METHODS, DEVICES, AND SYSTEMS FOR DETECTING RETURN ORIENTED PROGRAMMING EXPLOITS
Abstract
Methods, devices, and systems for detecting return-oriented programming (ROP) exploits are disclosed. A system includes a processor, a main memory, and a cache memory. A cache monitor develops an instruction loading profile by monitoring accesses to cached instructions found in the cache memory and misses to instructions not currently in the cache memory. A remedial action unit terminates execution of one or more of the valid code sequences if the instruction loading profile is indicative of execution of an ROP exploit involving one or more valid code sequences. The instruction loading profile may be a hit/miss ratio derived from monitoring cache hits relative to cache misses. The ROP exploits may include code snippets that each include an executable instruction and a return instruction from valid code sequences.
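The instruction loading profile described in the abstract can be illustrated with a small software model. This is an added example, not code from the patent: the direct-mapped cache geometry, window size, miss-rate threshold and both fetch traces are constructed assumptions, and the miss rate per window stands in for the hit/miss ratio.

```c
#include <stdint.h>
#include <stdio.h>

/* All parameters are assumptions for illustration, not values from the patent. */
#define LINE_BITS    6    /* 64-byte cache lines */
#define NUM_SETS     64   /* direct-mapped 4 KiB instruction cache */
#define WINDOW       32   /* instruction fetches per profiling window */
#define MAX_MISS_PCT 25   /* a window miss rate above this is treated as anomalous */
#define TRACE_LEN    128
typedef struct { uint64_t tag[NUM_SETS]; int valid[NUM_SETS]; } icache;

/* Model one instruction fetch; returns 1 on a cache miss, 0 on a hit. */
static int fetch(icache *c, uint64_t addr) {
    uint64_t line = addr >> LINE_BITS;
    unsigned set = (unsigned)(line % NUM_SETS);
    int miss = !c->valid[set] || c->tag[set] != line;
    c->tag[set] = line; c->valid[set] = 1;   /* fill the line on a miss */
    return miss;
}

/* Build the loading profile window by window; return how many windows exceed the threshold. */
static int flagged_windows(const uint64_t *trace, size_t n) {
    icache c = {{0}, {0}};
    int flagged = 0, misses = 0;
    for (size_t i = 0; i < n; i++) {
        misses += fetch(&c, trace[i]);
        if ((i + 1) % WINDOW == 0) {
            if (misses * 100 > MAX_MISS_PCT * WINDOW) flagged++;
            misses = 0;
        }
    }
    return flagged;
}

/* Constructed trace: a 16-instruction loop that fits in one cache line. */
static void loop_trace(uint64_t *t) {
    for (size_t i = 0; i < TRACE_LEN; i++) t[i] = 0x400000u + (i % 16) * 4;
}
/* Constructed trace: two-instruction snippets 0x1040 bytes apart, each in a cold cache line. */
static void scattered_trace(uint64_t *t) {
    for (size_t i = 0; i < TRACE_LEN; i++) t[i] = 0x400000u + (i / 2) * 0x1040u + (i % 2) * 4;
}

int main(void) {
    uint64_t a[TRACE_LEN], b[TRACE_LEN];
    loop_trace(a); scattered_trace(b);
    printf("loop: %d, scattered: %d flagged windows\n", flagged_windows(a, TRACE_LEN), flagged_windows(b, TRACE_LEN));
    return 0;
}
```

The loop trace misses only once, on its first fetch, while the scattered trace misses on every snippet's first instruction, so only the latter crosses the threshold in each window.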
16 Claims

1. A method, comprising:
- executing an unintended sequence of code snippets in a processing circuit, each code snippet including at least one executable instruction including a control transfer instruction, wherein one or more of the code snippets includes a modified control transfer instruction different from an originally intended control transfer instruction and at least one code snippet of the plurality is a non-cached code snippet not found in a cache memory; and
- developing an instruction loading profile by monitoring instruction fetches relative to cache misses, where the cache misses are fetched instructions absent from the cache memory on the instruction fetch.

Dependent claims: 2, 3, 4, 5.

6. A processing device, comprising:
- a processing circuit configured to fetch and execute executable code sequences, the executable code sequences including an unintended sequence of code snippets, each code snippet including at least one executable instruction including a control transfer instruction, wherein one or more of the code snippets includes a modified control transfer instruction different from an originally intended control transfer instruction;
- a cache memory system operably coupled to the processing circuit and including at least one cache memory wherein at least one code snippet of the unintended sequence is a non-cached code snippet not found in the cache memory; and
- a cache monitor configured to develop an instruction loading profile by monitoring the instruction fetches relative to cache misses, where the cache misses are fetched instructions absent from the cache memory on the instruction fetch.

Dependent claims: 7, 8, 9, 10, 11.

12. A processing device, comprising:
- means for executing an unintended sequence of code snippets in a processing circuit, each code snippet including at least one executable instruction including a control transfer instruction, wherein one or more of the code snippets includes a modified control transfer instruction different from an originally intended control transfer instruction and at least one code snippet of the plurality is a non-cached code snippet not found in a cache memory; and
- means for developing an instruction loading profile by monitoring instruction fetches relative to cache misses, where the cache misses are fetched instructions absent from the cache memory on the instruction fetch.

Dependent claims: 13, 14.

15. A machine-readable medium having instructions stored thereon, which when executed by a processing circuit cause the processing circuit to:
- execute an unintended sequence of code snippets, each code snippet including at least one executable instruction including a control transfer instruction, wherein one or more of the code snippets includes a modified control transfer instruction different from an originally intended control transfer instruction and at least one code snippet of the plurality is a non-cached code snippet not found in a cache memory; and
- develop an instruction loading profile by monitoring instruction fetches relative to cache misses, where the cache misses are fetched instructions absent from the cache memory on the instruction fetch.

Dependent claims: 16.

Specification