Patents by Inventor Preet Mohinder
Preet Mohinder has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11531759Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and instructions encoded within the memory to instruct the processor to: provide a permission list; allocate an executable, the executable to have permissions according to the permission list; designate a child object of the executable; allocate a certificate for the child object; and after a system reboot, grant the child object permissions of the executable after validating the certificate.Type: GrantFiled: February 22, 2021Date of Patent: December 20, 2022Assignee: McAfee, LLCInventors: Preet Mohinder, Ratnesh Pandey, Jaskaran Singh Khurana, Amritanshu Johri
-
Publication number: 20210173933Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; and instructions encoded within the memory to instruct the processor to: provide a permission list; allocate an executable, the executable to have permissions according to the permission list; designate a child object of the executable; allocate a certificate for the child object; and after a system reboot, grant the child object permissions of the executable after validating the certificate.Type: ApplicationFiled: February 22, 2021Publication date: June 10, 2021Applicant: McAfee, LLCInventors: Preet Mohinder, Ratnesh Pandey, Jaskaran Singh Khurana, Amritanshu Johri
-
Patent number: 10929540Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a whitelist; an updater, the updater being an executable object authorized to modify files within the whitelist and to launch one or more child processes; and instructions encoded within the memory to provide a system management agent to: maintain a chain of trust between the one or more child processes and the updater, wherein the one or more child processes inherit whitelist permissions associated with the updater; and track the chain of trust across a system reboot, including granting a child process the chain of trust after a reboot only if the child process has associated with it a valid certificate.Type: GrantFiled: September 10, 2019Date of Patent: February 23, 2021Assignee: McAfee, LLCInventors: Preet Mohinder, Ratnesh Pandey, Jaskaran Singh Khurana, Amritanshu Johri
-
Patent number: 10812466Abstract: Managed devices containing a Trusted Platform Module (TPM) to provide a trusted environment generate a device certificate at initialization of the TPM and send the device certificate to a management console for storing in a certificate database. Upon detecting a file of interest, the TPM signs the file, adding to a signature list created by previous managed devices. The signature list can be used to analyze the spread of the file across the system of managed devices, including tracking the file to the first managed device to have had a copy, without requiring real-time access to the managed devices during the spread of the file. In some embodiments, additional security measures may be taken responsive to determining the first managed device and the path the file has taken across the system of managed devices.Type: GrantFiled: May 5, 2015Date of Patent: October 20, 2020Assignee: McAfee, LLCInventors: Balbir Singh, Preet Mohinder, Manish Sharma, Rahul Chandra Khali
-
Publication number: 20200004966Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a whitelist; an updater, the updater being an executable object authorized to modify files within the whitelist and to launch one or more child processes; and instructions encoded within the memory to provide a system management agent to: maintain a chain of trust between the one or more child processes and the updater, wherein the one or more child processes inherit whitelist permissions associated with the updater; and track the chain of trust across a system reboot, including granting a child process the chain of trust after a reboot only if the child process has associated with it a valid certificate.Type: ApplicationFiled: September 10, 2019Publication date: January 2, 2020Applicant: McAfee, LLCInventors: Preet Mohinder, Ratnesh Pandey, Jaskaran Singh Khurana, Amritanshu Johri
-
Patent number: 10409989Abstract: In an example, a system and method are described for providing trusted updaters and trusted processes. An updater may be subject to a whitelist of files that it, and any child processes, are allowed to modify. But trust inheritance may break across reboots and over interprocess communication. Thus, it is desirable to provide a system and method to maintain trust across such events. In the case of a trusted installer, inheritance may be maintained by cross referencing a digital certificate to a workflow grid. In the case of updater processes, trust may be maintained by using a combination of digital certificates that are part of a trust chain and a unique identifier for each trust chain workflow.Type: GrantFiled: December 11, 2015Date of Patent: September 10, 2019Assignee: McAfee, LLCInventors: Preet Mohinder, Ratnesh Pandey, Jaskaran Singh Khurana, Amritanshu Johri
-
