Time Varying Address Space Layout Randomization

US 20170286674A1
Filed: 03/31/2016
Published: 10/05/2017
Est. Priority Date: 03/31/2016
Status: Active Grant

First Claim

Patent Images

1. A method of time varying address space layout randomization on a computing device, comprising:

launching a first plurality of versions of a system service;

assigning a random virtual address space layout to each of the first plurality of versions of the system service;

receiving a first request to execute the system service from a first application;

randomly selecting a first version of the system service from the first plurality of versions of the system service; and

executing the system service using data of the first version of the system service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments include computing devices, apparatus, and methods implemented by the apparatus for time varying address space layout randomization. The apparatus may launch first plurality of versions of a system service and assign a random virtual address space layout to each of the first plurality of versions of the system service. The apparatus may receive a first request to execute the system service from a first application. The apparatus may randomly select a first version of the system service from the first plurality of versions of the system service, and execute the system service using data of the first version of the system service.

Citations

36 Claims

1. A method of time varying address space layout randomization on a computing device, comprising:
- launching a first plurality of versions of a system service;
  
  assigning a random virtual address space layout to each of the first plurality of versions of the system service;
  
  receiving a first request to execute the system service from a first application;
  
  randomly selecting a first version of the system service from the first plurality of versions of the system service; and
  
  executing the system service using data of the first version of the system service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - receiving a second request to execute the system service from the first application;
      
      randomly selecting a second version of the system service from the first plurality of versions of the system service; and
      
      executing the system service using data of the second version of the system service.
  - 3. The method of claim 1, further comprising:
    - assigning a system service version identifier to each of the first plurality of versions of the system service, wherein the system service version identifier of each of the first plurality of versions of the system service is different;
      
      correlating the system service version identifier of each of the first plurality of versions of the system service to a system service identifier of the system service;
      
      storing the correlations of the system service version identifier of each of the first plurality of versions of the system service and the system service identifier;
      
      correlating the system service version identifier of each of the first plurality of versions of the system service with a corresponding one of the random virtual address space layout of each of the first plurality of versions of the system service; and
      
      storing the correlations of the system service version identifier of each of the first plurality of versions of the system service with a corresponding one of the random virtual address space layout of each of the first plurality of versions of the system service.
  - 4. The method of claim 3, wherein:
    - the first request to execute the system service includes the system service identifier;
      
      randomly selecting a first version of the system service from the first plurality of versions of the system service comprises randomly selecting the first version of the system service from the first plurality of versions of the system service correlated with the system service identifier;
      
      the method further comprising;
      
      providing the first application with a first system service version identifier of the first version of the system service; and
      
      receiving a request to execute the first version of the system service having the first system service version identifier from the first application.
  - 5. The method of claim 4, further comprising:
    - locating a random virtual address of the first system service version using a correlation between the first system service version identifier and the random virtual address space layout of the first system service version;
      
      translating the random virtual address of the first system service version to a physical address at which the data of the first version of the system service is stored; and
      
      retrieving the data of the first version of the system service.
  - 6. The method of claim 3, further comprising assigning a process identifier to each of the first plurality of versions of the system service,wherein the process identifier for each of the first plurality of versions of the system service is the same, andwherein assigning a random virtual address space layout to each of the first plurality of versions of the system service, assigning a system service version identifier to each of the first plurality of versions of the system service, and correlating the system service version identifier of each of the first plurality of versions of the system service to a system service identifier of the system service occurs for each of the first plurality of versions of the system service assigned the process identifier.
  - 7. The method of claim 1, further comprising:
    - receiving a request to allocate code buffer space for dynamically generated code of an execution of the first version of the system service;
      
      randomly selecting a code buffer address;
      
      determining whether a code buffer space correlated with the code buffer address is large enough and available to store the dynamically generated code; and
      
      storing the dynamically generated code at the code buffer address in response to determining that the code buffer space is large enough to store the dynamically generated code.
  - 8. The method of claim 1, further comprising:
    - receiving a second request to execute the system service from a second application;
      
      detecting the second request to execute the system service from the second application is an attack on the system service;
      
      launching a second plurality of versions of the system service;
      
      assigning a random virtual address space layout to each of the second plurality of versions of the system service, wherein the random virtual address space layout of each of the first plurality of versions of the system service and the random virtual address space layout of each of the second plurality of versions of the system service are different;
      
      randomly selecting a second version of the system service from the first plurality of versions of the system service and the second plurality of versions of the system service; and
      
