CA2517553C - Platform-independent scanning subsystem api for use in a mobile communication framework - Google Patents
Platform-independent scanning subsystem api for use in a mobile communication framework Download PDFInfo
- Publication number
- CA2517553C CA2517553C CA2517553A CA2517553A CA2517553C CA 2517553 C CA2517553 C CA 2517553C CA 2517553 A CA2517553 A CA 2517553A CA 2517553 A CA2517553 A CA 2517553A CA 2517553 C CA2517553 C CA 2517553C
- Authority
- CA
- Canada
- Prior art keywords
- application program
- platform
- data
- mobile communication
- scanning subsystem
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Links
- 238000010295 mobile communication Methods 0.000 title claims abstract description 78
- 238000000034 method Methods 0.000 claims abstract description 26
- 230000006870 function Effects 0.000 claims description 102
- 238000012546 transfer Methods 0.000 claims description 6
- 230000001413 cellular effect Effects 0.000 claims description 4
- 238000004590 computer program Methods 0.000 claims 10
- 238000004891 communication Methods 0.000 abstract description 13
- 239000011800 void material Substances 0.000 description 64
- 238000001514 detection method Methods 0.000 description 13
- 241000700605 Viruses Species 0.000 description 12
- 230000008569 process Effects 0.000 description 12
- 101001039113 Homo sapiens Leucine-rich repeat-containing protein 15 Proteins 0.000 description 11
- 102100040645 Leucine-rich repeat-containing protein 15 Human genes 0.000 description 11
- 230000009471 action Effects 0.000 description 8
- 230000006399 behavior Effects 0.000 description 7
- 230000002085 persistent effect Effects 0.000 description 7
- 230000002155 anti-virotic effect Effects 0.000 description 4
- 230000000875 corresponding effect Effects 0.000 description 4
- 230000004044 response Effects 0.000 description 3
- 230000001419 dependent effect Effects 0.000 description 2
- 230000008439 repair process Effects 0.000 description 2
- HTRJZMPLPYYXIN-UHFFFAOYSA-N 2-acetamido-3-[[4-[(2-acetamido-2-carboxyethyl)sulfanylcarbothioylamino]phenyl]carbamothioylsulfanyl]propanoic acid Chemical compound CC(=O)NC(C(O)=O)CSC(=S)NC1=CC=C(NC(=S)SCC(NC(C)=O)C(O)=O)C=C1 HTRJZMPLPYYXIN-UHFFFAOYSA-N 0.000 description 1
- 101100011538 Caenorhabditis elegans emre-1 gene Proteins 0.000 description 1
- 206010000210 abortion Diseases 0.000 description 1
- 230000004913 activation Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000008878 coupling Effects 0.000 description 1
- 238000010168 coupling process Methods 0.000 description 1
- 238000005859 coupling reaction Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 description 1
- 150000002500 ions Chemical class 0.000 description 1
- 239000002674 ointment Substances 0.000 description 1
- 208000019585 progressive encephalomyelitis with rigidity and myoclonus Diseases 0.000 description 1
- 238000010200 validation analysis Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M1/00—Substation equipment, e.g. for use by subscribers
- H04M1/72—Mobile telephones; Cordless telephones, i.e. devices for establishing wireless links to base stations without route selection
- H04M1/724—User interfaces specially adapted for cordless or mobile telephones
- H04M1/72403—User interfaces specially adapted for cordless or mobile telephones with means for local support of applications that increase the functionality
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M1/00—Substation equipment, e.g. for use by subscribers
- H04M1/72—Mobile telephones; Cordless telephones, i.e. devices for establishing wireless links to base stations without route selection
- H04M1/724—User interfaces specially adapted for cordless or mobile telephones
- H04M1/72403—User interfaces specially adapted for cordless or mobile telephones with means for local support of applications that increase the functionality
- H04M1/72445—User interfaces specially adapted for cordless or mobile telephones with means for local support of applications that increase the functionality for supporting Internet browser applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M1/00—Substation equipment, e.g. for use by subscribers
- H04M1/72—Mobile telephones; Cordless telephones, i.e. devices for establishing wireless links to base stations without route selection
- H04M1/724—User interfaces specially adapted for cordless or mobile telephones
- H04M1/72403—User interfaces specially adapted for cordless or mobile telephones with means for local support of applications that increase the functionality
- H04M1/7243—User interfaces specially adapted for cordless or mobile telephones with means for local support of applications that increase the functionality with interactive means for internal management of messages
Abstract
A platform-independent system and associated method are provided for use with a mobile communication device. Included is a mobile communication device capable of communicating via a wireless network. Such mobile communication device includes an operating system installed thereon. Associated therewith is a platform-independent scanning subsystem in communication with the operating system of the mobile communication device for scanning purposes. Further provided is a platform-independent application program interface for interfacing the operating system and the scanning subsystem. The platform-independent application program interface includes an abstract library for porting the platform-independent scanning subsystem to the mobile communication device and associated operating system.
Description
PLATFORM-INDEPENDENT SCANNING SUBSYSTEM API FOR USE
IN A MOBILE COMMUNICATION FRAMEWORK
FIELD OF THE INVENTION
The present invention relates to mobile communication device security, and more particularly to scanning mobile communication devices for malware.
BACKGROUND OF THE INVENTION
The last decade has seen a rapid growth in the number and use of mobile cellular telephones. More recently, wireless devices have been introduced which combine the functionality of mobile telephones and Personal Digital Assistants (PDAs). It is expected that this area will undergo massive growth in the near future as new cellular telecommunication standards (i.e. GPRS, UNITS, and WAP) make possible the high speed transfer of data across the wireless interface.
It can be expected that such platforms will be susceptible to attack from so-called "malware" such as viruses, Trojan horses, and worms (referred to collectively hereinafter as "viruses"); and other unwanted/harmful content in much the same way as present day personal computers and workstations are susceptible. A number of mobile telephone viruses have already been identified.
In order to resist virus attacks, anti-virus software must be deployed into mobile platforms in much the same way as it has been deployed in the desktop environment. A
number of different desktop anti-virus applications are currently available.
The majority of these applications rely upon a basic scanning engine which searches suspect files for WO 2004/095177 - ~ - PCT/US2004/011652 the presence of predetermined virus signatures. These signatures are held in a database which must be constantly updated to reflect the most recently identified viruses.
Typically, users download replacement databases every so often, either over the Internet, from a received e-mail, or from a CDROM or floppy disk. Users are also expected to update there software engines every so often in order to take advantage of new virus detection techniques which may be required when a new strain of virus is detected.
Mobile wireless platforms present a series of problems for software developers (including developers of anti-virus software). In particular, mobile wireless platforms are traditionally not standardized like conventional desktops. For example, instead of running MicrosoftTM WindowsTM, such mobile wireless platforms may have installed thereon a variety of types of operating systems. This and various other lack of standardization complicates the act of designing an anti-virus scanner that is capable of operating on any one of a plurality of mobile wireless platforms.
DISCLOSURE OF THE INVENTION
A platform-independent system and associated method are provided for use with a mobile communication device. Included is a mobile communication device capable of S communicating via a wireless network. Such mobile communication device includes an operating system installed thereon. Associated therewith is a platform-independent scanning subsystem in communication with the operating system of the mobile communication device for scanning purposes. Further provided is a platform-independent application program interface for interfacing the operating system and the scanning subsystem. The platform-independent application program interface includes an abstract library for porting the platform-independent scanning subsystem to the mobile communication device and associated operating system.
In one embodiment, the application program may include a mail application program, a browser application program, a phone book application program, a message application program, andlor a Java application program.
In another embodiment, the abstract library may support system initialization, library initialization, error functions, memory allocation, input/output (I/O), data authentication, synchronization, hypertext transfer protocol, shared memory, system time, device information, and/or debugging.
WO 2004/095177 ' 4 ' PCT/US2004/011652 BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 illustrates a mobile communication framework, in accordance with one embodiment.
Figure 2 illustrates a mobile communication framework, in accordance with another embodiment.
Figure 3 illustrates an architecture associated with a mobile communication device, in accordance with one embodiment.
Figure 4 shows a system for accessing security or content analysis functionality utilizing a mobile communication device, in accordance with one embodiment.
Figure 5 shows a framework for accessing security or content analysis functionality utilizing a mobile communication device, in accordance with an application server embodiment of the system of Figure 4.
Figure 6 shows a framework for accessing security or content analysis fiuictionality utilizing a mobile communication device, in accordance with a re-entrant library embodiment of the system of Figure 4.
Figure 7 shows an on-demand scanning system implemented in the context of the system of Figure 4.
Figure 8 shows a hierarchy of various components of an application program interface (API) which may be used to interface mobile application programs and a scanning subsystem, in accordance with one embodiment.
Figure 9 illustrates an exemplary library interface initialization.
Figure 10 illustrates an exemplary format of an error code functionality, in accordance with one embodiment.
Figure 11 illustrates a scanning subsystem API call sequence, in accordance with one embodiment.
Figure 12 illustrates one exemplary configuration API call sequence, in accordance with one embodiment.
Figure 13 illustrates various exemplary scan data types which the application programs are capable of communicating to the scanning subsystem via an API.
Figure 14 shows a bit-field variable containing malware severity flags and application program behavior levels, in accordance with one exemplary embodiment.
Figure 15 illustrates a chart setting forth the manner in which the timing of scanning by the scanning subsystem varies as a function of the data types identified via the variables of Figure 13.
Figure 16 illustrates an exemplary flow describing the manner in which the update is initiated by a user interface, in accordance with one embodiment.
WO 2004/095177 ' 6 ' PCT/US2004/011652 Figure 17 illustrates a method for efficiently updating a scanning subsystem of a mobile communication device, in accordance with one embodiment.
WO 2004/095177 ' ~ - PCT/US2004/011652 DETAILED DESCRIPTION
Figure 1 illustrates a mobile communication framework 100, in accordance with one embodiment. As shown, included are a mobile communication device 102 and a backend server 104 capable of communicating via a wireless network. In the context of the present description, the mobile communication device 102 may include, but is not limited to a cellular telephone, a wireless personal digital assistant (PDA), a wireless hand-held computer, a wireless portable computer or any other mobile device capable of communication via a wireless network.
In one embodiment, the mobile communication device 102 may be equipped with a scanning subsystem 105. Such scanning subsystem 105 rnay include any subsystem capable of scanning data that is either stored on the mobile communication device 102 or in communication therewith. Of course, such scanning may refer to on-access scanning, on-demand scanning, or any other type of scanning. Moreover, the scanning may involve content (i.e. text, pictures, etc.) represented by the aforementioned data, general security-type scanning for malware, etc.
With continuing reference to Figure 1, the mobile communication device 102 may be further equipped with a display 106 capable of depicting a plurality of graphical user interfaces 108 adapted for managing various functionality including the aforementioned scanning functionality.
In use, the display 106 of the mobile communication device 102 is used to display data on a network (i.e. the Internet, etc.). See operation 1. In the present course of use, the user may use the display 106 to browse various data on the network by selecting link or anchors for retrieving the data from the network via the backend server 104.
See WO 2004/095177 ' g ' PCT/US2004/011652 operation 2. Next, in operation 3, the scanning subsystem 105 is called to scan the retrieved data.
In the present instance, the scanning subsystem 105 is shown to have located malware in association with the retrieved data in operation 4. At this point, a user is provided with an option via the display 106 to either halt the retrieval and/or use/access the data regardless of the identified malware. Note operation 5. Based on the decision in operation 5, the user may or may not be the subject of an "attack," as indicated in operation 6.
Figure 2 illustrates a mobile communication framework 200, in accordance with another embodiment. The present mobile communication framework 200 is similar to the mobile communication framework 100 of Figure 1 with the exception of the manner in which the mobile communication device reacts to the identification of malware in retrieved data.
In particular, the user is only provided with one option in operation 5. That is, the user is capable of only closing any dialogue associated with the data found to incorporate malware. Note operation 6.
Figure 3 illustrates an architecture 300 associated with a mobile communication device, in accordance with one embodiment. The present architecture 300 may be incorporated into the mobile communication devices of Figures 1 and 2. Of course, the architecture 300 may be implemented in any desired context.
As shown, the present architecture 300 may include a plurality of mobile application programs 302. In the context of the present description, the mobile application programs 302 rnay include any application program, software, etc. installed on a mobile communication device for carrying out various tasks. It should be further noted that such application programs 302 may also be implemented in firmware, hardware, etc. per the desires of the user.
In another embodiment, the application programs 302 may include, but axe not limited to a mail application program, where the tasks include managing electronic mail.
Further, the application program may include a browser application program, where the tasks include browsing a network. Still yet, the application program may include a phone book application program, where the tasks include managing a plurality telephone numbers. As an option, the application program may include a message application program, where the tasks include communicating messages. It should be noted that any type of application program may be included. For example, a Java application program or the like may be included.
With continuing reference to Figure 3, a scanning subsystem 304 resides in communication with the application programs 302 via a first application program interface (API) 306 and a first library 308 associated with the scanning subsystem 304.
More information regarding optional exemplary details relating to the first application program interface 306 and the first library 308 will be set forth later in greater detail during reference to Figures 4-12.
As an option, the application programs 302 may communicate information to the scanning subsystem 304 to facilitate the scanning by the scanning subsystem 304. Such information may relate to the type of data to be scanned, and the timing associated with such scanning. More exemplary information regarding the way in which the scanning subsystem 304 interacts with the application programs 302 in such a manner will be set forth during reference to Figures 13-15.
WO 2004/095177 ' 1~ - PCT/US2004/011652 As shown in Figure 3, the first library 308 may include an update manager 310, a configuration manager 312, and a signature database 314. In use, the update manager 310 may manage the process with which the signature database 314 is updated with the latest signatures for scanning purposes. In one embodiment, the update process may be streamlined to accommodate the limited bandwidth inherent in mobile communication frameworks.. More exemplary information regarding such update process will be set forth during reference to Figures 16-17.
Further provided as a component of the architecture 300 of Figure 3 is an operating system 316 installed on the mobile communication device and adapted for executing the application programs 302. In one embodiment, the scanning subsystem 304 may be platform-independent, and thus be capable of being implemented on any type of operating systemlmobile communication device combination.
To accommodate this feature, a second application program interface 318 and a second library 320 capable of supporting various functionality such as systemllibrary initialization 322, error functions 336, memory allocation 334, inputloutput (I/O) 328, data authentication 332, synchronization 330, hypertext transfer protocol 326, device information 324, debugging 338, and other functionality (i.e. shared memory, system time, etc.). In one embodiment, the second application program interface 318 may be platform independent, similar to the scanning subsystem 304. More information regarding optional exemplary details relating to the second application program interface 318 and the second library 320 will be set forth later in greater detail during reference to Appendix A.
Figure 4 shows a system 400 for accessing security or content analysis functionality utilizing a mobile communication device, in accordance with one embodiment. In one example, the present system 400 may be implemented in the context of the application programs, scanning subsystem, and operating system of the architecture 300 of Figure 3.
It should be noted, however, that the present system 400 may be implemented in any desired context.
As shown, included is an operating system 402 installed on a mobile communication device capable of communicating via a wireless network. Further provided is an application program 404 installed on the mobile communication device and executed utilizing the operating system 402 for performing tasks.
A scanning subsystem 406 remains in communication with the application program via an application program interface and an associated library (see, for example, the first application program interface 306 and first library 308 of Figure 3). Such scanning subsystem 406 is adapted for accessing security or content analysis functionality in conjunction with the tasks performed by the application program 404. In one embodiment, the security or content analysis may include security analysis. In another embodiment, the security or content analysis may include content analysis.
Still yet, the security or content analysis may include on-demand virus scanning and/or on-access virus scanning.
In use, the security or content analysis functionality may be applied to application data associated with the tasks performed by the application program 404. In the context of the present description, the application data may include any data input, processed, output, or otherwise associated with the performance of the tasks carried out by the application program 404.
By the tight coupling of the scanning subsystem 406 and application program 404 via the application program interface, less overhead and code redundancies are required.
More exemplary information regarding such application program interface and the WO 2004/095177 - 12 ' PCT/US2004/011652 associated library will be set forth hereinafter in greater detail during reference to subsequent figures.
Figure 5 shows a framework 500 for accessing security or content analysis functionality utilizing a mobile communication device, in accordance with an application server embodiment of the system 400 of Figure 4. It should be noted that the present framework 500 may be implemented in any desired context.
As shown, the scanning subsystem may include a scanning program 502 that communicates with the application program 504 via the application program interface 506 and an associated protocol (i.e. uItron messaging system). As will be set forth in greater detail later, the application program interface 506 may involve a first component 508 associated with the scanning program 502 and a second component 510 associated with the application program 504.
Various calls 512 provided with the application program interface 506 may include an open call, a data call, and a close call. In use, the scanning program 502 may scan application data 516 associated with the tasks performed by the application program 504.
Figure 6 shows a framework 600 for accessing security or content analysis functionality utilizing a mobile communication device, in accordance with a re-entrant library embodiment of the system 400 of Figure 4. It should be noted that the present framework 600 may be implemented in any desired context.
As shown, the scanning subsystem may include a re-entrant library 602. In use, the scanning subsystem re-entrant library 602 may be linked to an application program 604 WO 2004/095177 - 13 ' PCT/US2004/011652 at run-time. Thus, an application program interface 606 may be populated into each of a plurality of application programs 604.
Similar to the previous framework 500 of Figure 5, the application program interface 606 may involve various calls 612 including an open call, a data call, and a close call.
In use, the re-entrant library 602 may be used to scan application data 616 associated with the tasks performed by the application program 604.
Figure 7 shows an on-demand scanning system 700 implemented in the context of the system 400 of Figure 4. It should be noted that the present system 700 may be implemented in any desired context.
On-demand scanning provides scanning of stored application data 702 for malicious content or code for removal. The user may initiate on-demand scanning via a user interface 703. Moreover, each application program 704 may call a scanning subsystem 706 to perform scanning of objects stored in the corresponding memory.
On the other hand, on-access scanning provides identification of malicious code or content before the application program 704 processes or renders the application data 702. The on-access scanning is transparent to the user until the scanning subsystem 706 detects malicious application data 702.
Figure 8 shows a hierarchy of various components of an application program interface 800 which may be used to interface mobile application programs and a scanning subsystem, in accordance with one embodiment. As an option, the present application program interface 800 may be implemented in the context of the system 400 of Figure 4.
It should be noted, however, that the present application program interface 800 may be implemented in any desired context.
As shown in Figure 8, the application program interface functions include MDoScanOpen() 802, MDoScanClose~ 804, MDoScanVersion() 806, and MDoScanData() 808. MoDoScanOpenU 802 and MDoScanClose() 804 are used to create/open and close a scanning subsystem object instance. MDoScanVersion~
provides scanning subsystem and signature pattern data version information.
MDoScanDataU 808 performs content/data scanning and reporting. Also included in the scanner application program interface is MDoScanUpdate() 810 that provides malware signature database and detection logic updates. When MDoScanUpdate() 810 is called by an update application, the library connects to a remote back-end server (see, for example, Figure 1) and downloads the latest files (i.e. mdo.sdb, mdo.pd).
Scanning subsystem configuration is done using the MDoConfigOpen() 812, MDoConfigClose() 814, MDoConfigGet() 816, and MDoConfigSet() 818. Once a configuration handle is obtained by calling the present application program interface 800, the calling application program uses the get and set configuration API to query and set scanning subsystem configuration variables.
Also included in the present application program interface 800 is an error retrieval function named MDoGetLastError() 820. This function is used to retrieve information about the last error that occurred.
Before any of the API calls are made, preferably at boot-time, MDoSystemInit() 825 is called to initialize the library environment settings. The library keeps configuration settings, malicious code detection logic (i.e. mdo.pd) and signature database (i.e.
mdo.sdb), and internal variables (i.e. synchronization objects, etc.) at fixed persistent storage locations.
