Mitigation of cyber attacks by pointer obfuscation

US 10,310,992 B1
Filed: 09/27/2016
Issued: 06/04/2019
Est. Priority Date: 08/23/2012
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a computer when loading a computer program into a memory for execution by the computer, comprising:

before execution of the computer program by the computer, identifying a pointer, which points to a first memory address for accessing an operating system function in a data structure created for the computer program, and rewriting the identified pointer in the data structure for the computer program so that the identified pointer points to a second memory address, different from the first memory address, wherein the second memory address is defined with a permission setting which does not allow access, such that any attempt to access the second memory address will raise an exception; and

configuring the computer to transfer control to program code that determines whether an access to the second memory address during execution of the computer program is a possible unauthorized access to the functionality of the computer, when the second memory address is accessed during execution of the computer program,wherein determining whether the access to the second memory address is a possible unauthorized access comprises analyzing a source of an attempt to access the second memory address, and upon finding the source to be an authorized operation of the computer, correcting the pointer in the data structure created for the computer program to point to the first memory address, and permitting the authorized operation to resume using the first memory address.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for protecting a computer includes identifying a first pointer in a data structure used by a computer program indicating a first memory address to be accessed, using the pointer, in order to invoke a functionality of the computer. The identified first pointer is replaced with a second pointer indicating a second memory address, different from the first memory address. A security program module traps attempts to access the second memory address during execution of the computer program so as to foil unauthorized access to the functionality of the computer.

Citations

26 Claims

1. A method for protecting a computer when loading a computer program into a memory for execution by the computer, comprising:
- before execution of the computer program by the computer, identifying a pointer, which points to a first memory address for accessing an operating system function in a data structure created for the computer program, and rewriting the identified pointer in the data structure for the computer program so that the identified pointer points to a second memory address, different from the first memory address, wherein the second memory address is defined with a permission setting which does not allow access, such that any attempt to access the second memory address will raise an exception; and
  
  configuring the computer to transfer control to program code that determines whether an access to the second memory address during execution of the computer program is a possible unauthorized access to the functionality of the computer, when the second memory address is accessed during execution of the computer program,wherein determining whether the access to the second memory address is a possible unauthorized access comprises analyzing a source of an attempt to access the second memory address, and upon finding the source to be an authorized operation of the computer, correcting the pointer in the data structure created for the computer program to point to the first memory address, and permitting the authorized operation to resume using the first memory address.
- View Dependent Claims (2, 3, 4, 5, 6, 25, 26)
- - 2. The method according to claim 1, and comprising upon finding the source to be unauthorized, blocking access to the functionality.
  - 3. The method according to claim 2, and comprising issuing an alert with respect to the attempt.
  - 4. The method according to claim 1, wherein the second memory address is in a location to which access is not permitted by an operating system of the computer, such that attempts to access the second memory address cause exceptions, which result in the transfer of control during execution of the computer program.
  - 5. The method according to claim 1, wherein the first memory address is a location of a function table of the computer program.
  - 6. The method according to claim 1, wherein the program code that determines comprises a dynamic-link library (DLL), which is configured to be loaded prior to the execution of the computer program.
  - 25. The method according to claim 1, wherein identifying the pointer is performed by a module injected into a process designated to run the computer program.
  - 26. The method according to claim 25, wherein the injected module submits a request to the operating system to reserve a certain range of memory including the second memory address, with permission settings not allowing access to the range.

7. Computing apparatus, comprising:
- a memory, which is configured to store a computer program and data structures associated with the computer program; and
  
  a processor, which is coupled to the memory and is configured;
  
