Computer System Security
Abstract
A security system monitors a computer system for process events and performs verification related to each event. A thread related to the event is identified and the set of software modules loaded in the computer system is enumerated. The thread is verified by determining whether its start address corresponds to one of the software modules. Code related to the thread is verified by loading the code segments again from storage into memory and comparing the newly loaded code with the original code segments in memory. The stack is verified by determining whether the thread matches one or more stack addresses of the stack. The execution path related to the event is verified by comparison against a set of predefined execution paths. If any of these verifications fails, a security event is generated, such as blocking execution of the code related to the event.
34 Claims

1. A computer-implemented method, comprising:
identifying a plurality of software modules in a computing system in response to a process event;
determining a thread start address for a first thread corresponding to the process event;
determining whether the first thread is associated with one or more software modules of the plurality based on the thread start address; and
generating a security event if the first thread is not associated with the one or more software modules.
Dependent claims: 2 to 12.

13. A computer-implemented method, comprising:
in response to a process event, determining in a memory a first base address of a first code segment;
loading in the first memory at a second base address a second code segment corresponding to the first code segment;
modifying the second code segment based on the first base address;
comparing the second code segment to the first code segment after modifying the second code segment; and
generating a security event if the first code segment does not match the second code segment.
Dependent claims: 14 to 18.

19. A computer-implemented method, comprising:
in response to an event notification associated with a first thread, determining a thread start address for the first thread;
determining one or more stack addresses allocated for the first thread by an operating system;
determining whether the thread start address is within the one or more stack addresses allocated for the first thread; and
generating a security event if the thread start address is not within the one or more stack addresses allocated for the first thread.
Dependent claims: 20 to 23.

24. A computer-implemented method, comprising:
in response to a process event associated with a first thread, determining a thread start address for the first thread;
determining a first execution path of the first thread based on the thread start address;
comparing the first execution path with a plurality of predefined execution paths for an application associated with the first thread; and
generating a security event if the first execution path does not match at least one of the predefined execution paths for the application.
Dependent claims: 25 to 31.

32. An apparatus, comprising:
a central processing unit;
a memory coupled to the central processing unit, the memory configured to store a plurality of processes for execution by the central processing unit; and
a security circuit coupled to the memory and the central processing unit, the security circuit configured to access a plurality of instructions associated with a first process and to compare an execution path associated with the plurality of instructions with a plurality of predefined execution paths for the first process, the security circuit configured to block execution of the plurality of instructions in response to the execution path not matching at least one of the predefined execution paths.
Dependent claims: 33 and 34.
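Claims 1 and 13 above, as an added example that is not the patent's own code: a thread start address is checked against the enumerated module ranges, and a code segment already in memory is compared with a freshly loaded copy after that copy has been rebased to the original base address. The module map, the segment bytes and the relocation format (a list of offsets of 4-byte little-endian absolute addresses) are constructed assumptions, not taken from the patent.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Sequence

@dataclass(frozen=True)
class Module:
    name: str
    base: int      # load address
    size: int      # bytes occupied in memory

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def module_for_address(addr: int, modules: Sequence[Module]) -> Optional[str]:
    """Claim 1: name of the module whose range holds the thread start address,
    or None, in which case the caller generates a security event."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None

def rebase(segment: bytes, relocs: Sequence[int], from_base: int, to_base: int) -> bytes:
    """Adjust every absolute-address slot by the base-address delta (assumed
    relocation format: offsets of 4-byte little-endian absolute addresses)."""
    buf = bytearray(segment)
    delta = to_base - from_base
    for off in relocs:
        (val,) = struct.unpack_from("<I", buf, off)
        struct.pack_into("<I", buf, off, (val + delta) & 0xFFFFFFFF)
    return bytes(buf)

def verify_code_segment(in_memory: bytes, first_base: int, fresh_copy: bytes,
                        second_base: int, relocs: Sequence[int]) -> List[int]:
    """Claim 13: rebase the freshly loaded copy to first_base and compare it with
    the segment already in memory. Returns differing offsets; [] means verified."""
    expected = rebase(fresh_copy, relocs, second_base, first_base)
    if len(in_memory) != len(expected):
        return [min(len(in_memory), len(expected))]
    return [i for i, (a, b) in enumerate(zip(in_memory, expected)) if a != b]

# Constructed sample data (not from a real process).
MODULES = [Module("app.exe", 0x00400000, 0x00100000),
           Module("ntdll.dll", 0x7FF80000, 0x001C0000)]
FIRST_BASE, SECOND_BASE, RELOCS = 0x00400000, 0x10000000, [4]
PROLOGUE = bytes([0x55, 0x8B, 0xEC, 0x90])
FRESH = PROLOGUE + struct.pack("<I", SECOND_BASE + 0x20) + b"\xC3" * 4   # as loaded from storage
CLEAN = PROLOGUE + struct.pack("<I", FIRST_BASE + 0x20) + b"\xC3" * 4    # as relocated by the OS
TAMPERED = b"\xE9" + CLEAN[1:]   # constructed in-memory copy whose first byte was altered
```

A start address outside every module, or any non-empty list of differing offsets, is the condition under which the claimed method generates a security event.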