MDoLibraryOpenn 830 and MDoLibraryCloseo 840 are used to initialize the library.
An application program may call MDoLibraryOpen~ 830 before any other API calls are made, and the application program may call MDoLibraryClose() 840 before terminating.
The application program interface 800 may be capable of supporting various functionality such as system environment initialization, version status information retrieval, updating the scanning subsystem, scanning, configuring the scanning subsystem, etc. using various application program interface components. More information will now be set forth regarding the foregoing fimctionality in the context of the application program interface 800.
System Initialization MDoSystemlnit() 825 performs validation and environment initialization for data kept at specific persistent storage locations. A malicious codelcontent signature pattern database (i.e. mdo.sdb), detection logic (i.e. mdo.pd), configuration settings, and synchronization objects may be stored at these locations. MDoSystemlnit() 825 may be called once (i.e. at boot-time) before any of the API functions are executed.
Table #1 illustrates exemplary information regarding MDoSystemlnitU 825.
Table #1 MDoSystemInit Description Verify and initialize system environment information.
prototype int MDoSystemInit( void );
Parameters WO 2004/095177 ' 16 ' PCT/US2004/011652 none Return Value 0 if successful, non-zero error code otherwise.
Library Interface API
The application program interface 800 includes a plurality of library interface components. The API interface instantiation may be accomplished using MDoLibraryOpen() 830. The instantiated library interface handle obtained using this function may be used for subsequent API calls. Before the application program terminates, MDoLibraryClose() 840 may be called to release the handle. Figure illustrates an exemplary library interface initialization 900 utilizing MDoLibraryOpen() 830 and MDoLibraryClose() 840.
Table #2 illustrates exemplary information regarding MDoLibraryOpen() 830.
Table #2 MDoLibraryOpen Description Initializes and returns an API library interface handle.
Prototype MDOLIB HANDLE MDoLibrary0pen( void );
Parameters none Return Value library interface handle if successful, INVALID MDOLIB HANDLE otherwise.
- -See Also MDoLibraryClose() Table #3 illustrates exemplary information regarding MDoLibraryClose() 840.
WO 2004/095177 - 1~ - PCT/US2004/011652 Table #3 MDoLibraryClose Description Releases system resource associated with an API
library handle returned by the MDoLibraryClose() function.
Prototype void MDoLibraryClose( MDOLIB HANDLE hLib );
Parameter hLib [in] library handled returned by MDoLibraryOpen.
Return Value none See Also MDoLibrary0pen() Error Retrieval Once the library has been successfully initialized and instantiated by lVmoLibraryOpen() 830,1VE.~oGetLastError() 820 provides the application program with information about the last error occurred.
Table #4 illustrates exemplary information regarding lVmoGetLastError() 820.
Table #4 MDoGetLastError Description Returns the specified library instance's last-error value.
Prototype MDoErrorCode MDoGetLastError(MDOLIB HANDLE hLib);
Parameters hLib [in] library handled returned by MDoLibraryOpen.
WO 2004/095177 ' 1$ ' PCT/US2004/011652 Return Value The MDoErrorCode data type may be defined as a 32-bit unsigned integer which contains both component and error codes. Often times, the error information retrieved may be set at the platform abstraction API layer. For this reason, the MDoErrorCode format given herein is similar to AlErrorCode format defined by the abstraction layer API (See Appendix A). Figure 10 illustrates an exemplary format 1000 of MDoErrorCode, in accordance with one embodiment.
Table #5 illustrates exemplary information regarding MDoGetLastError() 820.
Table #5 1S MDoErrorCode is defined as:
typedef unsigned long MDoErrorCode;
See Also MDoLibraryOpen(), MDoScanOpen(), MDoScanData(), MDoScanUpdate() Exemplary Computer Code #1 illustrates a sample library calling sequence with a call to MDoGetLastError() 820.
Computer Code #1 MDOLIB_HANDLE hLib;
MDOSCAN_HANDLE hScanner;
MDoErrorCode errCode;
WO 2004/095177 ' 19 - PCT/US2004/011652 hMDoLib = MDoLibraryOpen();
if( hMDoLib =- INVALID_MDOLIB_HANDLE ) f return( -1 );
hScanner = MDoScanOpen( hLib );
if( hScanner =- INVALID MDOSCAN HANDLE ) _ _ errCode = MDoGetLastError( hLib );
ReportError( errCode );
MDoLibraryClose( hMDoLib );
return( -1 );
MDoScanClose( hScanner );
MDoLibraryClose( hMDoLib );
Error Codes An error code reported by lVIDoGetLastError 820 includes two parts: component code and error code. See Appendix A for more information. Table #6 lists exemplary error codes and corresponding component codes. MDoGetLastError 820 also returns error codes set at the abstract library layer. It should be noted that the following list is for illustrative purposes only and should not be construed as limiting in any manner.
Table #6 Component Code Error Code '~ Desoription MDO ERROR_MODUL MDOE CFG_UNKNOWN_VARIABLE Unknown/invali E d WO 2004/095177 ' 2~ ' PCT/US2004/011652 configuration variable name.
ML MODE Invalid meta ERROR MLE
MODULE XFILE
SEEK
_ _ file seek mode _ _ _ value.
MLE Invalid meta XFILE
SEEK
OOB
_ file seek _ _ location.
MLE_XFILE Invalid meta SIZE
OOB
_ file size.
_ MLE PKG Invalid update INVALID FILE
_ package file.
MLE PKG_INVALID FORMAT Invalid update package file format.
MLE_SDB_INVALID_POSITION Invalid SDB
record position.
MLE SDB_INVALID STRUCTURE Invalid/corrup t S DB record structure.
MLE SDB RECORD_NOT FOUND Missing SDB
record. Record not found.
MLE_SDB_NO_INODES No more SDB
INode space.
MLE_SDB_NO_BLOCKS No more SDB
block space.
MLE_SDB_INVALID_OFFSET_SIZEInvalid SDB
offset.
MLE Invalid SDB
SDB
BAD
INITIALIZE
PARAMS
_ initialization _ _ _ parameter(s).
MLE_ME_INVALID_SUBTYPE Invalid sub-record ID
value.
MLE_ME_INVALID_TYPE Invalid sub-record ID
value.
MLE_ME_TYPE_NOT_FOUND Unknown sub-record ID
value.
MLE_ME_VIRUS_NOT FOUND Missing/invali d virus code.
MLE_DBU_INVALID_COMMAND Invalid SDB
update command.
MLE_ME_SMALL_VREC_ARRAY Bad virus-record array size.
MLE_ME_T00_MANY_WVSELECT_BUCKETFailed to add S new SDB
record.
MLE_ME_BACKPTR_OVERFLOW Failed to update SDB
record.
Scannin_~ystem API
The application program interface 800 includes a plurality of scanning subsystem $ components. The scanning subsystem API components provide data/content scanning and signature update service. Included are MDoScanOpen() 802, MDoScanClose() 804, MDoScanVersion~ 806, MDoScanUpdate() 810, and MDoScanData~ 808.
MDoScanOpen() 802 is used for scanning subsystem object instantiation.
MDoScanVersion~ 806 provides scanning subsystem and signature database version information. MDoScanUpdate() 810 performs the signature database update.
MDoScanData() 808 performs malicious code/content data scanning. Figure 11 illustrates a scanning subsystem API call sequence 1100, in accordance with one embodiment.
1$ MDoScanOpen Table #7 illustrates exemplary information regarding MDoScanOpen() 802.
Table #7 Description Returns a scanning subsystem instance handle.
IN A MOBILE COMMUNICATION FRAMEWORK
FIELD OF THE INVENTION
The present invention relates to mobile communication device security, and more particularly to scanning mobile communication devices for malware.
BACKGROUND OF THE INVENTION
The last decade has seen a rapid growth in the number and use of mobile cellular telephones. More recently, wireless devices have been introduced which combine the functionality of mobile telephones and Personal Digital Assistants (PDAs). It is expected that this area will undergo massive growth in the near future as new cellular telecommunication standards (i.e. GPRS, UNITS, and WAP) make possible the high speed transfer of data across the wireless interface.
It can be expected that such platforms will be susceptible to attack from so-called "malware" such as viruses, Trojan horses, and worms (referred to collectively hereinafter as "viruses"); and other unwanted/harmful content in much the same way as present day personal computers and workstations are susceptible. A number of mobile telephone viruses have already been identified.
In order to resist virus attacks, anti-virus software must be deployed into mobile platforms in much the same way as it has been deployed in the desktop environment. A
number of different desktop anti-virus applications are currently available.
The majority of these applications rely upon a basic scanning engine which searches suspect files for WO 2004/095177 - ~ - PCT/US2004/011652 the presence of predetermined virus signatures. These signatures are held in a database which must be constantly updated to reflect the most recently identified viruses.
Typically, users download replacement databases every so often, either over the Internet, from a received e-mail, or from a CDROM or floppy disk. Users are also expected to update there software engines every so often in order to take advantage of new virus detection techniques which may be required when a new strain of virus is detected.
Mobile wireless platforms present a series of problems for software developers (including developers of anti-virus software). In particular, mobile wireless platforms are traditionally not standardized like conventional desktops. For example, instead of running MicrosoftTM WindowsTM, such mobile wireless platforms may have installed thereon a variety of types of operating systems. This and various other lack of standardization complicates the act of designing an anti-virus scanner that is capable of operating on any one of a plurality of mobile wireless platforms.
DISCLOSURE OF THE INVENTION
A platform-independent system and associated method are provided for use with a mobile communication device. Included is a mobile communication device capable of S communicating via a wireless network. Such mobile communication device includes an operating system installed thereon. Associated therewith is a platform-independent scanning subsystem in communication with the operating system of the mobile communication device for scanning purposes. Further provided is a platform-independent application program interface for interfacing the operating system and the scanning subsystem. The platform-independent application program interface includes an abstract library for porting the platform-independent scanning subsystem to the mobile communication device and associated operating system.
In one embodiment, the application program may include a mail application program, a browser application program, a phone book application program, a message application program, andlor a Java application program.
In another embodiment, the abstract library may support system initialization, library initialization, error functions, memory allocation, input/output (I/O), data authentication, synchronization, hypertext transfer protocol, shared memory, system time, device information, and/or debugging.
WO 2004/095177 ' 4 ' PCT/US2004/011652 BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 illustrates a mobile communication framework, in accordance with one embodiment.
Figure 2 illustrates a mobile communication framework, in accordance with another embodiment.
Figure 3 illustrates an architecture associated with a mobile communication device, in accordance with one embodiment.
Figure 4 shows a system for accessing security or content analysis functionality utilizing a mobile communication device, in accordance with one embodiment.
Figure 5 shows a framework for accessing security or content analysis functionality utilizing a mobile communication device, in accordance with an application server embodiment of the system of Figure 4.
Figure 6 shows a framework for accessing security or content analysis fiuictionality utilizing a mobile communication device, in accordance with a re-entrant library embodiment of the system of Figure 4.
Figure 7 shows an on-demand scanning system implemented in the context of the system of Figure 4.
Figure 8 shows a hierarchy of various components of an application program interface (API) which may be used to interface mobile application programs and a scanning subsystem, in accordance with one embodiment.
Figure 9 illustrates an exemplary library interface initialization.
Figure 10 illustrates an exemplary format of an error code functionality, in accordance with one embodiment.
Figure 11 illustrates a scanning subsystem API call sequence, in accordance with one embodiment.
Figure 12 illustrates one exemplary configuration API call sequence, in accordance with one embodiment.
Figure 13 illustrates various exemplary scan data types which the application programs are capable of communicating to the scanning subsystem via an API.
Figure 14 shows a bit-field variable containing malware severity flags and application program behavior levels, in accordance with one exemplary embodiment.
Figure 15 illustrates a chart setting forth the manner in which the timing of scanning by the scanning subsystem varies as a function of the data types identified via the variables of Figure 13.
Figure 16 illustrates an exemplary flow describing the manner in which the update is initiated by a user interface, in accordance with one embodiment.
WO 2004/095177 ' 6 ' PCT/US2004/011652 Figure 17 illustrates a method for efficiently updating a scanning subsystem of a mobile communication device, in accordance with one embodiment.
WO 2004/095177 ' ~ - PCT/US2004/011652 DETAILED DESCRIPTION
Figure 1 illustrates a mobile communication framework 100, in accordance with one embodiment. As shown, included are a mobile communication device 102 and a backend server 104 capable of communicating via a wireless network. In the context of the present description, the mobile communication device 102 may include, but is not limited to a cellular telephone, a wireless personal digital assistant (PDA), a wireless hand-held computer, a wireless portable computer or any other mobile device capable of communication via a wireless network.
In one embodiment, the mobile communication device 102 may be equipped with a scanning subsystem 105. Such scanning subsystem 105 rnay include any subsystem capable of scanning data that is either stored on the mobile communication device 102 or in communication therewith. Of course, such scanning may refer to on-access scanning, on-demand scanning, or any other type of scanning. Moreover, the scanning may involve content (i.e. text, pictures, etc.) represented by the aforementioned data, general security-type scanning for malware, etc.
With continuing reference to Figure 1, the mobile communication device 102 may be further equipped with a display 106 capable of depicting a plurality of graphical user interfaces 108 adapted for managing various functionality including the aforementioned scanning functionality.
In use, the display 106 of the mobile communication device 102 is used to display data on a network (i.e. the Internet, etc.). See operation 1. In the present course of use, the user may use the display 106 to browse various data on the network by selecting link or anchors for retrieving the data from the network via the backend server 104.
See WO 2004/095177 ' g ' PCT/US2004/011652 operation 2. Next, in operation 3, the scanning subsystem 105 is called to scan the retrieved data.
In the present instance, the scanning subsystem 105 is shown to have located malware in association with the retrieved data in operation 4. At this point, a user is provided with an option via the display 106 to either halt the retrieval and/or use/access the data regardless of the identified malware. Note operation 5. Based on the decision in operation 5, the user may or may not be the subject of an "attack," as indicated in operation 6.
Figure 2 illustrates a mobile communication framework 200, in accordance with another embodiment. The present mobile communication framework 200 is similar to the mobile communication framework 100 of Figure 1 with the exception of the manner in which the mobile communication device reacts to the identification of malware in retrieved data.
In particular, the user is only provided with one option in operation 5. That is, the user is capable of only closing any dialogue associated with the data found to incorporate malware. Note operation 6.
Figure 3 illustrates an architecture 300 associated with a mobile communication device, in accordance with one embodiment. The present architecture 300 may be incorporated into the mobile communication devices of Figures 1 and 2. Of course, the architecture 300 may be implemented in any desired context.
As shown, the present architecture 300 may include a plurality of mobile application programs 302. In the context of the present description, the mobile application programs 302 rnay include any application program, software, etc. installed on a mobile communication device for carrying out various tasks. It should be further noted that such application programs 302 may also be implemented in firmware, hardware, etc. per the desires of the user.
In another embodiment, the application programs 302 may include, but axe not limited to a mail application program, where the tasks include managing electronic mail.
Further, the application program may include a browser application program, where the tasks include browsing a network. Still yet, the application program may include a phone book application program, where the tasks include managing a plurality telephone numbers. As an option, the application program may include a message application program, where the tasks include communicating messages. It should be noted that any type of application program may be included. For example, a Java application program or the like may be included.
With continuing reference to Figure 3, a scanning subsystem 304 resides in communication with the application programs 302 via a first application program interface (API) 306 and a first library 308 associated with the scanning subsystem 304.
More information regarding optional exemplary details relating to the first application program interface 306 and the first library 308 will be set forth later in greater detail during reference to Figures 4-12.
As an option, the application programs 302 may communicate information to the scanning subsystem 304 to facilitate the scanning by the scanning subsystem 304. Such information may relate to the type of data to be scanned, and the timing associated with such scanning. More exemplary information regarding the way in which the scanning subsystem 304 interacts with the application programs 302 in such a manner will be set forth during reference to Figures 13-15.
WO 2004/095177 ' 1~ - PCT/US2004/011652 As shown in Figure 3, the first library 308 may include an update manager 310, a configuration manager 312, and a signature database 314. In use, the update manager 310 may manage the process with which the signature database 314 is updated with the latest signatures for scanning purposes. In one embodiment, the update process may be streamlined to accommodate the limited bandwidth inherent in mobile communication frameworks.. More exemplary information regarding such update process will be set forth during reference to Figures 16-17.
Further provided as a component of the architecture 300 of Figure 3 is an operating system 316 installed on the mobile communication device and adapted for executing the application programs 302. In one embodiment, the scanning subsystem 304 may be platform-independent, and thus be capable of being implemented on any type of operating systemlmobile communication device combination.
To accommodate this feature, a second application program interface 318 and a second library 320 capable of supporting various functionality such as systemllibrary initialization 322, error functions 336, memory allocation 334, inputloutput (I/O) 328, data authentication 332, synchronization 330, hypertext transfer protocol 326, device information 324, debugging 338, and other functionality (i.e. shared memory, system time, etc.). In one embodiment, the second application program interface 318 may be platform independent, similar to the scanning subsystem 304. More information regarding optional exemplary details relating to the second application program interface 318 and the second library 320 will be set forth later in greater detail during reference to Appendix A.
Figure 4 shows a system 400 for accessing security or content analysis functionality utilizing a mobile communication device, in accordance with one embodiment. In one example, the present system 400 may be implemented in the context of the application programs, scanning subsystem, and operating system of the architecture 300 of Figure 3.
It should be noted, however, that the present system 400 may be implemented in any desired context.
As shown, included is an operating system 402 installed on a mobile communication device capable of communicating via a wireless network. Further provided is an application program 404 installed on the mobile communication device and executed utilizing the operating system 402 for performing tasks.
A scanning subsystem 406 remains in communication with the application program via an application program interface and an associated library (see, for example, the first application program interface 306 and first library 308 of Figure 3). Such scanning subsystem 406 is adapted for accessing security or content analysis functionality in conjunction with the tasks performed by the application program 404. In one embodiment, the security or content analysis may include security analysis. In another embodiment, the security or content analysis may include content analysis.
Still yet, the security or content analysis may include on-demand virus scanning and/or on-access virus scanning.
In use, the security or content analysis functionality may be applied to application data associated with the tasks performed by the application program 404. In the context of the present description, the application data may include any data input, processed, output, or otherwise associated with the performance of the tasks carried out by the application program 404.
By the tight coupling of the scanning subsystem 406 and application program 404 via the application program interface, less overhead and code redundancies are required.
More exemplary information regarding such application program interface and the WO 2004/095177 - 12 ' PCT/US2004/011652 associated library will be set forth hereinafter in greater detail during reference to subsequent figures.
Figure 5 shows a framework 500 for accessing security or content analysis functionality utilizing a mobile communication device, in accordance with an application server embodiment of the system 400 of Figure 4. It should be noted that the present framework 500 may be implemented in any desired context.
As shown, the scanning subsystem may include a scanning program 502 that communicates with the application program 504 via the application program interface 506 and an associated protocol (i.e. uItron messaging system). As will be set forth in greater detail later, the application program interface 506 may involve a first component 508 associated with the scanning program 502 and a second component 510 associated with the application program 504.
Various calls 512 provided with the application program interface 506 may include an open call, a data call, and a close call. In use, the scanning program 502 may scan application data 516 associated with the tasks performed by the application program 504.
Figure 6 shows a framework 600 for accessing security or content analysis functionality utilizing a mobile communication device, in accordance with a re-entrant library embodiment of the system 400 of Figure 4. It should be noted that the present framework 600 may be implemented in any desired context.
