US2016170740A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016170740-A1 |
| Application number | US-201615051461-A |
| Country | US |
| Kind code | A1 |
| Filing date | Feb 23, 2016 |
| Priority date | Mar 20, 2014 |
| Publication date | Jun 16, 2016 |
| Grant date | — |
Official abstract text for this publication.
Techniques are described herein for, without rebooting a computing device, unloading at least a component of a kernel-mode component of the computing device and loading an updated version of the component of the kernel-mode component. The techniques may be performed by an integrity manager associated with the kernel-mode component. The integrity manager may also determine integrity of the kernel-mode component by causing the kernel-mode component to perform an action associated with a known reaction, determining whether the known reaction occurred, and in response, performing a remediation action or notifying a remote security service. Further, the integrity manager may determine whether any computing device lists include representations of components or connections associated with the kernel-mode component. The integrity manager may then remove the representations from the lists or remove the representations from responses to requests for contents of the computing device lists.
Opening claim text (preview).
1.-20. (canceled)

21. One or more computer storage media having stored thereon a plurality of executable instructions configured to program a computing device to perform operations comprising: determining whether a computing device list includes a representation of a component or a connection associated with a kernel-mode component of the computing device; and in response to the determining, performing one of: removing the representation of the component or the connection from the computing device list, or removing the representation of the component or the connection from a response to a request for contents of the computing device list.

22. The one or more computer storage media of claim 21, wherein the computing device list is a list of drivers, a list of network connections, a list of operating system hooks, a list of directories, or a list of registry keys.

23. The one or more computer storage media of claim 21, wherein the component is a driver, an operating system hook, a directory, or a registry key.

24. The one or more computer storage media of claim 21, wherein the operations further comprise intercepting the response to the request for contents of the computing device list.

25. The one or more computer storage media of claim 21, wherein the operations further comprise intercepting a request to open a directory associated with the kernel-mode component and responding that the directory does not exist or is not available.

26. The one or more computer storage media of claim 21, wherein the component is a component of the kernel-mode component, and the executable instructions configured to program the computing device to perform the determining, the removing the representation from the computing device list, or the removing the representation from the response are instructions of the kernel-mode component.

27. The one or more computer storage media of claim 26, wherein the executable instructions configured to program the computing device to perform the determining, the removing the representation from the computing device list, or the removing the representation from the response are instructions of an integrity manager of the kernel-mode component.

28. A method implemented by a computing device, the method comprising: determining whether a computing device list includes a representation of a component or a connection associated with a kernel-mode component of the computing device; and in response to the determining, performing one of: removing the representation of the component or the connection from the computing device list, or removing the representation of the component or the connection from a response to a request for contents of the computing device list.

29. The method of claim 28, wherein the computing device list is a list of drivers, a list of network connections, a list of operating system hooks, a list of directories, or a list of registry keys.

30. The method of claim 28, wherein the component is a driver, an operating system hook, a directory, or a registry key.

31. The method of claim 28, further comprising intercepting the response to the request for contents of the computing device list.

32. The method of claim 28, further comprising intercepting a request to open a directory associated with the kernel-mode component and responding that the directory does not exist or is not available.

33. The method of claim 28, wherein the component is a component of the kernel-mode component, and the determining, the removing the representation from the computing device list, or the removing the representation from the response are performed by the kernel-mode component.

34. The method of claim 33, wherein the determining, the removing the representation from the computing device list, or the removing the representation from the response are performed by an integrity manager of the kernel-mode component.

35. A computing device comprising: a processor; a kernel-mode component configured to be operated by the processor to perform operations including: determining whether a computing device list includes a representation of a component or a connection associated with the kernel-mode component of the computing device; and in response to the determining, performing one of: removing the representation of the component or the connection from the computing device list, or removing the representation of the component or the connection from a response to a request for contents of the computing device list.

36. The computing device of claim 35, wherein the computing device list is a list of drivers, a list of network connections, a list of operating system hooks, a list of directories, or a list of registry keys.

37. The computing device of claim 35, wherein the component is a driver, an operating system hook, a directory, or a registry key.

38. The computing device of claim 35, wherein the operations further include intercepting the response to the request for contents of the computing device list.

39. The computing device of claim 35, wherein the operations further include intercepting a request to open a directory associated with the kernel-mode component and responding that the directory does not exist or is not available.

40. The computing device of claim 35, wherein the kernel-mode component includes an integrity manager configured to perform the determining, the removing the representation from the computing device list, or the removing the representation from the response.
during program execution, e.g. stack integrity {; Preventing unwanted data erasure; Buffer overflow} · CPC title
involving the movement of software or configuration parameters (network booting or remote initial program loading [RIPL] G06F9/4416) · CPC title
eliminating virus, restoring damaged files · CPC title
while running · CPC title
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title