Preventing stack buffer overflow attacks

US 20030217277A1
Filed: 05/15/2002
Published: 11/20/2003
Est. Priority Date: 05/15/2002
Status: Active Grant

First Claim

Patent Images

1. A method for preventing stack buffer overflow in a computer system, comprising steps of:

(a) prior to their execution, scanning opcodes for a trigger opcode;

(b) for each trigger opcode found, encrypting an operand associated with the trigger opcode;

(c) at execution of the trigger opcode, using the operand'"'"'s corresponding encrypted value instead of the operand'"'"'s actual value.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for preventing stack buffer overflow attacks in a computer system are disclosed. A computer system can prevent stack buffer overflow attacks by encrypting return addresses prior to pushing them onto the runtime stack. When an encrypted return address is popped off the runtime stack, the computer system decrypts the encrypted return address to determine the actual return address. A random encryption key can be used, which can be generated from the CPU'"'"'s clock cycle counter. Multitasking environments can add a seed register to the task state so that each task can use a unique seed to encrypt the return addresses.

Citations

30 Claims

1. A method for preventing stack buffer overflow in a computer system, comprising steps of:
- (a) prior to their execution, scanning opcodes for a trigger opcode;
  
  (b) for each trigger opcode found, encrypting an operand associated with the trigger opcode;
  
  (c) at execution of the trigger opcode, using the operand'"'"'s corresponding encrypted value instead of the operand'"'"'s actual value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising a step of, prior to execution, storing the operands and their corresponding encrypted values in a lookup table.
  - 3. The method of claim 1, wherein the trigger opcode comprises a function call opcode, and the operand comprises a return address.
  - 4. The method of claim 3, further comprising a step of, when the function call returns, decrypting a value off the runtime stack to determine the actual return address of the function call.
  - 5. The method of claim 1, wherein the trigger opcode comprises an opcode that cause the computer system to place a return address on the runtime stack.
  - 6. The method of claim 5, wherein the computer system comprises an X86-type CPU and the set of trigger opcode comprises a ‘
    - call’
      
      opcode.
  - 7. The method of claim 1, wherein step (b) comprises encrypting the return address using a key stored in a seed register.
  - 8. The method of claim 7, wherein the seed register is unique to a current task.
  - 9. The method of claim 1, wherein step (b) comprises using an encryption key based on a clock value.
  - 10. The method of claim 9, wherein the computer system comprises an X86-type CPU and step (b) comprises using an encryption key generated from a read time stamp counter (RDTSC).
  - 11. The method of claim 1, wherein the opcodes comprise a fixed size instruction set.
  - 12. The method of claim 1, wherein the opcodes comprise a variable-sized instruction set.

13. A computer system, comprising:
- a CPU that controls operation of the computer system based on an operating system stored in a memory, wherein the CPU scans each operation code (opcode), prior to their execution, for a trigger opcode;
  
  an encryption module that encrypts a trigger opcode'"'"'s operand before the operand is stored in a runtime memory during execution of a program; and
  
  a decryption module that decrypts the trigger opcode'"'"'s operand when the decrypted operand is read from the runtime memory during execution of the program.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The computer system of claim 13, wherein, prior to executing the trigger opcode, the CPU stores the trigger opcode'"'"'s operand and its corresponding encrypted value in a lookup table.
  - 15. The computer system of claim 13, wherein the CPU scans each opcode for any of a set of trigger opcodes comprising opcodes that cause the computer system to place a return address on the runtime stack.
  - 16. The computer system of claim 13, wherein the computer system comprises an X86-type CPU and the trigger opcode comprises a ‘
    - call’
      
      opcode.
  - 17. The computer system of claim 13, wherein the encryption and decryption modules use an encryption key stored in a seed register.
  - 18. The computer system of claim 17, wherein the seed register is unique to a current task.
  - 19. The computer system of claim 13, wherein the wherein the encryption and decryption modules use an encryption key based on a clock value.
  - 20. The computer system of claim 19, wherein the computer system comprises an X86-type CPU that uses an encryption key is generated from a read time stamp counter (RDTSC).
  - 21. The computer system of claim 13, wherein the trigger opcode comprises a function call opcode, the operand comprises a return address, and the runtime memory comprises a runtime stack.

22. A mobile terminal, comprising:
- a CPU that controls operation of the mobile terminal based on an operating system stored in a memory, wherein the CPU scans each operation code (opcode), prior to their execution, for a trigger opcode;
  
  an encryption module that encrypts a trigger opcode'"'"'s operand before the operand is stored in a runtime memory during execution of a program; and
  
  a decryption module that decrypts the trigger opcode'"'"'s operand when the decrypted operand is read from the runtime memory during execution of the program.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The mobile terminal of claim 22, wherein the mobile terminal comprises a mobile telephone.
  - 24. The mobile terminal of claim 22, wherein the operating system comprises the encryption module.
  - 25. The mobile terminal of claim 22, wherein the operating system comprises the decryption module.
  - 26. The mobile terminal of claim 22, wherein the CPU encrypts and decrypts the return address using a key stored in a seed register.
  - 27. The mobile terminal of claim 26, wherein the seed register is unique to a current task.
  - 28. The mobile terminal of claim 26, wherein the CPU uses an encryption key based on a clock value.

29. A method for preventing stack buffer overflow attacks, comprising steps of:
- (a) prefetching code to be executed on a CPU;
  
  (b) scanning the prefetched code for instances of a ‘
  
  call’
  
  operation code (opcode);
  
  (c) for each found instance of the ‘
  
  call’
  
  opcode, encrypting a return address associated with that instance;
  
  (d) storing each found instance'"'"'s return address and its corresponding encrypted value in a lookup table;
  
  (e) at execution of each instance of the ‘
  
  call’
  
  opcode, looking up its associated return address in the lookup table, and pushing the looked up return address'"'"'s encrypted value onto a runtime stack;
  
  (f) when each encrypted value is read off the runtime stack, decrypting the encrypted value to determine an execution control flow return address.
- View Dependent Claims (30)
- - 30. The method of claim 29, wherein steps (c) and (f) comprise using an encryption key unique to a current task.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Solutions and Networks US LLC (Nokia Corporation)
Original Assignee
Nokia, Inc. (Nokia Corporation)
Inventors
Narayanan, Ram Gopal Lakshmi

Granted Patent

US 7,086,088 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/187
CPC Class Codes

G06F 11/2284   by power-on test, e.g. powe...

G06F 21/52   during program execution, e...

G06F 9/3806   using address prediction, e...

Preventing stack buffer overflow attacks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Preventing stack buffer overflow attacks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links