Detecting return-oriented programming payloads by evaluating data for a gadget address space address and determining whether operations associated with instructions beginning at the address indicate a return-oriented programming payload

US 10,192,049 B2
Filed: 11/11/2016
Issued: 01/29/2019
Est. Priority Date: 09/15/2011
Status: Active Grant

First Claim

Patent Images

1. A system for detecting the presence of a return-oriented programming (ROP) payload in data, comprising:

a hardware processor that;

identifies a potential gadget address space;

determines if a piece of the data corresponds to an address of the potential gadget address space; and

in response to determining that the piece of the data corresponds to an address of the potential gadget address space;

for each instruction of a plurality of instructions beginning at the address;

attempts to execute the instruction;

determines whether at least one of;

that the instruction has an invalid execution address;

that the instruction is invalid; and

that the instruction is privileged;

counts the instruction as part of an instruction count; and

determines whether the instruction count meets at least one threshold;

in response to determining that the instruction count meets the at least one threshold, increases a gadget count; and

indicates that an ROP payload is present in the data in response to the gadget count meeting a threshold greater than one.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and media for detecting the presence of return-oriented programming (ROP) payloads are provided, comprising: identifying a potential gadget address space; determining if a piece of the data corresponds to an address of the potential gadget address space; and in response to determining that the piece of the data corresponds to an address of the potential gadget address space: determining whether a plurality of operations, each associated one of a plurality instructions beginning at the address, indicates that an ROP payload is present in the data, and indicating that an ROP payload is present in the data in response to making a determination that a plurality of operations indicates that an ROP payload is present in the data a given number of times.

Citations

27 Claims

1. A system for detecting the presence of a return-oriented programming (ROP) payload in data, comprising:
- a hardware processor that;
  
  identifies a potential gadget address space;
  
  determines if a piece of the data corresponds to an address of the potential gadget address space; and
  
  in response to determining that the piece of the data corresponds to an address of the potential gadget address space;
  
  for each instruction of a plurality of instructions beginning at the address;
  
  attempts to execute the instruction;
  
  determines whether at least one of;
  
  that the instruction has an invalid execution address;
  
  that the instruction is invalid; and
  
  that the instruction is privileged;
  
  counts the instruction as part of an instruction count; and
  
  determines whether the instruction count meets at least one threshold;
  
  in response to determining that the instruction count meets the at least one threshold, increases a gadget count; and
  
  indicates that an ROP payload is present in the data in response to the gadget count meeting a threshold greater than one.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein in determining whether at least one of:
    - that the instruction has an invalid execution address;
      
      that the instruction is invalid; and
      
      that the instruction is privileged, the hardware processor determines whether the instruction is invalid.
  - 3. The system of claim 1, wherein in attempting to execute the instruction, the hardware processor attempts to execute the instruction using an emulator.
  - 4. The system of claim 1, wherein in determining whether at least one of:
    - that the instruction has an invalid execution address;
      
      that the instruction is invalid; and
      
      that the instruction is privileged, the hardware processor determines whether the instruction has an invalid execution address.
  - 5. The system of claim 1, wherein in determining whether at least one of:
    - that the instruction has an invalid execution address;
      
      that the instruction is invalid; and
      
      that the instruction is privileged, the hardware processor determines whether the instruction is a privileged instruction.
  - 6. The system of claim 1, wherein the hardware processor determines if an indirect control transfer instruction that is controlled by an unchanged piece of the data is effected.
  - 7. The system of claim 1, wherein the hardware processor determines if a return instruction that is controlled by an unchanged piece of the data is effected.
  - 8. The system of claim 1, wherein the instruction count is a count of the number of instructions in a gadget.
  - 9. The system of claim 1, wherein the instruction count is a count of the total number of instructions executed.

