Blocking routine redirection

US 10,181,030 B2
Filed: 07/24/2015
Issued: 01/15/2019
Est. Priority Date: 07/24/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing one or more mechanisms that cause, in response to each call to a system routine performed by a computing device, execution of a routine that includes code configured to detect an attempt to perform a runtime redirection;

executing, in response to a first call to the system routine, the routine that includes the code;

based on executing, in response to the first call, the routine;

determining, based on determining that the first call is for writing to a memory location associated with the system routine, that the first call is an attempt to redirect from the system routine, andbased on determining that the first call is an attempt to redirect from the system routine, denying the first call;

executing, in response to a second call to the system routine, the routine that includes the code; and

based on executing, in response to the second call, the routine;

allowing the second call.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are methods, systems, and computer-readable media for blocking attempts at runtime redirection and attempts to change memory permissions during runtime. The present disclosure describes features that enable runtime detection of an attempt to redirect routines or change memory permissions, and determining whether to allow or deny the attempt. Such features may include changing memory write permissions on memory segments, such as those segments used by dynamic loaders after call associations have been saved or otherwise created. Other features may include swapping the addresses of system routines (e.g., open, read, write, close, etc.) to new routines that perform the same function as well as additional functionality configured to detect attempts to redirect or change memory permissions. Once detected by the new routine during runtime, a determination may be made to deny or allow the call based on a policy.

9 Citations

20 Claims

1. A method comprising:
- establishing one or more mechanisms that cause, in response to each call to a system routine performed by a computing device, execution of a routine that includes code configured to detect an attempt to perform a runtime redirection;
  
  executing, in response to a first call to the system routine, the routine that includes the code;
  
  based on executing, in response to the first call, the routine;
  
  determining, based on determining that the first call is for writing to a memory location associated with the system routine, that the first call is an attempt to redirect from the system routine, andbased on determining that the first call is an attempt to redirect from the system routine, denying the first call;
  
  executing, in response to a second call to the system routine, the routine that includes the code; and
  
  based on executing, in response to the second call, the routine;
  
  allowing the second call.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein establishing the one or more mechanisms includes exchanging or setting an address of the system routine in a global symbol table with an address of the routine that includes the code.
  - 3. The method of claim 1, wherein the system routine comprises a file input/output (I/O) routine.
  - 4. The method of claim 1, wherein determining that the first call is an attempt to redirect from the system routine is performed based on information of a program stack.
  - 5. The method of claim 1, wherein denying the first call is performed based on information of a program stack.
  - 6. The method of claim 1, wherein the second call is associated with one or more parameters, and wherein allowing the second call is performed without modifying the second call and without modifying the one or more parameters.
  - 7. The method of claim 1, wherein the second call is associated with one or more parameters, and wherein allowing the second call is performed with a modification to the second call or with a modification to the one or more parameters.
  - 8. The method of claim 7, wherein allowing the second call is performed based on information of a program stack.
  - 9. The method of claim 1, further comprising:
    - based on denying the first call, throwing an exception or returning a false indication of success.

10. An apparatus comprising:
- one or more processors; and
  
  memory storing executable instructions configured to, when executed by the one or more processors, cause the apparatus to;
  
  establish one or more mechanisms that cause, in response to each call to a system routine performed by the apparatus or each call to a virtual file system (VFS) operation performed by the apparatus, execution of a routine that includes code configured to detect an attempt to perform a runtime redirection;
  
  execute, in response to a first call to the system routine or to the VFS operation, the routine that includes the code;
  
  based on executing, in response to the first call, the routine;
  
  determine, based on determining that the first call is for writing to a memory location associated with the system routine or to a virtual file system associated with the VFS operation, that the first call is an attempt to redirect from the system routine or from the VFS operation; and
  
  based on determining that the first call is an attempt to redirect from the system routine or from the VFS operation, denying the first call;
  
  execute, in response to a second call to the system routine or to the VFS operation, the routine that includes the code; and
  
  based on executing, in response to the second call, the routine;
  
  allow the second call.
- View Dependent Claims (11, 12)
- - 11. The apparatus of claim 10, wherein causing the apparatus to establish the one or more mechanisms includes causing the apparatus to exchange or set an address of the system routine in a global symbol table with an address of the routine that includes the code.
  - 12. The apparatus of claim 10, wherein causing the apparatus to establish the one or more mechanisms includes causing the apparatus to establish the routine that includes the code to be executed as pre-processing or post-processing for the VFS operation.

13. A method comprising:
- establishing one or more mechanisms that cause, in response to each call to a virtual file system (VFS) operation performed by a computing device, execution of a routine that includes code configured to detect an attempt to perform a runtime redirection;
  
  executing, in response to a first call to the VFS operation, the routine that includes the code;
  
  based on executing, in response to the first call, the routine;
  
  determining, based on determining that the first call is for writing to a virtual file system associated with the VFS operation, that the first call is an attempt to redirect from the VFS operation, andbased on determining that the first call is an attempt to redirect from the VFS operation, denying the first call;
  
  executing, in response to a second call to the VFS operation, the routine that includes the code; and
  
  based on executing, in response to the second call, the routine;
  
  allowing the second call.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein establishing the one or more mechanisms includes establishing the routine that includes the code to be executed as pre-processing or post-processing for the VFS operation.
  - 15. The method of claim 13, wherein the VFS operation comprises an operation of a VFS interface for a database that stores data for an application.
  - 16. The method of claim 13, wherein determining that the first call is an attempt to redirect from the VFS operation is performed based on information of a program stack.
  - 17. The method of claim 13, wherein denying the first call is performed based on information of a program stack.
  - 18. The method of claim 13, wherein the second call is associated with one or more parameters, and wherein allowing the second call is performed without modifying the second call and without modifying the one or more parameters.
  - 19. The method of claim 13, wherein the second call is associated with one or more parameters, and wherein allowing the second call is performed with a modification to the second call or with a modification to the one or more parameters.
  - 20. The method of claim 13, further comprising:
    - based on denying the first call, throwing an exception or returning a false indication of success.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Linde, David
Primary Examiner(s)
Naghdali, Khalil

Application Number

US14/808,601
Publication Number

US 20170024560A1
Time in Patent Office

1,271 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 21/305   by remotely controlling dev...

G06F 21/52   during program execution, e...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 2221/033   Test or assess software

G06F 2221/2123   Dummy operation

G06F 2221/2143   Clearing memory, e.g. to pr...

Blocking routine redirection

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Blocking routine redirection

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links