As shown, the scanning subsystem may include a re-entrant library 602. In use, the scanning subsystem re-entrant library 602 may be linked to an application program 604 WO 2004/095177 - 13 ' PCT/US2004/011652 at run-time. Thus, an application program interface 606 may be populated into each of a plurality of application programs 604.
Similar to the previous framework 500 of Figure 5, the application program interface 606 may involve various calls 612 including an open call, a data call, and a close call.
In use, the re-entrant library 602 may be used to scan application data 616 associated with the tasks performed by the application program 604.
Figure 7 shows an on-demand scanning system 700 implemented in the context of the system 400 of Figure 4. It should be noted that the present system 700 may be implemented in any desired context.
On-demand scanning provides scanning of stored application data 702 for malicious content or code for removal. The user may initiate on-demand scanning via a user interface 703. Moreover, each application program 704 may call a scanning subsystem 706 to perform scanning of objects stored in the corresponding memory.
On the other hand, on-access scanning provides identification of malicious code or content before the application program 704 processes or renders the application data 702. The on-access scanning is transparent to the user until the scanning subsystem 706 detects malicious application data 702.
Figure 8 shows a hierarchy of various components of an application program interface 800 which may be used to interface mobile application programs and a scanning subsystem, in accordance with one embodiment. As an option, the present application program interface 800 may be implemented in the context of the system 400 of Figure 4.
It should be noted, however, that the present application program interface 800 may be implemented in any desired context.
As shown in Figure 8, the application program interface functions include MDoScanOpen() 802, MDoScanClose~ 804, MDoScanVersion() 806, and MDoScanData() 808. MoDoScanOpenU 802 and MDoScanClose() 804 are used to create/open and close a scanning subsystem object instance. MDoScanVersion~
provides scanning subsystem and signature pattern data version information.
MDoScanDataU 808 performs content/data scanning and reporting. Also included in the scanner application program interface is MDoScanUpdate() 810 that provides malware signature database and detection logic updates. When MDoScanUpdate() 810 is called by an update application, the library connects to a remote back-end server (see, for example, Figure 1) and downloads the latest files (i.e. mdo.sdb, mdo.pd).
Scanning subsystem configuration is done using the MDoConfigOpen() 812, MDoConfigClose() 814, MDoConfigGet() 816, and MDoConfigSet() 818. Once a configuration handle is obtained by calling the present application program interface 800, the calling application program uses the get and set configuration API to query and set scanning subsystem configuration variables.
Also included in the present application program interface 800 is an error retrieval function named MDoGetLastError() 820. This function is used to retrieve information about the last error that occurred.
Before any of the API calls are made, preferably at boot-time, MDoSystemInit() 825 is called to initialize the library environment settings. The library keeps configuration settings, malicious code detection logic (i.e. mdo.pd) and signature database (i.e.
mdo.sdb), and internal variables (i.e. synchronization objects, etc.) at fixed persistent storage locations.
MDoLibraryOpenn 830 and MDoLibraryCloseo 840 are used to initialize the library.
An application program may call MDoLibraryOpen~ 830 before any other API calls are made, and the application program may call MDoLibraryClose() 840 before terminating.
The application program interface 800 may be capable of supporting various functionality such as system environment initialization, version status information retrieval, updating the scanning subsystem, scanning, configuring the scanning subsystem, etc. using various application program interface components. More information will now be set forth regarding the foregoing fimctionality in the context of the application program interface 800.
System Initialization MDoSystemlnit() 825 performs validation and environment initialization for data kept at specific persistent storage locations. A malicious codelcontent signature pattern database (i.e. mdo.sdb), detection logic (i.e. mdo.pd), configuration settings, and synchronization objects may be stored at these locations. MDoSystemlnit() 825 may be called once (i.e. at boot-time) before any of the API functions are executed.
Table #1 illustrates exemplary information regarding MDoSystemlnitU 825.
Table #1 MDoSystemInit Description Verify and initialize system environment information.
prototype int MDoSystemInit( void );
Parameters WO 2004/095177 ' 16 ' PCT/US2004/011652 none Return Value 0 if successful, non-zero error code otherwise.
Library Interface API
The application program interface 800 includes a plurality of library interface components. The API interface instantiation may be accomplished using MDoLibraryOpen() 830. The instantiated library interface handle obtained using this function may be used for subsequent API calls. Before the application program terminates, MDoLibraryClose() 840 may be called to release the handle. Figure illustrates an exemplary library interface initialization 900 utilizing MDoLibraryOpen() 830 and MDoLibraryClose() 840.
Table #2 illustrates exemplary information regarding MDoLibraryOpen() 830.
Table #2 MDoLibraryOpen Description Initializes and returns an API library interface handle.
Prototype MDOLIB HANDLE MDoLibrary0pen( void );
Parameters none Return Value library interface handle if successful, INVALID MDOLIB HANDLE otherwise.
- -See Also MDoLibraryClose() Table #3 illustrates exemplary information regarding MDoLibraryClose() 840.
WO 2004/095177 - 1~ - PCT/US2004/011652 Table #3 MDoLibraryClose Description Releases system resource associated with an API
library handle returned by the MDoLibraryClose() function.
Prototype void MDoLibraryClose( MDOLIB HANDLE hLib );
Parameter hLib [in] library handled returned by MDoLibraryOpen.
Return Value none See Also MDoLibrary0pen() Error Retrieval Once the library has been successfully initialized and instantiated by lVmoLibraryOpen() 830,1VE.~oGetLastError() 820 provides the application program with information about the last error occurred.
Table #4 illustrates exemplary information regarding lVmoGetLastError() 820.
Table #4 MDoGetLastError Description Returns the specified library instance's last-error value.
Prototype MDoErrorCode MDoGetLastError(MDOLIB HANDLE hLib);
Parameters hLib [in] library handled returned by MDoLibraryOpen.
WO 2004/095177 ' 1$ ' PCT/US2004/011652 Return Value The MDoErrorCode data type may be defined as a 32-bit unsigned integer which contains both component and error codes. Often times, the error information retrieved may be set at the platform abstraction API layer. For this reason, the MDoErrorCode format given herein is similar to AlErrorCode format defined by the abstraction layer API (See Appendix A). Figure 10 illustrates an exemplary format 1000 of MDoErrorCode, in accordance with one embodiment.
Table #5 illustrates exemplary information regarding MDoGetLastError() 820.
Table #5 1S MDoErrorCode is defined as:
typedef unsigned long MDoErrorCode;
See Also MDoLibraryOpen(), MDoScanOpen(), MDoScanData(), MDoScanUpdate() Exemplary Computer Code #1 illustrates a sample library calling sequence with a call to MDoGetLastError() 820.
Computer Code #1 MDOLIB_HANDLE hLib;
MDOSCAN_HANDLE hScanner;
MDoErrorCode errCode;
WO 2004/095177 ' 19 - PCT/US2004/011652 hMDoLib = MDoLibraryOpen();
if( hMDoLib =- INVALID_MDOLIB_HANDLE ) f return( -1 );
hScanner = MDoScanOpen( hLib );
if( hScanner =- INVALID MDOSCAN HANDLE ) _ _ errCode = MDoGetLastError( hLib );
ReportError( errCode );
MDoLibraryClose( hMDoLib );
return( -1 );
MDoScanClose( hScanner );
MDoLibraryClose( hMDoLib );
Error Codes An error code reported by lVIDoGetLastError 820 includes two parts: component code and error code. See Appendix A for more information. Table #6 lists exemplary error codes and corresponding component codes. MDoGetLastError 820 also returns error codes set at the abstract library layer. It should be noted that the following list is for illustrative purposes only and should not be construed as limiting in any manner.
Table #6 Component Code Error Code '~ Desoription MDO ERROR_MODUL MDOE CFG_UNKNOWN_VARIABLE Unknown/invali E d WO 2004/095177 ' 2~ ' PCT/US2004/011652 configuration variable name.
ML MODE Invalid meta ERROR MLE
MODULE XFILE
SEEK
_ _ file seek mode _ _ _ value.
MLE Invalid meta XFILE
SEEK
OOB
_ file seek _ _ location.
MLE_XFILE Invalid meta SIZE
OOB
_ file size.
_ MLE PKG Invalid update INVALID FILE
_ package file.
MLE PKG_INVALID FORMAT Invalid update package file format.
MLE_SDB_INVALID_POSITION Invalid SDB
record position.
MLE SDB_INVALID STRUCTURE Invalid/corrup t S DB record structure.
MLE SDB RECORD_NOT FOUND Missing SDB
record. Record not found.
MLE_SDB_NO_INODES No more SDB
INode space.
MLE_SDB_NO_BLOCKS No more SDB
block space.
MLE_SDB_INVALID_OFFSET_SIZEInvalid SDB
offset.
MLE Invalid SDB
SDB
BAD
INITIALIZE
PARAMS
_ initialization _ _ _ parameter(s).
MLE_ME_INVALID_SUBTYPE Invalid sub-record ID
value.
MLE_ME_INVALID_TYPE Invalid sub-record ID
value.
MLE_ME_TYPE_NOT_FOUND Unknown sub-record ID
value.
MLE_ME_VIRUS_NOT FOUND Missing/invali d virus code.
MLE_DBU_INVALID_COMMAND Invalid SDB
update command.
MLE_ME_SMALL_VREC_ARRAY Bad virus-record array size.
MLE_ME_T00_MANY_WVSELECT_BUCKETFailed to add S new SDB
record.
MLE_ME_BACKPTR_OVERFLOW Failed to update SDB
record.
Scannin_~ystem API
The application program interface 800 includes a plurality of scanning subsystem $ components. The scanning subsystem API components provide data/content scanning and signature update service. Included are MDoScanOpen() 802, MDoScanClose() 804, MDoScanVersion~ 806, MDoScanUpdate() 810, and MDoScanData~ 808.
MDoScanOpen() 802 is used for scanning subsystem object instantiation.
MDoScanVersion~ 806 provides scanning subsystem and signature database version information. MDoScanUpdate() 810 performs the signature database update.
MDoScanData() 808 performs malicious code/content data scanning. Figure 11 illustrates a scanning subsystem API call sequence 1100, in accordance with one embodiment.
1$ MDoScanOpen Table #7 illustrates exemplary information regarding MDoScanOpen() 802.
Table #7 Description Returns a scanning subsystem instance handle.
2$ Prototype MDOSCAN HANDLE MDoScanOpen( MDOLIB HANDLE hLib );
Parameters hLib [in] library handle obtained using the MDoLibrary0pen() function.
Return Value Scanning subsystem instance handle if successful.
Parameters hLib [in] library handle obtained using the MDoLibrary0pen() function.
Return Value Scanning subsystem instance handle if successful.
3$ INVALID MDOSCAN HANDLE is returned if error.
WO 2004/095177 ' 22 ' PCT/US2004/011652 See Also MDoScanClose(), MDoScanData(), MDoScanUpdate(), MDoLibrary0pen() MDoScanClose Table #8 illustrates exemplary information regarding MDoScanClose() 804.
Table #8 Description Releases scanning subsystem instance and associated system resource.
Prototype void MDoScanClose( MDOSCAN HANDLE hScan );
Parameters hScan [in] Scanning subsystem handle obtained using the MDoScanOpen() function.
Return Value none See Also MDoScanOpen(), MDoScanData(), MDoScanUpdate() MDoScanVersion Table #9 illustrates exemplary information regarding MDoScanVersion() 806.
Table #9 Description Obtain the scanning subsystem and signature version information from a scanner handle returned by the MDoScanOpen() function.
Prototype int MDoScanVersion( MDOSCAN_HANDLE hScan, SVerInfo* pVersion );
WO 2004/095177 ~ 23 - PCT/US2004/011652 Parameters hScan [in] Scanning subsystem handle obtained using the MDoScanOpen() function.
pVersion [out] Pointer to a structure contain version information.
Return Value 0 if successful, -1 otherwise.
See Also MDoScanOpen(), MDoScanClose(), MDoScanData(), 1$ MDoScanUpdate() Exemplary Computer Code #2 illustrates a sample version information structure.
Computer Code #2 /* version information consists of <device id> + <MDo> + <PD> + <SDB>
For example:
device id: "Win32TestPlatformRev05"
MDo: 1 mdo.pd: 2 mdo.sdb: 32 */
#define MDO DEVID MAX 32 typedef struct char szDevID[MDO DEVID MAX]; /* device id */ _ -unsigned int uMDoVer; /* version */
unsigned int uEngVer; /* detection logic (mdo.pd) version */
unsigned int uSDbVer; /* signature database (mdo.sdb) version */
SVerInfo;
The mobile communication device identification string reported by MDoScanVersion() 806 is set using the device identification string returned by AIDevGetInfo.
(See Appendix A).
lVmoScanData Table #10 illustrates exemplary information regarding MDoScanData() 808.
Table #10 Description MDoScanData is to be called from an application program to scan a specific data type. The calling application program specifies the scanner action, the scan target data type, a set I/O functions to access the data, and an optional callback function.
The result of the data scanning is returned in a caller provided data structure. MDoScanData is re-entrant.
Prototype int MDoScanData( MDOSCAN_HANDLE hScan, SScanParam* pParam, , SScanResult* pResult );
Parameters hScan [in] Scanning subsystem handle obtained from a call to the MDoScanOpen() function.
pParam [in] Pointer to a structure containing data scan parameters.
pResult [out] Pointer to a structure containing data scan results.
Return Value 0 if successful, -1 otherwise and error code is set.
See Also MDoScanOpen(), MDoScanClose(), MDoScanVersion(), MDoscanUpdate() MDoScanU~date Table #11 illustrates exemplary information regarding MDoScanUpdate() 810.
Table # 11 Description Performs malicious code/content signature pattern database (mdo.sdb) and detection logic (mdo.pd) update.
Prototype int MDoScanUpdate( MDOSCAN_HANDLE hScan, SUpdateParam* pParam );
IS
Parameters hScan [in] scan handle obtained using the MDoScanOpen() function.
pParam [in] Pointer to an update parameter structure containing a callback function pointer for update cancellation/abort and progress status update.
Exemplary Computer Code #3 illustrates the manner in which the update parameter structure is defined.
Computer Code #3 typedef struct SStatus struct int iCurrent;
int iTotal;
SStatus;
typedef struct SUpdateParam struct void* pPrivate;
int (*pfCallBack)(void *pPrivate, int iReason, void *pParam);
The calling application program may set the function pointer and the data to be passed to the function when calling the function. Note Table #12.
Table #12 Callback Ressoz~ Descri.~tion (.)..~C~aS(>T7,~
MDO UCB STATUS Callback is made to report update status. pParam points to the SStatus structure. SStatus.iCurrent contains amount of data received and iTotal reports the total update data size in bytes.
MDO UCB CANCEL Callback is made to see if update cancellation is set. pParam points NC1L,L .
Configuration API
The application program interface 800 includes a plurality of configuration components.
Included is a set of functions used to retrieve and specify the scanning subsystem settings. One goal of these functions is to provide application programs and the scanning subsystem with centralized runtime configuration access. The configuration data is stored in non-volatile persistent data storage (i.e. flash memory, etc.).
Figure 12 illustrates one exemplary configuration API call sequence 1200, in accordance with one embodiment. As shown, MDoConfigOpenn 830 returns a handle to be passed to the configuration retrieval and specification functions.
MDoConfigClose() 814 is used to release and close the configuration handle returned by MDoConfigOpen() 812. MDoConfigSet() 818 sets a specified configuration variable with a specified value, and MDoConfigGet() 816 returns a configuration value for a specified variable. Configuration variables) settings modified by MDoCon~etn 818 is not necessarily saved to the permanent storage until MDoConfigClose() 814 is called.
WO 2004/095177 - 2~ - PCT/US2004/011652 Application programs may call configuration open, get or set, and immediately follow with the close function when accessing and/or specifying a variable value.
The configuration variables and values specified/retrieved using the configuration components of the application program interface 800 may be represented in null-character ('\0') terminated, ~-bit character strings. Table #13 lists available configuration variables.
Table #13 Canfir~u~a~i.r~n,ValuelE~am~l' ~_ ;I3esorip~.a.an .
..~~iab';he ..._ _ . _.... ~~ ;< r::. ... : , ,:.:::
~ " f <~
"ScanEnable" "0" disable scanning "1" enable scanning "UpdateURL" "http://update.mcafeeacsa.com/504i"Base-URL
for signature for update ' (see section 0) MDoConfigO en Table #14 illustrates exemplary information regarding MDoConfigOpen() 812.
Table #14 Description Returns a handle to a configuration setting to be passed to subsequent calls to MDoConfigGet() and MDoConfigSet () .
Prototype MDOCONFIG HANDLE MDoConfigOpen( MDOLIB HANDLE hLib );
Parameters WO 2004/095177 - 2g - PCT/US2004/011652 hLib [in] library handle obtained using the MDoLibraryOpen() function.
$ Return Value Configuration handle if successful.
INVALID MDOCONFIG HANDLE is returned if error.
See Also MDoConfigClose(), MDoConfigSet(), MDoConfigGet() MDoConfi _ Close Table #15 illustrates exemplary information regarding MDoConfigClose() 814.
Table #15 Description Releases system resource and closes configuration handle.
Prototype void MDoConfigClose( MDOCONFIG HANDLE hConfig );
Parameters hConf ig [in] Configuration handle returned by the MDoConfigOpen() function.
Return Value none See Also MDoConfigOpen(), MDoConfigSet(), MDoConfigGet() MDoConfi~Get Table #16 illustrates exemplary information regarding MDoConfigGet() 816.
Table #16 WO 2004/095177 - ~9 - PCT/US2004/011652 Description Obtain a configuration value for the specified configuration variable.
Prototype int MDoConfigGet( MDOCONFIG_HANDLE hConfig char const* pszName, char* pBuffer, unsigned int uSize );
Parameters hConfig [in] Configuration handle returned by the MDoConfigOpen() function.
pszName [in] NULL-terminated configuration variable name.
pBuffer [out] NULL-terminated configuration setting/value for the variable specified uSize [in] Length of pBuffer in bytes.
Return Value 0 if successful, -1 otherwise.
MDoConfi.~Set See Also MDoConfigOpen(), MDoConfigClose(), MDoConfigSet() Table #17 illustrates exemplary information regarding MDoConfigSet() 818.
Table #17 Description Set a value for the specified configuration variable.
Prototype int MDoConfigGet( MDOCONFIG_HANDLE hConfig char const* pszName, char const* pszValue );
WO 2004/095177 - 3~ ' PCT/US2004/011652 Parameters hConfig , [in] Configuration handle returned by the MDoConfigOpen() function.
pszName [in] NULL-terminated configuration variable name.
pszValue [int] NULL-terminated new configuration setting/value for the variable specified Return Value 0 if successful, -1 otherwise.
See Also MDoConfigOpen () , MDoConfigClose () , MDoConfigGet () Application Pro~am/Scanning Subsystem Communication to Facilitate Scanning As mentioned earlier, the application programs may communicate information to the scanning subsystem to facilitate the scanning by the scanning subsystem. This communication may be facilitated via the API described above. The foregoing information may relate to the type of data to be scanned, and the timing associated with such scanning. More description regarding the manner in which the above API
accomplishes such will now be set forth.
Scan Parameters (SScanParam) The calling application program may supply the scanning subsystem with a scanning parameter using the SScanParam structure. The information contained in the scan parameter provides the scanning subsystem with: 1) scanning subsystem action type (i.e.
iAction), 2) the scan data type (i.e. the type of the application data to be scanned -iDataType), 3) data pointer to the scan target (i.e. pPrivate), 4) function to retrieve the data size in bytes (i.e. pfGetSize), 5) function to resize the scan data (i.e.
pfSetSize), 6) function used by the scanning subsystem to retrieve a block of scan data (i.e.
pfRead), 6) function used to write to the scan data (i.e. pfWrite), and 7) call-back function for scanning subsystem status/progress reporting (i.e. pfCallBack).