10. A method for detecting the presence of a return-oriented programming (ROP) payload in data, comprising:
- identifying a potential gadget address space using a hardware processor;
  
  determining if a piece of the data corresponds to an address of the potential gadget address space using the hardware processor; and
  
  in response to determining that the piece of the data corresponds to an address of the potential gadget address space;
  
  for each instruction of a plurality of instructions beginning at the address, using the hardware processor to;
  
  attempt to execute the instruction;
  
  determine whether at least one of;
  
  that the instruction has an invalid execution address;
  
  that the instruction is invalid; and
  
  that the instruction is privileged;
  
  count the instruction as part of an instruction count; and
  
  determine whether the instruction count meets at least one threshold;
  
  in response to determining that the instruction count meets the at least one threshold, using the hardware processor to increase a gadget count; and
  
  indicating, using the hardware processor, that an ROP payload is present in the data in response to the gadget count meeting a threshold greater than one.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, wherein determining whether at least one of:
    - that the instruction has an invalid execution address;
      
      that the instruction is invalid; and
      
      that the instruction is privileged comprises determining whether the instruction is invalid.
  - 12. The method of claim 10, wherein attempting to execute the instruction comprises attempting to execute the instruction using an emulator.
  - 13. The method of claim 10, wherein determining whether at least one of:
    - that the instruction has an invalid execution address;
      
      that the instruction is invalid; and
      
      that the instruction is privileged comprises determining whether the instruction has an invalid execution address.
  - 14. The method of claim 10, wherein determining whether at least one of:
    - that the instruction has an invalid execution address;
      
      that the instruction is invalid; and
      
      that the instruction is privileged comprises determining whether the instruction is a privileged instruction.
  - 15. The method of claim 10, further comprising determining if an indirect control transfer instruction that is controlled by an unchanged piece of the data is effected.
  - 16. The method of claim 10, further comprising determining if a return instruction that is controlled by an unchanged piece of the data is effected.
  - 17. The method of claim 10, wherein the instruction count is a count of the number of instructions in a gadget.
  - 18. The method of claim 10, wherein the instruction count is a count of the total number of instructions executed.

19. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting the presence of a return-oriented programming (ROP) payload in data, the method comprising:
- identifying a potential gadget address space;
  
  determining if a piece of the data corresponds to an address of the potential gadget address space; and
  
  in response to determining that the piece of the data corresponds to an address of the potential gadget address space;
  
  for each instruction of a plurality of instructions beginning at the address;
  
  attempting to execute the instruction;
  
  determining whether at least one of;
  
  that the instruction has an invalid execution address;
  
  that the instruction is invalid; and
  
  that the instruction is privileged;
  
  counting the instruction as part of an instruction count; and
  
  determining whether the instruction count meets at least one threshold;
  
  in response to determining that the instruction count meets the at least one threshold, increasing a gadget count; and
  
  indicating that an ROP payload is present in the data in response to the gadget count meeting a threshold greater than one.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The non-transitory computer readable medium of claim 19, wherein determining whether at least one of:
    - that the instruction has an invalid execution address;
      
      that the instruction is invalid; and
      
      that the instruction is privileged comprises determining whether the instruction is invalid.
  - 21. The non-transitory computer-readable medium of claim 19, wherein attempting to execute the instruction comprises attempting to execute the instruction using an emulator.
  - 22. The non-transitory computer-readable medium of claim 19, wherein determining whether at least one of:
    - that the instruction has an invalid execution address;
      
      that the instruction is invalid; and
      
      that the instruction is privileged comprises determining whether the instruction has an invalid execution address.
  - 23. The non-transitory computer-readable medium of claim 19, wherein determining whether at least one of:
    - that the instruction has an invalid execution address;
      
      that the instruction is invalid; and
      
      that the instruction is privileged comprises determining whether the instruction is a privileged instruction.
  - 24. The non-transitory computer-readable medium of claim 19, wherein the method further comprises determining if an indirect control transfer instruction that is controlled by an unchanged piece of the data is effected.
  - 25. The non-transitory computer-readable medium of claim 19, wherein the method further comprises determining if a return instruction that is controlled by an unchanged piece of the data is effected.
  - 26. The non-transitory computer-readable medium of claim 19, wherein the instruction count is a count of the number of instructions in a gadget.
  - 27. The non-transitory computer-readable medium of claim 19, wherein the instruction count is a count of the total number of instructions executed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Polychronakis, Michalis, Keromytis, Angelos D.
Primary Examiner(s)
Patel, Haresh N

Application Number

US15/349,445
Publication Number

US 20170243002A1
Time in Patent Office

809 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/54   by adding security routines...

G06F 21/562   Static detection

G06F 2221/034   Test or assess a computer o...

Detecting return-oriented programming payloads by evaluating data for a gadget address space address and determining whether operations associated with instructions beginning at the address indicate a return-oriented programming payload

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting return-oriented programming payloads by evaluating data for a gadget address space address and determining whether operations associated with instructions beginning at the address indicate a return-oriented programming payload

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links