US 12,367,281 B2
Automatic mitigation of corrupted or compromised compute resources
Shlomi Boutnaru, Beer Sheva (IL); Liran Tancman, Beer Sheva (IL); Artem Merkovich, Beer Sheva (IL); Royi Klein, Beer Sheva (IL); Omri Lahav, Beer Sheva (IL); Artum Zolotushko, Beer Sheva (IL); Tal Kopeliovich, Beer Sheva (IL); Yuri Shafet, Beer Sheva (IL); Lior Zur-Lotan, Beer Sheva (IL); and Yotam Perkal, Beer Sheva (IL)
Assigned to GitLab Inc., San Francisco, CA (US)
Appl. No. 17/426,294
Filed by GitLab Inc., San Francisco, CA (US)
PCT Filed Feb. 4, 2020, PCT No. PCT/IB2020/050883
§ 371(c)(1), (2) Date Jul. 28, 2021,
PCT Pub. No. WO2020/161622, PCT Pub. Date Aug. 13, 2020.
Claims priority of provisional application 62/801,511, filed on Feb. 5, 2019.
Prior Publication US 2021/0390182 A1, Dec. 16, 2021
Int. Cl. G06F 21/56 (2013.01)
CPC G06F 21/562 (2013.01) [G06F 21/568 (2013.01); G06F 2221/033 (2013.01)]
20 Claims
1. A method for determining whether an application has been compromised by malicious code, the method comprising:
obtaining an image corresponding to the application, the image including one or more binaries, one or more scripts, one or more configurations, executable program code of the application and/or one or more dependencies necessary for execution of the application;
statically analyzing the image file to obtain characteristics of the image file, the characteristics of the image file including at least one of: one or more packages included in the image file, one or more files included in the image file, or one or more commands that are to be executed during runtime of the application;
mapping the image into a memory space of a compute instance allocated for the application to create an executable instance of the application;
receiving runtime characteristics of the executable instance of the application executing on the compute instance, the runtime characteristics including at least one of: one or more packages loaded into a memory space allocated for the application, one or more files loaded into the memory space allocated for the application, or one or more commands executed by the application, wherein the runtime characteristics further comprise a bitmap representing pages that are loaded into the memory space allocated for the application and that store executable segments of the application, and a first hash representative of executable segments of the application;
comparing the characteristics of the image file to the runtime characteristics of the executable instance of the application to determine discrepancies between at least one of: the one or more packages included in the image file and the one or more packages loaded into the memory space allocated for the application, the one or more files included in the image file and the one or more files loaded into the memory space allocated for the application, or the one or more commands that are to be executed during runtime of the application and the one or more commands executed by the application, wherein the comparing comprises:
retrieving data from portions of a code segment of the image file, the portions being determined based on the bitmap and corresponding to the pages;
generating a second hash representative of the data retrieved from the portions of the code segment; and
determining whether the first hash is equal to the second hash; and
responsive to determining the discrepancies:
determining, in response to determining that the first hash is not equal to the second hash, that the executable instance of the application has been compromised with malicious code; and
performing one or more actions to mitigate the malicious code.
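
The bitmap-guided hash comparison recited in claim 1, sketched as an added example that is not code from the patent or from GitLab. The page size, SHA-256, the LSB-first bitmap layout, mixing the page index into the hash, and all function names are assumptions made for illustration; the claim specifies none of them.

```python
import hashlib
import hmac

PAGE_SIZE = 4096  # assumption: the claim does not fix a page size


def selected_pages(bitmap: bytes, page_count: int) -> list[int]:
    """Page indices whose bit is set (assumed LSB-first within each byte)."""
    set_bits = [i for i in range(len(bitmap) * 8) if bitmap[i // 8] >> (i % 8) & 1]
    if any(i >= page_count for i in set_bits):
        # Runtime reports an executable page the image has no data for.
        raise ValueError("bitmap references a page outside the code segment")
    return set_bits


def hash_pages(segment: bytes, bitmap: bytes) -> str:
    """SHA-256 (assumed) over the pages of `segment` selected by `bitmap`."""
    page_count = -(-len(segment) // PAGE_SIZE)  # ceiling division
    digest = hashlib.sha256()
    for i in selected_pages(bitmap, page_count):
        digest.update(i.to_bytes(8, "little"))  # bind each page to its index
        digest.update(segment[i * PAGE_SIZE:(i + 1) * PAGE_SIZE])
    return digest.hexdigest()


def is_compromised(image_segment: bytes, bitmap: bytes, first_hash: str) -> bool:
    """True when the runtime hash does not match the image's selected pages."""
    try:
        second_hash = hash_pages(image_segment, bitmap)
    except ValueError:
        return True  # pages with no counterpart in the image are a discrepancy
    return not hmac.compare_digest(first_hash, second_hash)


# Constructed sample: a 4-page code segment, with pages 0 and 2 loaded.
IMAGE_SEGMENT = b"".join(bytes([n]) * PAGE_SIZE for n in range(4))
BITMAP = bytes([0b0101])


def runtime_report(memory: bytes) -> str:
    """Stand-in for the agent on the compute instance producing the first hash."""
    return hash_pages(memory, BITMAP)


if __name__ == "__main__":
    patched = bytearray(IMAGE_SEGMENT)
    patched[2 * PAGE_SIZE + 16] ^= 0xFF  # one byte changed in loaded page 2
    print(is_compromised(IMAGE_SEGMENT, BITMAP, runtime_report(IMAGE_SEGMENT)))
    print(is_compromised(IMAGE_SEGMENT, BITMAP, runtime_report(bytes(patched))))
```

Only pages marked in the bitmap are covered by the comparison, so a change in a page that was never loaded does not alter either hash.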