Detecting a return-oriented programming exploit
Abstract
A method and apparatus for detecting a Return-Oriented Programming exploitation. At a computer device, a mechanism to detect a control transfer of a code location in a memory is established. This may be, for example, hooking the control transfer. The code location relates to an electronic file. In the event that a control transfer of the code location is detected, a comparison is made between a destination code location address and values in the freed stack. If the code location address matches any of the values in the freed stack, then it is determined that the control transfer of the code location relates to a Return-Oriented Programming exploitation.
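The comparison described in the abstract, as an added example that is not taken from the patent: a toy C model of a stack with simulated `call` and `ret`, so the hook's check can be run on both entry paths. The machine model, the addresses and the two-slot window are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define SLOTS 64
#define HOOKED_ADDR ((uintptr_t)0x7ff00010u)  /* constructed address of the hooked code location */

/* Toy machine: stack grows toward lower indices, sp is the top slot. */
typedef struct { uintptr_t stack[SLOTS]; size_t sp; uintptr_t pc; } vm_t;

static void vm_init(vm_t *m) {
    for (size_t i = 0; i < SLOTS; i++) m->stack[i] = 0;
    m->sp = SLOTS;
    m->pc = 0;
}
static void vm_push(vm_t *m, uintptr_t v) { m->stack[--m->sp] = v; }

/* call: push the return address and jump; no stack space is freed. */
static void vm_call(vm_t *m, uintptr_t target, uintptr_t ret_addr) {
    vm_push(m, ret_addr);
    m->pc = target;
}
/* ret: pop the destination; the freed slot still holds the popped value. */
static void vm_ret(vm_t *m) { m->pc = m->stack[m->sp++]; }

/* The check run by the hook: compare the hooked address with the
 * values in the `window` slots just freed below the stack pointer. */
int rop_suspected(const vm_t *m, uintptr_t hooked, size_t window) {
    for (size_t i = 1; i <= window && i <= m->sp; i++)
        if (m->stack[m->sp - i] == hooked) return 1;
    return 0;
}

/* Hooked location reached by an ordinary call instruction. */
int check_after_call(void) {
    vm_t m; vm_init(&m);
    vm_call(&m, HOOKED_ADDR, (uintptr_t)0x00401234u);  /* constructed return address */
    return rop_suspected(&m, HOOKED_ADDR, 2);
}

/* Hooked location reached by a ret that popped its address off the stack. */
int check_after_ret(void) {
    vm_t m; vm_init(&m);
    vm_push(&m, (uintptr_t)0x00402000u);  /* constructed next entry in the chain */
    vm_push(&m, HOOKED_ADDR);
    vm_ret(&m);
    return rop_suspected(&m, HOOKED_ADDR, 2);
}

int main(void) { return !(check_after_call() == 0 && check_after_ret() == 1); }
```

After a `ret`, the popped destination is still present in the slot just below the stack pointer, so the comparison matches; after a `call`, that slot holds whatever was left there earlier. A wider window also raises the chance of matching a stale pointer left behind by legitimate code.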
20 Claims
1. A method of detecting a Return-Oriented Programming exploitation of an application, the method comprising, at a computer device:
- establishing a hooking rule to hook a code location relating to an electronic file stored in a computer readable medium in the form of a memory;
- in the event that a control transfer of a code location relating to the electronic file is detected, comparing a code location address with values in the stack space freed by the control transfer and, in the event that the code location address and any of the values in the freed stack match, determining that the control transfer relates to a Return-Oriented Programming exploitation.
11. A method of detecting a Return-Oriented Programming exploitation, the method comprising, at a computer device:
- establishing a mechanism to detect a control transfer of a code location in a memory, the code location relating to an electronic file;
- in the event that a control transfer of the code location is detected, comparing a destination code location address with values in the freed stack and, in the event that the code location address and any of the values in the freed stack match, determining that the control transfer of the code location relates to a Return-Oriented Programming exploitation.
14. A computer device comprising:
- a computer readable medium in the form of a memory;
- at least one electronic file stored on the memory;
- a hooking function for establishing a hooking rule to hook a code location relating to the electronic file;
- a Return-Oriented Programming exploitation detection function for comparing a code location address with a value in the stack space freed by a control transfer and, in the event that the code location address and any of the values in the freed stack match, determining that the function relates to a Return-Oriented Programming exploitation.