System and methods for run time detection and correction of memory corruption
First Claim
Patent Images
1. A method comprising:
- detecting an application layer memory corruption of at least one portion of a control section of memory by an address table attack, wherein detecting includes;
(a) capturing a shadow copy of an address table from the control section of memory;
(b) checking contents of the address table against the captured shadow copy following execution of a function call;
(c) if the checked contents and the captured shadow copy match, checking that the executed function call is present in the address table; and
(d) declaring the application layer memory corruption based on;
(i) at least a portion of the checked contents and the captured shadow copy not matching, or (ii) the executed function call not being present in the address table; and
automatically detecting a security attack of a computer application based on the declared application layer memory corruption, and reporting the detected security attack to a user.
1 Assignment
0 Petitions
Accused Products
Abstract
A method or apparatus detects a memory corruption of at least one portion of memory during run-time and corrects the memory corruption of the at least one portion of memory by replacing the at least one portion of memory with a backup of the at least one portion of memory. In this way, memory corruption can be corrected in a timely fashion while minimizing security risks.
-
Citations
20 Claims
-
1. A method comprising:
-
detecting an application layer memory corruption of at least one portion of a control section of memory by an address table attack, wherein detecting includes; (a) capturing a shadow copy of an address table from the control section of memory; (b) checking contents of the address table against the captured shadow copy following execution of a function call; (c) if the checked contents and the captured shadow copy match, checking that the executed function call is present in the address table; and (d) declaring the application layer memory corruption based on;
(i) at least a portion of the checked contents and the captured shadow copy not matching, or (ii) the executed function call not being present in the address table; andautomatically detecting a security attack of a computer application based on the declared application layer memory corruption, and reporting the detected security attack to a user. - View Dependent Claims (2, 3, 4, 5)
-
-
6. An apparatus comprising:
a processor configured to execute a process, the process configured to; detect an application layer memory corruption of at least one portion of a control section of memory by an address table attack, wherein detecting includes; (a) capturing a shadow copy of an address table from the control section of memory; (b) checking contents of the address table against the captured shadow copy following execution of a function call; (c) if the checked contents and the captured shadow copy match, checking that the executed function call is present in the address table; and (d) declaring the application layer memory corruption based on;
(i) at least a portion of the checked contents and the captured shadow copy not matching, or (ii) the executed function not being present in the address table; andautomatically detect a security attack of a computer application based on the declared application layer memory corruption, and report the detected security attack to a user. - View Dependent Claims (7, 8, 9, 10)
-
11. A method comprising:
-
detecting an application layer memory corruption of at least one portion of a control section of memory by a heap attack, wherein detecting includes, in a given time frame; (a) capturing a shadow copy of a checksum for heap metadata from the control section of memory; (b) calculating a current checksum for the heap metadata following execution of a heap operation; (c) checking the current checksum against the shadow copy of the checksum; and (d) declaring the application layer memory corruption based on the current checksum and the shadow copy of the checksum not matching in the given time frame; and automatically detecting a security attack of a computer application based on the declared application layer memory corruption, and reporting the detected security attack to a user. - View Dependent Claims (12, 13, 14, 15)
-
-
16. An apparatus comprising:
a processor configured to execute a process, the process configured to; detect an application layer memory corruption of at least one portion of a control section of memory by a heap attack, wherein detecting includes, in a given time frame; (a) capturing a shadow copy of a checksum for heap metadata from the control section of memory; (b) calculating a current checksum for the heap metadata following execution of a heap operation; (c) checking the current checksum against the shadow copy of the checksum; and (d) declaring the application layer memory corruption based on the current checksum and the shadow copy of the checksum not matching in the given time frame; and automatically detect a security attack of a computer application based on the declared application layer memory corruption, and report the detected security attack to a user. - View Dependent Claims (17, 18, 19, 20)
Specification