Abstract: A method, software system, and computer-readable medium are provided for determining whether a malware that implements stealth techniques is resident on a computer. In one exemplary embodiment, a method is provided that obtains a first set of data that describes the processes that are reported as being active on the computer in a non-interrupt environment. Then, the method causes program execution to be interrupted at runtime so that an analysis of the active processes on the computer may be performed. After program execution is interrupted, a second set data that describes the processes that are reported as being active on the computer in a interrupt environment is obtained. By performing a comparison between the first and second sets of data, a determination may be made regarding whether the collected data contains inconsistencies that are characteristic of malware.

Abstract: Object rundown protection that scales with the number of processors in a shared-memory computer system is disclosed. Prior to object rundown, a cache-aware reference count data structure is used to prevent cache-pinging that would otherwise result from data sharing across processors in a multiprocessor computer system. In this data structure, a counter of positive references and negative dereferences, aligned on a particular cache line, is maintained for each processor. When an object is to be destroyed, a rundown wait process is begun, during which new references on the object are prohibited, and the total number of outstanding references is added to an on-stack global counter. Destruction is delayed until the global reference count is reduced to zero. In an implementation on non-uniform memory access multiprocessor machines, each processor's reference count is additionally allocated in a region of main memory that is physically close to that processor.

Abstract: Aspects of the present invention are directed at providing safe and efficient ways for a program to perform a one-time initialization of a data item in a multi-threaded environment. In accordance with one embodiment, a method is provided that allows a program to perform a synchronized initialization of a data item that may be accessed by multiple threads. More specifically, the method includes receiving a request to initialize the data item from a current thread. In response to receiving the request, the method determines whether the current thread is the first thread to attempt to initialize the data item. If the current thread is the first thread to attempt to initialize the data item, the method enforces mutual exclusion and blocks other attempts to initialize the data item made by concurrent threads. Then, the current thread is allowed to execute program code provided by the program to initialize the data item.

Abstract: Generally described, a method, software system, and computer-readable medium are provided for preventing a malware from colliding on a named object. In accordance with one aspect, a method is provided for creating a private namespace. More specifically, the method includes receiving a request to create a private namespace that contains data for defining the boundary of the private namespace from the current process. Then a determination is made regarding whether a principle associated with the current process has the security attributes that are alleged in the request. In this regard, if the principle that is associated with the current process has the security attributes that are alleged in the request, the method creates a container object to implement the private namespace that is defined by the data received in the request.

Abstract: A method, software system, and computer-readable medium are provided for determining whether a malware that implements stealth techniques is resident on a computer. In one exemplary embodiment, a method is provided that obtains a first set of data that describes the processes that are reported as being active on the computer in a non-interrupt environment. Then, the method causes program execution to be interrupted at runtime so that an analysis of the active processes on the computer may be performed. After program execution is interrupted, a second set data that describes the processes that are reported as being active on the computer in a interrupt environment is obtained. By performing a comparison between the first and second sets of data, a determination may be made regarding whether the collected data contains inconsistencies that are characteristic of malware.

Abstract: A technology for exclusively acquiring a shared resource is disclosed. In one method approach, the method determines that a shared resource is available to be exclusively acquired by a first thread. The method also prevents partial execution of operations by a second thread, during operations to exclusively acquire the shared resource by the first thread, which may be accomplished by using an interrupt. The preventing of partial execution of operations by the second thread may be initiated by the first thread. The method embodiment then performs operations to exclusively acquire the shared resource by the first thread.

Abstract: A blocking local sense synchronization barrier is provided. The local sense variable is not processor private or global, but truly local to the synchronization barrier function. Safe deletion is provided by making sure the last operation a thread performs on a barrier is a write. Just before returning, threads increment a field that indicates the count of threads that have left the barrier. Blocking is supported such that threads spin for some interval, and when they decide to block, examine and set (if not already set) the indication of whether a thread is blocking that is to be examined by the last thread to arrive at the barrier to determine whether to set an event to release blocking threads.

Abstract: Sharing access to resources using an inter-process communication (“IPC”) provides a connection in which references to resources may be passed from a sender to a receiver in a trusted third party environment. A sender in possession of a reference to a resource, such as a handle to an object, may initiate the connection with the receiver. In turn, the receiver may accept or refuse the connection, and may further specify the types of resources in which the receiver is interested when accepting through the connection. Sharing access to resources in this manner advantageously insures that only a process that already has access to a resource is able to share that access with another process, and further that only processes that wish to do so will accept such access.