Exemplary Computer Code #4 illustrates a data scan parameter structure.
Computer Code #4 typedef struct SScanParam struc int iAction;
int iDataType;
void* pPrivate;
unsigned (*pfGetSize) ( void* pPrivate int ) ;
int (*pfSetSize)( void* pPrivate, unsigned int uSize );
unsigned (*pfRead)( void* pPrivate, int unsigned int uOffset, void* pBuffer, unsigned int uCount );
unsigned (*pfWrite)( void* pPrivate, int unsigned int u0ffset, void const* pBuffer, unsigned int uCount );
int (*pfCallBack)( void* pPrivate, int iReason, SCBArg const* pCBArg );
SSCanParam;
Scan Action (iAction) The scan action specifies the type of scanning to be performed on supplied application data. Table #18 illustrates various exemplary scan actions.
Table #18 Scan Action ID Descripta.on MDO SA_SCAN_ONLY The scanning subsystem performs scanning and r eports malicious code found. No repairing will be performed.
MDO SA_SCAN_REPAIRAfter performing scanning, object containing malicious code will be repaired.
Scan Data Type (iDataTyael The calling application program may inform the scanning subsystem of the application data type and format using this variable.
Figure 13 illustrates various exemplary application data types 1300 which the application programs are capable of communicating to the scanning subsystem via the API. The url-string format may conform to the Uniform Resource Locators (RFC
1738) specification. The email-string format may conform with the Internet E-mail address format (RFC 822) specification. The default domain may be set to any desired domain.
Still yet, the phone-number string may include the numeric characters '0' through '9', and the '#' and '*' characters.
Scan Data Pointer/Handle (pPrivate) A pointer (or handle) to an application scan object is further provided. The scanning subsystem does not necessarily perform direct memory I/O using this data pointer/handle. The data pointer/handle is passed back to the caller to perform read/write using the caller specified I/O functions.
Scan Data Size (pfGetSize) The present function is used by the scanning subsystem to obtain the scan target data size (in bytes) from the calling application program.
Scan Data Resize (pf~etSize) This function is used by the scanning subsystem to request the calling application program to resize the application data being repaired/cleaned to a given size (in bytes).
This function may be used in conjunction with the scan-and-repair/delete option.
Scan Data Read Function (pfRead) The instant function may be used by the scanning subsystem to read a specified amount of application data from the calling application program.
Scan Data Write Function (pfVVrite) This is an optional parameter which may be used by the scanning subsystem to write a specified amount of application data to the scan object as a part of the repair process.
This function pointer may be set if the scan-action is set for repair or deletion.
Callback Function (pfCallBack) If specified, the scanning subsystem calls the specified function with the information described in below table. The callback function, if returned with a negative return value, aborts the scanning process. Table #19 sets forth an exemplary callback code list.
Table #19 Callbaa~ Desariptiqzx-Reasc~n ID
MDO CB_DETECTED Informs the~calling application program a malicious code has been detected in the scan target. The callback data argument 'arg' is set to pointer to a SCBArg structure.
MDO CB CLEAN_READYInforms the calling application program identified malware is ready to be cleaned/repaired. The callback data argument 'arg' is set to pointer to a SCBArg structure.
Exemplary Computer Code #5 illustrates a scanning subsystem callback structure.
Computer Code #5 typedef struct SCBArg struct f text t const* pszName; /* detected malware name */
text t const* pszVariant; /* detected malware's variant name */
unsigned int uType; /* malware type */
} SCBArg;
Scan Result (SScanResult~, The result of object scanning, detected malware information, is returned to the calling application program in the SScanResult structure provided by the calling application program. The SScanResult structure contains a pointer to a structure that contains scan result information, and a pointer to a function used to remove the scan result resource.
The memory used to hold the scan result is allocated by the scanning subsystem and freed by calling the function pointed by the p~eleteResult pointer.
Exemplary Computer Code #6 illustrates a sample calling sequence.
WO 2004/095177 ' 35 ' PCT/US2004/011652 Computer Code #6 int ScanAppData( ... ) SScanResult scanResult;
if(MDoScanData( hScanner, &scanParam, &scanResult ) _- 0) scanResult.pfFreeResult( &scanResult );
Exemplary Computer Code #7 illustrates a detected malicious code/content information structure.
Computer Code #7 typedef struct SDetected-struct struct SDetected_struct* pNext;
/* pointer to next malware found */
/* NULL if at the end of list */
text t const* pszName; /* detected malware name *~
text t const* pszVariant; /* detected malware's variant name */
unsigned int uType; /* detected malware type */
unsigned int uBehavior; /* bit-field specifiying severity */
/* class and behavior level */
SDetected;
WO 2004/095177 ' 36 ' PCT/US2004/011652 Exemplary Computer Code #8 illustrates a scan result structure.
Computer Code #8 typedef struct SScanResult_struct int iNumDectected; /* number of malware f ound * /
SDetected* pList; /* detected malware list */
/* function ptr used to free reported scan result */
void (* pfFreeResult)( struct SScanResult struct*
pResult );
SScanResult Severity Class and Behavior Level (uBehavior~
Figure 14 shows a bit-field variable 1400 containing malware severity flags and application program behavior levels included in the SDetect structure, in accordance with one exemplary embodiment.
Table #20 sets forth an exemplary malware severity class list.
Table #20 Severity E'~'ag_Descriptiori.
MDO SC USER Detected malware is harmful to the user.
MDO_SC_TERMINALDetected malware is harmful to the device.
The scanning subsystem sets the MDO SC USER flag, if the scanned application data contains malware harmful to the user of the mobile communication device.
MDO SC TERMINAL flag is set if it is harmful to the mobile communication device itself. Both MDO SC USER and MDO SC TERMINAL flags are set if it is harmful to both the user and the mobile communication device.
The application program behavior level specifies what to do with the application data containing the detected malware. Table #21 lists the behavior level values and corresponding actions by the application program.
Table #21 ~3ehavior ~es~~~.p~ion L~veT:_- ;y.
x~
MDO BC LEVELOProcess with a warning.
This severity 1 evel may be assigned to data previously considered malicious.
MDO Prompt the user before processing.
BC LEVEL1 Ask _ he user if he/she wants the application t to process the data.
MDO BC LEVEL2Do not process the data.
MDO BC LEVEL3Do not process the data and prompt user f or removal. If the content is stored on the device, prompt the user for permission before removal.
MDO BC LEVEL4Do not process the data and automatically remove if stored.
When multiple malicious codes are found in a scanned application data, the calling application program is expected to act with the highest behavior level. For example, if both MDO BC LEVELO and MDO BC LEVEL3 are reported, the application program may take on MDO BC LEVEL3 actions.
WO 2004/095177 - 3~ - PCT/US2004/011652 Figure 15 illustrates a chart 1500 setting forth the manner in which the timing of scanning by the scanning subsystem varies as a function of the data types identified via the variables of Figure 13.
Signature Database Update As mentioned earlier, the update process may be streamlined to accommodate the limited bandwidth inherent in mobile communication frameworks. More information regarding the various ways that this may be accomplished will now be set forth.
Updated Com op nents The MDoScanUpdate function provides two components [i.e. malicious code detection logic (mdo.pd) and signature database (mdo.sdb)] with update service. One component (i.e. mdo.pd) may contain the detection logic and be updated fully when a newer version is available. Another component (i.e. mdo.sdb) may be updated incrementally up to n previous versions. A full update for the second component may be performed on mobile communication devices with versions older than n. For example, if h is set to 5, and the latest version is 20, then a full update is performed on mobile communication devices with a version older than 15.
Activation via User Interface Figure 16 illustrates an exemplary flow 1600 describing the manner in which the update is initiated by a user interface, in accordance with one embodiment. As shown, the virus pattern update may be initiated by the mobile communication device user by selecting a menu entry via a user interface 1602. Once the user selects the update menu, an update application 1604 is activated and connects to a back end server via the appropriate update interface function 1606.
Communication Protocol The update library may communicate with the back end server via HTTP protocol.
Update Process Figure 17 illustrates a method 1700 for efficiently updating a scanning subsystem of a mobile communication device, in accordance with one embodiment. In one embodiment, the present method 1700 may be implemented in the context of the application programs, scanning subsystem, and operating system of the architecture 300 of Figure 3 and systems of Figures 1 and 2. It should be noted, however, that the . present method 1700 may be implemented in any desired context.
To initiate the process, a request for an update may be sent from at least one mobile communication device to a back-end server. Of course, in other embodiments, the update may be sent without a request.
In one embodiment, the update may be requested by the mobile communication device utilizing a request data structure. Optionally, such data structure may include variables such as a uniform resource locator (URL) variable, mobile communication identifier variable, an application program interface version variable, a detection logic variable, a signature version variable, and/or a portion number variable.
Table #22 illustrates an exemplary URL that may be used for such purpose.
WO 2004/095177 ' 22 ' PCT/US2004/011652 See Also MDoScanClose(), MDoScanData(), MDoScanUpdate(), MDoLibrary0pen() MDoScanClose Table #8 illustrates exemplary information regarding MDoScanClose() 804.
Table #8 Description Releases scanning subsystem instance and associated system resource.
Prototype void MDoScanClose( MDOSCAN HANDLE hScan );
Parameters hScan [in] Scanning subsystem handle obtained using the MDoScanOpen() function.
Return Value none See Also MDoScanOpen(), MDoScanData(), MDoScanUpdate() MDoScanVersion Table #9 illustrates exemplary information regarding MDoScanVersion() 806.
Table #9 Description Obtain the scanning subsystem and signature version information from a scanner handle returned by the MDoScanOpen() function.
Prototype int MDoScanVersion( MDOSCAN_HANDLE hScan, SVerInfo* pVersion );
WO 2004/095177 ~ 23 - PCT/US2004/011652 Parameters hScan [in] Scanning subsystem handle obtained using the MDoScanOpen() function.
pVersion [out] Pointer to a structure contain version information.
Return Value 0 if successful, -1 otherwise.
See Also MDoScanOpen(), MDoScanClose(), MDoScanData(), 1$ MDoScanUpdate() Exemplary Computer Code #2 illustrates a sample version information structure.
Computer Code #2 /* version information consists of <device id> + <MDo> + <PD> + <SDB>
For example:
device id: "Win32TestPlatformRev05"
MDo: 1 mdo.pd: 2 mdo.sdb: 32 */
#define MDO DEVID MAX 32 typedef struct char szDevID[MDO DEVID MAX]; /* device id */ _ -unsigned int uMDoVer; /* version */
unsigned int uEngVer; /* detection logic (mdo.pd) version */
unsigned int uSDbVer; /* signature database (mdo.sdb) version */
SVerInfo;
The mobile communication device identification string reported by MDoScanVersion() 806 is set using the device identification string returned by AIDevGetInfo.
(See Appendix A).
lVmoScanData Table #10 illustrates exemplary information regarding MDoScanData() 808.
Table #10 Description MDoScanData is to be called from an application program to scan a specific data type. The calling application program specifies the scanner action, the scan target data type, a set I/O functions to access the data, and an optional callback function.
The result of the data scanning is returned in a caller provided data structure. MDoScanData is re-entrant.
Prototype int MDoScanData( MDOSCAN_HANDLE hScan, SScanParam* pParam, , SScanResult* pResult );
Parameters hScan [in] Scanning subsystem handle obtained from a call to the MDoScanOpen() function.
pParam [in] Pointer to a structure containing data scan parameters.
pResult [out] Pointer to a structure containing data scan results.
Return Value 0 if successful, -1 otherwise and error code is set.
See Also MDoScanOpen(), MDoScanClose(), MDoScanVersion(), MDoscanUpdate() MDoScanU~date Table #11 illustrates exemplary information regarding MDoScanUpdate() 810.
Table # 11 Description Performs malicious code/content signature pattern database (mdo.sdb) and detection logic (mdo.pd) update.
Prototype int MDoScanUpdate( MDOSCAN_HANDLE hScan, SUpdateParam* pParam );
IS
Parameters hScan [in] scan handle obtained using the MDoScanOpen() function.
pParam [in] Pointer to an update parameter structure containing a callback function pointer for update cancellation/abort and progress status update.
Exemplary Computer Code #3 illustrates the manner in which the update parameter structure is defined.
Computer Code #3 typedef struct SStatus struct int iCurrent;
int iTotal;
SStatus;
typedef struct SUpdateParam struct void* pPrivate;
int (*pfCallBack)(void *pPrivate, int iReason, void *pParam);
The calling application program may set the function pointer and the data to be passed to the function when calling the function. Note Table #12.
Table #12 Callback Ressoz~ Descri.~tion (.)..~C~aS(>T7,~
MDO UCB STATUS Callback is made to report update status. pParam points to the SStatus structure. SStatus.iCurrent contains amount of data received and iTotal reports the total update data size in bytes.
MDO UCB CANCEL Callback is made to see if update cancellation is set. pParam points NC1L,L .
Configuration API
The application program interface 800 includes a plurality of configuration components.
Included is a set of functions used to retrieve and specify the scanning subsystem settings. One goal of these functions is to provide application programs and the scanning subsystem with centralized runtime configuration access. The configuration data is stored in non-volatile persistent data storage (i.e. flash memory, etc.).
Figure 12 illustrates one exemplary configuration API call sequence 1200, in accordance with one embodiment. As shown, MDoConfigOpenn 830 returns a handle to be passed to the configuration retrieval and specification functions.
MDoConfigClose() 814 is used to release and close the configuration handle returned by MDoConfigOpen() 812. MDoConfigSet() 818 sets a specified configuration variable with a specified value, and MDoConfigGet() 816 returns a configuration value for a specified variable. Configuration variables) settings modified by MDoCon~etn 818 is not necessarily saved to the permanent storage until MDoConfigClose() 814 is called.
WO 2004/095177 - 2~ - PCT/US2004/011652 Application programs may call configuration open, get or set, and immediately follow with the close function when accessing and/or specifying a variable value.
The configuration variables and values specified/retrieved using the configuration components of the application program interface 800 may be represented in null-character ('\0') terminated, ~-bit character strings. Table #13 lists available configuration variables.
Table #13 Canfir~u~a~i.r~n,ValuelE~am~l' ~_ ;I3esorip~.a.an .
..~~iab';he ..._ _ . _.... ~~ ;< r::. ... : , ,:.:::
~ " f <~
"ScanEnable" "0" disable scanning "1" enable scanning "UpdateURL" "http://update.mcafeeacsa.com/504i"Base-URL
for signature for update ' (see section 0) MDoConfigO en Table #14 illustrates exemplary information regarding MDoConfigOpen() 812.
Table #14 Description Returns a handle to a configuration setting to be passed to subsequent calls to MDoConfigGet() and MDoConfigSet () .
Prototype MDOCONFIG HANDLE MDoConfigOpen( MDOLIB HANDLE hLib );
Parameters WO 2004/095177 - 2g - PCT/US2004/011652 hLib [in] library handle obtained using the MDoLibraryOpen() function.
$ Return Value Configuration handle if successful.
INVALID MDOCONFIG HANDLE is returned if error.
See Also MDoConfigClose(), MDoConfigSet(), MDoConfigGet() MDoConfi _ Close Table #15 illustrates exemplary information regarding MDoConfigClose() 814.
Table #15 Description Releases system resource and closes configuration handle.
Prototype void MDoConfigClose( MDOCONFIG HANDLE hConfig );
Parameters hConf ig [in] Configuration handle returned by the MDoConfigOpen() function.
Return Value none See Also MDoConfigOpen(), MDoConfigSet(), MDoConfigGet() MDoConfi~Get Table #16 illustrates exemplary information regarding MDoConfigGet() 816.
Table #16 WO 2004/095177 - ~9 - PCT/US2004/011652 Description Obtain a configuration value for the specified configuration variable.
Prototype int MDoConfigGet( MDOCONFIG_HANDLE hConfig char const* pszName, char* pBuffer, unsigned int uSize );
Parameters hConfig [in] Configuration handle returned by the MDoConfigOpen() function.
pszName [in] NULL-terminated configuration variable name.
pBuffer [out] NULL-terminated configuration setting/value for the variable specified uSize [in] Length of pBuffer in bytes.
Return Value 0 if successful, -1 otherwise.
MDoConfi.~Set See Also MDoConfigOpen(), MDoConfigClose(), MDoConfigSet() Table #17 illustrates exemplary information regarding MDoConfigSet() 818.
Table #17 Description Set a value for the specified configuration variable.
Prototype int MDoConfigGet( MDOCONFIG_HANDLE hConfig char const* pszName, char const* pszValue );
WO 2004/095177 - 3~ ' PCT/US2004/011652 Parameters hConfig , [in] Configuration handle returned by the MDoConfigOpen() function.
pszName [in] NULL-terminated configuration variable name.
pszValue [int] NULL-terminated new configuration setting/value for the variable specified Return Value 0 if successful, -1 otherwise.
See Also MDoConfigOpen () , MDoConfigClose () , MDoConfigGet () Application Pro~am/Scanning Subsystem Communication to Facilitate Scanning As mentioned earlier, the application programs may communicate information to the scanning subsystem to facilitate the scanning by the scanning subsystem. This communication may be facilitated via the API described above. The foregoing information may relate to the type of data to be scanned, and the timing associated with such scanning. More description regarding the manner in which the above API
accomplishes such will now be set forth.
Scan Parameters (SScanParam) The calling application program may supply the scanning subsystem with a scanning parameter using the SScanParam structure. The information contained in the scan parameter provides the scanning subsystem with: 1) scanning subsystem action type (i.e.
iAction), 2) the scan data type (i.e. the type of the application data to be scanned -iDataType), 3) data pointer to the scan target (i.e. pPrivate), 4) function to retrieve the data size in bytes (i.e. pfGetSize), 5) function to resize the scan data (i.e.
pfSetSize), 6) function used by the scanning subsystem to retrieve a block of scan data (i.e.
pfRead), 6) function used to write to the scan data (i.e. pfWrite), and 7) call-back function for scanning subsystem status/progress reporting (i.e. pfCallBack).
Exemplary Computer Code #4 illustrates a data scan parameter structure.
Computer Code #4 typedef struct SScanParam struc int iAction;
int iDataType;
void* pPrivate;
unsigned (*pfGetSize) ( void* pPrivate int ) ;
int (*pfSetSize)( void* pPrivate, unsigned int uSize );
unsigned (*pfRead)( void* pPrivate, int unsigned int uOffset, void* pBuffer, unsigned int uCount );
unsigned (*pfWrite)( void* pPrivate, int unsigned int u0ffset, void const* pBuffer, unsigned int uCount );
int (*pfCallBack)( void* pPrivate, int iReason, SCBArg const* pCBArg );
SSCanParam;
Scan Action (iAction) The scan action specifies the type of scanning to be performed on supplied application data. Table #18 illustrates various exemplary scan actions.
Table #18 Scan Action ID Descripta.on MDO SA_SCAN_ONLY The scanning subsystem performs scanning and r eports malicious code found. No repairing will be performed.
MDO SA_SCAN_REPAIRAfter performing scanning, object containing malicious code will be repaired.
Scan Data Type (iDataTyael The calling application program may inform the scanning subsystem of the application data type and format using this variable.
Figure 13 illustrates various exemplary application data types 1300 which the application programs are capable of communicating to the scanning subsystem via the API. The url-string format may conform to the Uniform Resource Locators (RFC
1738) specification. The email-string format may conform with the Internet E-mail address format (RFC 822) specification. The default domain may be set to any desired domain.
Still yet, the phone-number string may include the numeric characters '0' through '9', and the '#' and '*' characters.