      executing the system service using data of the second version of the system service.
  - 9. The method of claim 1, wherein:
    - launching a first plurality of versions of a system service comprises launching each of multiple versions of the system service of the first plurality of versions of the system service on one of a plurality of heterogeneous processor cores having different instruction set architectures;
      
      randomly selecting a first version of the system service from the first plurality of versions of the system service comprises randomly selecting a first heterogeneous processor core of the plurality of heterogeneous processor cores on which the first version of the system service is launched;
      
      executing the system service using data of the first version of the system service comprises executing the system service by the first heterogeneous processor core; and
      
      the method further comprises;
      
      transferring the first request to execute the system service from the first application to the first heterogeneous processor core;
      
      receiving an output of the execution of the system service by the first heterogeneous processor core; and
      
      returning the output to the first application.

10. A computing device, comprising:
- a launcher configured to perform operations comprising launching a first plurality of versions of a system service;
  
  a mapper communicatively connected to the launcher and configured to perform operations comprising assigning a random virtual address space layout to each of the first plurality of versions of the system service;
  
  a request coordinator communicatively connected to the launcher and configured to perform operations comprising;
  
  receiving a first request to execute the system service from a first application;
  
  randomly selecting a first version of the system service from the first plurality of versions of the system service; and
  
  a processor communicatively connected to the request coordinator and configured with executable instructions to perform operations comprising executing the system service using data of the first version of the system service.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computing device of claim 10, wherein:
    - the request coordinator is configured to perform operations further comprising;
      
      receiving a second request to execute the system service from the first application; and
      
      randomly selecting a second version of the system service from the first plurality of versions of the system service; and
      
      the processor is configured with executable instructions to perform operations further comprising executing the system service using data of the second version of the system service.
  - 12. The computing device of claim 10, wherein:
    - the launcher is configured to perform operations further comprising assigning a system service version identifier to each of the first plurality of versions of the system service, wherein the system service version identifier of each of the first plurality of versions of the system service is different;
      
      the request coordinator is configured to perform operations further comprising;
      
      correlating the system service version identifier of each of the first plurality of versions of the system service to a system service identifier of the system service; and
      
      storing the correlations of the system service version identifier of each of the first plurality of versions of the system service and the system service identifier; and
      
      the processor is configured with executable instructions to perform operations further comprising;
      
      correlating the system service version identifier of each of the first plurality of versions of the system service with a corresponding one of the random virtual address space layout of each of the first plurality of versions of the system service; and
      
      storing the correlations of the system service version identifier of each of the first plurality of versions of the system service with a corresponding one of the random virtual address space layout of each of the first plurality of versions of the system service.
  - 13. The computing device of claim 12, wherein:
    - the request coordinator is configured to perform operations such that;
      
      receiving the first request to execute the system service from the first application comprises receiving the system service identifier;
      
      randomly selecting a first version of the system service from the first plurality of versions of the system service comprises randomly selecting the first version of the system service from the first plurality of versions of the system service correlated with the system service identifier; and
      
      the processor is configured with executable instructions to perform operations further comprising;
      
      providing the first application with a first system service version identifier of the first version of the system service; and
      
      receiving a request to execute the first version of the system service having the first system service version identifier from the first application.
  - 14. The computing device of claim 13, wherein the processor is configured with executable instructions to perform operations further comprising:
    - locating a random virtual address of the first system service version using a correlation between the first system service version identifier and the random virtual address space layout of the first system service version;
      
      translating the random virtual address of the first system service version to a physical address at which the data of the first version of the system service is stored; and
      
      retrieving the data of the first version of the system service.
  - 15. The computing device of claim 12, wherein:
    - the launcher is configured to perform operations further comprising assigning a process identifier to each of the first plurality of versions of the system service, wherein the process identifier for each of the first plurality of versions of the system service is the same;
      
      the mapper is configured to perform operations such that assigning a random virtual address space layout to each of the first plurality of versions of the system service occurs for each of the first plurality of versions of the system service assigned the process identifier;
      
      the launcher is configured to perform operations such that assigning a system service version identifier to each of the first plurality of versions of the system service occurs for each of the first plurality of versions of the system service assigned the process identifier; and
      
      the processor is configured with executable instructions to perform operations such that correlating the system service version identifier of each of the first plurality of versions of the system service to a system service identifier of the system service occurs for each of the first plurality of versions of the system service assigned the process identifier.
  - 16. The computing device of claim 10, further comprising a memory allocator communicatively connected to the request coordinator and configured to perform operations comprising:
    - receiving a request to allocate code buffer space for dynamically generated code of an execution of the first version of the system service;
      
