LOW-OVERHEAD DETECTION OF UNAUTHORIZED MEMORY MODIFICATION USING TRANSACTIONAL MEMORY

US 20150278123A1
Filed: 03/28/2014
Published: 10/01/2015
Est. Priority Date: 03/28/2014
Status: Abandoned Application

First Claim

Patent Images

1. A computing device for detecting unauthorized memory accesses, the computing device comprising:

a security thread dispatch module to start a security thread; and

a security thread module to;

start a transactional memory envelope within the security thread;

access a monitored memory location within the transactional memory envelope;

detect a transactional abort in response to the access of the monitored memory location;

determine whether a security event has occurred in response to detection of the transactional abort, the security event indicative of an unauthorized write to the monitored memory location that originates from outside of the transactional memory envelope; and

report the security event in response to a determination that the security event has occurred.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies for detecting unauthorized memory accesses include a computing device having transactional memory support. The computing device executes a transactional memory execution envelope within a security thread. Within the transactional envelope, the security thread reads one or more memory locations. The computing device detects a transactional abort originating from the transactional envelope, and determines whether a security event has occurred. A security event may include an unauthorized write to the monitored memory locations from outside the transactional envelope, including from non-transactional code. The computing device reports any security events that are detected. The computing device may execute several security threads that each monitor a different, non-overlapping memory location. The computing device may spawn a new security thread to monitor a memory location while a previous security thread is handling a transactional abort. Other embodiments are described and claimed.

22 Citations

View as Search Results

22 Claims

1. A computing device for detecting unauthorized memory accesses, the computing device comprising:
- a security thread dispatch module to start a security thread; and
  
  a security thread module to;
  
  start a transactional memory envelope within the security thread;
  
  access a monitored memory location within the transactional memory envelope;
  
  detect a transactional abort in response to the access of the monitored memory location;
  
  determine whether a security event has occurred in response to detection of the transactional abort, the security event indicative of an unauthorized write to the monitored memory location that originates from outside of the transactional memory envelope; and
  
  report the security event in response to a determination that the security event has occurred.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computing device of claim 1, wherein the monitored memory location comprises a system call table of the computing device, security software of the computing device, part of a hypervisor of the computing device, or a part of a kernel of the computing device.
  - 3. The computing device of claim 1, wherein the monitored memory location comprises a system integrity check routine of the computing device.
  - 4. The computing device of claim 1, wherein the security thread module is further to yield execution of the security thread in response to the access of the monitored memory location.
  - 5. The computing device of claim 1, wherein:
    - the security thread dispatch module is further to start a second security thread; and
      
      the security thread module is further to;
      
      start a second transactional memory envelope within the second security thread;
      
      access a second monitored memory location within the second transactional memory envelope, wherein the second monitored memory location and the monitored memory location do not overlap; and
      
      monitor for a second transactional abort by the second transactional memory envelope contemporaneously with the determination whether the security event has occurred.
  - 6. The computing device of claim 5, wherein the security thread dispatch module is further to bind the security thread and the second security thread for execution by a dedicated processor core of the computing device.
  - 7. The computing device of claim 1, wherein:
    - the security thread dispatch module is further to;
      
      start a set of security threads, wherein the set includes the security thread;
      
      monitor a performance attribute of the set of security threads; and
      
      adjust the number of security threads included in the set of security threads based on the monitored performance attribute; and
      
      the security thread module is further to;
      
      start a transactional memory envelope within each security thread of the set of security threads; and
      
      access a distinct monitored memory location within each transactional memory envelope of the set of security threads.
  - 8. The computing device of claim 7, wherein the performance attribute comprises a number of transactional aborts detected, a time spent handling transactional aborts, or a size of the distinct monitored memory location of each transactional memory envelope.
  - 9. The computing device of claim 1, wherein:
    - the security thread dispatch module is further to start a second security thread in response to the detection of the transactional abort; and
      
      the security thread module is further to (i) start a second transactional memory envelope within the second security thread, (ii) access the monitored memory location within the second transactional memory envelope, and (iii) monitor for a second transactional abort by the second transactional memory envelope contemporaneously with the determination of whether the security event has occurred.
  - 10. The computing device of claim 1, further comprising a security module to:
    - determine whether a code segment is suspicious;
      
      execute the code segment in response to the access of the monitored memory location and a determination that the code segment is not suspicious; and
      
      in response to a determination that the code segment is suspicious;
      
      wrap the code segment in a second transactional memory envelope; and
      
      execute the code segment within the second transactional memory envelope in response to the access of the monitored memory location.