Scan Data Pointer/Handle (pPrivate) A pointer (or handle) to an application scan object is further provided. The scanning subsystem does not necessarily perform direct memory I/O using this data pointer/handle. The data pointer/handle is passed back to the caller to perform read/write using the caller specified I/O functions.
Scan Data Size (pfGetSize) The present function is used by the scanning subsystem to obtain the scan target data size (in bytes) from the calling application program.
Scan Data Resize (pf~etSize) This function is used by the scanning subsystem to request the calling application program to resize the application data being repaired/cleaned to a given size (in bytes).
This function may be used in conjunction with the scan-and-repair/delete option.
Scan Data Read Function (pfRead) The instant function may be used by the scanning subsystem to read a specified amount of application data from the calling application program.
Scan Data Write Function (pfVVrite) This is an optional parameter which may be used by the scanning subsystem to write a specified amount of application data to the scan object as a part of the repair process.
This function pointer may be set if the scan-action is set for repair or deletion.
Callback Function (pfCallBack) If specified, the scanning subsystem calls the specified function with the information described in below table. The callback function, if returned with a negative return value, aborts the scanning process. Table #19 sets forth an exemplary callback code list.
Table #19 Callbaa~ Desariptiqzx-Reasc~n ID
MDO CB_DETECTED Informs the~calling application program a malicious code has been detected in the scan target. The callback data argument 'arg' is set to pointer to a SCBArg structure.
MDO CB CLEAN_READYInforms the calling application program identified malware is ready to be cleaned/repaired. The callback data argument 'arg' is set to pointer to a SCBArg structure.
Exemplary Computer Code #5 illustrates a scanning subsystem callback structure.
Computer Code #5 typedef struct SCBArg struct f text t const* pszName; /* detected malware name */
text t const* pszVariant; /* detected malware's variant name */
unsigned int uType; /* malware type */
} SCBArg;
Scan Result (SScanResult~, The result of object scanning, detected malware information, is returned to the calling application program in the SScanResult structure provided by the calling application program. The SScanResult structure contains a pointer to a structure that contains scan result information, and a pointer to a function used to remove the scan result resource.
The memory used to hold the scan result is allocated by the scanning subsystem and freed by calling the function pointed by the p~eleteResult pointer.
Exemplary Computer Code #6 illustrates a sample calling sequence.
WO 2004/095177 ' 35 ' PCT/US2004/011652 Computer Code #6 int ScanAppData( ... ) SScanResult scanResult;
if(MDoScanData( hScanner, &scanParam, &scanResult ) _- 0) scanResult.pfFreeResult( &scanResult );
Exemplary Computer Code #7 illustrates a detected malicious code/content information structure.
Computer Code #7 typedef struct SDetected-struct struct SDetected_struct* pNext;
/* pointer to next malware found */
/* NULL if at the end of list */
text t const* pszName; /* detected malware name *~
text t const* pszVariant; /* detected malware's variant name */
unsigned int uType; /* detected malware type */
unsigned int uBehavior; /* bit-field specifiying severity */
/* class and behavior level */
SDetected;
WO 2004/095177 ' 36 ' PCT/US2004/011652 Exemplary Computer Code #8 illustrates a scan result structure.
Computer Code #8 typedef struct SScanResult_struct int iNumDectected; /* number of malware f ound * /
SDetected* pList; /* detected malware list */
/* function ptr used to free reported scan result */
void (* pfFreeResult)( struct SScanResult struct*
pResult );
SScanResult Severity Class and Behavior Level (uBehavior~
Figure 14 shows a bit-field variable 1400 containing malware severity flags and application program behavior levels included in the SDetect structure, in accordance with one exemplary embodiment.
Table #20 sets forth an exemplary malware severity class list.
Table #20 Severity E'~'ag_Descriptiori.
MDO SC USER Detected malware is harmful to the user.
MDO_SC_TERMINALDetected malware is harmful to the device.
The scanning subsystem sets the MDO SC USER flag, if the scanned application data contains malware harmful to the user of the mobile communication device.
MDO SC TERMINAL flag is set if it is harmful to the mobile communication device itself. Both MDO SC USER and MDO SC TERMINAL flags are set if it is harmful to both the user and the mobile communication device.
The application program behavior level specifies what to do with the application data containing the detected malware. Table #21 lists the behavior level values and corresponding actions by the application program.
Table #21 ~3ehavior ~es~~~.p~ion L~veT:_- ;y.
x~
MDO BC LEVELOProcess with a warning.
This severity 1 evel may be assigned to data previously considered malicious.
MDO Prompt the user before processing.
BC LEVEL1 Ask _ he user if he/she wants the application t to process the data.
MDO BC LEVEL2Do not process the data.
MDO BC LEVEL3Do not process the data and prompt user f or removal. If the content is stored on the device, prompt the user for permission before removal.
MDO BC LEVEL4Do not process the data and automatically remove if stored.
When multiple malicious codes are found in a scanned application data, the calling application program is expected to act with the highest behavior level. For example, if both MDO BC LEVELO and MDO BC LEVEL3 are reported, the application program may take on MDO BC LEVEL3 actions.
WO 2004/095177 - 3~ - PCT/US2004/011652 Figure 15 illustrates a chart 1500 setting forth the manner in which the timing of scanning by the scanning subsystem varies as a function of the data types identified via the variables of Figure 13.
Signature Database Update As mentioned earlier, the update process may be streamlined to accommodate the limited bandwidth inherent in mobile communication frameworks. More information regarding the various ways that this may be accomplished will now be set forth.
Updated Com op nents The MDoScanUpdate function provides two components [i.e. malicious code detection logic (mdo.pd) and signature database (mdo.sdb)] with update service. One component (i.e. mdo.pd) may contain the detection logic and be updated fully when a newer version is available. Another component (i.e. mdo.sdb) may be updated incrementally up to n previous versions. A full update for the second component may be performed on mobile communication devices with versions older than n. For example, if h is set to 5, and the latest version is 20, then a full update is performed on mobile communication devices with a version older than 15.
Activation via User Interface Figure 16 illustrates an exemplary flow 1600 describing the manner in which the update is initiated by a user interface, in accordance with one embodiment. As shown, the virus pattern update may be initiated by the mobile communication device user by selecting a menu entry via a user interface 1602. Once the user selects the update menu, an update application 1604 is activated and connects to a back end server via the appropriate update interface function 1606.
Communication Protocol The update library may communicate with the back end server via HTTP protocol.
Update Process Figure 17 illustrates a method 1700 for efficiently updating a scanning subsystem of a mobile communication device, in accordance with one embodiment. In one embodiment, the present method 1700 may be implemented in the context of the application programs, scanning subsystem, and operating system of the architecture 300 of Figure 3 and systems of Figures 1 and 2. It should be noted, however, that the . present method 1700 may be implemented in any desired context.
To initiate the process, a request for an update may be sent from at least one mobile communication device to a back-end server. Of course, in other embodiments, the update may be sent without a request.
In one embodiment, the update may be requested by the mobile communication device utilizing a request data structure. Optionally, such data structure may include variables such as a uniform resource locator (URL) variable, mobile communication identifier variable, an application program interface version variable, a detection logic variable, a signature version variable, and/or a portion number variable.
Table #22 illustrates an exemplary URL that may be used for such purpose.
- 4~ - PCT/US2004/011652 Table #22 <BASE-URL>?dev=<DEV-ID>&mdo=<MDO-VER>&eng=<ENG-VER>&sdb=<SDB-VER>&chk=<CHUNK>
S
Below is a table that describes the above URL
variables Vaxiable Description <BASE- update server URL obtained using the URL> MDoConfigGet function (see section 0) <DEV-ID> Mobile communication device identifier;
returned by the AlDevGetlnfo function.
<MDO- MDo API version VER>
<ENG- detection logic, mdo.pd, version VER>
<SDB- signature database, mdo.sdb, version VER>
<CHUNK> update package chunk, or portion, number;
one (=1) initially Table #23 illustrates a specific example of a URL that conforms with the above description.
Table #23 http://update.mcafeeacsa.com/5041?dev=X504105&mdo=2&eng=3&sdb=56&chk=1 The above URL of Table #23 specifies base-URL
"http://update.mcafeeacsa.com/504i", "X504105" as the device identifier, API version 2, malicious code detection logic version 3, and signature database version 56. It should be noted that the "chunk," or portion, number may be set to 1 when the mobile communication device initially contacts the back end server. Also, the base-URL may be obtained using the MDoConfigGet API using the "UpdateURL" configuration variable.
After receiving the request, the back end server determines which update package needs to be downloaded by comparing stored malicious code detection logic and signature database versions with the version information encoded in the URL.
If no update is needed, the backend returns a no-content response. In operation 1701, the mobile communication device receives the response as the first portion. If it is determined that the first portion includes the foregoing no-content response (see decision 1702), the method 1700 is terminated, as there is no update to download. Such feature is beneficial in accommodating the limited bandwidth inherent in mobile communication frameworks.
On the other hand, if the first portion of an update package is returned, the method 1700 is continued by receiving additional portions of the update subsequent to (or possibly in parallel with) the receipt of the first portion of the update. Note operations 1704-1708.
It should be noted that the first portion may be accompanied with the total package size and portion count information.
To download the remaining update portions, the portion number of the download URL
may be modified. Table #24 illustrates a specific example of a URL that specifies portion number "3."
Table #24 http://update.mcafeeacsa.com/504i?dev=X504105&mdo=2&eng=3&sdb=56&chk=3 In one embodiment, integrity of the update may be determined. Accordingly, the update may be conditionally installed with the scanning subsystem, based on whether the integrity of the update is verified.
As an option, the integrity of the update may be determined utilizing a signature. Such signature may be received with one of the portions (i.e. a last portion) of the update.
Then, the signature may be compared against another signature generated utilizing each of the portions of the update. Note operation 1710.
In one embodiment, the signature may be generated using a RSA private key and authenticated on the mobile communication device using a corresponding public key included in the update. The signature verification and generation may further be performed using a specified authentication library.
Assuming that the integrity is verified, any scanning being performed by the scanning subsystem is paused, or halted. Note operation 1712. It should be noted that such pausing may be optional.
Next, the update may be installed with the scanning subsystem. Note operation 1714.
In the embodiment where any scanning is paused, the scanning may subsequently be resumed utilizing the scanning subsystem upon the update being installed with the scanning subsystem. See operation 1716.
To accommodate the limited bandwidth inherent in mobile communication frameworks, a size of the portions of the update may be minimized. Moreover, the portions of the update rnay be compressed.
In yet another embodiment, a format of each portion of the update may be designed to accommodate the limited bandwidth inherent in mobile communication frameworks.
More information will now be set forth regarding such format.
Table #25 illustrates an exemplary format for downloading the portions of the update.
Table #25 MPKG
<partl>
<part2 >
<partn>
[signature:sig-len]
[sig-len:4]
Each of the foregoing parts set forth in Table #25 is defined as follows in Table #26.
Table #26 X-ContentLength: <part-length>\r\n X-ContentName: <part-name>\r\n X-Name: <component-name>\r\n X-Version: <component-version>\r\n \r\n [part-data: part-length bytes]
Each part is made up of a header and data. Such header may indicate an identifier of the associated portion of the update, a length of the associated portion of the update, etc.
Moreover, the header may specify the contained data name and length, and be separated from the actual data with an extra CR+LF pair. Table #27 sets forth exemplary data/content names associated with the header.
Table #27 Component D~saription Name "pd" detection logic "sdb" signature database update Table #28 illustrates an exemplary update package.
Table #28 MPKG
X-ContentLength: 6423\r\n X-ContentName: update30-32\r\n X-Name: sdb\r\n X-Version: 32\r\n \r\n <SDB update binary:6423>
<signature:sig-len>
<sig-len:4>
S
Abstract Library API
As mentioned previously, a platform-independent system and associated method are provided for use with a mobile communication device. Included is a platform-independent scanning subsystem in communication with the operating system of a mobile communication device for scanning purposes. Further provided is a platform-independent application program interface for interfacing the operating system and the scanning subsystem. The platform-independent application program interface includes an abstract library for porting the platform-independent scanning subsystem to the mobile communication device and associated operating system.
By this design, the scanning subsystem may be platform-independent, and thus be capable of being implemented on any type of operating system/mobile communication device combination.
In one embodiment, the abstract library may support system initialization, library initialization, error functions, memory allocation, inputloutput (I/O), data authentication, synchronization, hypertext transfer protocol, shared memory, system time, device information, and debugging. More exemplary information relating to one optional WO 2004/095177 ' 45 ' PCT/US2004/011652 implementation of the foregoing application program interface is set forth in Appendix A.
While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of a preferred embodiment should not be limited by any of the above described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.
APPENDIX A
The present application program interface (API) includes the following subsystems:
~ system initialization ~ library initialization ~ error functions ~ heap memory allocation ~ persistent memory/storage I/O
~ data authentication ~ synchronization object (semaphore) ~ HTTP API
~ shared memory ~ system time ~ device information ~ debugging Also described in this Appendix is a set of C-language definitions) defined in the abstraction library (AL) layer for use in the API library.
System Initialization Platform/system dependent boot initialization is performed by the AlLibrarySysInit ( ) function. This function is designed to be called from the MDoSystemlnit ( ) function described earlier.
AlLibrar~ysInit Description Performs system dependent initialization.
Prototype int AlLibrarySysInit( void );
Parameters none Return Value 0 if successful, -1 otherwise.
Library Initialization The platform abstraction API library is initialized using the Al InitLibrary ( ) function. The abstraction library is to be initialized once before an abstraction API
function is called. The system resource obtained and initialized by Al InitLibrary ( ) is released when the AlCleanupLibrary ( ) function is called.
AlInitLibrary Description Performs library initialization. This function is to be called by the MDoLibraryOpen ( ) function.
Prototype int AlInitLibrary( void );
Parameters none Return Value 0 if successful, -1 otherwise.
AlCleanupLibrary Description Releases system resource acquired by the Al InitLibrary ( ) function. This function is to be called by the MDoLibraryClose ( ) function specified earlier.
Prototype void AlCleanupLibrary( void );
Parameters none Return Value none Error Functions Parameters pszOutput [in] String to output to debug console.
Return Value 0 on success, -1 on failure.
Included in the AL library is a set of error functions used to set and retrieve tasklthread specific error codes. It is the responsibility of the abstraction layer implementer to set appropriate error codes and component codes.
AIGetLastError Description Returns the calling task/thread's last-error code value. Functions set the returned value using the AlSetLastError() function.
The AlErrorCode data type is internally represented using a 32-bit unsigned value.
Prototype AlErrorCode AIGetLastError( void );
Parameters none Return Value The calling threadltask's last-error value set using the Al S a t La s t Error ( ) function.
AISetLastError Description Sets the last-error code for the calling thread/task.
Prototype void AISetLastError( AlErrorCode errorCode );
Parameters errorCode [in] 32-bit error code value.
Return Value none ErrorlStatus Codes Component _ Error ~ ~ ~. ~ __ _..._..~~~~e ~o~e ~ ~. v~~~~ . oe~~~~~~~~~
N/A 0 0 ALE-SUCCES S 0 0 success; not an h 0 error h N/A 0 0 ALE CANCELLED 0 0 operation cancelled;
h 01 not an error AL-SYS MODULE 01h ALE BAD FILE MODE 2711 invalid file mode h ALE FILE OPEN 2 712 failed to open h ALE F I LE_WRI TE 2 713 failed to write to a file h ALE BAD SEEK_MODE 2 714 invalid seek mode h ALE-SEEK_OOB 2 715 invalid seek location h ALE FILE SEEK 2716 failed to seek to a s ecific file location ALE FILE READ 2717 failed to read h ALE FILE WRITE MODE 2 718 invalid write mode h access ALE-S I ZE OOB 2 719 invalid file size;
failed to char a file size ALE-SEM_CREATE 2 71A semaphore creation h failed ALE-SEM OPEN 271B semaphore open failed h ALE-SEM WAIT 2 71C wait on semaphore h failed AL FiTTP MODULEllh ALE HTTP OK 11C8 "200 - - ok"; not an error (1000h lFFFh) - ALE HTTP NO CONTENT 11CC "204 no content";
not an error ALE~HTTP FORBIDDEN 1193h "403 forbidden";
forbidden URL
ALE HTTP NOT FOUND 1194h "404 not found";
- - invalid ALE HTTP REQ TIMEOUT 1198h "408 request timeout";
GET/PUT re uest time out ALE_HTTP GW TIMEOUT 11F8h "504 gateway timeout";
failed to receive info from atewa AL_COM_MODULE 2 0 ALE COM_TEMP ERROR 2 0 temporary ( z o 0 oh-2 h 0 communication o FFh) 0 error h ALE COM PERM ERROR 2 0 permanent 01 communication error AL DA_MODULE 21h ALE DA_CERT EXPIRED 2100 expired certificate h (2looh-2oFFh) ALE_DA_CERT_BAD 2101 invalid certificate h ALE_DA_CERT_UNSUPPORTED2102h u~u orted certificate ALE DA_CERT_REVOKE 2103h revoked certificate ' _DA_CERT_EXPIRED 2104h certificate ex ALE fired ALE_DA_SCA_CERT_EXPIRED2105h sub CA certificate ex iced ALE_DA_RCA_CERT_EXPIRED2106h root CA certificate ex fired ALE_DA_RCA_CERT_DISABLED2107h root CA certificate disabled ALE_DA_CERT_UNKNOWN 2108h ~o~certificate ALE DA DATA ALTERED 210 data altered 9h The above table lists a set of AL component and error codes. An error reported using the AISetLastError function is a 32-bit value formed by combining a component code with an error code. The error set at the AL level is retrieved using the MDoGetLastError function to take an appropriate action when an error occurs.
Heau Memory Allocation The abstraction layer provides a heap memory allocation API for a calling application program (i.e. a "caller") to dynamically allocate memory needed. The allocated memory is assumed to be globally sharable which can be accessed by multiple applications/tasks.
The AlMemAl loC ( ) and AlMemFree ( ) API functions provide allocation and deallocation of the heap memory.
Function Descri filon=. .~ . , '' void* AlMemAlloc allocate a block of dynamic memory c unsigned int uSize) void AlMemFree ( free memory allocated using AIMemAlloc void* ptr) AIMemAlloc Description Allocate a specified amount of dynamic memory and returns a pointer to that memory. The allocated memory block is directly accessible by the caller (i.e.
calling application program) without requiring a special operation (i.e.
memory locking).
Prototype void* AlMemAlloc( unsigned int uSize );
Parameters uSize [in] Amount of memory to allocate in bytes.
Return Value A pointer to the allocated memory. NULL if the request fails or the request size is zero.
See Also AlMemFree ( ) AlMemFree Description Frees a dynamic memory block returned by the AlMemAl loc ( ) function.
Prototype void AIMemFree( void* pData );
Parameters pData [in] Pointer to a memory block to be freed.
Return Value none See Also AlMemAlloc() Persistent Storage y0 The persistent storage (i.e. flash memory) access is performed using a file I/O API. See below:
Name ..__ _._.. pescri ' tion ~~ """" ..
AL_FILE HANDLE AlFileOpen c open, create if.necessary, specified file and return char oonst* pszFilename, int iMode ) lts handle void AlFileclose ( close file handle returned by AlFileOpen ( ) AL FILE HANDLE hFile) unsigned int AlFileseekreppSltlori f 1e OffSet ( AL FILE HANDLE hFile) unsigned int AlFileReadread from a file handle ( AL FILE_HANDLE hFile, void* pBuffer, unsigned int uSize) unsigned int AlFileWritewrite to a ale handle ( HANDLE hFile, AL FILE
_ void const * pBuffer, unsigned int uSize) int AlFileSetSize ( resize file AL_FILE
HANDLE hFile, _ unsigned int uSize) int AlFileStat ( obtain file information char const* pszFilename, ALStatBuf* pStat) The file handle type AL FILE HANDLE is defined as typedef struct AL FILE HANDLE struct - - -*AL_FILE HANDLE;
And a constant used to specify an invalid persistent storage handle INVALID AL FILE HANDLE is defined as #define INVALID AL FILE HANDLE ((AL FILE HANDLE)0) The file status buffer type AlStatBuf is defined as typedef struct AlStatBuf struct f unsigned long ulSize;
unsigned long ulTime;
AlStatBuf;
AlFileOpen Description Opens specified file and returns its handle.