Patent number: 9946562Abstract: A system and method for rootkit protection in a hypervisor environment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page of a guest operating system in a hypervisor environment, wherein each entry is a duplicate page of the corresponding guest kernel page, generating a page fault when a process attempts to access a guest kernel page, and redirecting the process to the corresponding duplicate page. If the page fault is a data page fault, the method includes fixing the page fault, and marking a page table entry corresponding to the guest kernel page as non-executable and writeable. If the page fault is an instruction page fault, the method includes marking a page table entry corresponding to the guest kernel page as read-only. Redirecting changing a machine page frame number in a shadow page table of the hypervisor to point to the corresponding duplicate page.Type: GrantFiled: June 24, 2015Date of Patent: April 17, 2018Assignee: McAfee, LLCInventors: Amit Dang, Preet Mohinder, Vivek Srivastava
-
Publication number: 20170351862Abstract: In an example, a system and method are described for providing trusted updaters and trusted processes. An updater may be subject to a whitelist of files that it, and any child processes, are allowed to modify. But trust inheritance may break across reboots and over interprocess communication. Thus, it is desirable to provide a system and method to maintain trust across such events. In the case of a trusted installer, inheritance may be maintained by cross referencing a digital certificate to a workflow grid. In the case of updater processes, trust may be maintained by using a combination of digital certificates that are part of a trust chain and a unique identifier for each trust chain workflow.Type: ApplicationFiled: December 11, 2015Publication date: December 7, 2017Inventors: Preet Mohinder, Ratnesh Pandey, Jaskaran Singh Khurana, Amritanshu Johri
-
Patent number: 9652607Abstract: A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary.Type: GrantFiled: October 3, 2014Date of Patent: May 16, 2017Assignee: McAfee, Inc.Inventors: Amit Dang, Preet Mohinder
-
Publication number: 20160330193Abstract: Managed devices containing a Trusted Platform Module (TPM) to provide a trusted environment generate a device certificate at initialization of the TPM and send the device certificate to a management console for storing in a certificate database. Upon detecting a file of interest, the TPM signs the file, adding to a signature list created by previous managed devices. The signature list can be used to analyze the spread of the file across the system of managed devices, including tracking the file to the first managed device to have had a copy, without requiring real-time access to the managed devices during the spread of the file. In some embodiments, additional security measures may be taken responsive to determining the first managed device and the path the file has taken across the system of managed devices.Type: ApplicationFiled: May 5, 2015Publication date: November 10, 2016Inventors: Balbir Singh, Preet Mohinder, Manish Sharma, Rahul Chandra Khali
-
Patent number: 9465700Abstract: A system and method in one embodiment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page in a guest operating system in a hypervisor environment, generating a page fault when an access attempt is made to a guest kernel page, fixing the page fault to allow access and execution if the guest kernel page corresponds to one of the entries in the soft whitelist, and denying execution if the guest kernel page does not correspond to any of the entries in the soft whitelist. If the page fault is an instruction page fault, and the guest kernel page corresponds to one of the entries in the soft whitelist, the method includes marking the guest kernel page as read-only and executable. The soft whitelist includes a hash of machine page frame numbers corresponding to virtual addresses of each guest kernel page.Type: GrantFiled: February 24, 2015Date of Patent: October 11, 2016Assignee: McAfee, Inc.Inventors: Amit Dang, Preet Mohinder, Vivek Srivastava
-
Publication number: 20150317178Abstract: A system and method for rootkit protection in a hypervisor environment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page of a guest operating system in a hypervisor environment, wherein each entry is a duplicate page of the corresponding guest kernel page, generating a page fault when a process attempts to access a guest kernel page, and redirecting the process to the corresponding duplicate page. If the page fault is a data page fault, the method includes fixing the page fault, and marking a page table entry corresponding to the guest kernel page as non-executable and writeable. If the page fault is an instruction page fault, the method includes marking a page table entry corresponding to the guest kernel page as read-only. Redirecting changing a machine page frame number in a shadow page table of the hypervisor to point to the corresponding duplicate page.Type: ApplicationFiled: June 24, 2015Publication date: November 5, 2015Applicant: McAfee, Inc.Inventors: Amit Dang, Preet Mohinder, Vivek Srivastava
-
