Protection against stack buffer overrun exploitation
Abstract
Stack buffer overrun situations may be handled by a computer program that checks the memory location from where a particular function is called. As long as the return address for the function call is from a memory location of a known library that is loaded in memory, normal operation continues. If the memory location is not from a known library, the function call is suspect and execution may be terminated, since such a location may cause malicious software to be executed or abnormal program execution to happen. The memory location may also be verified by additional means, including testing whether the memory page permissions permit execution. The computer program may be a plug-in to an existing application and may also have a user-editable component. The computer program can enable a quick deployment of a temporary fix to a malicious software problem before a more permanent solution may be deployed.
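The check the abstract describes, as an added example (not code from the patent or its assignee): a caller's return address is looked up in the process memory map, and execution is allowed only if it falls inside an executable mapping that belongs to a known library. The mapping text is constructed in /proc/PID/maps layout, and the library allow-list is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Mapping:
    start: int
    end: int
    perms: str   # e.g. "r-xp"
    path: str    # "" for anonymous mappings

def parse_maps(text: str) -> list[Mapping]:
    """Parse /proc/PID/maps-style lines: range perms offset dev inode [path]."""
    mappings = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        lo, hi = (int(x, 16) for x in parts[0].split("-"))
        path = parts[5].strip() if len(parts) > 5 else ""
        mappings.append(Mapping(lo, hi, parts[1], path))
    return mappings

# Constructed sample map, not captured from a real process.
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 08:01 1234 /opt/app/server
00401000-00405000 r-xp 00001000 08:01 1234 /opt/app/server
7f3a10000000-7f3a10022000 r--p 00000000 08:01 5678 /usr/lib/libc.so.6
7f3a10022000-7f3a101b7000 r-xp 00022000 08:01 5678 /usr/lib/libc.so.6
7f3a20000000-7f3a20001000 rwxp 00000000 00:00 0
7ffd5c000000-7ffd5c021000 rw-p 00000000 00:00 0 [stack]
"""

# Assumed allow-list of modules whose code may legitimately call the guarded function.
KNOWN_LIBRARIES = {"/opt/app/server", "/usr/lib/libc.so.6"}

def check_return_address(addr: int, mappings: list[Mapping], known: set[str]) -> str:
    """Return 'allow', or a 'halt: ...' reason, for a caller's return address."""
    for m in mappings:
        if m.start <= addr < m.end:
            # Page-permission test from the abstract: the caller's page must be executable.
            if "x" not in m.perms:
                return "halt: caller page is not executable"
            # Known-library test: anonymous or unknown executable regions are suspect.
            if m.path not in known:
                return "halt: caller is not in a known library"
            return "allow"
    return "halt: caller address is unmapped"

if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    for addr in (0x7F3A10050000, 0x7FFD5C001000, 0x7F3A20000800, 0x12345):
        print(hex(addr), check_return_address(addr, maps, KNOWN_LIBRARIES))
```

A return address on the stack, in a writable anonymous region, or outside any mapping is refused; only addresses inside the executable segment of an allow-listed module pass.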
20 Claims
1. A method comprising:
determining a security problem in a first computer executable code, said problem comprising a callable executable function;
operating a second computer executable code in parallel with said first computer executable code, said second computer executable code adapted to:
detect that said first computer executable code has called said callable executable function;
detect a memory location from where said callable executable function was called;
determine whether said memory location was within a set of permitted memory locations; and
halt execution if said memory location is not within said set of permitted memory locations.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A method comprising:
executing a first computer executable code on a computer processor, said first computer executable code having a function call to a function located in a library module loaded into memory;
executing a second computer executable code in parallel with said first computer executable code, said second computer executable code adapted to:
detect that said first computer executable code has called said executable function;
detect a memory location from where said executable function was called; and
allow said executable function to be executed if said memory location is associated with said library.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 18, 19, 20.

17. A system comprising:
a computer processor;
volatile memory accessible by said computer processor;
a library comprising an executable function, said library being loaded into said volatile memory;
a first computer executable code comprising a call to said executable function;
a second computer executable code adapted to:
detect that said first computer executable code has called said executable function;
detect a memory location from where said executable function was called; and
allow said executable function to be executed if said memory location is associated with said library.
Specification