Hardware assisted branch transfer self-check mechanism
First Claim
1. A computer program product tangibly embodied on non-transient computer readable media, the computer program product comprising instructions operable when executed to:
- receive, from an execution profiler implemented at least partially in hardware, execution control of an indirect branch for a function call in an executable application;
- execute a callback to a self-check policy associated with the executable application for the indirect branch, wherein the self-check policy comprises at least one of a defense to a control-flow attack and a white list of authorized memory address locations for the indirect branch; and
- determine, by a self-check application module implemented at least partially in hardware, whether to execute the indirect branch based on the self-check policy associated with the executable application, by:
  - evaluating one or more parameters for the indirect branch provided to the self-check application module by the execution profiler; and
  - determining whether the one or more parameters are permitted for execution based on the self-check policy;
wherein:
- the parameters comprise one or both of a source register location from which the indirect call originated or a destination register location for the indirect branch call; and
- the self-check application module determines whether the self-check policy permits an indirect branch from the source register to the destination register.
Abstract
Embodiments of the present disclosure are directed to a self-check application to determine whether an indirect branch execution is permissible for an executable application. The self-check application uses one or more parameters received from an execution profiling module to determine whether the indirect branch execution is permitted by one or more self-check policies.
17 Citations
5 Claims
3. A system comprising:
- a processor implemented at least partially in hardware;
- a memory;
- an execution profiler module implemented at least partially in hardware to:
  - receive, from an execution profiler implemented at least partially in hardware, execution control of an indirect branch for a function call in an executable application; and
  - determine, by a self-check handler module, whether to execute the indirect branch based on a self-check policy associated with the executable application, wherein the self-check policy comprises at least one of a defense to a control-flow attack and a white list of authorized memory address locations for the indirect branch, by:
    - evaluating one or more parameters for the indirect branch provided to a self-check handler by the execution profiler; and
    - determining whether the one or more parameters are permitted for execution based on the self-check policy;
wherein:
- the parameters comprise one or both of a source register location from which the indirect call originated or a destination register location for the indirect call; and
- the self-check handler module determines whether the self-check policy permits an indirect branch from the source register to the destination register.
5. A system for control flow protection, the system comprising:
- a processor implemented at least partially in hardware;
- a memory;
- an execution profiler module implemented at least partially in hardware to:
  - assemble an execution profile of an executable application execution;
  - monitor the executable application execution for an indirect branch instruction; and
  - identify one or more parameters associated with the indirect branch instruction; and
- a self-check application module implemented at least partially in hardware to determine whether the indirect branch is permitted by performing a self-check using the parameters identified by the execution profiler module, by:
  - evaluating one or more parameters for the indirect branch provided to a self-check handler by the execution profiler; and
  - determining whether the one or more parameters are permitted for execution based on a self-check policy, wherein the self-check policy comprises at least one of a defense to a control-flow attack and a white list of authorized memory address locations for the indirect branch;
wherein:
- the parameters comprise one or both of a source register location from which the indirect call originated or a destination register location for the indirect call; and
- the self-check application module determines whether the self-check policy permits an indirect branch from the source register to the destination register.
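The three independent claims describe the same flow: an execution profiler intercepts an indirect call, passes the source and destination to a self-check module, and the module consults a white-list policy before the branch is allowed to run. The following C program is an added illustration written for this page, not code from the patent or its assignee. It models the profiler as an ordinary function (`profiled_indirect_call`), uses a constructed call-site identifier (`SITE_DISPATCH`) in place of the real source register value, uses the target function's address as the destination register value, and implements the policy as a white list of authorized (call site, target) pairs; every name in it is an assumption made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the claimed mechanism (added illustration, not code
 * from the patent): a stand-in for the hardware execution profiler
 * intercepts each indirect call, passes the (source, destination) pair to a
 * self-check module, and transfers control only if the self-check policy,
 * here a white list of authorized (call site, target) pairs, permits it.   */

typedef struct {
    uintptr_t src;  /* call-site identifier, standing in for the source register value */
    uintptr_t dst;  /* address the call would transfer to (destination register value) */
} branch_params_t;

typedef struct {
    const branch_params_t *allowed;  /* white list of authorized transfers */
    size_t count;
} self_check_policy_t;

typedef enum { BRANCH_DENY = 0, BRANCH_PERMIT = 1 } verdict_t;

/* Self-check callback: the branch is permitted only when the exact
 * (src, dst) pair appears in the white list; anything else is denied.      */
verdict_t self_check(const self_check_policy_t *policy, branch_params_t p) {
    for (size_t i = 0; i < policy->count; i++)
        if (policy->allowed[i].src == p.src && policy->allowed[i].dst == p.dst)
            return BRANCH_PERMIT;
    return BRANCH_DENY;
}

/* --- a small "executable application" whose indirect calls are profiled --- */

typedef int (*op_fn)(int);

static int op_double(int x) { return 2 * x; }
static int op_negate(int x) { return -x; }
/* Present in the image, but never a legitimate target of the dispatcher. */
static int privileged_op(int x) { return x + 1000; }

enum { SITE_DISPATCH = 0x1000 };  /* constructed id for the dispatcher's call site */

/* The policy an application would register for its single dispatch site. */
static size_t build_demo_policy(branch_params_t out[2]) {
    out[0] = (branch_params_t){ SITE_DISPATCH, (uintptr_t)op_double };
    out[1] = (branch_params_t){ SITE_DISPATCH, (uintptr_t)op_negate };
    return 2;
}

static unsigned denied_count;

/* Stand-in for the execution profiler: it sees the pending indirect call,
 * runs the self-check callback, and transfers control only on PERMIT.     */
static int profiled_indirect_call(const self_check_policy_t *policy,
                                  uintptr_t site, op_fn fn, int arg, int *ok) {
    branch_params_t p = { site, (uintptr_t)fn };
    if (self_check(policy, p) != BRANCH_PERMIT) {
        denied_count++;
        *ok = 0;
        return 0;  /* branch suppressed; the call never happens */
    }
    *ok = 1;
    return fn(arg);
}

/* Checks a single (site, target) pair against the demo policy. */
verdict_t demo_check(uintptr_t site, op_fn fn) {
    branch_params_t allowed[2];
    self_check_policy_t policy = { allowed, build_demo_policy(allowed) };
    return self_check(&policy, (branch_params_t){ site, (uintptr_t)fn });
}

/* Two legitimate dispatches, then one whose function pointer has been
 * overwritten (simulated) to point at privileged_op. Returns how many
 * branches the self-check denied; expected 1.                             */
int run_demo(void) {
    branch_params_t allowed[2];
    self_check_policy_t policy = { allowed, build_demo_policy(allowed) };
    int ok;

    denied_count = 0;
    int r1 = profiled_indirect_call(&policy, SITE_DISPATCH, op_double, 21, &ok);
    int r2 = profiled_indirect_call(&policy, SITE_DISPATCH, op_negate, 5, &ok);
    op_fn corrupted = privileged_op;  /* simulated pointer corruption */
    int r3 = profiled_indirect_call(&policy, SITE_DISPATCH, corrupted, 1, &ok);

    printf("r1=%d r2=%d r3=%d (ok=%d) denied=%u\n", r1, r2, r3, ok, denied_count);
    return (int)denied_count;
}

int main(void) { return run_demo() == 1 ? 0 : 1; }
```

The point the model makes visible is that the policy is keyed on the pair, not on the target alone: `privileged_op` is a perfectly valid function in the image, yet it is refused because no authorized transfer from `SITE_DISPATCH` lists it, and the same target from an unlisted call site is refused as well. In the claimed hardware the source and destination would come from the actual registers and the callback would run before retirement of the branch; the software stand-in here only reproduces the decision logic.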
Specification