Blocking Routine Redirection

US 20170024560A1
Filed: 07/24/2015
Published: 01/26/2017
Est. Priority Date: 07/24/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining a set of system routines;

retrieving, from a symbol table, a table entry for one routine of the set of system routines;

determining, from the table entry for the one routine, an address of the one routine;

setting the address of the one routine to an address of a routine that includes code configured to detect an attempt to perform a runtime redirection and to detect an attempt to change memory permissions; and

executing, in response to a call to the one routine, the routine that includes code configured to detect an attempt to perform a runtime redirection and to detect an attempt to change memory permissions.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are methods, systems, and computer-readable media for blocking attempts at runtime redirection and attempts to change memory permissions during runtime. The present disclosure describes features that enable runtime detection of an attempt to redirect routines or change memory permissions, and determining whether to allow or deny the attempt. Such features may include changing memory write permissions on memory segments, such as those segments used by dynamic loaders after call associations have been saved or otherwise created. Other features may include swapping the addresses of system routines (e.g., open, read, write, close, etc.) to new routines that perform the same function as well as additional functionality configured to detect attempts to redirect or change memory permissions. Once detected by the new routine during runtime, a determination may be made to deny or allow the call based on a policy.

Citations

20 Claims

1. A method comprising:
- determining a set of system routines;
  
  retrieving, from a symbol table, a table entry for one routine of the set of system routines;
  
  determining, from the table entry for the one routine, an address of the one routine;
  
  setting the address of the one routine to an address of a routine that includes code configured to detect an attempt to perform a runtime redirection and to detect an attempt to change memory permissions; and
  
  executing, in response to a call to the one routine, the routine that includes code configured to detect an attempt to perform a runtime redirection and to detect an attempt to change memory permissions.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the set of system routines includes one or more file input/output (I/O) functions.
  - 3. The method of claim 1, wherein executing the routine that includes code configured to detect an attempt to perform a runtime redirection and to detect an attempt to change memory permissions includes:
    - determining that the call is an attempt to redirect or change memory permissions;
      
      determining whether to allow or deny the call; and
      
      based on determining to allow the call, allowing the call in accordance with a policy.
  - 4. The method of claim 1, wherein executing the routine that includes code configured to detect an attempt to perform a runtime redirection and to detect an attempt to change memory permissions includes:
    - determining that the call is an attempt to redirect or change memory permissions;
      
      determining whether to allow or deny the call; and
      
      based on determining to deny the call, denying the call in accordance with a policy.
  - 5. The method of claim 1, further comprising:
    - changing memory permissions of memory segments used by a dynamic loader to prevent writing to the memory segments.
  - 6. The method of claim 1, further comprising:
    - establishing a detection routine to be executed as pre-processing or post-processing for one or more virtual file system (VFS) operations.
  - 7. The method of claim 1, wherein setting the address of the one routine to an address of a routine that includes code configured to detect an attempt to perform a runtime redirection and to detect an attempt to change memory permissions is part of an exchange of the address of the one routine with the address of the routine that includes code configured to detect an attempt to perform a runtime redirection and to detect an attempt to change memory permissions.

8. A method, comprising:
- executing, in response to a call to a system routine or a virtual file system (VFS) operation, a routine that includes code configured to detect an attempt to perform a runtime redirection and to change memory permissions;
  
  determining whether the call is an attempt to redirect or change memory permissions;
  
  determining whether to allow or deny the call; and
  
  based on determining whether to allow or deny the call, selecting between allowing the call in accordance with a policy or denying the call in accordance with the policy.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 9. The method of claim 8, further comprising:
    - establishing mechanisms for detecting an attempt to perform a runtime redirection or change memory permissions so that the routine that includes code configured to detect an attempt to perform a runtime redirection and to change memory permissions is executed in response to any call to the system routine or the VFS operation.
  - 10. The method of claim 8, wherein establishing the mechanisms for detecting an attempt to perform a runtime redirection or change memory permissions includes exchanging or setting an address of the system routine with an address of the routine that includes code configured to detect an attempt to perform a runtime redirection and to change memory permissions.
  - 11. The method of claim 8, wherein establishing the mechanisms for detecting an attempt to perform a runtime redirection or change memory permissions includes establishing the routine that includes code configured to detect an attempt to perform a runtime redirection and to change memory permissions to be executed as pre-processing or post-processing for the VFS operation.
  - 12. The method of claim 8, wherein the system routine comprises a file input/output (I/O) routine.
  - 13. The method of claim 8, wherein the VFS operation comprises an operation of a VFS interface for a database that stores data for an application.
  - 14. The method of claim 8, wherein determining whether the call is an attempt to redirect or change memory permissions is based on one or more of the following:
    - the type of system routine, the type of VFS operation;
      
      an analysis of parameters passed to the routine that includes the code configured to detect an attempt to perform a runtime redirection or change memory permissions;
      
      or information of a program stack.
  - 15. The method of claim 8, wherein determining whether to allow or deny the call is based on one or more of the following:
    - the type of system routine, the type of VFS operation;
      
      an analysis of parameters passed to the routine that includes the code configured to detect an attempt to perform a runtime redirection or change memory permissions;
      
      information of a program stack;
      
      or an application that performed the call.
  - 16. The method of claim 8, further comprising allowing the call in accordance with the policy, wherein allowing the call in accordance with the policy includes:
    - allowing the call without modifying the call or any parameters passed to the routine that includes the code configured to detect an attempt to perform a runtime redirection or change memory permissions.
  - 17. The method of claim 8, further comprising allowing the call in accordance with the policy, wherein allowing the call in accordance with the policy includes:
    - allowing the call with at least one modification to the call or a parameter passed to the routine that includes the code configured to detect an attempt to perform a runtime redirection or change memory permissions.
  - 18. The method of claim 8, further comprising allowing the call in accordance with the policy, wherein allowing the call in accordance with the policy includes:
    - determining whether allow the call with or without modification based on one or more of the following;
      
      the type of system routine, the type of VFS operation;
      
      an analysis of parameters passed to the routine that includes the code configured to detect an attempt to perform a runtime redirection or change memory permissions;
      
      or information of a program stack.
  - 19. The method of claim 8, further comprising:
    - denying the call in accordance with the policy, wherein denying the policy in accordance with the policy includes throwing an exception or returning a false indication of success.

20. An apparatus comprising:
- one or more processors; and
  
  memory storing executable instructions configured to, when executed by the one or more processors, cause the apparatus to;
  
  execute, in response to a call to a system routine or a virtual file system (VFS) operation, a routine that includes code configured to detect an attempt to perform a runtime redirection or change memory permissions;
  
  determine whether the call is an attempt to redirect or change memory permissions;
  
  determine whether to allow or deny the call; and
  
  based on determining whether to allow or deny the call;
  
  select between allowing the call in accordance with a policy or denying the call in accordance with the policy

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Linde, David

Granted Patent

US 10,181,030 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/305   by remotely controlling dev...

G06F 21/52   during program execution, e...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 2221/033   Test or assess software

G06F 2221/2123   Dummy operation

G06F 2221/2143   Clearing memory, e.g. to pr...

Blocking Routine Redirection

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Blocking Routine Redirection

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links