Timely address space randomization

US 10,310,991 B2
Filed: 08/11/2016
Issued: 06/04/2019
Est. Priority Date: 08/11/2016
Status: Active Grant

First Claim

Patent Images

1. In a system executing a program within a memory address space, a method comprising:

loading a code region from a program binary to a first location within the address space;

detecting, during execution of the program, one or more output calls immediately followed by an input call (an “

output-input call pair”

) from the program; and

in response to detecting the output-input call pair from the program and before processing the input call on behalf of the program;

selecting a second location within the address space to move the code region to;

determining memory locations of one or more references to the code region;

updating the values of the references in memory based on the second location and using annotation information within the program binary; and

moving the code region to the second location within the address space;

wherein an output call comprises a function call, made by the program, that discloses contents of memory of the program to a user of the program, and wherein an input call comprises a function call, made by the program, that enables a user of the program to affect internal logic of the program.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for timely address space randomize includes loading a code region from a program binary to a first location within the address space, detecting, during execution of the program, an output-input call pair from the program and, in response to detecting the output-input call pair from the program: selecting a second location within the address space to move the code region to, determining memory locations of one or more references to the code region, updating the values of the references in memory based on the second location and using annotation information within the program binary, and moving the code region to the second location within the address space.

Citations

20 Claims

1. In a system executing a program within a memory address space, a method comprising:
- loading a code region from a program binary to a first location within the address space;
  
  detecting, during execution of the program, one or more output calls immediately followed by an input call (an “
  
  output-input call pair”
  
  ) from the program; and
  
  in response to detecting the output-input call pair from the program and before processing the input call on behalf of the program;
  
  selecting a second location within the address space to move the code region to;
  
  determining memory locations of one or more references to the code region;
  
  updating the values of the references in memory based on the second location and using annotation information within the program binary; and
  
  moving the code region to the second location within the address space;
  
  wherein an output call comprises a function call, made by the program, that discloses contents of memory of the program to a user of the program, and wherein an input call comprises a function call, made by the program, that enables a user of the program to affect internal logic of the program.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein selecting a second location within the address space comprises selecting a random location within the address space.
  - 3. The method of claim 1 wherein detecting an output-input call pair from the program is performed in kernel space and wherein updating the values of the references in memory based on the second location and using annotation information within the program binary is performed in userspace.
  - 4. The method of claim 3 further comprising, in response to detecting the output-input call pair:
    - injecting code into the address space, the injected code operable to update the values of the references in memory based on the second location and using annotation information within the program binary.
  - 5. The method of claim 1 wherein detecting an output-input call pair from the program comprises:
    - detecting an output call from a first process within a process group; and
      
      detecting an input call from a second process with the process group.
  - 6. The method of claim 1 wherein moving the code region to the second location within the address space comprises updating a virtual memory page table.
  - 7. The method of claim 1 further comprising, in response to detecting the output-input call pair from the program:
    - pausing the program;
      
      making a copy of a register set associated with the program;
      
      updating one or more references to the code region within the copy of the register set;
      
      restoring the register set associated with the program using the updated copy of the register set; and
      
      resuming the program.
  - 8. The method of claim 1 wherein updating the values of the references in memory comprises updating the value of global variables, stack-based variables, and dynamically allocated variables.
  - 9. The method of claim 8 wherein updating the value of global variables and stack-based variables comprises using tagged unions to determine the current data type of global variables and stacked-based variables.
  - 10. The method of claim 8 further comprising:
    - tracking the location of one or more dynamically allocated references to the code region, wherein updating the values of the references in memory comprises using the tracked location of the one or more dynamically allocated references.
  - 11. The method of claim 1 further comprising, in response to detecting the output-input call pair from the program:
    - updating one or more references to signal handlers defined within the code region.

12. In a system compiling a program and executing the program within a memory address space, a method comprising:
- analyzing source code of the program to identify code references;
  
  compiling the source code to generate an annotated binary having a code region;
  
  loading the code region into memory at a first location;
  
  detecting, during execution of the annotated binary, one or more output calls immediately followed by an input call (an “
  
  output-input call pair”
  
  );
  
  in response to detecting the output-input call pair and before processing the input call on behalf of the program;
  
  selecting a second location in memory to move the code region to;
  
  determining the location of the code references in memory;
  
  updating the value of the code references in memory based on the second location using annotation information within the annotated binary; and
  
  moving the code region from the first memory location to the second memory location;
  
  wherein an output call comprises a function call, made by the program, that discloses contents of memory of the program to a user of the program, and wherein an input call comprises a function call, made by the program, that enables a user of the program to affect internal logic of the program.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12 wherein compiling the source code to generate an annotated binary having a code region comprises generating an annotated binary having information about the location of global code reference variables and stack-based code references.
  - 14. The method of claim 12 wherein analyzing source code to identify code references comprises identifying global code references, stack-based code references, and dynamically allocated code references.
  - 15. The method of claim 14 wherein identifying dynamically allocated code references comprises identifying dynamic allocations statements using the sizeof( ) operator on a data type associated with code references.
  - 16. The method of claim 12 wherein compiling the source code to generate an annotated binary comprises generating Position Independent Executable/Code (PIE/PIC).
  - 17. The method of claim 12 wherein compiling the source code to generate an annotated binary comprises treating references to objects within a program data region as externally visible global references residing in different compilation units.
  - 18. The method of claim 17 wherein the annotated binary includes a Global Offset Table (GOT) through which the references to objects within a program data region are routed.
  - 19. The method of claim 12 wherein compiling the source code to generate an annotated binary comprises generating a tagged union wherever a union with a code reference is encountered in the source code.

20. A system comprising:
- one or more processors;
  
  a volatile memory; and
  
  a non-volatile memory storing computer program code that when executed on the processor causes execution across the one or more processors of a process operable to perform the operations of;
  
  load a code region from a program binary to a first location within the address space;
  
  detect, during execution of the program, one or more output calls immediately followed by an input call (an “
  
  output-input call pair”
  
  ) from the program;
  
  in response to detecting the output-input call pair from the program and before processing the input call on behalf of the program;
  
  select a second location within the address space to move the code region to;
  
  determine memory locations of one or more references to the code region;
  
  update the values of the references in memory based on the second location and using annotation information within the program binary; and
  
  move the code region to the second location within the address space;
  
  wherein an output call comprises a function call, made by the program, that could disclose contents of memory of the program to a user of the program, and wherein an input call comprises a function call, made by the program, that enables a user of the program to affect internal logic of the program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Massachusetts Institute of Technology
Original Assignee
Massachusetts Institute of Technology
Inventors
Okhravi, Hamed, Hobson, Thomas R., Bigelow, David O., Rudd, Robert, Streilein, William W.
Primary Examiner(s)
Rivera, Anibal

Application Number

US15/234,028
Publication Number

US 20180046585A1
Time in Patent Office

1,027 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/023   Free address space management

G06F 12/1408   by using cryptography for d...

G06F 16/245   Query processing

G06F 21/125   by manipulating the program...

G06F 21/52   during program execution, e...

G06F 21/54   by adding security routines...

G06F 21/577   Assessing vulnerabilities a...

G06F 2212/1052   Security improvement

Timely address space randomization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Timely address space randomization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links