Protection against stack buffer overrun exploitation

US 20080148399A1
Filed: 10/18/2006
Published: 06/19/2008
Est. Priority Date: 10/18/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

determining a security problem in a first computer executable code, said problem comprising a callable executable function;

operating a second computer executable code in parallel with said first computer executable code, said second computer executable code adapted to;

detect that said first computer executable code has called said callable executable function;

detect a memory location from where said callable executable function was called;

determine whether said memory location was within a set of permitted memory locations; and

halt execution if said memory location is not within said set of permitted memory locations.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Stack buffer overrun situations may be handled by a computer program that checks the memory location from where a particular function is called. As long as the return address for the function call is from a memory location of a known library that is loaded in memory, normal operation continues. If the memory location is not from a known library, the function call is suspect and execution may be terminated, since such a location may cause malicious software to be executed or abnormal program execution to happen. The memory location may also be verified by additional means, including testing whether the memory page permissions permit execution. The computer program may be a plug-in to an existing application and may also have a user-editable component. The computer program can enable a quick deployment of a temporary fix to a malicious software problem before a more permanent solution may be deployed.

40 Citations

View as Search Results

20 Claims

1. A method comprising:
- determining a security problem in a first computer executable code, said problem comprising a callable executable function;
  
  operating a second computer executable code in parallel with said first computer executable code, said second computer executable code adapted to;
  
  detect that said first computer executable code has called said callable executable function;
  
  detect a memory location from where said callable executable function was called;
  
  determine whether said memory location was within a set of permitted memory locations; and
  
  halt execution if said memory location is not within said set of permitted memory locations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein said library comprises an application programming interface.
  - 3. The method of claim 1 wherein said executable function is comprised in an operating system.
  - 4. The method of claim 1 wherein said step of halt execution is performed prior to executing said executable function.
  - 5. The method of claim 1 wherein said second computer executable code is further adapted to:
    - detect that said memory location is within an executable memory location.
  - 6. The method of claim 1 wherein said second computer executable code is a plug-in application.
  - 7. The method of claim 1 wherein said second computer executable code comprises an executable portion and a changeable portion.
  - 8. The method of claim 7 wherein said changeable portion comprises editable text strings.

9. A method comprising:
- executing a first computer executable code on a computer processor, said first computer executable code having a function call to a function located in a library module loaded into memory;
  
  executing a second computer executable code in parallel with said first computer executable code, said second computer executable code adapted to;
  
  detect that said first computer executable code has called said executable function;
  
  detect a memory location from where said executable function was called; and
  
  allow said executable function to be executed if said memory location is associated with said library.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 18, 19, 20)
- - 10. The method of claim 9 wherein said library comprises an application programming interface.
  - 11. The method of claim 9 wherein said executable function is comprised in an operating system.
  - 12. The method of claim 9 wherein said memory is volatile memory.
  - 13. The method of claim 9 wherein said second computer executable code is further adapted to:
    - detect that said memory location is within an executable memory location.
  - 14. The method of claim 9 wherein said second computer executable code is a plug-in application.
  - 15. The method of claim 9 wherein said second computer executable code comprises an executable portion and a changeable portion.
  - 16. The method of claim 15 wherein said changeable portion comprises editable text strings.
  - 18. The method of claim 9 wherein said executable function is comprised in an operating system.
  - 19. The method of claim 9 wherein said second computer executable code is further adapted to:
    - detect that said memory location is within an executable memory location.
  - 20. The method of claim 9 wherein said second computer executable code is a plug-in application.

17. A system comprising:
- a computer processor;
  
  volatile memory accessible by said computer processor;
  
  a library comprising an executable function, said library being loaded into said volatile memory;
  
  a first computer executable code comprising a call to said executable function;
  
  a second computer executable code adapted to;
  
  detect that said first computer executable code has called said executable function;
  
  detect a memory location from where said executable function was called; and
  
  allow said executable function to be executed if said memory location is associated with said library.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Winkler, Patrick

Application Number

US11/583,277
Publication Number

US 20080148399A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/52 during program execution, e...

Protection against stack buffer overrun exploitation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protection against stack buffer overrun exploitation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links