  before execution of the computer program by the computing apparatus, to identify a pointer, which points to a first memory address for accessing an operating system function in a data structure created for the computer program, and to rewrite the identified pointer in the data structure for the computer program so that the identified pointer points to a second memory address, different from the first memory address, wherein the second memory address is defined with a permission setting which does not allow access, such that any attempt to access the second memory address will raise an exception, andto configure the computing apparatus to transfer control to program code that determines whether an access to the second memory address during execution of the computer program is a possible unauthorized access to the functionality of the computing apparatus, when the second memory address is accessed during execution of the computer program,wherein determining whether the access to the second memory address is a possible unauthorized access comprises analyzing a source of an attempt to access the second memory address, and upon finding the source to be an authorized operation of the computer, correcting the pointer in the data structure created for the computer program to point to the first memory address, and permitting the authorized operation to resume using the first memory address.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus according to claim 7, wherein the program code that determines whether an access to the second memory address is a possible unauthorized access causes the processor upon finding the source to be unauthorized, to block access to the functionality.
  - 9. The apparatus according to claim 8, wherein the program code that determines whether an access to the second memory address is a possible unauthorized access causes the processor to issue an alert with respect to the attempt.
  - 10. The apparatus according to claim 7, wherein the processor is configured to assign the second memory address to be in a location to which access is not permitted by the computing apparatus, such that the attempts to access the second memory address cause exceptions, which result in the transfer of control during execution of the computer program.
  - 11. The apparatus according to claim 7, wherein the first memory address is a location of a function table of the computer program.
  - 12. The apparatus according to claim 7, wherein the program code that determines whether an access to the second memory address is a possible unauthorized access comprises a dynamic-link library (DLL), and wherein the processor configured to load the DLL into the memory when the computer program is loaded into the memory, prior to the execution of the computer program.

13. A computer software product, comprising a non-transitory computer-readable medium in which program instructions are stored, which instructions, include:
- a pointer handling module which when read by a computer, causes the computer to identify before execution of the computer program by the computer, a pointer, which points to a first memory address for accessing an operating system function in a data structure created for the computer program, and to rewrite the identified pointer in the data structure for the computer program so that the identified pointer points to a second memory address, different from the first memory address, wherein the second memory address is defined with a permission setting which does not allow access, such that any attempt to access the second memory address will raise an exception; and
  
  a security program module invoked when attempts to access the second memory address during execution of the computer program occur, which when invoked determines whether an access to the second memory address which invoked the security program module is a possible unauthorized access to a functionality of the computer program, when the second memory address is accessed during execution of the computer program,wherein determining whether the access to the second memory address is a possible unauthorized access comprises analyzing a source of an attempt to access the second memory address, and upon finding the source to be an authorized operation of the computer, correcting the pointer in the data structure created for the computer program to point to the first memory address, and permitting the authorized operation to resume using the first memory address.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The product according to claim 13, wherein the instructions cause the computer upon finding the source to be unauthorized, to block access to the functionality.
  - 15. The product according to claim 14, wherein the instructions cause the computer to issue an alert with respect to the attempt.
  - 16. The product according to claim 13, wherein the instructions cause the computer to assign the second memory address to be in a location to which access is not permitted by the computer, such that the attempts to access the second memory address cause exceptions, which invoke an exception handler module that calls the security program module.
  - 17. The product according to claim 14, wherein the first memory address is a location of a function table of the computer program.
  - 18. The product according to claim 14, wherein the security program module comprises a dynamic-link library (DLL), which is configured to be loaded prior to the execution of the computer program.
  - 19. The product according to claim 13, wherein the pointer handling module is included in a program module loaded to the memory with the computer program.
  - 20. The product according to claim 19, wherein a classification of the computer program loaded into the memory is determined and the pointer handling module is included with the loaded computer program if the process is classified as potentially vulnerable.
  - 21. The product according to claim 19, wherein the pointer handling module is included in a dynamic-link library (DLL) loaded to the memory with the process.
  - 22. The product according to claim 13, wherein the pointer handling module additionally requests allocation of a memory range to include the second memory address.
  - 23. The product according to claim 22, wherein the allocation request of the pointer handling module for the memory range to include the second memory address is provided to an operating system of the computer as a request of the computer program.
  - 24. The product according to claim 23, wherein the pointer handling module does not request that the memory range be committed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Badishi, Gal, Davidi, Netanel
Primary Examiner(s)
Tsai, Sheng Jen

Application Number

US15/276,807
Time in Patent Office

980 Days
Field of Search

711163
US Class Current
CPC Class Codes

G06F 12/1433   for a module or a part of a...

G06F 12/1458   by checking the subject acc...

G06F 12/1483   using an access-table, e.g....

G06F 2212/1052   Security improvement

G06F 9/44521   Dynamic linking or loading;...

Mitigation of cyber attacks by pointer obfuscation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigation of cyber attacks by pointer obfuscation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links