APPARATUS AND METHOD FOR PREVENTING VIRUS CODE EXECUTION

US 20100257608A1
Filed: 03/31/2010
Published: 10/07/2010
Est. Priority Date: 04/07/2009
Status: Active Grant

First Claim

Patent Images

1. An apparatus for preventing virus code execution, the apparatus comprising:

a code converter configured to convert code of a kernel module or an application program into an interrupt instruction, in response to execution of the kernel module or the application program being detected;

a code check unit configured to determine, in response to an exception being generated by execution of the interrupt instruction, whether buffer overflow occurs; and

a virus detection engine configured to perform virus inspection on a program execution region moved by the buffer overflow.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method for preventing virus code execution through buffer overflow management are provided. When buffer overflow occurs during execution of a kernel module or application program, the apparatus and method may perform virus inspection on a program execution region moved by the buffer overflow.

Citations

10 Claims

1. An apparatus for preventing virus code execution, the apparatus comprising:
- a code converter configured to convert code of a kernel module or an application program into an interrupt instruction, in response to execution of the kernel module or the application program being detected;
  
  a code check unit configured to determine, in response to an exception being generated by execution of the interrupt instruction, whether buffer overflow occurs; and
  
  a virus detection engine configured to perform virus inspection on a program execution region moved by the buffer overflow.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The apparatus of claim 1, wherein the virus detection engine is configured to be installed in at least one virtual machine in which the kernel module or the application program is executed.
  - 3. The apparatus of claim 2, further comprising a plurality of virus detection engines and a virus detection engine connector configured to connect the plurality of virus detection engines and transfer the codes of the kernel module or the application program to the plurality of virus detection engines.
  - 4. The apparatus of claim 1, further comprising a code reservoir configured to store the codes of the kernel module or the application program and converted codes of the kernel module or the application program.
  - 5. The apparatus of claim 1, further comprising a code emulator configured to execute, if a virus is not detected by the virus detection engine, the codes of the kernel module or the application program.

6. A method for preventing virus code execution, the method comprising:
- detecting execution of a kernel module or an application program;
  
  converting a code of the kernel module or the application program into an interrupt instruction;
  
  in response to an execution of the interrupt instruction generating an exception, determining whether buffer overflow occurs; and
  
  in response to determining that buffer overflow occurs, performing virus inspection on a program execution region moved by the buffer overflow.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, wherein the converting code comprises:
    - scanning an instruction included in the code of the kernel module or the application program;
      
      determining whether the instruction is an instruction for modifying a program counter, or for a branching or jumping instruction for modifying a flow of program execution;
      
      in response to determining that the instruction is for modifying the program counter, or for a branching or jumping instruction for modifying the flow of program execution, the converting further comprises determining whether a region where the kernel module or the application program is executed is a memory region which has not been set to execute only or read/execute; and
      
      in response to determining that the memory region has not been set to execute only or read/execute, the converting further comprises converting the code of the kernel module or the application program into the interrupt instruction.
  - 8. The method of claim 6, wherein the determination on whether buffer overflow occurs comprises:
    - fetching an original instruction stored at an address where an interrupt occurs and analyzing an address value which the program counter tries to acquire;
      
      determining whether a memory region comprising an address which the program counter tries to acquire is a memory region which has been set to execute only or read/execute;
      
      in response to determining that the memory region has not been set to execute only or read/execute, the determination further comprises determining whether buffer overflow occurs in a corresponding page;
      
      checking a cache to determine whether a corresponding code has previously been executed and whether virus inspection has previously been performed on the corresponding code; and
      
      in response to no history related to previous virus inspection being found in the cache, the determination further comprises requesting virus inspection on the memory region comprising the address which the program counter tries to acquire.
  - 9. The method of claim 6, wherein, if it is determined that no buffer overflow occurs, the method further comprises calling a code emulator to execute an original instruction before being replaced with the interrupt instruction.
  - 10. The method of claim 8, further comprising storing, in a cache, a result of virus inspection performed on a region to which the program counter moves, terminating an interrupt routine, and executing a next instruction following the interrupt.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd.
Original Assignee
Samsung Electronics Co. Ltd.
Inventors
JEONG, Bok-deuk, Suh, Sang-bum, Lee, Sung-min

Granted Patent

US 8,516,589 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

APPARATUS AND METHOD FOR PREVENTING VIRUS CODE EXECUTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS AND METHOD FOR PREVENTING VIRUS CODE EXECUTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links