DETECTION OF CODE EXECUTION EXPLOITS

US 20100281540A1
Filed: 11/30/2009
Published: 11/04/2010
Est. Priority Date: 05/01/2009
Status: Active Grant

First Claim

Patent Images

1. A method of detecting shell code in an arbitrary file comprising:

determining where one or more candidate areas exist within an arbitrary file;

searching at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate; and

calculating for any such instruction candidate a statistical probability based on a disassembly of instructions starting at a found offset for the instruction candidate that the disassembled instructions are shellcode.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments include a method of detecting shell code in an arbitrary file comprising determining where one or more candidate areas exist within an arbitrary file, searching at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate, and calculating for any such instruction candidate a statistical probability based on a disassembly of instructions starting at a found offset for the instruction candidate that the disassembled instructions are shellcode.

77 Citations

View as Search Results

26 Claims

1. A method of detecting shell code in an arbitrary file comprising:
- determining where one or more candidate areas exist within an arbitrary file;
  
  searching at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate; and
  
  calculating for any such instruction candidate a statistical probability based on a disassembly of instructions starting at a found offset for the instruction candidate that the disassembled instructions are shellcode.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, including:
    - classifying the arbitrary file as containing shellcode if the statistical probability exceeds a probability threshold.
  - 3. The method of claim 1, wherein the instruction candidate at the found offset is a code branching instruction or a function call.
  - 4. The method of claim 1, wherein the instruction candidate at the found offset is similar to the start of a known characteristical shellcode sequence.
  - 5. The method of claim 1, wherein determining where one or more candidate areas exist within the arbitrary file includes:
    - scanning the arbitrary file looking for repetitive constructs, the repetitive construct potentially intended to overflow a buffer in a computer memory when the arbitrary file is parsed, rendered or executed.
  - 6. The method of claim 1, wherein searching at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file includes:
    - configuring a number of data blocks to be included in the at least one nearby area.
  - 7. The method of claim 1, wherein calculating for any found offset a statistical probability based on a disassembly of instructions starting at the found offset includes:
    - disassembling the instructions starting at the any found offset by following branches and method calls dynamically.
  - 8. The method of claim 1, wherein calculating for any such instruction candidate a statistical probability based on a disassembly of instructions starting at a found offset includes using a normalized form of the disassembled instructions as input to the statistical probability calculation.
  - 9. The method of claim 1, wherein calculating for any found offset a statistical probability based on a disassembly of instructions starting at the found offset includes:
    - for a given stream of instructions starting at a given one of the any found offset, mapping an instruction-to-shellcode probability to each of the instruction in the given stream of instructions; and
      
      summing the mapped instruction-to-shellcode probability for each instruction using Bayes'"'"' formula to generate an overall probability.
  - 10. The method of claim 9, including classifying the arbitrary file as containing shellcode if the overall probability exceeds a threshold value.

11. A gateway comprising:
- an anti-malware engine operable to scan an arbitrary file and to determine if any candidate areas exist within the arbitrary file;
  
  for any given candidate area located within the arbitrary file, search at least one nearby area surrounding the candidate area for any instruction candidates; and
  
  for any such instruction candidates, calculate a statistical probability based on one or more disassembled instructions starting at a found offset of the instruction candidate to determine a likelihood that the arbitrary file includes shellcode.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The gateway of claim 11, further including a configurations coupled to the anti-malware engine, the configurations operable to store one or more threshold values used by the anti-malware engine in at least one shellcode detection process.
  - 13. The gateway of claim 11, wherein the anti-malware engine is operable to output warning messages to an interface coupled to the anti-malware engine when the arbitrary file is determined to include shellcode.
  - 14. The gateway of claim 11, wherein the gateway couples at least one protected device to the Internet.
  - 15. The gateway of claim 11, wherein the anti-malware engine is operable to access known characteristical shellcode sequences stored in a database coupled to the anti-malware engine, and to scan the arbitrary file for the known characteristical shellcode sequences.
  - 16. The gateway of claim 11, wherein the anti-malware engine is operable to access known whitelisted instruction sequences and whitelisted media types stored in a database coupled to the anti-malware engine, and to bypass scanning of know code sequences that match either one of the whitelisted instruction sequences or at least one of the whitelisted media types stored in the database.

