Systems and methods for detecting gadgets on computing devices

US 10,043,013 B1
Filed: 09/09/2016
Issued: 08/07/2018
Est. Priority Date: 09/09/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting gadgets on computing devices, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying, on the computing device, a process comprising a plurality of modules;

identifying, within the process, each module that does not implement a security protocol that randomizes, each time the module executes, a memory location of at least one portion of data accessed by the module;

copying each module that does not implement the security protocol to a section of memory dedicated to security analyses;

determining, based on detecting at least one gadget-specific characteristic within at least one copied module, that the process comprises a gadget that is capable of being maliciously exploited; and

performing a security action on the computing device to prevent the gadget from being maliciously exploited.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for detecting gadgets on computing devices may include (i) identifying, on a computing device, a process containing multiple modules, (ii) identifying, within the process, each module that does not implement a security protocol that randomizes, each time the module executes, a memory location of at least one portion of data accessed by the module, (iii) copying each module that does not implement the security protocol to a section of memory dedicated to security analyses, (iv) determining, based on detecting at least one gadget-specific characteristic within at least one copied module, that the process contains a gadget that is capable of being maliciously exploited, and then (v) performing a security action on the computing device to prevent the gadget from being maliciously exploited. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for detecting gadgets on computing devices, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying, on the computing device, a process comprising a plurality of modules;
  
  identifying, within the process, each module that does not implement a security protocol that randomizes, each time the module executes, a memory location of at least one portion of data accessed by the module;
  
  copying each module that does not implement the security protocol to a section of memory dedicated to security analyses;
  
  determining, based on detecting at least one gadget-specific characteristic within at least one copied module, that the process comprises a gadget that is capable of being maliciously exploited; and
  
  performing a security action on the computing device to prevent the gadget from being maliciously exploited.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein identifying the process on the computing device comprises identifying a process currently running on the computing device.
  - 3. The method of claim 1, wherein identifying each module that does not implement the security protocol comprises identifying each module that does not implement address space layout randomization.
  - 4. The method of claim 3, wherein identifying each module that does not implement address space layout randomization comprises identifying each module that does not contain, within a header of the module, a predetermined value that indicates the module implements address space layout randomization.
  - 5. The method of claim 1, wherein the section of memory dedicated to security analyses comprises a dedicated section of memory within the computing device.
  - 6. The method of claim 1, wherein:
    - detecting the gadget-specific characteristic within the copied module comprises determining that the module contains executable instructions; and
      
      determining that the process comprises the gadget comprises determining that the copied module both does not implement the security protocol and contains the executable instructions.
  - 7. The method of claim 1, wherein performing the security action on the computing device comprises terminating the process.
  - 8. The method of claim 1, wherein performing the security action on the computing device comprises monitoring the gadget while the gadget runs on the computing device to detect an indication that the gadget is being maliciously exploited.

9. A system for detecting gadgets on computing devices, the system comprising:
- an identification module, stored in memory, that;
  
  identifies, on a computing device, a process comprising a plurality of modules; and
  
  identifies, within the process, each module that does not implement a security protocol that randomizes, each time the module executes, a memory location of at least one portion of data accessed by the module;
  
  a copying module, stored in memory, that copies each module that does not implement the security protocol to a section of memory dedicated to security analyses;
  
  a determination module, stored in memory, that determines, based on detecting at least one gadget-specific characteristic within at least one copied module, that the process comprises a gadget that is capable of being maliciously exploited;
  
  a security module, stored in memory, that performs a security action on the computing device to prevent the gadget from being maliciously exploited; and
  
  at least one physical processor configured to execute the identification module, the copying module, the determination module, and the security module.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the identification module identifies the process on the computing device by identifying a process currently running on the computing device.
  - 11. The system of claim 9, wherein the identification module identifies each module that does not implement the security protocol by identifying each module that does not implement address space layout randomization.
  - 12. The system of claim 11, wherein the identification module identifies each module that does not implement address space layout randomization by identifying each module that does not contain, within a header of the module, a predetermined value that indicates the module implements address space layout randomization.
  - 13. The system of claim 9, wherein the section of memory dedicated to security analyses comprises a dedicated section of memory within the computing device.
  - 14. The system of claim 9, wherein the determination module:
    - detects the gadget-specific characteristic within the copied module by determining that the module contains executable instructions; and
      
      determines that the process comprises the gadget by determining that the copied module both does not implement the security protocol and contains the executable instructions.
  - 15. The system of claim 9, wherein the security module performs the security action on the computing device by terminating the process.
  - 16. The system of claim 9, wherein the security module performs the security action on the computing device by monitoring the gadget while the gadget runs on the computing device to detect an indication that the gadget is being maliciously exploited.

17. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify, on the computing device, a process comprising a plurality of modules;
  
  identify, within the process, each module that does not implement a security protocol that randomizes, each time the module executes, a memory location of at least one portion of data accessed by the module;
  
  copy each module that does not implement the security protocol to a section of memory dedicated to security analyses;
  
  determine, based on detecting at least one gadget-specific characteristic within at least one copied module, that the process comprises a gadget that is capable of being maliciously exploited; and
  
  perform a security action on the computing device to prevent the gadget from being maliciously exploited.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable medium of claim 17, wherein the one or more computer-executable instructions cause the computing device to identify the process on the computing device by identifying a process currently running on the computing device.
  - 19. The computer-readable medium of claim 17, wherein the one or more computer-executable instructions cause the computing device to identify each module that does not implement the security protocol by identifying each module that does not implement address space layout randomization.
  - 20. The computer-readable medium of claim 17, wherein the one or more computer-executable instructions cause the computing device to identify each module that does not implement address space layout randomization by identifying each module that does not contain, within a header of the module, a predetermined value that indicates the module implements address space layout randomization.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Ferrie, Peter, Chen, Joseph
Primary Examiner(s)
ZAIDI, SYED A

Application Number

US15/260,961
Time in Patent Office

697 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

Systems and methods for detecting gadgets on computing devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting gadgets on computing devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links