Publication number: 20150234718Abstract: A system and method in one embodiment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page in a guest operating system in a hypervisor environment, generating a page fault when an access attempt is made to a guest kernel page, fixing the page fault to allow access and execution if the guest kernel page corresponds to one of the entries in the soft whitelist, and denying execution if the guest kernel page does not correspond to any of the entries in the soft whitelist. If the page fault is an instruction page fault, and the guest kernel page corresponds to one of the entries in the soft whitelist, the method includes marking the guest kernel page as read-only and executable. The soft whitelist includes a hash of machine page frame numbers corresponding to virtual addresses of each guest kernel page.Type: ApplicationFiled: February 24, 2015Publication date: August 20, 2015Inventors: Amit Dang, Preet Mohinder, Vivek Srivastava
-
Patent number: 9069586Abstract: A system and method for rootkit protection in a hypervisor environment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page of a guest operating system in a hypervisor environment, wherein each entry is a duplicate page of the corresponding guest kernel page, generating a page fault when a process attempts to access a guest kernel page, and redirecting the process to the corresponding duplicate page. If the page fault is a data page fault, the method includes fixing the page fault, and marking a page table entry corresponding to the guest kernel page as non-executable and writeable. If the page fault is an instruction page fault, the method includes marking a page table entry corresponding to the guest kernel page as read-only. Redirecting changing a machine page frame number in a shadow page table of the hypervisor to point to the corresponding duplicate page.Type: GrantFiled: October 13, 2011Date of Patent: June 30, 2015Assignee: McAfee, Inc.Inventors: Amit Dang, Preet Mohinder, Vivek Srivastava
-
Patent number: 8973144Abstract: A method includes creating a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment including a hypervisor. The method also includes receiving an access attempt to a second guest kernel page, and generating a page fault when the access attempt is made to the second guest kernel page. In addition, the method includes determining that the second guest kernel page does not correspond to the entry in the soft whitelist, and denying an execution of the second guest kernel page if the second guest kernel page does not correspond to the entry in the soft whitelist.Type: GrantFiled: October 13, 2011Date of Patent: March 3, 2015Assignee: McAfee, Inc.Inventors: Amit Dang, Preet Mohinder, Vivek Srivastava
-
Publication number: 20150026762Abstract: A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary.Type: ApplicationFiled: October 3, 2014Publication date: January 22, 2015Inventors: Amit Dang, Preet Mohinder
-
Patent number: 8869265Abstract: A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary.Type: GrantFiled: December 21, 2012Date of Patent: October 21, 2014Assignee: McAfee, Inc.Inventors: Amit Dang, Preet Mohinder
-
Publication number: 20130117823Abstract: A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary.Type: ApplicationFiled: December 21, 2012Publication date: May 9, 2013Applicant: McAfee, Inc.Inventors: Amit Dang, Preet Mohinder
-
Publication number: 20130097356Abstract: A system and method for rootkit protection in a hypervisor environment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page of a guest operating system in a hypervisor environment, wherein each entry is a duplicate page of the corresponding guest kernel page, generating a page fault when a process attempts to access a guest kernel page, and redirecting the process to the corresponding duplicate page. If the page fault is a data page fault, the method includes fixing the page fault, and marking a page table entry corresponding to the guest kernel page as non-executable and writeable. If the page fault is an instruction page fault, the method includes marking a page table entry corresponding to the guest kernel page as read-only. Redirecting changing a machine page frame number in a shadow page table of the hypervisor to point to the corresponding duplicate page.Type: ApplicationFiled: October 13, 2011Publication date: April 18, 2013Inventors: Amit Dang, Preet Mohinder, Vivek Srivastava
-
Publication number: 20130097355Abstract: A system and method in one embodiment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page in a guest operating system in a hypervisor environment, generating a page fault when an access attempt is made to a guest kernel page, fixing the page fault to allow access and execution if the guest kernel page corresponds to one of the entries in the soft whitelist, and denying execution if the guest kernel page does not correspond to any of the entries in the soft whitelist. If the page fault is an instruction page fault, and the guest kernel page corresponds to one of the entries in the soft whitelist, the method includes marking the guest kernel page as read-only and executable. The soft whitelist includes a hash of machine page frame numbers corresponding to virtual addresses of each guest kernel page.Type: ApplicationFiled: October 13, 2011Publication date: April 18, 2013Inventors: Amit Dang, Preet Mohinder, Vivek Srivastava