11. A method for detecting unauthorized memory accesses, the method comprising:
- starting, by a computing device, a security thread;
  
  starting, by the computing device, a transactional memory envelope within the security thread;
  
  accessing, by the computing device, a monitored memory location within the transactional memory envelope;
  
  detecting, by the computing device, a transactional abort in response to accessing the monitored memory location;
  
  determining, by the computing device, whether a security event has occurred in response to detecting the transactional abort, the security event indicative of an unauthorized write to the monitored memory location originating from outside of the transactional memory envelope; and
  
  reporting, by the computing device, the security event in response to determining the security event has occurred.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11, further comprising yielding, by the computing device, execution of the security thread in response to accessing the monitored memory location.
  - 13. The method of claim 11, further comprising:
    - starting, by the computing device, a second security thread;
      
      starting, by the computing device, a second transactional memory envelope within the second security thread;
      
      accessing, by the computing device, a second monitored memory location within the second transactional memory envelope, wherein the second monitored memory location and the monitored memory location do not overlap; and
      
      monitoring, by the computing device, for a second transactional abort by the second transactional memory envelope while determining whether the security event has occurred.
  - 14. The method of claim 11, further comprising:
    - starting, by the computing device, a set of security threads, wherein the set includes the security thread,starting, by the computing device, a transactional memory envelope within each security thread of the set of security threads;
      
      accessing, by the computing device, a distinct monitored memory location within each transactional memory envelope of the set of security threads;
      
      monitoring, by the computing device, a performance attribute of the set of security threads; and
      
      adjusting, by the computing device, the number of security threads included in the set of security threads based on the monitored performance attribute.
  - 15. The method of claim 11, further comprising:
    - starting, by a computing device, a second security thread in response to detecting the transactional abort;
      
      starting, by the computing device, a second transactional memory envelope within second security thread;
      
      accessing, by the computing device, the monitored memory location within the second transactional memory envelope; and
      
      monitoring, by the computing device, for a second transactional abort by the second transactional memory envelope while determining whether the security event has occurred.
  - 16. The method of claim 11, further comprising:
    - determining, by the computing device, whether a code segment is suspicious;
      
      executing, by the computing device, the code segment in response to accessing the monitored memory location and determining the code segment is not suspicious; and
      
      in response to determining the code segment is suspicious;
      
      wrapping, by the computing device, the code segment in a second transactional memory envelope; and
      
      executing, by the computing device, the code segment within the second transactional memory envelope in response to accessing the monitored memory location.

17. One or more computer-readable storage media comprising a plurality of instructions that in response to being executed cause a computing device to:
- start a security thread;
  
  start a transactional memory envelope within the security thread;
  
  access a monitored memory location within the transactional memory envelope;
  
  detect a transactional abort in response to accessing the monitored memory location;
  
  determine whether a security event has occurred in response to detecting the transactional abort, the security event indicative of an unauthorized write to the monitored memory location originating from outside of the transactional memory envelope; and
  
  report the security event in response to determining the security event has occurred.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The one or more computer-readable storage media of claim 17, further comprising a plurality of instructions that in response to being executed cause the computing device to yield execution of the security thread in response to accessing the monitored memory location.
  - 19. The one or more computer-readable storage media of claim 17, further comprising a plurality of instructions that in response to being executed cause the computing device to:
    - start a second security thread;
      
      start a second transactional memory envelope within the second security thread;
      
      access a second monitored memory location within the second transactional memory envelope, wherein the second monitored memory location and the monitored memory location do not overlap; and
      
      monitor for a second transactional abort by the second transactional memory envelope while determining whether the security event has occurred.
  - 20. The one or more computer-readable storage media of claim 17, further comprising a plurality of instructions that in response to being executed cause the computing device to:
    - start a set of security threads, wherein the set includes the security thread,start a transactional memory envelope within each security thread of the set of security threads;
      
      access a distinct monitored memory location within each transactional memory envelope of the set of security threads;
      
      monitor a performance attribute of the set of security threads; and
      
      adjust the number of security threads included in the set of security threads based on the monitored performance attribute.
  - 21. The one or more computer-readable storage media of claim 17, further comprising a plurality of instructions that in response to being executed cause the computing device to:
    - start a second security thread in response to detecting the transactional abort;
      
      start a second transactional memory envelope within second security thread;
      
      access the monitored memory location within the second transactional memory envelope; and
      
      monitor for a second transactional abort by the second transactional memory envelope while determining whether the security event has occurred.
  - 22. The one or more computer-readable storage media of claim 17, further comprising a plurality of instructions that in response to being executed cause the computing device to:
    - determine whether a code segment is suspicious;
      
      execute the code segment in response to accessing the monitored memory location and determining the code segment is not suspicious; and
      
      in response to determining the code segment is suspicious;
      
      wrap the code segment in a second transactional memory envelope; and
      
      execute the code segment within the second transactional memory envelope in response to accessing the monitored memory location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Nayshtut, Alex, Muttik, Igor, Dementiev, Roman

Application Number

US14/228,842
Publication Number

US 20150278123A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 12/1441   for a range

G06F 21/00   Security arrangements for p...

G06F 21/52   during program execution, e...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2212/1016   Performance improvement

G06F 2212/1052   Security improvement

G06F 9/467   Transactional memory G06F9/...

G06F 9/48   Program initiating; Program...

LOW-OVERHEAD DETECTION OF UNAUTHORIZED MEMORY MODIFICATION USING TRANSACTIONAL MEMORY

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

LOW-OVERHEAD DETECTION OF UNAUTHORIZED MEMORY MODIFICATION USING TRANSACTIONAL MEMORY

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links