US 12,474,906 B2
Automatic runtime execution hardening through static system application programming interface (API) data mapping
Yair Netzer, Ganei Tikvah (IL); Ben Hania, Herzliya (IL); Igor Gokhman, Tel Aviv (IL); and Tomer Shaiman, Raanana (IL)
Assigned to Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed by Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed on May 3, 2023, as Appl. No. 18/311,461.
Claims priority of provisional application 63/495,220, filed on Apr. 10, 2023.
Prior Publication US 2024/0338185 A1, Oct. 10, 2024
Int. Cl. G06F 9/44 (2018.01); G06F 8/41 (2018.01); G06F 8/77 (2018.01); G06F 9/54 (2006.01)
CPC G06F 8/433 (2013.01) [G06F 8/447 (2013.01); G06F 9/541 (2013.01); G06F 8/77 (2013.01); G06F 9/54 (2013.01); G06F 9/547 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A system, comprising:
a processing system; and
memory coupled to the processing system, the memory comprising computer executable instructions that, when executed by the processing system, cause the system to perform operations comprising:
performing a static analysis of an artifact associated with a software program, wherein the static analysis comprises:
scanning for and mapping possible control flow paths by analyzing entry points of a main portion of machine code of the artifact and analyzing libraries used by the main portion of machine code;
generating a control flow graph (“CFG”) based on the scanning for and mapping of possible control flow paths; and
identifying invocations of system calls in possible code paths of the software program, using the CFG;
generating system application programming interface (“API”) usage data based on the static analysis;
creating a platform-specific enforcement profile for a secure mode hardening feature based on the system API usage data and platform configuration data, the platform-specific enforcement profile defining allowed requests and blocked requests for the software program; and
storing the platform-specific enforcement profile on a data storage device.
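The claim above describes a pipeline: scan the artifact and its libraries from the entry points, build a CFG, collect the system calls reachable along any path, and turn that usage data plus platform configuration into an allow/block profile. The following Python script is an added illustration of that pipeline and is not the patent's or Microsoft's code. It assumes a toy representation of the artifact (a dict of functions, their callees and the syscalls they invoke directly) in place of real machine code, a constructed platform description in place of real kernel data, and a seccomp-style allow list as the profile format; all names, syscall sets and module contents are constructed for the example. It also records call targets that cannot be resolved within the artifact (for instance a library loaded only at runtime), because a profile built from an incomplete scan would block syscalls the program legitimately needs.

```python
import json
from collections import deque

# Constructed sample artifact (not a real binary): a main module and two linked
# libraries. Each function lists the functions it calls and the system calls it
# invokes directly. Names are "module:function"; bare names belong to the main module.
MAIN_MODULE = {
    "entry_points": ["main", "signal_handler"],
    "functions": {
        "main": {"calls": ["parse_args", "plugin_hook", "libnet:connect_server"],
                 "syscalls": ["write"]},
        "parse_args": {"calls": [], "syscalls": []},
        "plugin_hook": {"calls": ["libplugin:run"], "syscalls": []},  # target not shipped with the artifact
        "signal_handler": {"calls": ["libc_wrap:do_exit"], "syscalls": ["write"]},
        "debug_shell": {"calls": ["libc_wrap:spawn"], "syscalls": []},  # no path from any entry point
    },
}
LIBRARIES = {
    "libnet": {
        "connect_server": {"calls": ["libnet:resolve"], "syscalls": ["socket", "connect"]},
        "resolve": {"calls": [], "syscalls": ["openat", "read", "close"]},
    },
    "libc_wrap": {
        "do_exit": {"calls": [], "syscalls": ["exit_group"]},
        "spawn": {"calls": [], "syscalls": ["execve", "clone"]},
    },
}
# Constructed platform configuration: the syscalls the target kernel exposes and
# the baseline every process needs in order to start at all.
PLATFORM = {
    "name": "toy-linux-x86_64",
    "known_syscalls": {"read", "write", "openat", "close", "socket", "connect",
                       "execve", "clone", "exit_group", "mmap", "brk", "ptrace"},
    "always_allow": {"mmap", "brk", "exit_group"},
}


def qualify(name):
    """Normalise a call target to 'module:function'; bare names are in the main module."""
    return name if ":" in name else "main:" + name


def lookup(node, main_module, libraries):
    """Return the function record for a qualified node, or None if it is out of scope."""
    module, func = node.split(":", 1)
    table = main_module["functions"] if module == "main" else libraries.get(module, {})
    return table.get(func)


def build_cfg(main_module, libraries):
    """Scan every function in the artifact and its libraries, producing call edges
    (node -> callees), the direct syscalls of each node, and unresolved targets."""
    edges, syscalls, unresolved = {}, {}, set()
    nodes = [("main", f) for f in main_module["functions"]]
    nodes += [(lib, f) for lib, fns in libraries.items() for f in fns]
    for module, func in nodes:
        node = f"{module}:{func}"
        rec = lookup(node, main_module, libraries)
        edges[node] = [qualify(c) for c in rec["calls"]]
        syscalls[node] = set(rec["syscalls"])
        for callee in edges[node]:
            if lookup(callee, main_module, libraries) is None:
                unresolved.add(callee)
    return edges, syscalls, unresolved


def reachable_syscalls(edges, syscalls, entry_points):
    """Breadth-first walk of the CFG from the entry points.
    Returns (visited nodes, syscalls invoked on some reachable path)."""
    queue = deque(qualify(e) for e in entry_points)
    visited, used = set(), set()
    while queue:
        node = queue.popleft()
        if node in visited or node not in edges:  # unresolved targets are skipped
            continue
        visited.add(node)
        used |= syscalls[node]
        queue.extend(edges[node])
    return visited, used


def build_profile(main_module, libraries, platform):
    """Enforcement profile: allowed = reachable syscalls plus the platform baseline;
    blocked = every other syscall the platform knows about."""
    edges, syscalls, unresolved = build_cfg(main_module, libraries)
    visited, used = reachable_syscalls(edges, syscalls, main_module["entry_points"])
    allowed = (used | platform["always_allow"]) & platform["known_syscalls"]
    return {
        "platform": platform["name"],
        "allowed": sorted(allowed),
        "blocked": sorted(platform["known_syscalls"] - allowed),
        "not_on_platform": sorted(used - platform["known_syscalls"]),
        "reachable_functions": sorted(visited),
        "unresolved_calls": sorted(unresolved),  # profile is incomplete while non-empty
    }


if __name__ == "__main__":
    print(json.dumps(build_profile(MAIN_MODULE, LIBRARIES, PLATFORM), indent=2))
```

Running the script shows why the CFG step matters: `debug_shell` references `libc_wrap:spawn`, which invokes `execve` and `clone`, but no entry point reaches it, so both syscalls end up in the blocked list. The non-empty `unresolved_calls` entry flags that `libplugin:run` was outside the scan, which is the signal a deployment tool should treat as "do not enforce yet" rather than silently shipping a profile that may break the program.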