Detecting data corruption by control flow interceptions
First Claim
Patent Images
1. A computer program product tangibly embodied on a non-transient computer readable medium, the computer program product comprising instructions operable, when executed, to perform a method comprising:
- intercepting, by an execution profiling handler implemented at least partially in hardware, an invocation by an executable application to a memory allocation library to allocate memory;
observing, by the execution profiling handler, memory allocation information associated with the invocation of the memory allocation library, the memory allocation information indicating a module of the executable application that is run, a size of the memory, an address or range of the memory, an attribute of the memory, or a location of the memory, the attribute defined as at least one of READ, WRITE, or EXECUTE;
setting a permission for accessing heap memory in an extended page table based on the memory allocation information;
intercepting (i) an indirect branch execution from the executable application or (ii) an exploitation of heap memory; and
determining, based on the permission set in the extended page table, to block (i) the indirect branch execution from accessing heap memory or (ii) the exploitation of heap memory.
10 Assignments
0 Petitions
Accused Products
Abstract
Embodiments of this disclosure are directed to an execution profiling handler configured for intercepting an invocation of memory allocation library and observing memory allocation for an executable application process. The observed memory allocation can be used to update memory allocation meta-data for tracking purposes. The execution profiling handler can also intercept indirect branch calls to prevent heap allocation from converting to execution and intercept exploitation of heap memory to block execution.
-
Citations
19 Claims
-
1. A computer program product tangibly embodied on a non-transient computer readable medium, the computer program product comprising instructions operable, when executed, to perform a method comprising:
-
intercepting, by an execution profiling handler implemented at least partially in hardware, an invocation by an executable application to a memory allocation library to allocate memory; observing, by the execution profiling handler, memory allocation information associated with the invocation of the memory allocation library, the memory allocation information indicating a module of the executable application that is run, a size of the memory, an address or range of the memory, an attribute of the memory, or a location of the memory, the attribute defined as at least one of READ, WRITE, or EXECUTE; setting a permission for accessing heap memory in an extended page table based on the memory allocation information; intercepting (i) an indirect branch execution from the executable application or (ii) an exploitation of heap memory; and determining, based on the permission set in the extended page table, to block (i) the indirect branch execution from accessing heap memory or (ii) the exploitation of heap memory. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A computer implemented method, comprising:
-
intercepting, by an execution profiling handler implemented at least partially in hardware, an invocation by an executable application to a memory allocation library to allocate memory; observing, by the execution profiling handler, memory allocation information associated with the invocation of the memory allocation library, the memory allocation information indicating a module of the executable application that is run, a size of the memory, an address or range of the memory, an attribute of the memory, or a location of the memory, the attribute defined as at least one of READ, WRITE, or EXECUTE; setting a permission for accessing heap memory in an extended page table based on the memory allocation information; intercepting (i) an indirect branch execution from the executable application or (ii) an exploitation of heap memory; and determining, based on the permission set in the extended page table, to block (i) the indirect branch execution from accessing heap memory or (ii) the exploitation of heap memory. - View Dependent Claims (8, 9, 10, 11, 12)
-
-
13. A system for intercepting a process flow, the system comprising:
-
a processor implemented at least partially in hardware; a memory; and an execution profiling handler implemented at least partially in hardware to intercept a memory allocation library invocation by an executable application to allocate memory; observe memory allocation information associated with the invocation of the memory allocation library, the memory allocation information indicating a module of the executable application that is run, a size of the memory, an address or range of the memory, an attribute of the memory, or a location of the memory, the attribute defined as at least one of READ, WRITE, or EXECUTE; set a permission for accessing heap memory in an extended page table based on the memory allocation information; intercept (i) an indirect branch execution from the executable application or (ii) an exploitation of heap memory; and determine, based on the permission set in the extended page table, to block (i) the indirect branch execution from accessing heap memory or (ii) the exploitation of heap memory. - View Dependent Claims (14, 15, 16, 17, 18, 19)
-
Specification