METHOD AND APPARATUS FOR DETECTING INTRUSIONS IN A COMPUTER SYSTEM

US 20130160121A1
Filed: 12/20/2011
Published: 06/20/2013
Est. Priority Date: 12/20/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

calculating a first checksum from first bits representative of instructions in a block of a program concurrently with executing the instructions; and

issuing a security exception in response to determining that the first checksum differs from a second checksum calculated prior to execution of the block using second bits representative of instructions in the block when the second checksum is calculated.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a method and apparatus for detecting intrusions in a processor-based system. One embodiment of the method includes calculating a first checksum from first bits representative of instructions in a block of a program concurrently with executing the instructions. This embodiment of the method also includes issuing a security exception in response to determining that the first checksum differs from a second checksum calculated prior to execution of the block using second bits representative of instructions in the block when the second checksum is calculated.

30 Citations

View as Search Results

25 Claims

1. A method, comprising:
- calculating a first checksum from first bits representative of instructions in a block of a program concurrently with executing the instructions; and
  
  issuing a security exception in response to determining that the first checksum differs from a second checksum calculated prior to execution of the block using second bits representative of instructions in the block when the second checksum is calculated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein calculating the first checksum comprises calculating the first checksum by applying a function to bits representative of instructions in a block that begins at a label and ends with a branch instruction.
  - 3. The method of claim 2, wherein calculating the first checksum comprises calculating the first checksum by applying the function to the bits representative of each instruction in the block and bits representative of a location of each instruction within the block.
  - 4. The method of claim 3, wherein calculating the first checksum comprises initializing the first checksum using bits representative of an address of the label.
  - 5. The method of claim 1, comprising storing a value of the first checksum in a first register, storing a value of the second checksum in a second register, and comparing the value of the first checksum in the first register to the value of the second checksum in the second register.
  - 6. The method of claim 5, wherein issuing the security exception comprises issuing the security exception when the comparison of the values of the first and second checksum to the first and second registers indicates that the first checksum is different than the second checksum.
  - 7. The method of claim 5, wherein storing the value of the second checksum in the second register comprises retrieving the value of the second checksum from a table comprising entries that are indexed by addresses associated with blocks of the program, wherein each entry of the table includes a second checksum calculated using bits representative of instructions in one of the blocks in the program.
  - 8. The method of claim 1, comprising detecting and eliminating intruder code associated with the block in response to issuing the exception.

9. A method, comprising:
- generating a table comprising entries that are indexed by addresses associated with blocks of a program, wherein each entry of the table includes a checksum calculated using bits representative of instructions in the block; and
  
  comparing values of the entries in the table with checksums generated by a processor-based system concurrently with the processor-based system executing the corresponding block of the program.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, wherein generating the table comprises calculating checksums for the blocks in the program by applying a function to bits representative of instructions in the blocks, and wherein the blocks begin at a label and end with a branch instruction.
  - 11. The method of claim 10, wherein calculating the checksums comprises calculating the checksums by applying the function to the bits representative of instructions in the block and bits representative of locations of instructions within the block.
  - 12. The method of claim 11, wherein calculating the checksums comprises initializing the checksums using bits representative of an address of the label of the corresponding block.
  - 13. The method of claim 9, comprising storing a value of a first checksum from the table in a first register of a processor-based system, storing a value of a second checksum in a second register, wherein the value of the second checksum is computed by the processor-based system concurrently with executing the corresponding block, and comparing the value of the first checksum in the first register to the value of the second checksum in the second register.
  - 14. The method of claim 13, comprising issuing a security exception when the comparison of the values of the first and second checksum to the first and second registers indicates that the first checksum is different than the second checksum.
  - 15. The method of claim 13, comprising storing a copy of the table on the processor-based system.

16. An apparatus, comprising:
- means for calculating a first checksum from first bits representative of instructions in a block of a program concurrently with executing the instructions; and
  
  means for issuing a security exception in response to determining that the first checksum differs from a second checksum calculated prior to execution of the block using second bits representative of instructions in the block when the second checksum is calculated.
- View Dependent Claims (17)
- - 17. An apparatus as set forth in claim 16, further comprising:
    - means for generating a table comprising entries that are indexed by addresses associated with blocks of a program, wherein each entry of the table includes a checksum calculated using bits representative of instructions in the block; and
      
      means for comparing values of the entries in the table with checksums generated by a processor-based system concurrently with the processor-based system executing the corresponding block of the program

18. A computer readable storage medium encoded with instructions that, when executed by a processor-based system, cause the processor-based system to:
- calculate a first checksum from bits representative of instructions in a block of a program concurrently with executing the instructions; and
  
  issue a security exception in response to determining that the first checksum differs from a second checksum calculated prior to execution of the block using bits representative of instructions in the block.
- View Dependent Claims (19)
- - 19. A computer readable storage medium as set forth in claim 18 encoded with instructions that, when executed by a processor-based system, cause the processor-based system to:
    - generate a table comprising entries that are indexed by addresses associated with blocks of a program, wherein each entry of the table includes a checksum calculated using bits representative of instructions in the block; and
      
      compare values of the entries in the table with checksums generated by a processor-based system concurrently with the processor-based system executing the corresponding block of the program.

20. A processor-based system, comprising:
- at least one processor configured to calculate a first checksum from bits representative of instructions in a block of a program concurrently with executing the instructions;
  
  a first register for storing the first checksum; and
  
  a second register for storing a value of a second checksum calculated prior to execution of the block using bits representative of instructions in the block, wherein said at least one processor is configured to issue a security exception in response to determining that the first checksum is different than the second checksum.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The processor-based system of claim 20, wherein said at least one processor is configured to calculate the first checksum by applying a function to bits representative of instructions in a block that begins at a label and ends with a branch instruction.
  - 22. The processor-based system of claim 21, wherein said at least one processor is configured to calculate the first checksum by applying the function to the bits representative of each instruction in the block and bits representative of a location of each instruction within the block.
  - 23. The processor-based system of claim 22, wherein said at least one processor is configured to initialize the first checksum using bits representative of an address of the label.
  - 24. The processor-based system of claim 20, comprising at least one memory element configured to store a table comprising entries that are indexed by addresses associated with blocks of the program, wherein each entry of the table includes a second checksum calculated using bits representative of instructions in one of the blocks in the program
  - 25. The processor-based system of claim 24, wherein said at least one processor is configured to the value of the second checksum from the table and store the value of the second checksum in the second register prior to executing the corresponding block.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Advanced Micro Devices, Inc.
Original Assignee
Advanced Micro Devices, Inc.
Inventors
Yazdani, Reza

Granted Patent

US 9,141,800 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/54 by adding security routines...

G06F 21/566 Dynamic detection, i.e. det...

METHOD AND APPARATUS FOR DETECTING INTRUSIONS IN A COMPUTER SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR DETECTING INTRUSIONS IN A COMPUTER SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links