Methods, Devices, And Systems For Detecting Return-Oriented Programming Exploits

US 20130117843A1
Filed: 11/07/2011
Published: 05/09/2013
Est. Priority Date: 11/07/2011
Status: Active Grant

First Claim

Patent Images

1. A method operational in a processing circuit including cache memory, comprising:

loading at least portions of an executable code sequence in the cache memory;

performing instruction fetches of the executable code sequence from the cache memory; and

monitoring the instruction fetches relative to cache misses, where the cache misses are fetched instructions absent from the cache memory on the instruction fetch, in order to dynamically detect anomalous miss activity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, devices, and systems for detecting return-oriented programming (ROP) exploits are disclosed. A system includes a processor, a main memory, and a cache memory. A cache monitor develops an instruction loading profile by monitoring accesses to cached instructions found in the cache memory and misses to instructions not currently in the cache memory. A remedial action unit terminates execution of one or more of the valid code sequences if the instruction loading profile is indicative of execution of an ROP exploit involving one or more valid code sequences. The instruction loading profile may be a hit/miss ratio derived from monitoring cache hits relative to cache misses. The ROP exploits may include code snippets that each include an executable instruction and a return instruction from valid code sequences.

54 Citations

View as Search Results

40 Claims

1. A method operational in a processing circuit including cache memory, comprising:
- loading at least portions of an executable code sequence in the cache memory;
  
  performing instruction fetches of the executable code sequence from the cache memory; and
  
  monitoring the instruction fetches relative to cache misses, where the cache misses are fetched instructions absent from the cache memory on the instruction fetch, in order to dynamically detect anomalous miss activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - reporting the anomalous miss activity to perform a remedial action relative to the executable code sequence.
  - 3. The method of claim 2, further comprising:
    - performing the remedial action by terminating execution of the executable code sequence responsive to the reporting of the anomalous miss activity.
  - 4. The method of claim 1, wherein monitoring the instruction fetches relative to cache misses includesmonitoring that some of the instruction fetches are cache hits and the anomalous miss activity indicates a hit/miss ratio of the cache hits relative to the cache misses that is lower than a threshold selected relative to valid hit/miss ratios indicative of valid code sequences.
  - 5. The method of claim 4, wherein the valid hit/miss ratios are determined from monitoring hit/miss ratios from a plurality of the executable code sequences that are free from a return-oriented programming exploit during the monitoring.
  - 6. The method of claim 1, wherein the monitoring is suspended during a selected operational period.
  - 7. The method of claim 6, wherein the selected operational period includes a boot-up stage of a new process.
  - 8. The method of claim 1, wherein the anomalous miss activity is determined over a predefined number of preceding instructions or a predefined time period.
  - 9. The method of claim 1, further comprising:
    - determining that the anomalous miss activity is indicative of a return-oriented programming exploit.
  - 10. The method of claim 1, wherein the anomalous miss activity is determined within a predetermined operating context.

11. A processing device, comprising:
- a processing circuit configured to fetch and execute an executable code sequence;
  
  a cache memory system operably coupled to the processing circuit and including at least one cache memory;
  
  a cache monitor configured to monitor instruction fetches relative to cache misses, where the cache misses are fetched instructions absent from the cache memory on the instruction fetch, in order to dynamically detect anomalous miss activity.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The processing device of claim 11, further comprising:
    - a remedial action unit configured to terminate execution of one or more of the executable code sequences if the cache monitor reports the anomalous miss activity.
  - 13. The processing device of claim 12, wherein the cache monitor, the remedial action unit, the processing circuit, or a combination thereof is configured to:
    - monitor that some of the instruction fetches are cache hits and the anomalous miss activity indicates a hit/miss ratio of the cache hits relative to the cache misses that is lower than a threshold selected relative to valid hit/miss ratios indicative of valid code sequences.
  - 14. The processing device of claim 11, wherein the cache memory system includes a data cache and an instruction cache and the cache monitor is configured to develop an instruction loading profile from the instruction cache.
  - 15. The processing device of claim 11, wherein the cache memory system includes two or more levels of cache and the cache monitor is configured to develop an instruction loading profile for at least one of the two or more levels of cache.
  - 16. The processing device of claim 11, wherein the cache monitor is configure to suspended monitoring during a selected operational period.
  - 17. The processing device of claim 16, wherein the selected operational period includes a boot-up stage of a new process.
  - 18. The processing device of claim 16, wherein the cache monitor determines the anomalous miss activity over a predefined number of preceding instructions or a predefined time period.

