Method to detect forgery and exploits using last branch recording registers
First Claim
1. A non-transitory storage medium having stored thereon logic, the logic being executable by one or more processors to perform operations including:
- intercepting an attempted execution of an instruction resulting from processing of the object within a virtual machine, the instruction located on a page in memory that is accessed by the virtual machine;
- responsive to determining the page includes instructions corresponding to a function call of a predefined set of function calls, (i) inserting a first transition event into the memory at a starting address location of the function call of the predefined set of function calls, and (ii) setting a permission of the page to be execute only; and
- responsive to a triggering of the first transition event, (1) halting, by a virtual machine monitor, the processing of the object, and (2) analyzing, by logic within the virtual machine monitor, content of one or more last branch records associated with the virtual machine to determine whether the processing of the object displays characteristics of a return-oriented programming attack, wherein the analyzing includes:
  (i) parsing the one or more last branch records associated with the virtual machine, and (ii) responsive to detecting a return instruction as a branching instruction and determining an instruction immediately preceding a location branched to by the return instruction is not a call instruction type, determining the processing of the object displays characteristics of the return-oriented programming attack.
5 Assignments
0 Petitions
Abstract
A method for detecting a ROP attack is described. An object is processed within a virtual machine managed by a virtual machine monitor (VMM). An attempted execution by the object of an instruction is intercepted, the instruction being stored on a page in memory that is accessed by the virtual machine. Responsive to determining that the page includes instructions corresponding to one of a predefined set of function calls, (i) a first transition event is inserted into the memory at the starting address location of the function call, and (ii) the permission of the page is set to execute only. Responsive to triggering of the first transition event, the VMM halts the processing of the object, and logic within the VMM analyzes the content of last branch records associated with the virtual machine to determine whether the processing of the object displays characteristics of a ROP attack.
73 Citations
26 Claims
1. A non-transitory storage medium having stored thereon logic, the logic being executable by one or more processors to perform operations including:
- intercepting an attempted execution of an instruction resulting from processing of the object within a virtual machine, the instruction located on a page in memory that is accessed by the virtual machine;
- responsive to determining the page includes instructions corresponding to a function call of a predefined set of function calls, (i) inserting a first transition event into the memory at a starting address location of the function call of the predefined set of function calls, and (ii) setting a permission of the page to be execute only; and
- responsive to a triggering of the first transition event, (1) halting, by a virtual machine monitor, the processing of the object, and (2) analyzing, by logic within the virtual machine monitor, content of one or more last branch records associated with the virtual machine to determine whether the processing of the object displays characteristics of a return-oriented programming attack, wherein the analyzing includes:
  (i) parsing the one or more last branch records associated with the virtual machine, and (ii) responsive to detecting a return instruction as a branching instruction and determining an instruction immediately preceding a location branched to by the return instruction is not a call instruction type, determining the processing of the object displays characteristics of the return-oriented programming attack.
Dependent claims: 2, 3, 4, 5, 20

6. An electronic device comprising:
- one or more processors;
- a storage device for storing one or more instructions, the one or more instructions being executable by the one or more processors to perform operations including:
  - processing of an object within a virtual machine managed by a virtual machine monitor;
  - intercepting an initial attempted execution of an instruction resulting from the processing of the object, the instruction located on a page in memory associated with the virtual machine;
  - responsive to determining the page includes instructions corresponding to a function call of a predefined set of function calls, (i) inserting a first transition event into the memory associated with the virtual machine at a location on the page of a first instruction of the instructions corresponding to the function call of the predefined set of function calls, and (ii) setting a permission of the page to be execute only; and
  - responsive to a triggering of the first transition event, (1) halting, by the virtual machine monitor, the processing of the object, and (2) analyzing, by logic within the virtual machine monitor, content of one or more last branch records associated with the virtual machine to determine whether the processing of the object displays characteristics of a return-oriented programming attack, wherein the analyzing includes:
    (i) parsing the content of the one or more last branch records associated with the virtual machine, and (ii) responsive to detecting a return instruction as a branching instruction and determining an instruction immediately preceding a location branched to by the return instruction is not a call instruction type, determining the processing of the object displays characteristics of the return-oriented programming attack.
Dependent claims: 7, 8, 9, 10

11. A method for detecting a return-oriented programming attack comprising:
- processing of an object within a virtual machine managed by a virtual machine monitor;
- intercepting an initial attempted execution of an instruction resulting from the processing of the object, the instruction located on a page in memory associated with the virtual machine;
- responsive to determining the page includes instructions corresponding to a function call of a predefined set of function calls, (i) inserting a first transition event into the memory associated with the virtual machine at a location on the page of a first instruction of the instructions corresponding to the function call of the predefined set of function calls, and (ii) setting a permission of the page to be execute only; and
- responsive to a triggering of the first transition event, (1) halting, by the virtual machine monitor, the processing of the object, and (2) analyzing, by logic within the virtual machine monitor, content of one or more last branch records associated with the virtual machine to determine whether the processing of the object displays characteristics of a return-oriented programming attack, wherein the analyzing includes:
  (i) parsing the one or more last branch records associated with the virtual machine, and (ii) responsive to detecting a return instruction as a branching instruction and determining an instruction immediately preceding a location branched to by the return instruction is not a call instruction type, determining the processing of the object displays characteristics of the return-oriented programming attack.
Dependent claims: 12, 13, 14

15. A method for detecting a return-oriented programming attack comprising:
- processing of an object within a virtual machine managed by a virtual machine monitor;
- managing, by the virtual machine monitor, insertion of a transition event on an instruction located on a page in memory utilized by the virtual machine;
- managing, by the virtual machine monitor, permissions of the page in memory according to the insertion of the transition event or a removal of the transition event in the instruction; and
- responsive to a triggering of the transition event, analyzing, by logic within the virtual machine monitor, content of one or more last branch records associated with the virtual machine to determine whether the processing of the object displays characteristics of a return-oriented programming attack, wherein the analyzing includes:
  (i) parsing the content of the one or more last branch records associated with the virtual machine, and (ii) responsive to detecting a return instruction as a branching instruction and determining an instruction immediately preceding a location branched to by the return instruction is not a call instruction type, determining the processing of the object displays characteristics of the return-oriented programming attack.
Dependent claims: 16, 17, 18, 19

21. A method for detecting a return-oriented programming attack, comprising:
- processing of an object within a virtual machine, the virtual machine being managed by a virtual machine monitor;
- managing, by the virtual machine monitor, insertion of a transition event on a function of interest located on a page in memory utilized by the virtual machine;
- managing, by the virtual machine monitor, permissions of the page in memory according to the insertion of the transition event or a removal of the transition event in the instruction; and
- responsive to a triggering of the transition event, analyzing, by logic within the virtual machine monitor, recorded data associated with the virtual machine to determine whether the processing of the object displays characteristics of a return-oriented programming attack, wherein the analyzing includes:
  (i) parsing the content of the one or more last branch records associated with the virtual machine, and (ii) responsive to detecting a return instruction as a branching instruction and determining an instruction immediately preceding a location branched to by the return instruction is not a call instruction type, determining the processing of the object displays characteristics of the return-oriented programming attack.
Dependent claims: 22, 23, 24, 25, 26
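The analysis step that independent claims 1, 6, 11, 15 and 21 share is the same test: walk the last branch records, and for every record whose branching instruction is a return, check whether the instruction immediately before the branch target is a call. The following Python is an added illustration of that step, not code from the patent or its assignee; the guest memory image, the LBR entries and the addresses in it are constructed for the example, and the small call-length decoder (E8 rel32 and FF /2 with an optional REX prefix, 64-bit code assumed) is this example's own assumption about how "is the preceding instruction a call" would be decided on x86.

```python
# Added example: "call-preceded" check over LBR records (not the patent's code).
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LbrEntry:
    from_ip: int  # address of the branching instruction
    to_ip: int    # address the branch went to


class Memory:
    """Flat byte image of guest code at a fixed base address (constructed)."""

    def __init__(self, base: int, data: bytes) -> None:
        self.base, self.data = base, data

    def read(self, addr: int, n: int) -> Optional[bytes]:
        off = addr - self.base
        if off < 0 or off + n > len(self.data):
            return None
        return self.data[off:off + n]


def is_return_at(mem: Memory, addr: int) -> bool:
    """True if a near RET (C3) or RET imm16 (C2) is encoded at addr."""
    b = mem.read(addr, 1)
    return b is not None and b[0] in (0xC3, 0xC2)


def call_length_at(mem: Memory, addr: int) -> Optional[int]:
    """If a near CALL starts at addr, return its encoded length, else None."""
    first = mem.read(addr, 1)
    if first is None:
        return None
    pos, op = addr, first[0]
    if 0x40 <= op <= 0x4F:                     # optional REX prefix
        pos += 1
        nxt = mem.read(pos, 1)
        if nxt is None:
            return None
        op = nxt[0]
    if op == 0xE8:                             # CALL rel32
        total = (pos - addr) + 5
    elif op == 0xFF:                           # CALL r/m64 is FF /2
        modrm = mem.read(pos + 1, 1)
        if modrm is None or (modrm[0] >> 3) & 7 != 2:
            return None
        mod, rm = modrm[0] >> 6, modrm[0] & 7
        length = 2
        if mod != 3:                           # memory operand
            has_sib = rm == 4
            if has_sib:
                length += 1
            if mod == 1:
                length += 1                    # disp8
            elif mod == 2 or rm == 5:
                length += 4                    # disp32 (rm 5 with mod 0: RIP-relative)
            elif has_sib:
                sib = mem.read(pos + 2, 1)
                if sib is None:
                    return None
                if sib[0] & 7 == 5:
                    length += 4                # SIB base 5 with mod 0: disp32, no base
        total = (pos - addr) + length
    else:
        return None
    return total if mem.read(addr, total) is not None else None


def is_call_preceded(mem: Memory, target: int) -> bool:
    """True if some near-CALL encoding ends exactly at target.

    x86 cannot be disassembled backwards unambiguously, so every length a
    near CALL can have (2..8 bytes) is tried and any match is accepted.
    """
    return any(call_length_at(mem, target - n) == n for n in range(2, 9))


def analyze_lbr(lbr: List[LbrEntry], mem: Memory) -> List[LbrEntry]:
    """Records that are RETs landing on an address not preceded by a CALL."""
    return [e for e in lbr
            if is_return_at(mem, e.from_ip) and not is_call_preceded(mem, e.to_ip)]


def build_sample_memory() -> Memory:
    """Constructed guest code; 0xCC padding never decodes as a CALL."""
    base = 0x401000
    img = bytearray(b"\xCC" * 0x1100)

    def put(addr: int, hexbytes: str) -> None:
        code = bytes.fromhex(hexbytes)
        img[addr - base:addr - base + len(code)] = code

    put(0x401000, "55 e8 fa 00 00 00 48 89 c7 c3")  # push rbp; call 0x401100; mov rdi,rax; ret
    put(0x401100, "31 c0 c3")                        # xor eax,eax; ret
    put(0x401200, "5f c3")                           # pop rdi; ret  (no CALL before it)
    put(0x401300, "58 c3")                           # pop rax; ret  (no CALL before it)
    put(0x402000, "ff 15 10 00 00 00 90 c3")         # call [rip+0x10]; nop; ret
    put(0x402010, "41 ff d4 c3")                     # call r12; ret
    return Memory(base, bytes(img))


# Constructed LBR stack, oldest first, as the VMM would read it after the
# transition event fires and the guest is halted.
SAMPLE_LBR = [
    LbrEntry(0x401001, 0x401100),  # a call, not a RET: ignored
    LbrEntry(0x401102, 0x401006),  # RET to the byte after 'call rel32': normal
    LbrEntry(0x401102, 0x402006),  # RET to the byte after 'call [rip+disp]': normal
    LbrEntry(0x401102, 0x402013),  # RET to the byte after 'call r12': normal
    LbrEntry(0x401009, 0x401200),  # RET into 'pop rdi; ret': flagged
    LbrEntry(0x401201, 0x401300),  # RET into 'pop rax; ret': flagged
]


def run_sample() -> List[LbrEntry]:
    return analyze_lbr(SAMPLE_LBR, build_sample_memory())


if __name__ == "__main__":
    for e in run_sample():
        print(f"suspicious RET at {e.from_ip:#x} -> {e.to_ip:#x}")
```

Two practical limits follow from the claim language. The hardware keeps only a small, fixed number of records (16 or 32 entries on Intel parts), so the check only sees the branches immediately before the transition event, which is why the claims tie it to a breakpoint on a function of interest rather than running it continuously. And "not a call instruction type" is a heuristic, not proof: a return that happens to land just after any call encoding passes the check, so this test is one signal to combine with others rather than a complete verdict.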
Specification