METHOD AND SYSTEM FOR HARDWARE BASED PROGRAM FLOW MONITOR FOR EMBEDDED SOFTWARE
First Claim
1. A method for malware detection, wherein the method comprises:
utilizing a hardware based program flow monitor (PFM) for embedded software that employs a static analysis of program code;
marrying the program code to addresses, while considering which central processing unit (CPU) is executing the program code;
capturing an expected control flow of the program code, and storing the control flow as physical address pairs of leaders and followers (LEAD-FOLL pair) in a Metadata Store (MDS) within the PFM;
monitoring control flow at runtime by the PFM;
comparing runtime control flow with the expected control flow; and
wherein the method further comprises the following steps:
a) receiving a series of instruction addresses fetched by a central processing unit (CPU) into a logic unit (LU) within the PFM;
b) latching by the LU of each of the series of instruction addresses placed on an address bus by the CPU on completion of a read operation, and storing the latched address in a register file (RF);
c) storing at PFM power up the first address the CPU fetches to a first location in the RF, the highest program address referenced by a Metadata Store (MDS) into a second location in the RF, and latching the next instruction address fetched by the CPU into a third location in the RF;
d) performing a lookup of the address contained in the first location in the MDS;
e) generating an alarm if the address in the first location is greater than the address stored in the second location;
f) generating an alarm if the address in the first location is not found in the MDS;
g) generating an alarm if the address in the first location is found in the MDS, but the address in the third location is not listed as a valid follower;
h) copying the address in the third location to the first location if the LEAD-FOLL pair is found in the MDS;
i) latching by the LU of the next instruction address fetched by the CPU and storing it in the third location;
j) repeating steps d-j, until the program code has been fully executed by the PFM.
Abstract
A method for malware detection, wherein the method includes: utilizing a hardware based program flow monitor (PFM) for embedded software that employs a static analysis of program code; marrying the program code to addresses, while considering which central processing unit (CPU) is executing the program code; capturing an expected control flow of the program code, and storing the control flow as physical address pairs of leaders and followers (LEAD-FOLL pair) in a Metadata Store (MDS) within the PFM; monitoring control flow at runtime by the PFM; and comparing runtime control flow with the expected control flow.
13 Claims
1. A method for malware detection, wherein the method comprises:
utilizing a hardware based program flow monitor (PFM) for embedded software that employs a static analysis of program code;
marrying the program code to addresses, while considering which central processing unit (CPU) is executing the program code;
capturing an expected control flow of the program code, and storing the control flow as physical address pairs of leaders and followers (LEAD-FOLL pair) in a Metadata Store (MDS) within the PFM;
monitoring control flow at runtime by the PFM;
comparing runtime control flow with the expected control flow; and
wherein the method further comprises the following steps:
a) receiving a series of instruction addresses fetched by a central processing unit (CPU) into a logic unit (LU) within the PFM;
b) latching by the LU of each of the series of instruction addresses placed on an address bus by the CPU on completion of a read operation, and storing the latched address in a register file (RF);
c) storing at PFM power up the first address the CPU fetches to a first location in the RF, the highest program address referenced by a Metadata Store (MDS) into a second location in the RF, and latching the next instruction address fetched by the CPU into a third location in the RF;
d) performing a lookup of the address contained in the first location in the MDS;
e) generating an alarm if the address in the first location is greater than the address stored in the second location;
f) generating an alarm if the address in the first location is not found in the MDS;
g) generating an alarm if the address in the first location is found in the MDS, but the address in the third location is not listed as a valid follower;
h) copying the address in the third location to the first location if the LEAD-FOLL pair is found in the MDS;
i) latching by the LU of the next instruction address fetched by the CPU and storing it in the third location;
j) repeating steps d-j, until the program code has been fully executed by the PFM.
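The check loop of steps c) through j) of claim 1, modelled in software as an added example (not code from the patent). The MDS contents, the addresses and names such as `pfm_run` are constructed for illustration, and the linear table scan is an assumption standing in for the hardware lookup.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum pfm_alarm { PFM_OK, PFM_OUT_OF_RANGE, PFM_UNKNOWN_LEADER, PFM_BAD_FOLLOWER };
struct mds_entry { uint32_t lead; uint32_t foll[2]; size_t nfoll; };
/* Constructed MDS for a toy program: each leader with its valid followers. */
static const struct mds_entry MDS[] = {
    { 0x100, { 0x104 }, 1 },
    { 0x104, { 0x108, 0x110 }, 2 },  /* conditional branch: two followers */
    { 0x108, { 0x110 }, 1 },
    { 0x110, { 0x100 }, 1 },         /* loop back to the entry point */
};
#define MDS_LEN (sizeof MDS / sizeof MDS[0])
static const struct mds_entry *mds_lookup(uint32_t lead) {
    for (size_t i = 0; i < MDS_LEN; i++)
        if (MDS[i].lead == lead) return &MDS[i];
    return NULL;
}

/* Checks a fetch trace; on alarm, *fault is the trace index that triggered it. */
enum pfm_alarm pfm_run(const uint32_t *trace, size_t n, size_t *fault) {
    uint32_t rf[3] = { n ? trace[0] : 0, 0, 0 };   /* c) first fetched address */
    for (size_t i = 0; i < MDS_LEN; i++) {         /* c) highest MDS address   */
        if (MDS[i].lead > rf[1]) rf[1] = MDS[i].lead;
        for (size_t k = 0; k < MDS[i].nfoll; k++)
            if (MDS[i].foll[k] > rf[1]) rf[1] = MDS[i].foll[k];
    }
    for (size_t i = 1; i < n; i++) {
        rf[2] = trace[i];                          /* c), i) latch next fetch  */
        const struct mds_entry *e = mds_lookup(rf[0]);          /* d) */
        *fault = i - 1;                            /* leader under test */
        if (rf[0] > rf[1]) return PFM_OUT_OF_RANGE;             /* e) */
        if (e == NULL) return PFM_UNKNOWN_LEADER;               /* f) */
        size_t k = 0;
        while (k < e->nfoll && e->foll[k] != rf[2]) k++;
        *fault = i;                                /* follower under test */
        if (k == e->nfoll) return PFM_BAD_FOLLOWER;             /* g) */
        rf[0] = rf[2];                                          /* h) */
    }
    return PFM_OK;                                 /* j) trace exhausted */
}

int main(void) {
    const uint32_t hijacked[] = { 0x100, 0x104, 0x108, 0x100 };  /* constructed */
    size_t at = 0;
    enum pfm_alarm a = pfm_run(hijacked, 4, &at);
    printf("alarm=%d at trace index %zu\n", (int)a, at);
    return 0;
}
```

In this model the range check of step e) can only fire on the first latched address, because every later leader has already passed the follower check of step g).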
4. An article comprising machine-readable storage media containing instructions that when executed by a processor enable the processor to provide malware detection, wherein the instructions comprise:
utilizing a hardware based program flow monitor (PFM) for embedded software that employs a static analysis of program code;
marrying the program code to addresses, while considering which central processing unit (CPU) is executing the program code;
capturing an expected control flow of the program code, and storing the control flow as physical address pairs of leaders and followers (LEAD-FOLL pair) in a Metadata Store (MDS) within the PFM;
monitoring control flow at runtime by the PFM; and
comparing runtime control flow with the expected control flow.
5. A system for malware detection, the system comprising:
a hardware based program flow monitor (PFM) for embedded software that employs a static analysis of program code; and
wherein the PFM further comprises:
a logic unit (LU);
a metadata store (MDS); and
a register file (RF).
Specification