Prototype AL_FILE_HANDLE AlFileOpen( const char* pszFilename, int iMode);
Parameters pszFilename [in] File name/path string .
iMode [in] File access mode.
AL_OPEN READ Open file for reading P.L-OPEN WRITE Open file for both reading and writing Return Value File handle if successful, INVALID AL FILE HANDLE otherwise.
See Also AlFileClose ( ) , AlFileRead ( ) , AlFileWrite ( ) AlFileClose Description Closes and releases system resource associated with specified file handle.
Prototype void AIFileClose( AL FILE HANDLE hFile );
Parameter hFile [in] File handle returned by AlFileOpen ( ) .
Return Value none See Also AlFileOpen(),AlFileRead(),AlFileWrite() AlFileS eek Description Repositions read/write file offset.
Prototype long AlFileSeek( AL_FILE_HANDLE hFile, long lOffset, int iWhence);
Parameter hFile [in] An open file handle.
lOffset [in] File offset relative to the iWhence directive.
iWhence [in] Initial position. Possible values are:
AL_SEEK_SET The offset parameter specifies the absolute file offset. Tn other words, offset from the beginning of the file.
AL-SEEK CUR Specifies relative offset- the offset parameter specifies file offset from the current file offset.
Ai~-SEEK END Specifies file offset from the end of the file.
Return Value Resulting file offset if successful, -1L otherwise.
See Also AlFileOpen ( ) , AlFileClose ( ) , AlFileRead ( ) , AlFileWrite ( ) AIFileRead Description Reads a block of data from a file.
Prototype unsigned int AlFileRead( AL_FILE_HANDLE hFile, void* pBuffer, unsigned int uSize );
Parameter hFile [in] An open file handle.
pBuf f er [out] Data buffer.
uSize [out] Amount of data to read.
Return Value Number of bytes read if success, -1 otherwise.
See Also AlFileOpen ( ) , AlFileClose ( ) , AlFileSeek ( ) , AlFileWrite ( ) AlFileWrite Description Writes a block of data to a file.
Prototype unsigned int AlFileWrite( AL_FILE_HANDLE hFile, void const* pBuffer, unsigned int uSize );
Parameter hFile [in] An open file handle.
pBuf f er [int] Buffer holding data to write.
uSize [out] Amount of data to write.
Return Value Amount of data written if success, -1 otherwise.
See Also AlFileOpen ( ) , AlFileClose ( ) , AlFileSeek ( ) , AlFileRead ( ) AlFileS etSize Description Resizes open file.
For platforms without native file resize support, the abstraction library implements this functionality by modifying the size information stored at the beginning of each file when the AlFileClose ( ) function is called.
Prototype unsigned int AlFileSetSize( AL_FILE_HANDLE hFile, unsigned int uSize );
Parameter hFile [in] Handle referencing an open file with write-mode.
uSize [out] New file length in bytes.
Return Value 0 if success, -1 otherwise.
See Also AlFileStat() AlFileStat Description Retrieve file size and creation timestamp.
For platforms that have do not provide a native file size andlor timestamp information retrieval method, the abstraction library implements this function by storing the information at the beginning of each file.
Prototype int AlFileStat( char const* pszFilename, AlStatBuf"' pStat );
Parameter pszFilename [in] Name of file to retrieve information.
pStat [out] Pointer to a structure used to return size and timestamp information.
The structure contains the following fields:
typedef struct AlStatBuf struct unsigned long ulSize; /* size in bytes */
unsigned long ulTime; /* creation time */
} AlStatBuf;
Return Value 0 if success, -1 otherwise.
Data Authentication Included in the platform abstraction API is a set of functions for authenticating data.
The data authentication API is used to validate downloaded malware signature database.
Once the caller obtains an authentication object handle using the AlDaopen function, a call to the AlDaVeri fy is made to verify the data supplied.
AlDaGetSignerInfo ( ) is used to retrieve a signer information. AlDaClose ( ) is used to close and release data authentication handle and related system resources.
Below is an exemplary data authentication API
unction . Dsscriptioh AL_DA HANDLE AlDaOpen ( Obtain data authentication handle from a given const void *pSig, signature/certificate unsigned int uSigSize) void AlDaClose ( Close data authentication handle obtained using AL DA HANDLE hHandle) AlDaOpen() AlDaVeri fy ( Data authentication function.
The caller provides AL DA HANDLE hDA, a data retrieval method via callback function.
int (*pfRead)(void *, void *, int), void *pPrivate) int AlDaGetSignerInfo ( Retrieve signer information.
HANDLE hDA, AL
DA
_ _ DaSignerlnfo *pDSI) The data authentication handle returned by the AlDaopen ( ) function is defined as ALHANDLE(AL DA HANDLE);
#define INVALID AL DA HANDLE ((AL DA HANDLE) 0) The signer information structure is defined as #define MAX DA SIGNER NAME 128 typedef struct DaSignerInfo-struct char szSignerName[MAX DA SIGNER NAME];
DaSignerInfo;
AIDaOpen Description Creates and returns a data authentication handle.
Prototype AL_DA_HANDLE AIDaOpen( const void* pSig, unsigned int uSigSize );
Parameters pSig [in] Pointer to a signature data.
uSigSize [in] Signature size in bytes.
Return Value Data authentication handle if successful, IrIV~zD ~ DA ALE OtherwlSe.
See Also AlDaClose ( ) , AlDaUpdate ( ) , AlDaVerify ( ) , AlDaGetSignerInfo() AIDaClose Description Releases system resource used for a data authentication handle.
Prototype void AIDaClose( AL DA HANDLE hDa );
Parameters hDa [in] Data authentication handle returned byAlDaopen.
Return Value none See Also AlDaOpen ( ) , AlDaUpdate ( ) , AlDaVerify ( ) , AlDaGetSignerInfo() AIDaVerify Description Performs data authentication.
Prototype int AIDaVerify( AL_DA_HANDLE hDa, int (*pfRead)(void *, void *, int), int iTotalSize, void *pPrivate );
Parameters hDa [in] Data authentication handle.
pfRead [in] Caller callback function to use for reading data (see ). It returns -1 in case of an error, 0 if there is no more data to read, and otherwise the amount of data read and returned to the AlDaVerify function. It is expected that the function is called multiple times.
iTotalSize [in] Total data size to be verified.
pPrivate [in] Caller's private data to be passed by pfRead callback.
Return Value 0 if the application data is authenticated, -1 otherwise.
See Also AlDaOpen ( ) , AlDaClose ( ) , AIDaGetSignerInfo ( ) Below is a sample data read callback function.
int ReadCallback(void *pPrivate, void *pData, int iSize) return iDataRead;
AlDaGetSi~nerInfo Description Retrieves data authentication signer information.
Prototype int AlDaGetSignerInfo( AL_DA_HANDLE hDA, DaSignerInfo *pDSI );
Parameters hDa [in] Data authentication handle.
pDSI
[out] Pointer to a structure containing the signer information.
Return Value 0 if the signer information is obtained successfully, -1 otherwise.
See Also AlDaOpen ( ) , AlDaClose ( ) , AlDaVerify ( ) Synchronization Obiect Resource synchronization and control is done using a semaphore. Included in the abstraction library is a set of functions to create, open, close and modify a semaphore object. Below is an exemplary semaphore API.
~~~~~~~. ~~~~
AL-SEM_HANDLE AlSemCreate create~a named semaphore and return ( its handle char const* pszName) AL SEM HANDLE AlSemOpen return a handle to an existing ( semaphore char const* pszName) void Alsemclose ( close semaphore handle; reference count is decremented AL_SEM HANDLE hHandle by one, and the semaphore referenced ) is released if the count reaches zero.
int AlSemGet ( acquire a semaphore AL SEM HANDLE hHandle) int AlSemRelease ( release a semaphore AL SEM HANDLE hHandle) A1S emCreate Description Creates a named-semaphore, sets internal counter to zero, and returns its handle.
Prototype AL SEM~HANDLE AISemCreate( char const* pszName );
Parameters pszName [in] Semaphore name string.
Return Value Semaphore~handle if successful, INVALm A1, SEM ALE otherwise.
See Also AlSemOpen ( ) , AlSemClose ( ) , AlSemGet ( ) , AlSemRelease ( ) AISemOpen Description Returns a handle to an existing semaphore.
Prototype AL SEM HANDLE AISemOpen( char const* pszName );
Parameters pszName [in] Semaphore name.
Return Value Semaphore handle if successful, INVALm AL SEM HANDLE otherwise.
See Also AlSemCreate ( ) , A7.SemClose ( ) , AlSemGet ( ) , AlSemRelease ( ) A1S emClose Description Closes and releases system resource associated specified semaphore handle.
Semaphore usage/reference count is also decremented, and the referenced semaphore object is destroyed if the count reaches zero.
Prototype void AISemClose( AL SEM HANDLE hSem );
Parameters hSem [in] Semaphore handle obtained using AlSemCreate ( ) or AlSemOpen ( ) .
Return Value none See Also AlSemCreate ( ) , AlSemOpen ( ) , AlSemGet ( ) , AlSemRelease ( ) AlSemGet Description Acquires specified semaphore. If the internal counter is greater than zero on entry, it is decremented by one and returned immediately. If the internal counter is zero on entry, the call is blocked until other tasks/threads call Al S emRe 1 a a s a ( ) to make it greater than zero.
Prototype int AISemGet( AL SEM HANDLE hSem );
Parameters hSem [in] Semaphore handle.
Return Value 0 if successful, -1 otherwise.
See Also AlSemCreate ( ) , AlSemOpen ( ) , AlSemClose ( ) , AlSemRelease ( ) AISemRelease Description Releases the semaphore, incrementing the internal counter by one.
Prototype int AISemRelease( AL SEM HANDLE hSem );
Parameters hSem [in] Semaphore handle.
Return Value 0 if successful, -1 otherwise.
See Also AlSemCreate ( ) , AlSemOpen ( ) , AlSemClose ( ) , AlSemGet ( ) HTTP API
Included in the abstraction library is a set of functions that provide HTTP
network I/O
using a caller provided callback structure. Below is an exemplary HTTP API.
Functian=' I~escri~ tion AL_HTTP HANDLE AlHttpopen Create and return an HTTP I/O handle.
(void) void AlHttpClose ( Close HTTP I/O handle.
AL HTTP HANDLE hHandle) int AlHttpExec ( Perform GET or PUT operation.
AL_HTTP_HANDLE hHandle, char const* pszMethod, char const* pszURL, AlHttpCallbacks* pHttpCb, void* pPrivate) The HTTP handle returned by the AlHttpopen ( ) function is defined as typedef struct AL_HTTP HANDLE_struct *AL HTTP HANDLE;
#define INVALID AL HTTP HANDLE ((AL HTTP HANDLE)0) The HTTP callback structure AlHttpCallbacks is defined as typedef struct AlHttpCallbacks struct unsigned int (* pWrite)(void* pPrivate, void const* pData, unsigned int uSize);
unsigned int (* pRead)(void* pPrivate.
void* pData, unsigned int uSize);
unsigned int (* pGetSize)(void* pPrivate);
unsigned int (* pSetSize)(void* pPrivate, AlHttpCallbacks;
unsigned int uSize);
The callback functions given in the above HTTP callback structure provide the following functionalities:
pWrite Called by the system HTTP library to store incoming HTTP
request data.
pRead Used to retrieve application data to be sent as part of an HTTP
request.
pGet S i ze Provides the HTTP library with application's content data size, "Content-Length".
pset s i ze Called by the HTTP library to inform calling application with incoming content data length when available.
AlHttpO eon Description Creates and returns a handle to the HTTP library.
Prototype AL HTTP HANDLE AlHttpOpen( void );
Parameters none Return Value INVALID_AL_HTTP_HANDLE is returned if failed to create an HTTP
instance.
See Also AlHttpClose() AlHttpClose Description Closes and release system resources associated with an HTTP handle.
Prototype void AIHttpClose( AL HTTP HANDLE hHTTP );
Parameters hHTTP
[in] HTTP library handle returned by the AlHttpopen ( ) function.
Return Value none See Also AlHttpClose() AlHt Exec Description Executes an HTTP method ( "GET" or "POST") on the specified URL with optional header information.
Prototype int ALHttpExec( AL_HTTP_HANDLE hHTTP, char const* pszMethod, char const* pszURL, AIHttpCallbacks* pHttpCb, void* pPrivate );
Parameters hHTTP
[in] HTTP library handle returned by the AlHttpopen ( ) function.
pszMethod [in] HTTP method specification. HTTP "GET" or "POST".
pszURL
[in] The URL where the HTTP request is made.
pHttpCb [in] Pointer to a set of caller specified HTTP I/O functions. The HTTP library uses the functions specified in the AlHttpCallbacks structure for data I/O.
pPrivate [in/out] Pointer to a caller data to be passed back to the callback functions specified in the AlHttpCal lbacks structure.
Return Value 0 if successful, -1 otherwise.
See Also AlHttpOpen ( ) , AlHttpClose ( ) Shared Memory The location of the system memory where the library's shared objects are stored is obtained using the AlShmAddress ( ) function. This shared information area is allocatedlprepared at device boot time and referenced by different instances of the library.
AIShmAddress Description Returns shared memory address.
Prototype void* AIShmAddress( void );
Parameters none Return Value shared memory address if successful, NULL otherwise.
Time AlTmGetCurrent ( ) provides callers with the current system time in seconds.
AITmGetCurrent Description Obtains current system time.
Prototype unsigned long AITmGetCurrent( void );
Parameters none Return Value On success, time in seconds since the Epoch ( 00:00:00 in UTC, January 1St , 1970). On error, ( ( unsigned l ong ) -1 L ) is returned.
Device Information AIDevGetInfo Description Retrieves device specific information. Device identification string returned by this function is used by the API.
Prototype int AlDevGetlnfo( AlDeviceInfo* pDevicelnfo );
Parameters pDeviceInfo [out] Pointer to device information.
The AlDevicelnfo structure is defined as #define AL MAX DEVICE ID 32 typedef struct AlDeviceInfo struct char szDeviceID[AL MAX DEVICE ID];
AlDeviceInfo;
The identification string, szDeviceID, is a unique terminal/device identifier-used to uniquely identify a particular mobile communication device from all others. This information is used in constructing a malware signature download URL for the mobile communication device. It must not contain any characters that are not allowed in an LTRL (i.e. white space).
Return Value 0 on success, -1 on failure.
Debugging AIDb _~Output Description Outputs debug string to a debug console. This function is a null function for release build.
Prototype int AlDbgOutput( char const* pszOutput );
S
Below is a table that describes the above URL
variables Vaxiable Description <BASE- update server URL obtained using the URL> MDoConfigGet function (see section 0) <DEV-ID> Mobile communication device identifier;
returned by the AlDevGetlnfo function.
<MDO- MDo API version VER>
<ENG- detection logic, mdo.pd, version VER>
<SDB- signature database, mdo.sdb, version VER>
<CHUNK> update package chunk, or portion, number;
one (=1) initially Table #23 illustrates a specific example of a URL that conforms with the above description.
Table #23 http://update.mcafeeacsa.com/5041?dev=X504105&mdo=2&eng=3&sdb=56&chk=1 The above URL of Table #23 specifies base-URL
"http://update.mcafeeacsa.com/504i", "X504105" as the device identifier, API version 2, malicious code detection logic version 3, and signature database version 56. It should be noted that the "chunk," or portion, number may be set to 1 when the mobile communication device initially contacts the back end server. Also, the base-URL may be obtained using the MDoConfigGet API using the "UpdateURL" configuration variable.
After receiving the request, the back end server determines which update package needs to be downloaded by comparing stored malicious code detection logic and signature database versions with the version information encoded in the URL.
If no update is needed, the backend returns a no-content response. In operation 1701, the mobile communication device receives the response as the first portion. If it is determined that the first portion includes the foregoing no-content response (see decision 1702), the method 1700 is terminated, as there is no update to download. Such feature is beneficial in accommodating the limited bandwidth inherent in mobile communication frameworks.
On the other hand, if the first portion of an update package is returned, the method 1700 is continued by receiving additional portions of the update subsequent to (or possibly in parallel with) the receipt of the first portion of the update. Note operations 1704-1708.
It should be noted that the first portion may be accompanied with the total package size and portion count information.
To download the remaining update portions, the portion number of the download URL
may be modified. Table #24 illustrates a specific example of a URL that specifies portion number "3."
Table #24 http://update.mcafeeacsa.com/504i?dev=X504105&mdo=2&eng=3&sdb=56&chk=3 In one embodiment, integrity of the update may be determined. Accordingly, the update may be conditionally installed with the scanning subsystem, based on whether the integrity of the update is verified.
As an option, the integrity of the update may be determined utilizing a signature. Such signature may be received with one of the portions (i.e. a last portion) of the update.
Then, the signature may be compared against another signature generated utilizing each of the portions of the update. Note operation 1710.
In one embodiment, the signature may be generated using a RSA private key and authenticated on the mobile communication device using a corresponding public key included in the update. The signature verification and generation may further be performed using a specified authentication library.
Assuming that the integrity is verified, any scanning being performed by the scanning subsystem is paused, or halted. Note operation 1712. It should be noted that such pausing may be optional.
Next, the update may be installed with the scanning subsystem. Note operation 1714.
In the embodiment where any scanning is paused, the scanning may subsequently be resumed utilizing the scanning subsystem upon the update being installed with the scanning subsystem. See operation 1716.
To accommodate the limited bandwidth inherent in mobile communication frameworks, a size of the portions of the update may be minimized. Moreover, the portions of the update rnay be compressed.
In yet another embodiment, a format of each portion of the update may be designed to accommodate the limited bandwidth inherent in mobile communication frameworks.
More information will now be set forth regarding such format.
Table #25 illustrates an exemplary format for downloading the portions of the update.
Table #25 MPKG
<partl>
<part2 >
<partn>
[signature:sig-len]
[sig-len:4]
Each of the foregoing parts set forth in Table #25 is defined as follows in Table #26.
Table #26 X-ContentLength: <part-length>\r\n X-ContentName: <part-name>\r\n X-Name: <component-name>\r\n X-Version: <component-version>\r\n \r\n [part-data: part-length bytes]
Each part is made up of a header and data. Such header may indicate an identifier of the associated portion of the update, a length of the associated portion of the update, etc.
Moreover, the header may specify the contained data name and length, and be separated from the actual data with an extra CR+LF pair. Table #27 sets forth exemplary data/content names associated with the header.
Table #27 Component D~saription Name "pd" detection logic "sdb" signature database update Table #28 illustrates an exemplary update package.
Table #28 MPKG
X-ContentLength: 6423\r\n X-ContentName: update30-32\r\n X-Name: sdb\r\n X-Version: 32\r\n \r\n <SDB update binary:6423>
<signature:sig-len>
<sig-len:4>
S
Abstract Library API
As mentioned previously, a platform-independent system and associated method are provided for use with a mobile communication device. Included is a platform-independent scanning subsystem in communication with the operating system of a mobile communication device for scanning purposes. Further provided is a platform-independent application program interface for interfacing the operating system and the scanning subsystem. The platform-independent application program interface includes an abstract library for porting the platform-independent scanning subsystem to the mobile communication device and associated operating system.