19. A processing device, comprising:
- means for loading at least portions of an executable code sequence in a cache memory;
  
  means for performing instruction fetches of the executable code sequence from the cache memory; and
  
  means for monitoring the instruction fetches relative to cache misses, where the cache misses are fetched instructions absent from the cache memory on the instruction fetch, in order to dynamically detect anomalous miss activity.
- View Dependent Claims (20, 21, 22)
- - 20. The processing device of claim 19, further comprising:
    - means for reporting the anomalous miss activity to perform a remedial action relative to the executable code sequence; and
      
      means for performing the remedial action by terminating execution of the executable code sequence responsive to the reporting of the anomalous miss activity.
  - 21. The processing device of claim 19, further comprising:
    - means for determining the anomalous miss activity over a predefined number of preceding instructions or a predefined time period.
  - 22. The processing device of claim 19, further comprising:
    - means for determining that the anomalous miss activity is indicative of a return-oriented programming exploit.

23. A machine-readable medium having instructions stored thereon, which when executed by a processing circuit cause the processing circuit to:
- load at least portions of an executable code sequence in a cache memory;
  
  perform instruction fetches of the executable code sequence from the cache memory; and
  
  monitor the instruction fetches, relative to cache misses, where the cache misses are fetched instructions absent from the cache memory on the instruction fetch, in order to dynamically detect anomalous miss activity.
- View Dependent Claims (24)
- - 24. The machine-readable medium of claim 23, wherein the instructions further cause the processing circuit to:
    - monitor that some of the instruction fetches are cache hits and the anomalous miss activity indicates a hit/miss ratio of the cache hits relative to the cache misses that is lower than a threshold selected relative to valid hit/miss ratios indicative of valid code sequences.

25. A method, comprising:
- executing an unintended sequence of code snippets in a processing circuit, each code snippet including at least one executable instruction including a control transfer instruction, wherein one or more of the code snippets includes a modified control transfer instruction different from an originally intended control transfer instruction and at least one code snippet of the plurality is a non-cached code snippet not found in a cache memory; and
  
  developing an instruction loading profile by monitoring instruction fetches relative to cache misses, where the cache misses are fetched instructions absent from the cache memory on the instruction fetch.
- View Dependent Claims (26, 27, 28, 29)
- - 26. The method of claim 25, further comprising:
    - terminating execution of at least one code snippet of the unintended sequence if the instruction loading profile is indicative of execution of some of the code snippets of the unintended sequence.
  - 27. The method of claim 25, wherein executing the unintended sequence of code snippets includes utilizing a multi-level cache as the cache memory and cached instructions are instructions in a cache level closer to the processing circuit and non-cached instructions are instructions in a main memory or a cache level farther from the processing circuit.
  - 28. The method of claim 25, further comprising:
    - developing the instruction loading profile as a hit/miss ratio of fetches of cached instructions relative to non-cached instructions that is lower than a threshold selected relative to valid hit/miss ratios indicative of valid code sequences.
  - 29. The method of claim 28, further comprising:
    - determining the valid hit/miss ratios from monitoring hit/miss ratios from a plurality of executable code sequences known to be free from a return-oriented programming exploit during the monitoring.

