Blocking routine redirection
First Claim
1. A method comprising:
establishing one or more mechanisms that cause, in response to each call to a system routine performed by a computing device, execution of a routine that includes code configured to detect an attempt to perform a runtime redirection;
executing, in response to a first call to the system routine, the routine that includes the code;
based on executing, in response to the first call, the routine;
determining, based on determining that the first call is for writing to a memory location associated with the system routine, that the first call is an attempt to redirect from the system routine, and based on determining that the first call is an attempt to redirect from the system routine, denying the first call;
executing, in response to a second call to the system routine, the routine that includes the code; and
based on executing, in response to the second call, the routine;
allowing the second call.
Abstract
Disclosed herein are methods, systems, and computer-readable media for blocking attempts at runtime redirection and attempts to change memory permissions during runtime. The present disclosure describes features that enable runtime detection of an attempt to redirect routines or change memory permissions, and determining whether to allow or deny the attempt. Such features may include changing memory write permissions on memory segments, such as those segments used by dynamic loaders after call associations have been saved or otherwise created. Other features may include swapping the addresses of system routines (e.g., open, read, write, close, etc.) to new routines that perform the same function as well as additional functionality configured to detect attempts to redirect or change memory permissions. Once detected by the new routine during runtime, a determination may be made to deny or allow the call based on a policy.
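As an added illustration of the mechanism the abstract describes (example code written here, not code from the patent or its assignee), the C program below stands in a constructed routine table for the loader's saved call associations and swaps in a guarded write routine that runs detection code on every call: the first call, a write into the table slot of a system routine, is denied, and the second, an ordinary write, is allowed. The table layout, the verdict values and all routine names are assumptions; a real deployment would work on the loader's own tables and also change their write permissions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the loader's saved call associations: a table that
   maps each system routine to its resolved address (assumption: a real system
   would use the dynamic loader's own GOT/PLT and also mprotect() it read-only). */
typedef int (*sys_routine_t)(void *buf, size_t len);
static int real_write(void *buf, size_t len) { (void)buf; return (int)len; }
static int real_read(void *buf, size_t len)  { memset(buf, 0, len); return (int)len; }
enum { ROUTINE_WRITE = 0, ROUTINE_READ = 1, ROUTINE_COUNT = 2 };
static sys_routine_t routine_table[ROUTINE_COUNT] = { real_write, real_read };
enum verdict { DENY = 0, ALLOW = 1 };

/* Detection code: does the destination range overlap the saved associations? */
static int targets_routine_table(const void *dst, size_t len) {
    uintptr_t d0 = (uintptr_t)dst, d1 = d0 + len;
    uintptr_t t0 = (uintptr_t)routine_table, t1 = t0 + sizeof routine_table;
    return d0 < t1 && t0 < d1;
}

/* The replacement routine swapped in for write: same function as the original,
   plus the detection code and the policy decision (deny redirection attempts). */
int guarded_write(void *dst, const void *src, size_t len) {
    if (targets_routine_table(dst, len)) {
        fprintf(stderr, "denied: %zu-byte write into the routine table\n", len);
        return DENY;
    }
    memcpy(dst, src, len);
    return ALLOW;
}

/* Dispatch through the table, as a PLT stub would after symbol resolution. */
int call_routine(int idx, void *buf, size_t len) { return routine_table[idx](buf, len); }

/* Constructed replacement that an injected module might try to install. */
static int redirect_target(void *buf, size_t len) { (void)buf; (void)len; return -1; }

/* First call: an attempt to redirect write by overwriting its table slot. */
int first_call(void) {
    sys_routine_t hook = redirect_target;
    return guarded_write(&routine_table[ROUTINE_WRITE], &hook, sizeof hook);
}

/* Second call: an ordinary write into a caller-owned buffer, which is allowed. */
int second_call(void) {
    char out[16];
    return guarded_write(out, "payload", 8);
}
```

After the denied first call the table still dispatches to the original routine, which is the property the detection exists to preserve.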
20 Claims
1. A method comprising: (independent claim 1 is reproduced in full under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. An apparatus comprising:
one or more processors; and
memory storing executable instructions configured to, when executed by the one or more processors, cause the apparatus to:
establish one or more mechanisms that cause, in response to each call to a system routine performed by the apparatus or each call to a virtual file system (VFS) operation performed by the apparatus, execution of a routine that includes code configured to detect an attempt to perform a runtime redirection;
execute, in response to a first call to the system routine or to the VFS operation, the routine that includes the code;
based on executing, in response to the first call, the routine;
determine, based on determining that the first call is for writing to a memory location associated with the system routine or to a virtual file system associated with the VFS operation, that the first call is an attempt to redirect from the system routine or from the VFS operation; and based on determining that the first call is an attempt to redirect from the system routine or from the VFS operation, denying the first call;
execute, in response to a second call to the system routine or to the VFS operation, the routine that includes the code; and
based on executing, in response to the second call, the routine;
allow the second call.
Dependent claims: 11, 12
13. A method comprising:
establishing one or more mechanisms that cause, in response to each call to a virtual file system (VFS) operation performed by a computing device, execution of a routine that includes code configured to detect an attempt to perform a runtime redirection;
executing, in response to a first call to the VFS operation, the routine that includes the code;
based on executing, in response to the first call, the routine;
determining, based on determining that the first call is for writing to a virtual file system associated with the VFS operation, that the first call is an attempt to redirect from the VFS operation, and based on determining that the first call is an attempt to redirect from the VFS operation, denying the first call;
executing, in response to a second call to the VFS operation, the routine that includes the code; and
based on executing, in response to the second call, the routine;
allowing the second call.
Dependent claims: 14, 15, 16, 17, 18, 19, 20