      randomly selecting a code buffer address;
      
      determining whether a code buffer space correlated with the code buffer address is large enough and available to store the dynamically generated code; and
      
      storing the dynamically generated code at the code buffer address in response to determining that the code buffer space is large enough to store the dynamically generated code.
  - 17. The computing device of claim 10, wherein:
    - the request coordinator is configured to perform operations further comprising;
      
      receiving a second request to execute the system service from a second application;
      
      detecting the second request to execute the system service from the second application is an attack on the system service;
      
      the launcher is configured to perform operations further comprising launching a second plurality of versions of the system service;
      
      the mapper is configured to perform operations further comprising assigning a random virtual address space layout to each of the second plurality of versions of the system service, wherein the random virtual address space layout of each of the first plurality of versions of the system service and the random virtual address space layout of each of the second plurality of versions of the system service are different;
      
      the request coordinator is configured to perform operations further comprising randomly selecting a second version of the system service from the first plurality of versions of the system service and the second plurality of versions of the system service; and
      
      the processor is configured with executable instructions to perform operations further comprising executing the system service using data of the second version of the system service.
  - 18. The computing device of claim 10, wherein:
    - the launcher is configured to perform operations such that launching a first plurality of versions of a system service comprises launching each of multiple versions of the system service of the first plurality of versions of the system service on one of a plurality of heterogeneous processor cores having different instruction set architectures;
      
      the request coordinator is configured to perform operations such that randomly selecting a first version of the system service from the first plurality of versions of the system service comprises randomly selecting a first heterogeneous processor core of the plurality of heterogeneous processor cores on which the first version of the system service is launched;
      
      the processor is the first heterogeneous processor core and is configured with executable instructions to perform operations such that executing the system service using data of the first version of the system service comprises executing the system service by the first heterogeneous processor core; and
      
      the request coordinator is configured to perform operations further comprising;
      
      transferring the first request to execute the system service from the first application to the first heterogeneous processor core;
      
      receiving an output of the execution of the system service by the first heterogeneous processor core; and
      
      returning the output to the first application.

19. A computing device, comprising:
- means for launching a first plurality of versions of a system service;
  
  means for assigning a random virtual address space layout to each of the first plurality of versions of the system service;
  
  means for receiving a first request to execute the system service from a first application;
  
  means for randomly selecting a first version of the system service from the first plurality of versions of the system service; and
  
  means for executing the system service using data of the first version of the system service.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The computing device of claim 19, further comprising:
    - means for receiving a second request to execute the system service from the first application;
      
      means for randomly selecting a second version of the system service from the first plurality of versions of the system service; and
      
      means for executing the system service using data of the second version of the system service.
  - 21. The computing device of claim 19, further comprising:
    - means for assigning a system service version identifier to each of the first plurality of versions of the system service, wherein the system service version identifier of each of the first plurality of versions of the system service is different;
      
      means for correlating the system service version identifier of each of the first plurality of versions of the system service to a system service identifier of the system service;
      
      means for storing the correlations of the system service version identifier of each of the first plurality of versions of the system service and the system service identifier;
      
      means for correlating the system service version identifier of each of the first plurality of versions of the system service with a corresponding one of the random virtual address space layout of each of the first plurality of versions of the system service; and
      
      means for storing the correlations of the system service version identifier of each of the first plurality of versions of the system service with a corresponding one of the random virtual address space layout of each of the first plurality of versions of the system service.
  - 22. The computing device of claim 21, wherein:
    - the first request to execute the system service includes the system service identifier; and
      
      means for randomly selecting a first version of the system service from the first plurality of versions of the system service comprises means for randomly selecting the first version of the system service from the first plurality of versions of the system service correlated with the system service identifier,the computing device further comprising;
      
      means for providing the first application with a first system service version identifier of the first version of the system service; and
      
      means for receiving a request to execute the first version of the system service having the first system service version identifier from the first application.
  - 23. The computing device of claim 22, further comprising:
    - means for locating a random virtual address of the first system service version using a correlation between the first system service version identifier and the random virtual address space layout of the first system service version;
      
      means for translating the random virtual address of the first system service version to a physical address at which the data of the first version of the system service is stored; and
      
      means for retrieving the data of the first version of the system service.
  - 24. The computing device of claim 21, further comprising means for assigning a process identifier to each of the first plurality of versions of the system service, wherein the process identifier for each of the first plurality of versions of the system service is the same,wherein:
    - means for assigning a random virtual address space layout to each of the first plurality of versions of the system service comprises means for assigning the random virtual address space layout to each of the first plurality of versions of the system service for each of the first plurality of versions of the system service assigned the process identifier;
      