By this design, the scanning subsystem may be platform-independent, and thus be capable of being implemented on any type of operating system/mobile communication device combination.
In one embodiment, the abstract library may support system initialization, library initialization, error functions, memory allocation, inputloutput (I/O), data authentication, synchronization, hypertext transfer protocol, shared memory, system time, device information, and debugging. More exemplary information relating to one optional WO 2004/095177 ' 45 ' PCT/US2004/011652 implementation of the foregoing application program interface is set forth in Appendix A.
While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of a preferred embodiment should not be limited by any of the above described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.
APPENDIX A
The present application program interface (API) includes the following subsystems:
~ system initialization ~ library initialization ~ error functions ~ heap memory allocation ~ persistent memory/storage I/O
~ data authentication ~ synchronization object (semaphore) ~ HTTP API
~ shared memory ~ system time ~ device information ~ debugging Also described in this Appendix is a set of C-language definitions) defined in the abstraction library (AL) layer for use in the API library.
System Initialization Platform/system dependent boot initialization is performed by the AlLibrarySysInit ( ) function. This function is designed to be called from the MDoSystemlnit ( ) function described earlier.
AlLibrar~ysInit Description Performs system dependent initialization.
Prototype int AlLibrarySysInit( void );
Parameters none Return Value 0 if successful, -1 otherwise.
Library Initialization The platform abstraction API library is initialized using the Al InitLibrary ( ) function. The abstraction library is to be initialized once before an abstraction API
function is called. The system resource obtained and initialized by Al InitLibrary ( ) is released when the AlCleanupLibrary ( ) function is called.
AlInitLibrary Description Performs library initialization. This function is to be called by the MDoLibraryOpen ( ) function.
Prototype int AlInitLibrary( void );
Parameters none Return Value 0 if successful, -1 otherwise.
AlCleanupLibrary Description Releases system resource acquired by the Al InitLibrary ( ) function. This function is to be called by the MDoLibraryClose ( ) function specified earlier.
Prototype void AlCleanupLibrary( void );
Parameters none Return Value none Error Functions Parameters pszOutput [in] String to output to debug console.
Return Value 0 on success, -1 on failure.
Included in the AL library is a set of error functions used to set and retrieve tasklthread specific error codes. It is the responsibility of the abstraction layer implementer to set appropriate error codes and component codes.
AIGetLastError Description Returns the calling task/thread's last-error code value. Functions set the returned value using the AlSetLastError() function.
The AlErrorCode data type is internally represented using a 32-bit unsigned value.
Prototype AlErrorCode AIGetLastError( void );
Parameters none Return Value The calling threadltask's last-error value set using the Al S a t La s t Error ( ) function.
AISetLastError Description Sets the last-error code for the calling thread/task.
Prototype void AISetLastError( AlErrorCode errorCode );
Parameters errorCode [in] 32-bit error code value.
Return Value none ErrorlStatus Codes Component _ Error ~ ~ ~. ~ __ _..._..~~~~e ~o~e ~ ~. v~~~~ . oe~~~~~~~~~
N/A 0 0 ALE-SUCCES S 0 0 success; not an h 0 error h N/A 0 0 ALE CANCELLED 0 0 operation cancelled;
h 01 not an error AL-SYS MODULE 01h ALE BAD FILE MODE 2711 invalid file mode h ALE FILE OPEN 2 712 failed to open h ALE F I LE_WRI TE 2 713 failed to write to a file h ALE BAD SEEK_MODE 2 714 invalid seek mode h ALE-SEEK_OOB 2 715 invalid seek location h ALE FILE SEEK 2716 failed to seek to a s ecific file location ALE FILE READ 2717 failed to read h ALE FILE WRITE MODE 2 718 invalid write mode h access ALE-S I ZE OOB 2 719 invalid file size;
failed to char a file size ALE-SEM_CREATE 2 71A semaphore creation h failed ALE-SEM OPEN 271B semaphore open failed h ALE-SEM WAIT 2 71C wait on semaphore h failed AL FiTTP MODULEllh ALE HTTP OK 11C8 "200 - - ok"; not an error (1000h lFFFh) - ALE HTTP NO CONTENT 11CC "204 no content";
not an error ALE~HTTP FORBIDDEN 1193h "403 forbidden";
forbidden URL
ALE HTTP NOT FOUND 1194h "404 not found";
- - invalid ALE HTTP REQ TIMEOUT 1198h "408 request timeout";
GET/PUT re uest time out ALE_HTTP GW TIMEOUT 11F8h "504 gateway timeout";
failed to receive info from atewa AL_COM_MODULE 2 0 ALE COM_TEMP ERROR 2 0 temporary ( z o 0 oh-2 h 0 communication o FFh) 0 error h ALE COM PERM ERROR 2 0 permanent 01 communication error AL DA_MODULE 21h ALE DA_CERT EXPIRED 2100 expired certificate h (2looh-2oFFh) ALE_DA_CERT_BAD 2101 invalid certificate h ALE_DA_CERT_UNSUPPORTED2102h u~u orted certificate ALE DA_CERT_REVOKE 2103h revoked certificate ' _DA_CERT_EXPIRED 2104h certificate ex ALE fired ALE_DA_SCA_CERT_EXPIRED2105h sub CA certificate ex iced ALE_DA_RCA_CERT_EXPIRED2106h root CA certificate ex fired ALE_DA_RCA_CERT_DISABLED2107h root CA certificate disabled ALE_DA_CERT_UNKNOWN 2108h ~o~certificate ALE DA DATA ALTERED 210 data altered 9h The above table lists a set of AL component and error codes. An error reported using the AISetLastError function is a 32-bit value formed by combining a component code with an error code. The error set at the AL level is retrieved using the MDoGetLastError function to take an appropriate action when an error occurs.
Heau Memory Allocation The abstraction layer provides a heap memory allocation API for a calling application program (i.e. a "caller") to dynamically allocate memory needed. The allocated memory is assumed to be globally sharable which can be accessed by multiple applications/tasks.
The AlMemAl loC ( ) and AlMemFree ( ) API functions provide allocation and deallocation of the heap memory.
Function Descri filon=. .~ . , '' void* AlMemAlloc allocate a block of dynamic memory c unsigned int uSize) void AlMemFree ( free memory allocated using AIMemAlloc void* ptr) AIMemAlloc Description Allocate a specified amount of dynamic memory and returns a pointer to that memory. The allocated memory block is directly accessible by the caller (i.e.
calling application program) without requiring a special operation (i.e.
memory locking).
Prototype void* AlMemAlloc( unsigned int uSize );
Parameters uSize [in] Amount of memory to allocate in bytes.
Return Value A pointer to the allocated memory. NULL if the request fails or the request size is zero.
See Also AlMemFree ( ) AlMemFree Description Frees a dynamic memory block returned by the AlMemAl loc ( ) function.
Prototype void AIMemFree( void* pData );
Parameters pData [in] Pointer to a memory block to be freed.
Return Value none See Also AlMemAlloc() Persistent Storage y0 The persistent storage (i.e. flash memory) access is performed using a file I/O API. See below:
Name ..__ _._.. pescri ' tion ~~ """" ..
AL_FILE HANDLE AlFileOpen c open, create if.necessary, specified file and return char oonst* pszFilename, int iMode ) lts handle void AlFileclose ( close file handle returned by AlFileOpen ( ) AL FILE HANDLE hFile) unsigned int AlFileseekreppSltlori f 1e OffSet ( AL FILE HANDLE hFile) unsigned int AlFileReadread from a file handle ( AL FILE_HANDLE hFile, void* pBuffer, unsigned int uSize) unsigned int AlFileWritewrite to a ale handle ( HANDLE hFile, AL FILE
_ void const * pBuffer, unsigned int uSize) int AlFileSetSize ( resize file AL_FILE
HANDLE hFile, _ unsigned int uSize) int AlFileStat ( obtain file information char const* pszFilename, ALStatBuf* pStat) The file handle type AL FILE HANDLE is defined as typedef struct AL FILE HANDLE struct - - -*AL_FILE HANDLE;
And a constant used to specify an invalid persistent storage handle INVALID AL FILE HANDLE is defined as #define INVALID AL FILE HANDLE ((AL FILE HANDLE)0) The file status buffer type AlStatBuf is defined as typedef struct AlStatBuf struct f unsigned long ulSize;
unsigned long ulTime;
AlStatBuf;
AlFileOpen Description Opens specified file and returns its handle.
Prototype AL_FILE_HANDLE AlFileOpen( const char* pszFilename, int iMode);
Parameters pszFilename [in] File name/path string .
iMode [in] File access mode.
AL_OPEN READ Open file for reading P.L-OPEN WRITE Open file for both reading and writing Return Value File handle if successful, INVALID AL FILE HANDLE otherwise.
See Also AlFileClose ( ) , AlFileRead ( ) , AlFileWrite ( ) AlFileClose Description Closes and releases system resource associated with specified file handle.
Prototype void AIFileClose( AL FILE HANDLE hFile );
Parameter hFile [in] File handle returned by AlFileOpen ( ) .
Return Value none See Also AlFileOpen(),AlFileRead(),AlFileWrite() AlFileS eek Description Repositions read/write file offset.
Prototype long AlFileSeek( AL_FILE_HANDLE hFile, long lOffset, int iWhence);
Parameter hFile [in] An open file handle.
lOffset [in] File offset relative to the iWhence directive.
iWhence [in] Initial position. Possible values are:
AL_SEEK_SET The offset parameter specifies the absolute file offset. Tn other words, offset from the beginning of the file.
AL-SEEK CUR Specifies relative offset- the offset parameter specifies file offset from the current file offset.
Ai~-SEEK END Specifies file offset from the end of the file.
Return Value Resulting file offset if successful, -1L otherwise.
See Also AlFileOpen ( ) , AlFileClose ( ) , AlFileRead ( ) , AlFileWrite ( ) AIFileRead Description Reads a block of data from a file.
Prototype unsigned int AlFileRead( AL_FILE_HANDLE hFile, void* pBuffer, unsigned int uSize );
Parameter hFile [in] An open file handle.
pBuf f er [out] Data buffer.
uSize [out] Amount of data to read.
Return Value Number of bytes read if success, -1 otherwise.
See Also AlFileOpen ( ) , AlFileClose ( ) , AlFileSeek ( ) , AlFileWrite ( ) AlFileWrite Description Writes a block of data to a file.
Prototype unsigned int AlFileWrite( AL_FILE_HANDLE hFile, void const* pBuffer, unsigned int uSize );
Parameter hFile [in] An open file handle.
pBuf f er [int] Buffer holding data to write.
uSize [out] Amount of data to write.
Return Value Amount of data written if success, -1 otherwise.
See Also AlFileOpen ( ) , AlFileClose ( ) , AlFileSeek ( ) , AlFileRead ( ) AlFileS etSize Description Resizes open file.
For platforms without native file resize support, the abstraction library implements this functionality by modifying the size information stored at the beginning of each file when the AlFileClose ( ) function is called.
Prototype unsigned int AlFileSetSize( AL_FILE_HANDLE hFile, unsigned int uSize );
Parameter hFile [in] Handle referencing an open file with write-mode.
uSize [out] New file length in bytes.
Return Value 0 if success, -1 otherwise.
See Also AlFileStat() AlFileStat Description Retrieve file size and creation timestamp.
For platforms that have do not provide a native file size andlor timestamp information retrieval method, the abstraction library implements this function by storing the information at the beginning of each file.
Prototype int AlFileStat( char const* pszFilename, AlStatBuf"' pStat );
Parameter pszFilename [in] Name of file to retrieve information.
pStat [out] Pointer to a structure used to return size and timestamp information.
The structure contains the following fields:
typedef struct AlStatBuf struct unsigned long ulSize; /* size in bytes */
unsigned long ulTime; /* creation time */
} AlStatBuf;
Return Value 0 if success, -1 otherwise.
Data Authentication Included in the platform abstraction API is a set of functions for authenticating data.
The data authentication API is used to validate downloaded malware signature database.
Once the caller obtains an authentication object handle using the AlDaopen function, a call to the AlDaVeri fy is made to verify the data supplied.
AlDaGetSignerInfo ( ) is used to retrieve a signer information. AlDaClose ( ) is used to close and release data authentication handle and related system resources.
Below is an exemplary data authentication API
unction . Dsscriptioh AL_DA HANDLE AlDaOpen ( Obtain data authentication handle from a given const void *pSig, signature/certificate unsigned int uSigSize) void AlDaClose ( Close data authentication handle obtained using AL DA HANDLE hHandle) AlDaOpen() AlDaVeri fy ( Data authentication function.
The caller provides AL DA HANDLE hDA, a data retrieval method via callback function.
int (*pfRead)(void *, void *, int), void *pPrivate) int AlDaGetSignerInfo ( Retrieve signer information.
HANDLE hDA, AL
DA
_ _ DaSignerlnfo *pDSI) The data authentication handle returned by the AlDaopen ( ) function is defined as ALHANDLE(AL DA HANDLE);
#define INVALID AL DA HANDLE ((AL DA HANDLE) 0) The signer information structure is defined as #define MAX DA SIGNER NAME 128 typedef struct DaSignerInfo-struct char szSignerName[MAX DA SIGNER NAME];
DaSignerInfo;
AIDaOpen Description Creates and returns a data authentication handle.
Prototype AL_DA_HANDLE AIDaOpen( const void* pSig, unsigned int uSigSize );
Parameters pSig [in] Pointer to a signature data.
uSigSize [in] Signature size in bytes.
Return Value Data authentication handle if successful, IrIV~zD ~ DA ALE OtherwlSe.
See Also AlDaClose ( ) , AlDaUpdate ( ) , AlDaVerify ( ) , AlDaGetSignerInfo() AIDaClose Description Releases system resource used for a data authentication handle.
Prototype void AIDaClose( AL DA HANDLE hDa );
Parameters hDa [in] Data authentication handle returned byAlDaopen.
Return Value none See Also AlDaOpen ( ) , AlDaUpdate ( ) , AlDaVerify ( ) , AlDaGetSignerInfo() AIDaVerify Description Performs data authentication.
Prototype int AIDaVerify( AL_DA_HANDLE hDa, int (*pfRead)(void *, void *, int), int iTotalSize, void *pPrivate );
Parameters hDa [in] Data authentication handle.
pfRead [in] Caller callback function to use for reading data (see ). It returns -1 in case of an error, 0 if there is no more data to read, and otherwise the amount of data read and returned to the AlDaVerify function. It is expected that the function is called multiple times.
iTotalSize [in] Total data size to be verified.
pPrivate [in] Caller's private data to be passed by pfRead callback.
Return Value 0 if the application data is authenticated, -1 otherwise.
See Also AlDaOpen ( ) , AlDaClose ( ) , AIDaGetSignerInfo ( ) Below is a sample data read callback function.
int ReadCallback(void *pPrivate, void *pData, int iSize) return iDataRead;
AlDaGetSi~nerInfo Description Retrieves data authentication signer information.
Prototype int AlDaGetSignerInfo( AL_DA_HANDLE hDA, DaSignerInfo *pDSI );
Parameters hDa [in] Data authentication handle.
pDSI
[out] Pointer to a structure containing the signer information.
Return Value 0 if the signer information is obtained successfully, -1 otherwise.
See Also AlDaOpen ( ) , AlDaClose ( ) , AlDaVerify ( ) Synchronization Obiect Resource synchronization and control is done using a semaphore. Included in the abstraction library is a set of functions to create, open, close and modify a semaphore object. Below is an exemplary semaphore API.
~~~~~~~. ~~~~
AL-SEM_HANDLE AlSemCreate create~a named semaphore and return ( its handle char const* pszName) AL SEM HANDLE AlSemOpen return a handle to an existing ( semaphore char const* pszName) void Alsemclose ( close semaphore handle; reference count is decremented AL_SEM HANDLE hHandle by one, and the semaphore referenced ) is released if the count reaches zero.
int AlSemGet ( acquire a semaphore AL SEM HANDLE hHandle) int AlSemRelease ( release a semaphore AL SEM HANDLE hHandle) A1S emCreate Description Creates a named-semaphore, sets internal counter to zero, and returns its handle.
Prototype AL SEM~HANDLE AISemCreate( char const* pszName );
Parameters pszName [in] Semaphore name string.
Return Value Semaphore~handle if successful, INVALm A1, SEM ALE otherwise.
See Also AlSemOpen ( ) , AlSemClose ( ) , AlSemGet ( ) , AlSemRelease ( ) AISemOpen Description Returns a handle to an existing semaphore.
Prototype AL SEM HANDLE AISemOpen( char const* pszName );
Parameters pszName [in] Semaphore name.
Return Value Semaphore handle if successful, INVALm AL SEM HANDLE otherwise.
See Also AlSemCreate ( ) , A7.SemClose ( ) , AlSemGet ( ) , AlSemRelease ( ) A1S emClose Description Closes and releases system resource associated specified semaphore handle.
Semaphore usage/reference count is also decremented, and the referenced semaphore object is destroyed if the count reaches zero.
Prototype void AISemClose( AL SEM HANDLE hSem );
Parameters hSem [in] Semaphore handle obtained using AlSemCreate ( ) or AlSemOpen ( ) .
Return Value none See Also AlSemCreate ( ) , AlSemOpen ( ) , AlSemGet ( ) , AlSemRelease ( ) AlSemGet Description Acquires specified semaphore. If the internal counter is greater than zero on entry, it is decremented by one and returned immediately. If the internal counter is zero on entry, the call is blocked until other tasks/threads call Al S emRe 1 a a s a ( ) to make it greater than zero.
Prototype int AISemGet( AL SEM HANDLE hSem );
Parameters hSem [in] Semaphore handle.
Return Value 0 if successful, -1 otherwise.
See Also AlSemCreate ( ) , AlSemOpen ( ) , AlSemClose ( ) , AlSemRelease ( ) AISemRelease Description Releases the semaphore, incrementing the internal counter by one.
Prototype int AISemRelease( AL SEM HANDLE hSem );
Parameters hSem [in] Semaphore handle.
Return Value 0 if successful, -1 otherwise.
See Also AlSemCreate ( ) , AlSemOpen ( ) , AlSemClose ( ) , AlSemGet ( ) HTTP API
Included in the abstraction library is a set of functions that provide HTTP
network I/O
using a caller provided callback structure. Below is an exemplary HTTP API.
Functian=' I~escri~ tion AL_HTTP HANDLE AlHttpopen Create and return an HTTP I/O handle.
(void) void AlHttpClose ( Close HTTP I/O handle.
AL HTTP HANDLE hHandle) int AlHttpExec ( Perform GET or PUT operation.
AL_HTTP_HANDLE hHandle, char const* pszMethod, char const* pszURL, AlHttpCallbacks* pHttpCb, void* pPrivate) The HTTP handle returned by the AlHttpopen ( ) function is defined as typedef struct AL_HTTP HANDLE_struct *AL HTTP HANDLE;
#define INVALID AL HTTP HANDLE ((AL HTTP HANDLE)0) The HTTP callback structure AlHttpCallbacks is defined as typedef struct AlHttpCallbacks struct unsigned int (* pWrite)(void* pPrivate, void const* pData, unsigned int uSize);
unsigned int (* pRead)(void* pPrivate.
void* pData, unsigned int uSize);
unsigned int (* pGetSize)(void* pPrivate);
unsigned int (* pSetSize)(void* pPrivate, AlHttpCallbacks;
unsigned int uSize);
The callback functions given in the above HTTP callback structure provide the following functionalities:
pWrite Called by the system HTTP library to store incoming HTTP
request data.
pRead Used to retrieve application data to be sent as part of an HTTP
request.
pGet S i ze Provides the HTTP library with application's content data size, "Content-Length".
pset s i ze Called by the HTTP library to inform calling application with incoming content data length when available.