17. A method of detecting shellcode in an arbitrary file comprising:
- scanning an arbitrary file to determine if any candidate areas exist within the arbitrary file;
  
  for any candidate areas found in the arbitrary file, first searching the areas surrounding the any candidate areas to determine if any function calls or any code branching instructions exist in the areas surrounding the any candidate areas; and
  
  if no function calls and no code branching instructions are found, searching the areas surrounding the any candidate areas for known characteristical shellcode sequences.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The method of claim 17, further including:
    - If no know characteristical shellcode sequences are found, for a given portion of the arbitrary file, calculating an information entropy for the given portion of the arbitrary file, and ending processing of the given portion of the arbitrary file if the calculated information entropy for the portion of the arbitrary file is either above or below a set of configured thresholds.
  - 19. The method of claim 18, wherein ending the processing of the given portion of the arbitrary file includesscanning another given portion of the arbitrary file,calculating an information entropy for the another given portion of the arbitrary file, and ending processing of the another given portion of the arbitrary file if the calculated information entropy for the another given portion of the arbitrary file is either above or below the set of configured thresholds.
  - 20. The method of claim 17, including if no known characteristical shellcode sequences are found, scanning the arbitrary file for data blocks with high information entropy compared to a threshold value.
  - 21. The method of claim 20, wherein scanning the arbitrary file includes scanning the arbitrary file for repeated constructs that include long sequences of repeated characters.
  - 22. The method of claim 20, wherein scanning for repeated constructs includes:
    - taking a first character a_Nat position N in the arbitrary file;
      
      searching for next occurrence of the first character, which is found at position M;
      
      using a sub-sequence (a_N, . . . , a_M−
      
      1) as a repetition pattern having a length L=M−
      
      N);
      
      comparing the repetition pattern to the sub-sequence (a_M, . . . , a_M+L), and if equal, advance by L bytes and continue with this comparing until the comparison fails in order to determine a number of found repetitions; and
      
      if the number of found repetitions is below a given threshold, determine that no match is found.
  - 23. The method of claim 17, wherein if any function calls or code branching instructions are found in the areas surrounding the any candidate areas,disassemble a number of instructions starting at the function call or at the code branching instruction,calculate a probability for each of the instructions disassembled;
    - sum each of the calculated probabilities using Bayers'"'"' formula to generate an overall probability; and
      
      using the overall probability, determine that the arbitrary file includes shellcode when the overall probability exceeds an threshold value.

24. A computer network comprising:
- a gateway including an anti-malware engine operable to perform the following;
  
  receiving an arbitrary file;
  
  scanning the arbitrary file for repetitive constructs that are potentially intended to overflow a buffer;
  
  determining if any function calls or any code branching instructions exist in the areas surrounding the repetitive constructs; and
  
  generating a statistical probability representing the likelihood that the arbitrary file includes shellcode by performing a statistical analysis of the instructions starting at each found offset to generate an overall shellcode probability for the instructions starting at the each found offset.
- View Dependent Claims (25, 26)
- - 25. The computer network of claim 24, further including a configurations coupled to the anti-malware engine, the configurations operable to store one or more probability threshold settings used by the anti-malware engine in determining whether a given statistical probability generated for the arbitrary file indicates that the arbitrary file includes shellcode.
  - 26. The computer network of claim 24, further including a database coupled to the gateway, the database including memory operable to store one or more known shellcode sequences and to provide the one or more known shellcode sequences to the anti-malware engine for comparison to instructions in the arbitrary file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Alme, Christoph

Granted Patent

US 8,621,626 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/563 by source code analysis

DETECTION OF CODE EXECUTION EXPLOITS

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

77 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTION OF CODE EXECUTION EXPLOITS

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links