Detecting data corruption by control flow interceptions

US 10,289,570 B2
Filed: 12/24/2015
Issued: 05/14/2019
Est. Priority Date: 12/24/2015
Status: Active Grant

First Claim

Patent Images

1. A computer program product tangibly embodied on a non-transient computer readable medium, the computer program product comprising instructions operable, when executed, to perform a method comprising:

intercepting, by an execution profiling handler implemented at least partially in hardware, an invocation by an executable application to a memory allocation library to allocate memory;

observing, by the execution profiling handler, memory allocation information associated with the invocation of the memory allocation library, the memory allocation information indicating a module of the executable application that is run, a size of the memory, an address or range of the memory, an attribute of the memory, or a location of the memory, the attribute defined as at least one of READ, WRITE, or EXECUTE;

setting a permission for accessing heap memory in an extended page table based on the memory allocation information;

intercepting (i) an indirect branch execution from the executable application or (ii) an exploitation of heap memory; and

determining, based on the permission set in the extended page table, to block (i) the indirect branch execution from accessing heap memory or (ii) the exploitation of heap memory.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of this disclosure are directed to an execution profiling handler configured for intercepting an invocation of memory allocation library and observing memory allocation for an executable application process. The observed memory allocation can be used to update memory allocation meta-data for tracking purposes. The execution profiling handler can also intercept indirect branch calls to prevent heap allocation from converting to execution and intercept exploitation of heap memory to block execution.

Citations

19 Claims

1. A computer program product tangibly embodied on a non-transient computer readable medium, the computer program product comprising instructions operable, when executed, to perform a method comprising:
- intercepting, by an execution profiling handler implemented at least partially in hardware, an invocation by an executable application to a memory allocation library to allocate memory;
  
  observing, by the execution profiling handler, memory allocation information associated with the invocation of the memory allocation library, the memory allocation information indicating a module of the executable application that is run, a size of the memory, an address or range of the memory, an attribute of the memory, or a location of the memory, the attribute defined as at least one of READ, WRITE, or EXECUTE;
  
  setting a permission for accessing heap memory in an extended page table based on the memory allocation information;
  
  intercepting (i) an indirect branch execution from the executable application or (ii) an exploitation of heap memory; and
  
  determining, based on the permission set in the extended page table, to block (i) the indirect branch execution from accessing heap memory or (ii) the exploitation of heap memory.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer program product of claim 1, wherein the method further comprises:
    - intercepting the indirect branch execution from the executable application; and
      
      determining to block the indirect branch execution from accessing heap memory based on the memory allocation information.
  - 3. The computer program product of claim 2, wherein the indirect branch execution is blocked from accessing heap memory based on the permission set in the extended page table.
  - 4. The computer program product of claim 1, wherein the method further comprises:
    - intercepting the exploitation of heap memory; and
      
      determining to block the exploitation of heap memory based on the memory allocation information.
  - 5. The computer program product of claim 4, wherein the exploitation of heap memory is blocked based on the permission in the extended page table.
  - 6. The computer program product of claim 1, wherein the method further comprises:
    - building a memory allocation tracking library for the executable application by iteratively intercepting memory allocation library invocations and observing the memory allocation information.

7. A computer implemented method, comprising:
- intercepting, by an execution profiling handler implemented at least partially in hardware, an invocation by an executable application to a memory allocation library to allocate memory;
  
  observing, by the execution profiling handler, memory allocation information associated with the invocation of the memory allocation library, the memory allocation information indicating a module of the executable application that is run, a size of the memory, an address or range of the memory, an attribute of the memory, or a location of the memory, the attribute defined as at least one of READ, WRITE, or EXECUTE;
  
  setting a permission for accessing heap memory in an extended page table based on the memory allocation information;
  
  intercepting (i) an indirect branch execution from the executable application or (ii) an exploitation of heap memory; and
  
  determining, based on the permission set in the extended page table, to block (i) the indirect branch execution from accessing heap memory or (ii) the exploitation of heap memory.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer implemented method of claim 7, further comprising:
    - intercepting the indirect branch execution from the executable application; and
      
      determining to block the indirect branch execution from accessing heap memory based on the memory allocation information.
  - 9. The computer implemented method of claim 8, further comprising:
    - blocking, by the execution profiling handler, the indirect branch execution from accessing heap memory based on the permission set in the extended page table.
  - 10. The computer implemented method of claim 7, further comprising:
    - intercepting the exploitation of heap memory; and
      
      determining to block the exploitation of heap memory based on the memory allocation information.
  - 11. The computer implemented method of claim 10, further comprising:
    - blocking, by the execution profiling handler, the exploitation of heap memory based on the permission in the extended page table.
  - 12. The computer implemented method of claim 7, further comprising:
    - building a memory allocation tracking library for the executable application by iteratively intercepting memory allocation library invocations and observing the memory allocation information.

13. A system for intercepting a process flow, the system comprising:
- a processor implemented at least partially in hardware;
  
  a memory; and
  
  an execution profiling handler implemented at least partially in hardware tointercept a memory allocation library invocation by an executable application to allocate memory;
  
  observe memory allocation information associated with the invocation of the memory allocation library, the memory allocation information indicating a module of the executable application that is run, a size of the memory, an address or range of the memory, an attribute of the memory, or a location of the memory, the attribute defined as at least one of READ, WRITE, or EXECUTE;
  
  set a permission for accessing heap memory in an extended page table based on the memory allocation information;
  
  intercept (i) an indirect branch execution from the executable application or (ii) an exploitation of heap memory; and
  
  determine, based on the permission set in the extended page table, to block (i) the indirect branch execution from accessing heap memory or (ii) the exploitation of heap memory.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the permission is set in a hypervisor implemented at least partially in hardware.
  - 15. The system of claim 13, wherein the execution profiling handler is further configured to:
    - intercept the indirect branch execution from the executable application; and
      
      determine to block the indirect branch execution from accessing heap memory based on the memory allocation information.
  - 16. The system of claim 15, wherein the execution profiling handler is configured to block the indirect branch execution from accessing heap memory based on the permission set in the extended page table.
  - 17. The system of claim 13, wherein the execution profiling handler is further configured to:
    - intercept the exploitation of heap memory; and
      
      determine to block the exploitation of heap memory based on the memory allocation information.
  - 18. The system of claim 17, wherein the execution profiling handler is further configured to block an exploitation of heap memory based on the permission in the extended page table.
  - 19. The system of claim 13, wherein a memory allocation tracking library for the executable application is built by iteratively intercepting memory allocation library invocations and observing the memory allocation information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Li, Xiaoning, Lu, Lixin, Sahita, Ravi
Primary Examiner(s)
Bayou, Yonas A

Application Number

US14/998,201
Publication Number

US 20170185536A1
Time in Patent Office

1,237 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 11/302   where the computing system ...

G06F 11/3037   where the computing system ...

G06F 11/3086   where the reporting involve...

G06F 11/3466   Performance evaluation by t...

G06F 12/1458   by checking the subject acc...

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2201/865   Monitoring of software

G06F 2212/1052   Security improvement

G06F 3/0622   in relation to access

G06F 3/0631   by allocating resources to ...

G06F 3/0673   Single storage device

G06F 9/3005   to perform operations for f...

G06F 9/30054   Unconditional branch instru...

G06F 9/30061   Multi-way branch instructio...

G06F 9/323   for indirect branch instruc...

G06F 9/3804   for branches, e.g. hedging,...

Detecting data corruption by control flow interceptions

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting data corruption by control flow interceptions

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links