Blocking Routine Redirection
Abstract
Disclosed herein are methods, systems, and computer-readable media for blocking attempts at runtime redirection and attempts to change memory permissions during runtime. The present disclosure describes features that enable runtime detection of an attempt to redirect routines or change memory permissions, and determining whether to allow or deny the attempt. Such features may include changing memory write permissions on memory segments, such as those segments used by dynamic loaders after call associations have been saved or otherwise created. Other features may include swapping the addresses of system routines (e.g., open, read, write, close, etc.) to new routines that perform the same function as well as additional functionality configured to detect attempts to redirect or change memory permissions. Once detected by the new routine during runtime, a determination may be made to deny or allow the call based on a policy.
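As an added example (not the patent's own code nor any vendor's implementation), the following C sketch works the claimed steps through on a constructed symbol table: the entry for a hypothetical `set_perms` routine (a stand-in for a memory-permission call such as mprotect) is swapped for a guard routine that applies an allow/deny policy at call time, and the table is then sealed so that a later attempt to swap an entry is detected as a runtime redirection, which goes slightly beyond the abstract's description. The routine name, the policy and the loader address range are assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Added illustration, not the patent's code: a constructed symbol table, a guard
 * routine swapped in for a permission-changing routine, and a policy applied at
 * call time. All names and the address range are hypothetical. */
#define PERM_READ 1
#define PERM_WRITE 2
#define PERM_EXEC 4
typedef void (*generic_fn)(void);
typedef int (*set_perms_fn)(uintptr_t addr, int perms);
struct sym_entry { const char *name; generic_fn addr; };
/* Stand-in for the original system routine (think mprotect). */
static int real_set_perms(uintptr_t addr, int perms) { (void)addr; (void)perms; return 0; }
static struct sym_entry symtab[] = { { "set_perms", (generic_fn)real_set_perms } };
static int table_sealed = 0, denied = 0; /* sealed: no more swaps; denied: refused attempts */
/* Policy: the loader segment holding saved call associations (constructed range)
 * stays read-only, and no segment may be writable and executable at once. */
static const uintptr_t loader_lo = 0x1000, loader_hi = 0x2000;
/* Guard routine: the original function, preceded by the detection step. */
static int guarded_set_perms(uintptr_t addr, int perms) {
    int writable = perms & PERM_WRITE;
    int in_loader = addr >= loader_lo && addr < loader_hi;
    if (writable && (in_loader || (perms & PERM_EXEC))) { denied++; return -1; }
    return real_set_perms(addr, perms);
}
static struct sym_entry *find_entry(const char *name) {
    for (size_t i = 0; i < sizeof symtab / sizeof symtab[0]; i++)
        if (strcmp(symtab[i].name, name) == 0) return &symtab[i];
    return NULL;
}
/* Rewrite a table entry; once the table is sealed, a swap is a redirection attempt. */
static int set_entry(const char *name, generic_fn addr) {
    struct sym_entry *e = find_entry(name);
    if (!e) return -1;
    if (table_sealed) { denied++; return -1; }
    e->addr = addr;
    return 0;
}
/* The claim's "setting the address of the one routine" step, then seal the table. */
static int install_guards(void) {
    int rc = set_entry("set_perms", (generic_fn)guarded_set_perms);
    table_sealed = 1;
    return rc;
}
/* Call through the table, as code using the resolved symbol would. */
static int call_set_perms(uintptr_t addr, int perms) {
    struct sym_entry *e = find_entry("set_perms");
    return e ? ((set_perms_fn)e->addr)(addr, perms) : -1;
}
```

A real deployment would additionally make the page holding the table read-only after sealing, which is the "changing memory write permissions on memory segments" feature the abstract describes.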
20 Claims
1. A method comprising:
- determining a set of system routines;
- retrieving, from a symbol table, a table entry for one routine of the set of system routines;
- determining, from the table entry for the one routine, an address of the one routine;
- setting the address of the one routine to an address of a routine that includes code configured to detect an attempt to perform a runtime redirection and to detect an attempt to change memory permissions; and
- executing, in response to a call to the one routine, the routine that includes code configured to detect an attempt to perform a runtime redirection and to detect an attempt to change memory permissions.

Dependent claims: 2, 3, 4, 5, 6, 7.

8. A method, comprising:
- executing, in response to a call to a system routine or a virtual file system (VFS) operation, a routine that includes code configured to detect an attempt to perform a runtime redirection and to change memory permissions;
- determining whether the call is an attempt to redirect or change memory permissions;
- determining whether to allow or deny the call; and
- based on determining whether to allow or deny the call, selecting between allowing the call in accordance with a policy or denying the call in accordance with the policy.

Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19.

20. An apparatus comprising:
- one or more processors; and
- memory storing executable instructions configured to, when executed by the one or more processors, cause the apparatus to:
  - execute, in response to a call to a system routine or a virtual file system (VFS) operation, a routine that includes code configured to detect an attempt to perform a runtime redirection or change memory permissions;
  - determine whether the call is an attempt to redirect or change memory permissions;
  - determine whether to allow or deny the call; and
  - based on determining whether to allow or deny the call, select between allowing the call in accordance with a policy or denying the call in accordance with the policy.