Secure execution of a computer program using a code cache
Abstract
Hijacking of an application is prevented by monitoring control flow transfers during program execution in order to enforce a security policy. At least three basic techniques are used. The first technique, Restricted Code Origins (RCO), can restrict execution privileges on the basis of the origins of the instructions executed. This distinction can ensure that malicious code masquerading as data is never executed, thwarting a large class of security attacks. The second technique, Restricted Control Transfers (RCT), can restrict control transfers based on instruction type, source, and target. The third technique, Un-Circumventable Sandboxing (UCS), guarantees that sandboxing checks around any program operation will never be bypassed.
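The following toy model is an added illustration, not code from the patent: it shows a code cache acting as the single enforcement point for RCO (checked when a block is admitted to the cache) and RCT (checked on each block-exit transfer). The block layout, the addresses, and the two specific RCT rules (indirect calls only to function entries, returns only to after-call sites) are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

class PolicyViolation(Exception):
    pass

@dataclass(frozen=True)
class Block:
    origin: str                   # "image" (unmodified, loaded from disk) or "data"
    kind: str                     # exit transfer: "direct", "indirect_call", "return", "halt"
    target: Optional[int] = None  # where the exit transfer goes at run time

def check_origin(addr, block):
    # RCO (assumed rule): only code from unmodified image pages may enter the cache.
    if block.origin != "image":
        raise PolicyViolation(f"RCO: block {addr:#x} originates from {block.origin}")

def check_transfer(kind, source, target, entries, after_calls):
    # RCT (assumed rules): the decision depends on transfer type, source and target.
    if kind == "indirect_call" and target not in entries:
        raise PolicyViolation(f"RCT: indirect call {source:#x} -> {target:#x}")
    if kind == "return" and target not in after_calls:
        raise PolicyViolation(f"RCT: return {source:#x} -> {target:#x}")

def run(memory, entry, entries, after_calls):
    cache, trace, pc = {}, [], entry
    while True:
        if pc not in cache:            # miss: vet the block before caching it
            check_origin(pc, memory[pc])
            cache[pc] = memory[pc]
        block = cache[pc]              # execution only ever reads from the cache
        trace.append(pc)
        if block.kind == "halt":
            return trace
        check_transfer(block.kind, pc, block.target, entries, after_calls)
        pc = block.target

# Constructed sample programs (addresses are arbitrary).
ENTRIES, AFTER_CALLS = {0x1000, 0x2000}, {0x1008}
BENIGN = {
    0x1000: Block("image", "indirect_call", 0x2000),
    0x2000: Block("image", "return", 0x1008),
    0x1008: Block("image", "halt"),
}
INJECTED = {**BENIGN, 0x2000: Block("image", "return", 0x9000),
            0x9000: Block("data", "halt")}   # return redirected into a data page
REUSE = {**BENIGN, 0x1000: Block("image", "indirect_call", 0x2004),
         0x2004: Block("image", "halt")}     # call into the middle of a function
```

Running `INJECTED` with the strict after-call set stops at the return (RCT); widening that set to include `0x9000` lets the transfer through, and the block is then refused at cache admission (RCO).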
38 Claims
1. A method for securing a computing system, comprising:
- monitoring control flow transfers for a program running on said computing system; and
- using a code cache to enforce a security policy on said control flow transfers.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. A method for securing a computing system, comprising:
- accessing a first set of code for a program running on said computing system;
- enforcing a security policy on one or more control flow transfers in said first set of code;
- storing said first set of code in a code cache if said security policy allows said one or more control flow transfers in said first set of code;
- repeating said steps of accessing, enforcing and storing for additional sets of code for said program running on said computing system; and
- executing said first set of code and said additional sets of code from said code cache.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23
24. An apparatus for securing a computing system, comprising:
- means for monitoring control flow transfers for a program running on said computing system; and
- means for using a code cache to enforce a security policy on said control flow transfers.
25. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to perform a process comprising:
- monitoring control flow transfers for a program running on said computing system; and
- using a code cache to enforce a security policy on said control flow transfers.
Dependent claims: 26, 27, 28, 29, 30, 31
32. An apparatus for securing a computing system, comprising:
- a processor readable storage device, said processor readable storage device includes a code cache; and
- a processor in communication with said processor readable storage device, said processor performs a method comprising monitoring control flow transfers for a program running on said computing system and using said code cache to enforce a security policy on said control flow transfers.
Dependent claims: 33, 34, 35, 36, 37, 38
Specification