Detection of exploitative program code

US 10,685,110 B2
Filed: 12/29/2017
Issued: 06/16/2020
Est. Priority Date: 12/29/2017
Status: Active Grant

First Claim

Patent Images

1. A method for detecting potentially exploitative code, the method comprising:

running potentially exploitative code as a child process, the potentially exploitative code associated with a set of program code;

receiving computer information that is associated with the set of program code, the computer information including data and information associated with internal structures associated with the set of program code;

analyzing the data and the information associated with the internal structures associated with the set of program code as the potentially exploitative code is run as the child process;

identifying that the data and the information associated with the internal structures is consistent with suspicious activity based on identifying that a region of memory allocated for storing non-executable program data has been associated with an executable function; and

classifying the computer information as being suspicious based on the identification that the region of memory allocated for storing the non-executable program data has been associated with the executable function.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure is directed to monitoring internal process memory of a computer at a time with program code executes. Methods and apparatus consistent with the present disclosure monitor the operation of program code with the intent of detecting whether received program inputs may exploit vulnerabilities that may exist in the program code at runtime. By detecting suspicious activity or malicious code that may affect internal process memory at run-time, methods and apparatus described herein identify suspected malware based on suspicious actions performed as program code executes. Runtime exploit detection may detect certain anomalous activities or chain of events in a potentially vulnerable application during execution. These events may be detected using instrumentation code when a regular code execution path of an application is deviated from.

Citations

20 Claims

1. A method for detecting potentially exploitative code, the method comprising:
- running potentially exploitative code as a child process, the potentially exploitative code associated with a set of program code;
  
  receiving computer information that is associated with the set of program code, the computer information including data and information associated with internal structures associated with the set of program code;
  
  analyzing the data and the information associated with the internal structures associated with the set of program code as the potentially exploitative code is run as the child process;
  
  identifying that the data and the information associated with the internal structures is consistent with suspicious activity based on identifying that a region of memory allocated for storing non-executable program data has been associated with an executable function; and
  
  classifying the computer information as being suspicious based on the identification that the region of memory allocated for storing the non-executable program data has been associated with the executable function.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the analysis of the data and the information associated with the internal structures identifies that at least one of machine code, assembly language code, or shellcode are about to be executed or are being executed.
  - 3. The method of claim 1, wherein the analysis of the data and the information associated with the internal structures includes identifying a stack pointer is no longer within an expected stack memory region.
  - 4. The method of claim 3, further comprising identifying a correct expected stack pointer location is via analysis of variables in a thread environment block and comparing the correct expected stack pointer location with an actual value of the stack pointer.
  - 5. The method of claim 1, wherein the analysis of the data and the information associated with the internal structures includes:
    - identifying a condition of a stack pointer that is associated with an expected stack memory region of a computer stack, andidentifying that the condition of the stack pointer includes at least one variable of a local function that is not in an expected location of the computer stack.
  - 6. The method of claim 1, wherein the analysis of the data and the information associated with the internal structures includes:
    - identifying that a heap portion of a memory associated with the child process has become executable, andthe identification that the heap portion of the memory associated with the child process becoming executable is indicative of the suspicious activity.
  - 7. The method of claim 1, wherein:
    - the analysis of the data and the information associated with the internal structures includes identifying that a stack portion of a memory associated with a thread within the child process has become executable, andthe identification that the stack portion of the memory associated with the thread within the child process becoming executable is indicative of the suspicious activity.
  - 8. The method of claim 1, wherein:
    - the analysis of the data and the information associated with the internal structures includes identifying that code instructions traverse a linked list data structure, andthe identification that the code instructions traverse the linked list data structure is indicative of the suspicious activity is based on the child process loading executable images within a Process Environmental Block (PEB).
  - 9. The method of claim 1, further comprising classifying the set of program code as suspicious based on the computer information being classified as being suspicious.
  - 10. The method of claim 9, further comprising quarantining the set of program code based on the set of program code being classified as being suspicious.
  - 11. The method of claim 1, wherein the computer information is classified as suspicious based on an operating system function being accessed from virtual memory.
  - 12. The method of claim 1, wherein the computer information is classified as suspicious based on executable code being included in a temporary directory and based on the executable code being executed from the temporary directory.
  - 13. The method of claim 1, wherein the computer information is classified as suspicious based on at least one of invocation of a command interpreter or a script in a context of the child process.
  - 14. The method of claim 1, wherein the executable function is associated with a set of JAVA programming code, and further comprising identifying that a state of a domain policy that is associated with the set of JAVA programming code has been changed, wherein the computer information is classified as suspicious further based on the changed state of the domain policy.
  - 15. The method of claim 14, wherein the domain policy is related to disabling functionality of an access manager.
  - 16. The method of claim 15, wherein disabling the access manager allows child processes to be created.

17. A non-transitory computer readable storage medium having embodied thereon a program executable by a processor for implementing a method for detecting potentially exploitative code, the method comprising:
- running potentially exploitative code as a child process, the potentially exploitative code associated with a set of program code;
  
  receiving computer information that is associated with the set of program code, the computer information including data and information associated with internal structures associated with the set of program code;
  
  analyzing the data and the information associated with the internal structures associated with the set of program code as the potentially exploitative code is run as the child process;
  
  identifying that the data and the information associated with the internal structures is consistent with suspicious activity based on identifying that a region of memory allocated for storing non-executable program data has been associated with an executable function; and
  
  classifying the computer information as being suspicious based on the identification that the region of memory allocated for storing the non-executable program data has been associated with the executable function.
- View Dependent Claims (18, 19)
- - 18. The non-transitory computer readable storage medium of claim 17, wherein the analysis of the data and the information associated with the internal structures identifies that at least one of machine code, assembly language code, or shellcode are about to be executed or are being executed.
  - 19. The non-transitory computer readable storage medium of claim 17, wherein the analysis of the data and the information associated with the internal structures includes identifying a stack pointer is no longer within an expected stack memory region.

20. An apparatus for detecting potentially exploitative code, the apparatus comprising:
- a memory; and
  
  a processor executing instructions out of the memory to;
  
  run potentially exploitative code as a child process, the potentially exploitative code associated with a set of program code,receive computer information that is associated with the set of program code, the computer information including data and information associated with internal structures associated with the set of program code,analyze the data and the information associated with the internal structures associated with the set of program code as the potentially exploitative code is run as the child process,identify that the data and the information associated with the internal structures is consistent with suspicious activity based on identifying that a region of memory allocated for storing non-executable program data has been associated with a executable function, andclassify the computer information as being suspicious based on the identification that the region of memory allocated for storing the non-executable program data has been associated with the executable function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SonicWALL, Inc. (SonicWall Holdings Ltd.)
Original Assignee
SonicWALL, Inc. (SonicWall Holdings Ltd.)
Inventors
Das, Soumyadipta, Ganachari, Sai Sravan Kumar, He, Yao, Dubrovsky, Aleksandr
Primary Examiner(s)
Cribbs, Malcolm

Application Number

US15/858,785
Publication Number

US 20190205537A1
Time in Patent Office

900 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

Detection of exploitative program code

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of exploitative program code

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links