Mitigation of cyber attacks by pointer obfuscation
3 Assignments
0 Petitions
Abstract
A method for protecting a computer includes identifying a first pointer in a data structure used by a computer program indicating a first memory address to be accessed, using the pointer, in order to invoke a functionality of the computer. The identified first pointer is replaced with a second pointer indicating a second memory address, different from the first memory address. A security program module traps attempts to access the second memory address during execution of the computer program so as to foil unauthorized access to the functionality of the computer.
26 Claims
1. A method for protecting a computer when loading a computer program into a memory for execution by the computer, comprising:

before execution of the computer program by the computer, identifying a pointer, which points to a first memory address for accessing an operating system function in a data structure created for the computer program, and rewriting the identified pointer in the data structure for the computer program so that the identified pointer points to a second memory address, different from the first memory address, wherein the second memory address is defined with a permission setting which does not allow access, such that any attempt to access the second memory address will raise an exception; and

configuring the computer to transfer control to program code that determines whether an access to the second memory address during execution of the computer program is a possible unauthorized access to the functionality of the computer, when the second memory address is accessed during execution of the computer program, wherein determining whether the access to the second memory address is a possible unauthorized access comprises analyzing a source of an attempt to access the second memory address, and upon finding the source to be an authorized operation of the computer, correcting the pointer in the data structure created for the computer program to point to the first memory address, and permitting the authorized operation to resume using the first memory address.

Dependent claims: 2, 3, 4, 5, 6, 25, 26

7. Computing apparatus, comprising:

a memory, which is configured to store a computer program and data structures associated with the computer program; and

a processor, which is coupled to the memory and is configured, before execution of the computer program by the computing apparatus, to identify a pointer, which points to a first memory address for accessing an operating system function in a data structure created for the computer program, and to rewrite the identified pointer in the data structure for the computer program so that the identified pointer points to a second memory address, different from the first memory address, wherein the second memory address is defined with a permission setting which does not allow access, such that any attempt to access the second memory address will raise an exception, and to configure the computing apparatus to transfer control to program code that determines whether an access to the second memory address during execution of the computer program is a possible unauthorized access to the functionality of the computing apparatus, when the second memory address is accessed during execution of the computer program, wherein determining whether the access to the second memory address is a possible unauthorized access comprises analyzing a source of an attempt to access the second memory address, and upon finding the source to be an authorized operation of the computer, correcting the pointer in the data structure created for the computer program to point to the first memory address, and permitting the authorized operation to resume using the first memory address.

Dependent claims: 8, 9, 10, 11, 12

13. A computer software product, comprising a non-transitory computer-readable medium in which program instructions are stored, which instructions include:

a pointer handling module which, when read by a computer, causes the computer to identify, before execution of the computer program by the computer, a pointer, which points to a first memory address for accessing an operating system function in a data structure created for the computer program, and to rewrite the identified pointer in the data structure for the computer program so that the identified pointer points to a second memory address, different from the first memory address, wherein the second memory address is defined with a permission setting which does not allow access, such that any attempt to access the second memory address will raise an exception; and

a security program module invoked when attempts to access the second memory address during execution of the computer program occur, which when invoked determines whether an access to the second memory address which invoked the security program module is a possible unauthorized access to a functionality of the computer program, when the second memory address is accessed during execution of the computer program, wherein determining whether the access to the second memory address is a possible unauthorized access comprises analyzing a source of an attempt to access the second memory address, and upon finding the source to be an authorized operation of the computer, correcting the pointer in the data structure created for the computer program to point to the first memory address, and permitting the authorized operation to resume using the first memory address.

Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24
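The mechanism shared by independent claims 1, 7 and 13 (rewrite the pointer to a no-access address, trap the resulting exception, judge the source of the access, correct the pointer and let an authorized operation resume) as an added illustration; this is not the patent's own code nor any product's implementation. It is a Linux C model: a one-entry table stands in for the program's import data structure, a PROT_NONE page is the second memory address, and a SIGSEGV handler transfers control to the security module. Because the claims do not say how the source of an access is analyzed, the example assumes a hypothetical marker that the program's own import stub sets before calling, so a call that reaches the table entry without going through the stub is treated as an unknown source and blocked. All names here (`protect_table`, `call_os`, `call_without_stub`, `security_module`) are the example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*os_func_t)(int);

/* Stand-in for the operating system function the program imports. */
static int real_os_function(int x) { return x * 2; }

#define TABLE_SIZE 1

/* The "data structure created for the computer program": a table the loader
 * would normally fill with first memory addresses.  volatile so each call
 * re-reads the (possibly rewritten) pointer. */
static os_func_t volatile import_table[TABLE_SIZE];

/* Kept by the security module: the first memory addresses, needed to correct
 * an entry once an access is found to be authorized. */
static os_func_t first_address[TABLE_SIZE] = { real_os_function };

static void *trap_page;                 /* second memory address, PROT_NONE */
static sigjmp_buf trap_env;

/* Hypothetical "source" marker (the claims do not say how the source is
 * analyzed): the program's import stub sets it before a call. */
enum source { SOURCE_UNKNOWN = 0, SOURCE_PROGRAM_STUB = 1 };
static volatile sig_atomic_t current_source;
static int blocked_count;

/* The exception raised by touching the no-access page lands here and control
 * is transferred to the security module by unwinding into dispatch(). */
static void on_segv(int sig, siginfo_t *info, void *ctx) {
    (void)sig; (void)ctx;
    if (info->si_addr == trap_page)
        siglongjmp(trap_env, 1);
    signal(SIGSEGV, SIG_DFL);           /* some other fault: not ours */
    raise(SIGSEGV);
}

/* Loader-side step: map a page nobody may access, point every table entry at
 * it and route the resulting faults to on_segv().  Returns 0 on success. */
int protect_table(void) {
    if (trap_page == NULL) {
        size_t page = (size_t)sysconf(_SC_PAGESIZE);
        trap_page = mmap(NULL, page, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (trap_page == MAP_FAILED) { trap_page = NULL; return -1; }
    }
    for (int i = 0; i < TABLE_SIZE; i++)
        import_table[i] = (os_func_t)trap_page;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Security module: analyze the source of the trapped access.  An authorized
 * source gets the entry corrected (returns 1); anything else is blocked. */
static int security_module(int idx) {
    if (current_source != SOURCE_PROGRAM_STUB) { blocked_count++; return 0; }
    import_table[idx] = first_address[idx];   /* correct the pointer */
    return 1;
}

/* One call through the table.  The first use of an obfuscated entry faults,
 * is judged by the security module and, if allowed, resumes through the
 * corrected pointer.  Returns the function's result, or -1 when blocked. */
static int dispatch(int idx, int arg) {
    for (;;) {
        if (sigsetjmp(trap_env, 1) == 0)
            return import_table[idx](arg);
        if (!security_module(idx))
            return -1;
    }
}

/* The program's legitimate import stub: the authorized way to call. */
int call_os(int idx, int arg) {
    current_source = SOURCE_PROGRAM_STUB;
    int r = dispatch(idx, arg);
    current_source = SOURCE_UNKNOWN;
    return r;
}

/* Code that reaches the table entry without going through the stub. */
int call_without_stub(int idx, int arg) {
    current_source = SOURCE_UNKNOWN;
    return dispatch(idx, arg);
}

int blocked_attempts(void) { return blocked_count; }
int table_is_corrected(int idx) { return import_table[idx] == first_address[idx]; }

int main(void) {
    if (protect_table() != 0) { perror("protect_table"); return 1; }
    int direct = call_without_stub(0, 21);
    printf("direct table call -> %d (blocked: %d)\n", direct, blocked_attempts());
    int viastub = call_os(0, 21);
    printf("stub call -> %d (entry corrected: %d)\n", viastub, table_is_corrected(0));
    return 0;
}
```

Run stand-alone, the direct table call is blocked (-1) while the stub call returns 42 and leaves the entry pointing at the first address again. Note the property the claim language itself implies: once the security module has corrected an entry, later calls through it reach the first memory address without raising an exception, so the check applies to the first access of each entry; returning the entry to the second address after the operation completes would be an additional step that the independent claims shown here do not recite.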