30. A processing device, comprising:
- a processing circuit configured to fetch and execute executable code sequences, the executable code sequences including an unintended sequence of code snippets, each code snippet including at least one executable instruction including a control transfer instruction, wherein one or more of the code snippets includes a modified control transfer instruction different from an originally intended control transfer instruction;
  
  a cache memory system operably coupled to the processing circuit and including at least one cache memory wherein at least one code snippet of the unintended sequence is a non-cached code snippet not found in the cache memory; and
  
  a cache monitor configured to develop an instruction loading profile by monitoring the instruction fetches relative to cache misses, where the cache misses are fetched instructions absent from the cache memory on the instruction fetch.
- View Dependent Claims (31, 32, 33, 34, 35)
- - 31. The processing device of claim 30, wherein the cache memory system includes a data cache and an instruction cache and the cache monitor is for developing the instruction loading profile from the instruction cache.
  - 32. The processing device of claim 30, wherein the cache memory system includes two or more levels of cache and the cache monitor is for developing the instruction loading profile for at least one of the two or more levels of cache.
  - 33. The processing device of claim 30, further comprising:
    - a remedial action unit configured for performing remedial actions relative to the executable code sequences if the instruction loading profile is indicative the unintended sequence of code snippets, wherein the cache monitor, the remedial action unit, the processing circuit, or a combination thereof is configured to develop the instruction loading profile as a hit/miss ratio of fetches of cached instructions relative to non-cached instructions that is lower than a threshold selected relative to valid hit/miss ratios indicative of valid code sequences.
  - 34. The processing device of claim 33, wherein the cache monitor, the remedial action unit, the processing circuit, or a combination thereof is configured to determine the valid hit/miss ratios from monitoring the hit/miss ratios from a plurality of executable code sequences known to be free from a return-oriented programming exploit during the monitoring.
  - 35. The processing device of claim 30, wherein the cache monitor is configure to suspended monitoring during a selected operational period.

36. A processing device, comprising:
- means for executing an unintended sequence of code snippets in a processing circuit, each code snippet including at least one executable instruction including a control transfer instruction, wherein one or more of the code snippets includes a modified control transfer instruction different from an originally intended control transfer instruction and at least one code snippet of the plurality is a non-cached code snippet not found in a cache memory; and
  
  means for developing an instruction loading profile by monitoring instruction fetches relative to cache misses, where the cache misses are fetched instructions absent from the cache memory on the instruction fetch.
- View Dependent Claims (37, 38)
- - 37. The processing device of claim 36, further comprising:
    - means for terminating execution of at least one code snippet of the unintended sequence if the instruction loading profile is indicative of execution of some of the code snippets of the unintended sequence.
  - 38. The processing device of claim 36, further comprising:
    - means for developing the instruction loading profile as a hit/miss ratio of fetches of cached instructions relative to non-cached instructions that is lower than a threshold selected relative to valid hit/miss ratios indicative of valid code sequences.

39. A machine-readable medium having instructions stored thereon, which when executed by a processing circuit cause the processing circuit to:
- execute an unintended sequence of code snippets, each code snippet including at least one executable instruction including a control transfer instruction, wherein one or more of the code snippets includes a modified control transfer instruction different from an originally intended control transfer instruction and at least one code snippet of the plurality is a non-cached code snippet not found in a cache memory; and
  
  develop an instruction loading profile by monitoring instruction fetches relative to cache misses, where the cache misses are fetched instructions absent from the cache memory on the instruction fetch.
- View Dependent Claims (40)
- - 40. The machine-readable medium of claim 39, wherein the instructions further cause the processing circuit to terminate execution of at least one code snippet of the unintended sequence if the instruction loading profile is indicative of execution of some of the code snippets of the unintended sequence.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Rosenberg, Brian M., Ge, Renwei, Rose, Gregory G., Palanigounder, Anand, Gantman, Alex, Balakrishan, Arun, KOMAROMY, Daniel

Granted Patent

US 8,839,429 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 11/3037   where the computing system ...

G06F 11/3466   Performance evaluation by t...

G06F 12/0811   with multilevel cache hiera...

G06F 12/0848   Partitioned cache, e.g. sep...

G06F 12/0875   with dedicated cache, e.g. ...

G06F 12/14   Protection against unauthor...

G06F 21/52   during program execution, e...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2212/452   Instruction code

Methods, Devices, And Systems For Detecting Return-Oriented Programming Exploits

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

54 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, Devices, And Systems For Detecting Return-Oriented Programming Exploits

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links