sheet 16 of 18, US 6,907,531 B1. FIG. 16, detail of steps 1505 or 1520: start; 1605 engine runs exploit at top of list; 1610 engine records scan information to database and scanner log file and sends it to UI to display; engine repeats steps 1605-1610 for the remaining exploits.

U.S. Patent, Jun. 14, 2005, Sheet 17 of 18, US 6,907,531 B1. FIG. 17, detail of steps 1510 or 1515: start; session object uses ScanPolicy object to create master exploit list and master resource list; plug-in engine makes copies of master exploit list and master resource list; 1715 plug-in engine gets host and resource information for first exploit; plug-in engine creates target object; 1721 plug-in engine puts host and resource information in target object; 1725 plug-in engine passes target object to exploit object; 1730 plug-in engine runs exploit; exploit object adds log and scan result information to target object; exploit object passes target object back to plug-in engine; plug-in engine queries target object for log and scan result information; 1750 plug-in engine records scan result information to database and scanner log file and sends it to UI for display; 1755 plug-in engine gets host and resource information for next exploit and repeats steps 1721-1750; end.

U.S. Patent, Jun. 14, 2005, Sheet 18 of 18, US 6,907,531 B1. FIG. 18, plug-in exploit ordering by shared resources: start; 1805 plug-in engine runs exploits that neither produce nor consume shared resources; 1810 plug-in engine runs exploits that only produce shared resources; 1815 plug-in engine runs exploits that produce and consume shared resources; 1820 plug-in engine runs exploits that only consume shared resources; end.
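The four-phase ordering of FIG. 18, as an added example that is not the patent's or the assignee's code: each plug-in exploit declares which shared resources it produces and consumes, the engine groups them 1805 to 1820, and a consumer whose resource nothing produced is rejected rather than run blind. It goes one step past the figure by dependency-sorting the produce-and-consume phase; the Exploit class, the sample policy and the resource names are constructed for this example.

```python
from dataclasses import dataclass
from graphlib import TopologicalSorter

@dataclass
class Exploit:
    name: str
    produces: set
    consumes: set
    run: object  # callable(shared resources) -> dict of resources it produced

def phase(e: Exploit) -> int:
    # FIG. 18: 1805 neither, 1810 produce only, 1815 both, 1820 consume only
    if e.produces and e.consumes:
        return 2
    return 1 if e.produces else (3 if e.consumes else 0)

def schedule(exploits: list) -> list:
    """Four phases in FIG. 18 order; inside the produce-and-consume phase a
    dependency sort (this example's assumption, the figure leaves it open)."""
    groups = {p: [e for e in exploits if phase(e) == p] for p in range(4)}
    mixed = {e.name: e for e in groups[2]}
    producer = {r: e.name for e in groups[2] for r in e.produces}
    deps = {n: {producer[r] for r in e.consumes if r in producer} for n, e in mixed.items()}
    groups[2] = [mixed[n] for n in TopologicalSorter(deps).static_order()]
    return groups[0] + groups[1] + groups[2] + groups[3]

def run_session(exploits: list) -> list:
    """Run the schedule against one shared resource store; return the order run."""
    shared: dict = {}
    order: list = []
    for e in schedule(exploits):
        missing = e.consumes - set(shared)
        if missing:
            raise RuntimeError(f"{e.name} consumes {sorted(missing)}: no producer")
        shared.update(e.run(shared))
        order.append(e.name)
    return order

# Constructed sample policy, listed deliberately out of dependency order.
SAMPLE = [
    Exploit("cve_check", set(), {"os"}, lambda r: {}),
    Exploit("vuln_match", {"findings"}, {"os", "services"},
            lambda r: {"findings": [f"{r['os']}/{s}" for s in r["services"]]}),
    Exploit("os_fingerprint", {"os"}, {"banner"}, lambda r: {"os": "from " + r["banner"]}),
    Exploit("ping", set(), set(), lambda r: {}),
    Exploit("service_map", {"services"}, {"banner"}, lambda r: {"services": ["ssh"]}),
    Exploit("banner_grab", {"banner"}, set(), lambda r: {"banner": "constructed SSH-2.0 banner"}),
]
```

A cycle among produce-and-consume exploits makes schedule() raise graphlib.CycleError, which is the right outcome for a policy that can never be satisfied.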