Abstract: Object rundown protection that scales with the number of processors in a shared-memory computer system is disclosed. Prior to object rundown, a cache-aware reference count data structure is used to prevent cache-pinging that would otherwise result from data sharing across processors in a multiprocessor computer system. In this data structure, a counter of positive references and negative dereferences, aligned on a particular cache line, is maintained for each processor. When an object is to be destroyed, a rundown wait process is begun, during which new references on the object are prohibited, and the total number of outstanding references is added to an on-stack global counter. Destruction is delayed until the global reference count is reduced to zero. In an implementation on non-uniform memory access multiprocessor machines, each processor's reference count is additionally allocated in a region of main memory that is physically close to that processor.

Abstract: A system and method for object rundown protection that scales with the number of processors in a shared-memory computer system is disclosed. In an embodiment of the present invention, prior to object rundown, a cache-aware reference count data structure is used to prevent cache-pinging that would otherwise result from data sharing across processors in a multiprocessor computer system. In this data structure, a counter of positive references and negative dereferences, aligned on a particular cache line, is maintained for each processor. When an object is to be destroyed, a rundown wait process is begun, during which new references on the object are prohibited, and the total number of outstanding references is added to an on-stack global counter. Destruction is delayed until the global reference count is reduced to zero.

Abstract: A system and method for object rundown protection that scales with the number of processors in a shared-memory computer system is disclosed. In an embodiment of the present invention, prior to object rundown, a cache-aware reference count data structure is used to prevent cache-pinging that would otherwise result from data sharing across processors in a multiprocessor computer system. In this data structure, a counter of positive references and negative dereferences, aligned on a particular cache line, is maintained for each processor. When an object is to be destroyed, a rundown wait process is begun, during which new references on the object are prohibited, and the total number of outstanding references is added to an on-stack global counter. Destruction is delayed until the global reference count is reduced to zero.

Abstract: The use of spinlocks is avoided in the combination of mutex and condition variables by using any suitable atomic compare and swap functionality to add a thread to a list of waiting threads that waits for a data event to occur. Various embodiments of the present invention also provide an organization scheme of data, which describes an access bit, an awaken count, and a pointer to the list of waiting threads. This organization scheme of data helps to optimize the list of waiting threads so as to better awaken a waiting thread or all waiting threads at once.

Abstract: In accordance with an embodiment of this invention, a mechanism for managing a plurality of access requests for a data object is provided. The mechanism includes a lock control identifying whether a requested data object is in use and a waiter control identifying whether at least one of the plurality of access requests have been denied immediate access to the data object and is currently waiting for access to the data object. Additionally, the mechanism maintains a list optimize control identifying whether one of the plurality of access requests is currently optimizing a waiters list of access requests waiting to access to the data object.

Abstract: A system, method and interface for consistently capturing kernel resident information are provided. An operating system architecture includes user mode modules and kernel mode applications. A user mode module initiates a kernel mode information request through an application program interface identifying one or more process threads of interest. A kernel mode module captures information corresponding to standard kernel mode information and corresponding to the specifically identified process threads. The information is returned in a pre-allocated buffer.

Abstract: A system and method for object rundown protection that scales with the number of processors in a shared-memory computer system is disclosed. In an embodiment of the present invention, prior to object rundown, a cache-aware reference count data structure is used to prevent cache-pinging that would otherwise result from data sharing across processors in a multiprocessor computer system. In this data structure, a counter of positive references and negative dereferences, aligned on a particular cache line, is maintained for each processor. When an object is to be destroyed, a rundown wait process is begun, during which new references on the object are prohibited, and the total number of outstanding references is added to an on-stack global counter. Destruction is delayed until the global reference count is reduced to zero.

Abstract: A system and method for fast referencing a reference counted item is provided. The system provides for establishing a reference counted item, establishing a fast referencing item, setting a pointer to the reference counted item and storing a local copy of the reference counted item in the pointer to the reference counted item, the pointer being associated with the fast referencing item. The system and method thus allow items to obtain references to the reference counted item from the fast referencing item without employing a locking algorithm wherein the reference counted item is locked, accessed, and unlocked.