System and methods for run time detection and correction of memory corruption

US 10,331,888 B1
Filed: 02/20/2015
Issued: 06/25/2019
Est. Priority Date: 02/09/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting an application layer memory corruption of at least one portion of a control section of memory by an address table attack, wherein detecting includes;

(a) capturing a shadow copy of an address table from the control section of memory;

(b) checking contents of the address table against the captured shadow copy following execution of a function call;

(c) if the checked contents and the captured shadow copy match, checking that the executed function call is present in the address table; and

(d) declaring the application layer memory corruption based on;

(i) at least a portion of the checked contents and the captured shadow copy not matching, or (ii) the executed function call not being present in the address table; and

automatically detecting a security attack of a computer application based on the declared application layer memory corruption, and reporting the detected security attack to a user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method or apparatus detects a memory corruption of at least one portion of memory during run-time and corrects the memory corruption of the at least one portion of memory by replacing the at least one portion of memory with a backup of the at least one portion of memory. In this way, memory corruption can be corrected in a timely fashion while minimizing security risks.

Citations

20 Claims

1. A method comprising:
- detecting an application layer memory corruption of at least one portion of a control section of memory by an address table attack, wherein detecting includes;
  
  (a) capturing a shadow copy of an address table from the control section of memory;
  
  (b) checking contents of the address table against the captured shadow copy following execution of a function call;
  
  (c) if the checked contents and the captured shadow copy match, checking that the executed function call is present in the address table; and
  
  (d) declaring the application layer memory corruption based on;
  
  (i) at least a portion of the checked contents and the captured shadow copy not matching, or (ii) the executed function call not being present in the address table; and
  
  automatically detecting a security attack of a computer application based on the declared application layer memory corruption, and reporting the detected security attack to a user.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the address table includes at least one of an import address table, an export address table, and a relocation table.
  - 3. The method of claim 1, further comprising:
    - performing randomization on libraries of the address table prior to capturing the shadow copy.
  - 4. The method of claim 3, wherein the randomization includes at least one of mangling function names of the libraries, using random permutations of functions contained within the libraries, and loading the libraries at random locations in memory.
  - 5. The method of claim 1, further comprising correcting the application layer memory corruption by replacing the at least one portion of corrupted memory with a backup of the at least one portion of the control section of memory to prevent corrupted code from ever executing.

6. An apparatus comprising:
- a processor configured to execute a process, the process configured to;
  
  detect an application layer memory corruption of at least one portion of a control section of memory by an address table attack, wherein detecting includes;
  
  (a) capturing a shadow copy of an address table from the control section of memory;
  
  (b) checking contents of the address table against the captured shadow copy following execution of a function call;
  
  (c) if the checked contents and the captured shadow copy match, checking that the executed function call is present in the address table; and
  
  (d) declaring the application layer memory corruption based on;
  
  (i) at least a portion of the checked contents and the captured shadow copy not matching, or (ii) the executed function not being present in the address table; and
  
  automatically detect a security attack of a computer application based on the declared application layer memory corruption, and report the detected security attack to a user.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus of claim 6, wherein the address table includes at least one of an import address table, an export address table, and a relocation table.
  - 8. The apparatus of claim 6, the processor further configured to:
    - perform randomization on libraries of the address table prior to capturing the shadow copy.
  - 9. The apparatus of claim 8, wherein the randomization includes at least one of mangling function names of the libraries, using random permutations of functions contained within the libraries, and loading the libraries at random locations in memory.
  - 10. The apparatus of claim 6, the processor further configured to:
    - correct the application layer memory corruption by replacing the at least one portion of corrupted memory with a backup of the at least one portion of the control section of memory to prevent corrupted code from ever executing.

11. A method comprising:
- detecting an application layer memory corruption of at least one portion of a control section of memory by a heap attack, wherein detecting includes, in a given time frame;
  
  (a) capturing a shadow copy of a checksum for heap metadata from the control section of memory;
  
  (b) calculating a current checksum for the heap metadata following execution of a heap operation;
  
  (c) checking the current checksum against the shadow copy of the checksum; and
  
  (d) declaring the application layer memory corruption based on the current checksum and the shadow copy of the checksum not matching in the given time frame; and
  
  automatically detecting a security attack of a computer application based on the declared application layer memory corruption, and reporting the detected security attack to a user.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein the heap metadata comprises a linked-list pointer.
  - 13. The method of claim 12, wherein the linked-list pointer is a forward pointer or a backward pointer in the linked-list.
  - 14. The method of claim 12, wherein the heap attack overwrites the linked-list pointer.
  - 15. The method of claim 11, further comprising correcting the application layer memory corruption by replacing the at least one portion of corrupted memory with a backup of the at least one portion of the control section of memory to prevent corrupted code from ever executing.

16. An apparatus comprising:
- a processor configured to execute a process, the process configured to;
  
  detect an application layer memory corruption of at least one portion of a control section of memory by a heap attack, wherein detecting includes, in a given time frame;
  
  (a) capturing a shadow copy of a checksum for heap metadata from the control section of memory;
  
  (b) calculating a current checksum for the heap metadata following execution of a heap operation;
  
  (c) checking the current checksum against the shadow copy of the checksum; and
  
  (d) declaring the application layer memory corruption based on the current checksum and the shadow copy of the checksum not matching in the given time frame; and
  
  automatically detect a security attack of a computer application based on the declared application layer memory corruption, and report the detected security attack to a user.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, wherein the heap metadata comprises a linked-list pointer.
  - 18. The apparatus of claim 17, wherein the linked-list pointer is a forward pointer or a backward pointer in the linked-list.
  - 19. The apparatus of claim 17, wherein the heap attack overwrites the linked-list pointer.
  - 20. The apparatus of claim 16, the processor further configured to:
    - correct the application layer memory corruption by replacing the at least one portion of corrupted memory with a backup of the at least one portion of the control section of memory to prevent corrupted code from ever executing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Virsec Systems, Inc.
Original Assignee
Virsec Systems, Inc.
Inventors
Gupta, Satya V., Shenoy, Prashant
Primary Examiner(s)
Truong, Loan L. T.

Application Number

US14/627,824
Time in Patent Office

1,586 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/073   in a memory management cont...

G06F 11/0751   Error or fault detection no...

G06F 11/1004   to protect a block of data ...

G06F 11/1451   by selection of backup cont...

G06F 11/1469   Backup restoration techniques

G06F 11/1666   where the redundant compone...

G06F 21/56   Computer malware detection ...

G06F 2201/86   Event-based monitoring

System and methods for run time detection and correction of memory corruption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods for run time detection and correction of memory corruption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links