AlHttpO eon Description Creates and returns a handle to the HTTP library.
Prototype AL HTTP HANDLE AlHttpOpen( void );
Parameters none Return Value INVALID_AL_HTTP_HANDLE is returned if failed to create an HTTP
instance.
See Also AlHttpClose() AlHttpClose Description Closes and release system resources associated with an HTTP handle.
Prototype void AIHttpClose( AL HTTP HANDLE hHTTP );
Parameters hHTTP
[in] HTTP library handle returned by the AlHttpopen ( ) function.
Return Value none See Also AlHttpClose() AlHt Exec Description Executes an HTTP method ( "GET" or "POST") on the specified URL with optional header information.
Prototype int ALHttpExec( AL_HTTP_HANDLE hHTTP, char const* pszMethod, char const* pszURL, AIHttpCallbacks* pHttpCb, void* pPrivate );
Parameters hHTTP
[in] HTTP library handle returned by the AlHttpopen ( ) function.
pszMethod [in] HTTP method specification. HTTP "GET" or "POST".
pszURL
[in] The URL where the HTTP request is made.
pHttpCb [in] Pointer to a set of caller specified HTTP I/O functions. The HTTP library uses the functions specified in the AlHttpCallbacks structure for data I/O.
pPrivate [in/out] Pointer to a caller data to be passed back to the callback functions specified in the AlHttpCal lbacks structure.
Return Value 0 if successful, -1 otherwise.
See Also AlHttpOpen ( ) , AlHttpClose ( ) Shared Memory The location of the system memory where the library's shared objects are stored is obtained using the AlShmAddress ( ) function. This shared information area is allocatedlprepared at device boot time and referenced by different instances of the library.
AIShmAddress Description Returns shared memory address.
Prototype void* AIShmAddress( void );
Parameters none Return Value shared memory address if successful, NULL otherwise.
Time AlTmGetCurrent ( ) provides callers with the current system time in seconds.
AITmGetCurrent Description Obtains current system time.
Prototype unsigned long AITmGetCurrent( void );
Parameters none Return Value On success, time in seconds since the Epoch ( 00:00:00 in UTC, January 1St , 1970). On error, ( ( unsigned l ong ) -1 L ) is returned.
Device Information AIDevGetInfo Description Retrieves device specific information. Device identification string returned by this function is used by the API.
Prototype int AlDevGetlnfo( AlDeviceInfo* pDevicelnfo );
Parameters pDeviceInfo [out] Pointer to device information.
The AlDevicelnfo structure is defined as #define AL MAX DEVICE ID 32 typedef struct AlDeviceInfo struct char szDeviceID[AL MAX DEVICE ID];
AlDeviceInfo;
The identification string, szDeviceID, is a unique terminal/device identifier-used to uniquely identify a particular mobile communication device from all others. This information is used in constructing a malware signature download URL for the mobile communication device. It must not contain any characters that are not allowed in an LTRL (i.e. white space).
Return Value 0 on success, -1 on failure.
Debugging AIDb _~Output Description Outputs debug string to a debug console. This function is a null function for release build.
Prototype int AlDbgOutput( char const* pszOutput );
Claims (31)
1. A system for use with a mobile communication device, comprising:
a mobile communication device capable of communicating via a wireless network including an operating system and an application program installed thereon, the application program adapted to perform tasks utilizing the mobile communication device;
a platform-independent scanning subsystem adapted to scan application data related to the tasks performed by the application program using a first application program interface; and a platform-independent application program interface adapted to interface the platform-independent scanning subsystem and the operating system, the platform-independent application program interface including an abstract library adapted to facilitate porting the platform-independent scanning subsystem to the mobile communication device and the operating system.
a mobile communication device capable of communicating via a wireless network including an operating system and an application program installed thereon, the application program adapted to perform tasks utilizing the mobile communication device;
a platform-independent scanning subsystem adapted to scan application data related to the tasks performed by the application program using a first application program interface; and a platform-independent application program interface adapted to interface the platform-independent scanning subsystem and the operating system, the platform-independent application program interface including an abstract library adapted to facilitate porting the platform-independent scanning subsystem to the mobile communication device and the operating system.
2. The system of claim 1, wherein the application program includes a mail application program.
3. The system of claim 1, wherein the application program includes a browser application program.
4. The system of claim 1, wherein the application program includes a phone book application program.
5. The system of claim 1, wherein the application program includes a message application program.
6. The system of claim 1, wherein the application program includes a Java application program.
7. The system of claim 1, wherein the mobile communication device includes a cellular telephone.
8. The system of claim 1, wherein the abstract library supports system initialization.
9. The system of claim 1, wherein the abstract library supports library initialization.
10. The system of claim 1, wherein the abstract library supports error functions.
11. The system of claim 1, wherein the abstract library supports memory allocation.
12. The system of claim 1, wherein the abstract library supports memory input/output (I/O).
13. The system of claim 1, wherein the abstract library supports data authentication.
14. The system of claim 1, wherein the abstract library supports synchronization.
15. The system of claim 1, wherein the abstract library supports shared memory.
16. The system of claim 1, wherein the abstract library supports system time.
17. The system of claim 1, wherein the abstract library supports hypertext transfer protocol.
18. The system of claim 1, wherein the abstract library supports device information.
19. The system of claim 1, wherein the abstract library supports debugging.
20. The system of claim 1, wherein the abstract library supports system initialization, library initialization, error functions, memory allocation, input/output, data authentication, synchronization, hypertext transfer protocol, shared memory, system time, device information, and debugging.
21. A method for use with a mobile communication device, comprising:
communicating via a wireless network utilizing a mobile communication device including an operating system and an application program installed thereon;
executing the application program to perform tasks;
communicating data related to the tasks from the application program to a platform-independent scanning subsystem using a first application programming interface;
scanning the data with the platform-independent scanning subsystem; and interfacing and the scanning subsystem and the operating system utilizing a platform-independent application program interface, wherein the platform-independent application program interface includes an abstract library for porting the platform-independent scanning subsystem to the mobile communication device and the operating system.
communicating via a wireless network utilizing a mobile communication device including an operating system and an application program installed thereon;
executing the application program to perform tasks;
communicating data related to the tasks from the application program to a platform-independent scanning subsystem using a first application programming interface;
scanning the data with the platform-independent scanning subsystem; and interfacing and the scanning subsystem and the operating system utilizing a platform-independent application program interface, wherein the platform-independent application program interface includes an abstract library for porting the platform-independent scanning subsystem to the mobile communication device and the operating system.
22. A computer-readable medium having stored thereon machine executable code comprising:
a computer program product for use with a mobile communication device, comprising:
computer code for communicating via a wireless network utilizing a mobile communication device including an operating system and an application program installed thereon;
computer code for executing the application program to perform tasks;
computer code for communicating data related to the tasks to a platform-independent scanning subsystem using a first application programming interface;
computer code for scanning the data utilizing the platform-independent scanning subsystem; and computer code for interfacing the scanning subsystem and the operating system utilizing a platform-independent application program interface, wherein the platform-independent application program interface includes an abstract library for porting the platform-independent scanning subsystem to the mobile communication device and the operating system.
a computer program product for use with a mobile communication device, comprising:
computer code for communicating via a wireless network utilizing a mobile communication device including an operating system and an application program installed thereon;
computer code for executing the application program to perform tasks;
computer code for communicating data related to the tasks to a platform-independent scanning subsystem using a first application programming interface;
computer code for scanning the data utilizing the platform-independent scanning subsystem; and computer code for interfacing the scanning subsystem and the operating system utilizing a platform-independent application program interface, wherein the platform-independent application program interface includes an abstract library for porting the platform-independent scanning subsystem to the mobile communication device and the operating system.
23. The computer program product of claim 22, wherein the first application programming interface includes computer code for a first library, wherein the computer code for the first library facilitates the act of scanning the data.
24. The computer program product of claim 23, wherein the computer code for the first library further includes a malware signature database.
25. The computer program product of claim 22, wherein the data relating to the tasks includes information related to different types of application data.
26. The computer program product of claim 25, wherein the different types of application data include a hypertext markup language (HTML)-type, a uniform resource locator (URL)-type, an electronic mail-type, a telephone number-type, a Java-type, a text-type, and an unknown-type.
27. The computer program product of claim 25, wherein the data relating to the tasks further identifies a format associated with the different types of the application data.
28. The computer program product of claim 25, wherein the data relating to the tasks further includes variables that relate to the different types of the application data.
29. The computer program product of claim 22, wherein the data relating to the tasks includes a time indicating when the act of scanning the application program with the platform-independent scanning subsystem occurred.
30. The computer program product of claim 22, wherein the data relating to the tasks includes information that indicates scanning by the platform-independent scanning subsystem is optional.
31. The computer program product of claim 22, wherein the data relating to the tasks includes information that indicates scanning by the platform-independent scanning subsystem is mandatory.
Applications Claiming Priority (5)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US46384203P | 2003-04-17 | 2003-04-17 | |
| US60/463,842 | 2003-04-17 | ||
| US10/639,136 US6970697B2 (en) | 2003-04-17 | 2003-08-11 | Platform-independent scanning subsystem API for use in a mobile communication framework |
| US10/639,136 | 2003-08-11 | ||
| PCT/US2004/011652 WO2004095177A2 (en) | 2003-04-17 | 2004-04-05 | Platform-independent scanning subsystem api for use in a mobile communication framework |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CA2517553A1 CA2517553A1 (en) | 2004-11-04 |
| CA2517553C true CA2517553C (en) | 2013-01-22 |
Family
ID=33162383
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA2517553A Expired - Lifetime CA2517553C (en) | 2003-04-17 | 2004-04-05 | Platform-independent scanning subsystem api for use in a mobile communication framework |
Country Status (8)
| Country | Link |
|---|---|
| US (1) | US6970697B2 (en) |
| EP (1) | EP1629346A4 (en) |
| JP (1) | JP4597975B2 (en) |
| KR (1) | KR101046544B1 (en) |
| CN (1) | CN1939042B (en) |
| CA (1) | CA2517553C (en) |
| NO (1) | NO20055431L (en) |
| WO (1) | WO2004095177A2 (en) |
Families Citing this family (35)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7392043B2 (en) * | 2003-04-17 | 2008-06-24 | Ntt Docomo, Inc. | API system, method and computer program product for accessing content/security analysis functionality in a mobile communication framework |
| US7254811B2 (en) * | 2003-04-17 | 2007-08-07 | Ntt Docomo, Inc. | Update system and method for updating a scanning subsystem in a mobile communication framework |
| US9100431B2 (en) | 2003-07-01 | 2015-08-04 | Securityprofiling, Llc | Computer program product and apparatus for multi-path remediation |
| US8984644B2 (en) | 2003-07-01 | 2015-03-17 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
| US9118711B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
| US20070113272A2 (en) | 2003-07-01 | 2007-05-17 | Securityprofiling, Inc. | Real-time vulnerability monitoring |
| US9118709B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
| US9118708B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Multi-path remediation |
| US9118710B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | System, method, and computer program product for reporting an occurrence in different manners |
| US9350752B2 (en) | 2003-07-01 | 2016-05-24 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
| WO2005096145A2 (en) * | 2004-03-22 | 2005-10-13 | Motorola Inc., A Corporation Of The State Of Delaware | Method and apparatus for dynamic extension of device management tree data model on a mobile device |
| US7506309B2 (en) * | 2004-03-23 | 2009-03-17 | General Motors Corporation | Method for managing vehicle software configuration updates |
| KR100607361B1 (en) | 2005-03-22 | 2006-07-28 | 주식회사 케이티프리텔 | An equipment and method for interfacing between native system software and mobile platform in the wireless handset |
| US7881700B2 (en) * | 2005-09-30 | 2011-02-01 | Ntt Docomo, Inc. | Information communication apparatus and message displaying method |
| KR100868201B1 (en) * | 2005-09-30 | 2008-11-12 | 가부시키가이샤 엔티티 도코모 | Information communicating apparatus and message displaying method |
| US7634262B1 (en) * | 2006-03-07 | 2009-12-15 | Trend Micro, Inc. | Virus pattern update for mobile device |
| WO2007117574A2 (en) | 2006-04-06 | 2007-10-18 | Smobile Systems Inc. | Non-signature malware detection system and method for mobile platforms |
| US7657793B2 (en) * | 2006-04-21 | 2010-02-02 | Siemens Corporation | Accelerating software rejuvenation by communicating rejuvenation events |
| FR2902905A1 (en) * | 2006-06-21 | 2007-12-28 | France Telecom | DETECTION AND REACTION TO VIRAL PROPAGATIONS BY AD-HOC NETWORK |
| WO2008043109A2 (en) * | 2006-10-06 | 2008-04-10 | Smobile Systems, Inc. | System and method of reporting and visualizing malware on mobile networks |
| US7984455B2 (en) * | 2007-05-30 | 2011-07-19 | Sony Ericsson Mobile Communications Ab | Enhanced native contact book application |
| US9167070B2 (en) * | 2007-07-31 | 2015-10-20 | Qualcomm Incorporated | Widget discovery in computing devices |
| US9544180B2 (en) * | 2007-08-31 | 2017-01-10 | Qualcomm Incorporated | Techniques for group messaging on a mobile computing device |
| US20090064190A1 (en) * | 2007-08-31 | 2009-03-05 | Mindy Pereira | Techniques for receiving event information |
| US8607344B1 (en) | 2008-07-24 | 2013-12-10 | Mcafee, Inc. | System, method, and computer program product for initiating a security action at an intermediate layer coupled between a library and an application |
| US8490176B2 (en) * | 2009-04-07 | 2013-07-16 | Juniper Networks, Inc. | System and method for controlling a mobile device |
| US9202049B1 (en) | 2010-06-21 | 2015-12-01 | Pulse Secure, Llc | Detecting malware on mobile devices |
| US8270963B1 (en) | 2010-10-01 | 2012-09-18 | Viasat, Inc. | Cross domain notification |
| US8458800B1 (en) | 2010-10-01 | 2013-06-04 | Viasat, Inc. | Secure smartphone |
| US8495731B1 (en) * | 2010-10-01 | 2013-07-23 | Viasat, Inc. | Multiple domain smartphone |
| US9113499B2 (en) | 2010-10-01 | 2015-08-18 | Viasat, Inc. | Multiple domain smartphone |
| US8726338B2 (en) | 2012-02-02 | 2014-05-13 | Juniper Networks, Inc. | Dynamic threat protection in mobile networks |
| US8909213B2 (en) * | 2012-06-08 | 2014-12-09 | Spirent Communications, Inc. | System and method for evaluating performance of concurrent mobile services of mobile devices |
| US20140156252A1 (en) | 2012-11-30 | 2014-06-05 | International Business Machines Corporation | Hybrid platform-dependent simulation interface |
| US9485203B2 (en) | 2013-02-08 | 2016-11-01 | Xerox Corporation | Method and system for attaching scanned documents to email replies via a mobile communications device |
Family Cites Families (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5951698A (en) * | 1996-10-02 | 1999-09-14 | Trend Micro, Incorporated | System, apparatus and method for the detection and removal of viruses in macros |
| JPH11167533A (en) * | 1997-12-03 | 1999-06-22 | Toshiba Information Systems Corp | Electronic mail firewall device |
| US6269254B1 (en) * | 1998-09-28 | 2001-07-31 | Motorola, Inc. | Radio communications device and method with API between user application program and telephony program and method |
| EP1118949A1 (en) * | 2000-01-21 | 2001-07-25 | Hewlett-Packard Company, A Delaware Corporation | Process and apparatus for allowing transaction between a user and a remote server |
| US20020072347A1 (en) * | 2000-12-07 | 2002-06-13 | Dunko Greg A. | System and method of receiving specific information at a mobile terminal |
| US6907423B2 (en) * | 2001-01-04 | 2005-06-14 | Sun Microsystems, Inc. | Search engine interface and method of controlling client searches |
| JP2002351686A (en) * | 2001-05-23 | 2002-12-06 | Sony Corp | Data processing method and program for data processing method |
| US7123933B2 (en) * | 2001-05-31 | 2006-10-17 | Orative Corporation | System and method for remote application management of a wireless device |
| US7827611B2 (en) * | 2001-08-01 | 2010-11-02 | Mcafee, Inc. | Malware scanning user interface for wireless devices |
| US6792543B2 (en) * | 2001-08-01 | 2004-09-14 | Networks Associates Technology, Inc. | Virus scanning on thin client devices using programmable assembly language |
| US7210168B2 (en) * | 2001-10-15 | 2007-04-24 | Mcafee, Inc. | Updating malware definition data for mobile data processing devices |
| US6999721B2 (en) * | 2002-01-17 | 2006-02-14 | Microsoft Corporation | Unified object transfer for multiple wireless transfer mechanisms |
| US6987963B2 (en) * | 2003-04-17 | 2006-01-17 | Ntt Docomo, Inc. | System, method and computer program product for content/context sensitive scanning utilizing a mobile communication device |
| US7392043B2 (en) * | 2003-04-17 | 2008-06-24 | Ntt Docomo, Inc. | API system, method and computer program product for accessing content/security analysis functionality in a mobile communication framework |
| US7254811B2 (en) | 2003-04-17 | 2007-08-07 | Ntt Docomo, Inc. | Update system and method for updating a scanning subsystem in a mobile communication framework |
-
2003
- 2003-08-11 US US10/639,136 patent/US6970697B2/en not_active Expired - Lifetime
-
2004
- 2004-04-05 CA CA2517553A patent/CA2517553C/en not_active Expired - Lifetime
- 2004-04-05 KR KR1020057019713A patent/KR101046544B1/en active IP Right Grant
- 2004-04-05 CN CN2004800169851A patent/CN1939042B/en not_active Expired - Fee Related
- 2004-04-05 EP EP04750172A patent/EP1629346A4/en not_active Ceased
- 2004-04-05 WO PCT/US2004/011652 patent/WO2004095177A2/en active Search and Examination
- 2004-04-05 JP JP2006510075A patent/JP4597975B2/en not_active Expired - Lifetime
-
2005
- 2005-11-16 NO NO20055431A patent/NO20055431L/en not_active Application Discontinuation
Also Published As
| Publication number | Publication date |
|---|---|
| CA2517553A1 (en) | 2004-11-04 |
| JP4597975B2 (en) | 2010-12-15 |
| KR101046544B1 (en) | 2011-07-05 |
| EP1629346A2 (en) | 2006-03-01 |
| JP2006524396A (en) | 2006-10-26 |
| NO20055431L (en) | 2006-01-10 |
| NO20055431D0 (en) | 2005-11-16 |
| EP1629346A4 (en) | 2010-12-15 |
| CN1939042B (en) | 2010-06-16 |
| WO2004095177A2 (en) | 2004-11-04 |
| US6970697B2 (en) | 2005-11-29 |
| WO2004095177A3 (en) | 2006-05-04 |
| US20040209609A1 (en) | 2004-10-21 |
| CN1939042A (en) | 2007-03-28 |
| KR20060008902A (en) | 2006-01-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CA2517553C (en) | Platform-independent scanning subsystem api for use in a mobile communication framework | |
| CA2517534C (en) | System, method and computer program product for content/context sensitive scanning utilizing a mobile communication device | |
| CA2517548C (en) | Update system and method for updating a scanning subsystem in a mobile communication framework | |
| EP1623297B1 (en) | Api system, method and computer program product for accessing content/security analysis functionality in a mobile communication framework | |
| RU2339076C2 (en) | Execution of non-verified programs in radio communication device | |
| CN1981263A (en) | Update system and method for updating a scanning subsystem in a mobile communication framework |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request |