Timely address space randomization
Abstract
A method for timely address space randomization includes loading a code region from a program binary to a first location within the address space, detecting, during execution of the program, an output-input call pair from the program and, in response to detecting the output-input call pair from the program: selecting a second location within the address space to move the code region to, determining memory locations of one or more references to the code region, updating the values of the references in memory based on the second location and using annotation information within the program binary, and moving the code region to the second location within the address space.
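An added illustration of the method summarized in the abstract, not code from the patent or its authors: a small C model that moves the code region on the first input call after one or more output calls and patches the annotated references by the displacement. The struct layout, function names and sample addresses are constructed for this example; only output and input calls are modelled, and the new base is passed in by the caller rather than chosen at random.

```c
#include <stddef.h>
#include <stdint.h>

enum call_kind { CALL_OUTPUT, CALL_INPUT };

/* Constructed model of one process. refs[] stands in for the annotation
 * information in the binary: it lists which words of mem[] hold code pointers. */
struct proc {
    uintptr_t code_base;   /* current location of the code region */
    size_t code_len;
    uintptr_t mem[4];      /* data words; only some are code pointers */
    size_t refs[4];
    size_t nrefs;
    int output_pending;    /* an output call was seen since the last input call */
    unsigned moves;
};

/* Constructed sample state: two code pointers and one plain integer. */
struct proc make_demo(void) {
    struct proc p = { 0x400000, 0x1000, { 0x400010, 42, 0x400abc, 0 },
                      { 0, 2 }, 2, 0, 0 };
    return p;
}

int in_code(const struct proc *p, uintptr_t addr) {
    return addr - p->code_base < p->code_len;   /* unsigned wrap rejects addr < base */
}

/* Update every annotated reference by the displacement, then record the move.
 * Copying the region's bytes is outside this model. */
void rerandomize(struct proc *p, uintptr_t new_base) {
    uintptr_t delta = new_base - p->code_base;  /* wraps correctly in either direction */
    for (size_t i = 0; i < p->nrefs; i++)
        p->mem[p->refs[i]] += delta;
    p->code_base = new_base;
    p->moves++;
}

/* Hook run before each call is serviced. Returns 1 if the region was moved.
 * next_base is supplied by the caller; a real system would pick it at random. */
int on_call(struct proc *p, enum call_kind k, uintptr_t next_base) {
    if (k == CALL_OUTPUT) { p->output_pending = 1; return 0; }
    if (!p->output_pending) return 0;           /* nothing disclosed since last move */
    rerandomize(p, next_base);
    p->output_pending = 0;
    return 1;
}
```

A code pointer value captured at an output call no longer falls inside the code region once the following input call has been intercepted, while the references listed in `refs[]` remain valid and the plain integer is untouched.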
20 Claims
1. In a system executing a program within a memory address space, a method comprising:
- loading a code region from a program binary to a first location within the address space;
- detecting, during execution of the program, one or more output calls immediately followed by an input call (an “output-input call pair”) from the program; and
- in response to detecting the output-input call pair from the program and before processing the input call on behalf of the program:
  - selecting a second location within the address space to move the code region to;
  - determining memory locations of one or more references to the code region;
  - updating the values of the references in memory based on the second location and using annotation information within the program binary; and
  - moving the code region to the second location within the address space;
- wherein an output call comprises a function call, made by the program, that discloses contents of memory of the program to a user of the program, and wherein an input call comprises a function call, made by the program, that enables a user of the program to affect internal logic of the program.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. In a system compiling a program and executing the program within a memory address space, a method comprising:
- analyzing source code of the program to identify code references;
- compiling the source code to generate an annotated binary having a code region;
- loading the code region into memory at a first location;
- detecting, during execution of the annotated binary, one or more output calls immediately followed by an input call (an “output-input call pair”);
- in response to detecting the output-input call pair and before processing the input call on behalf of the program:
  - selecting a second location in memory to move the code region to;
  - determining the location of the code references in memory;
  - updating the value of the code references in memory based on the second location using annotation information within the annotated binary; and
  - moving the code region from the first memory location to the second memory location;
- wherein an output call comprises a function call, made by the program, that discloses contents of memory of the program to a user of the program, and wherein an input call comprises a function call, made by the program, that enables a user of the program to affect internal logic of the program.

Dependent claims: 13, 14, 15, 16, 17, 18, 19

20. A system comprising:
- one or more processors;
- a volatile memory; and
- a non-volatile memory storing computer program code that when executed on the processor causes execution across the one or more processors of a process operable to perform the operations of:
  - load a code region from a program binary to a first location within the address space;
  - detect, during execution of the program, one or more output calls immediately followed by an input call (an “output-input call pair”) from the program;
  - in response to detecting the output-input call pair from the program and before processing the input call on behalf of the program:
    - select a second location within the address space to move the code region to;
    - determine memory locations of one or more references to the code region;
    - update the values of the references in memory based on the second location and using annotation information within the program binary; and
    - move the code region to the second location within the address space;
- wherein an output call comprises a function call, made by the program, that could disclose contents of memory of the program to a user of the program, and wherein an input call comprises a function call, made by the program, that enables a user of the program to affect internal logic of the program.

Specification