      means for assigning a system service version identifier to each of the first plurality of versions of the system service comprises means for assigning the system service version identifier to each of the first plurality of versions of the system service for each of the first plurality of versions of the system service assigned the process identifier; and
      
      means for correlating the system service version identifier of each of the first plurality of versions of the system service to the system service identifier of a system service comprises means for correlating the system service version identifier of each of the first plurality of versions of the system service to the system service identifier of the system service for each of the first plurality of versions of the system service assigned the process identifier.
  - 25. The computing device of claim 19, further comprising:
    - means for receiving a request to allocate code buffer space for dynamically generated code of an execution of the first version of the system service;
      
      means for randomly selecting a code buffer address;
      
      means for determining whether a code buffer space correlated with the code buffer address is large enough and available to store the dynamically generated code; and
      
      means for storing the dynamically generated code at the code buffer address in response to determining that the code buffer space is large enough to store the dynamically generated code.
  - 26. The computing device of claim 19, further comprising:
    - means for receiving a second request to execute the system service from a second application;
      
      means for detecting the second request to execute the system service from the second application is an attack on the system service;
      
      means for launching a second plurality of versions of the system service;
      
      means for assigning a random virtual address space layout to each of the second plurality of versions of the system service, wherein the random virtual address space layout of each of the first plurality of versions of the system service and the random virtual address space layout of each of the second plurality of versions of the system service are different;
      
      means for randomly selecting a second version of the system service from the first plurality of versions of the system service and the second plurality of versions of the system service; and
      
      means for executing the system service using data of the second version of the system service.
  - 27. The computing device of claim 19, wherein:
    - means for launching a first plurality of versions of a system service comprises means for launching each of multiple versions of the system service of the first plurality of versions of the system service on one of a plurality of heterogeneous processor cores having different instruction set architectures;
      
      means for randomly selecting a first version of the system service from the first plurality of versions of the system service comprises means for randomly selecting a first heterogeneous processor core of the plurality of heterogeneous processor cores on which the first version of the system service is launched;
      
      means for executing the system service using data of the first version of the system service comprises means for executing the system service by the first heterogeneous processor core; and
      
      the computing device further comprises;
      
      means for transferring the first request to execute the system service from the first application to the first heterogeneous processor core;
      
      means for receiving an output of the execution of the system service by the first heterogeneous processor core; and
      
      means for returning the output to the first application.

28. A non-transitory processor-readable storage medium having stored thereon processor-executable instructions configured to cause a processor of a computing device to perform operations comprising:
- launching a first plurality of versions of a system service;
  
  assigning a random virtual address space layout to each of the first plurality of versions of the system service;
  
  receiving a first request to execute the system service from a first application;
  
  randomly selecting a first version of the system service from the first plurality of versions of the system service; and
  
  executing the system service using data of the first version of the system service.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36)
- - 29. The non-transitory processor-readable storage medium of claim 28, wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:
    - receiving a second request to execute the system service from the first application;
      
      randomly selecting a second version of the system service from the first plurality of versions of the system service; and
      
      executing the system service using data of the second version of the system service.
  - 30. The non-transitory processor-readable storage medium of claim 28, wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:
    - assigning a system service version identifier to each of the first plurality of versions of the system service, wherein the system service version identifier of each of the first plurality of versions of the system service is different;
      
      correlating the system service version identifier of each of the first plurality of versions of the system service to a system service identifier of the system service;
      
      storing the correlations of the system service version identifier of each of the first plurality of versions of the system service and the system service identifier;
      
      correlating the system service version identifier of each of the first plurality of versions of the system service with a corresponding one of the random virtual address space layout of each of the first plurality of versions of the system service; and
      
      storing the correlations of the system service version identifier of each of the first plurality of versions of the system service with a corresponding one of the random virtual address space layout of each of the first plurality of versions of the system service.
  - 31. The non-transitory processor-readable storage medium of claim 30, wherein:
    - the first request to execute the system service includes the system service identifier;
      
      the stored processor-executable instructions are configured to cause the processor to perform operations such that randomly selecting a first version of the system service from the first plurality of versions of the system service comprises randomly selecting the first version of the system service from the first plurality of versions of the system service correlated with the system service identifier; and
      
      the stored processor-executable instructions are configured to cause the processor to perform operations further comprising;
      
      providing the first application with a first system service version identifier of the first version of the system service; and
      
      receiving a request to execute the first version of the system service having the first system service version identifier from the first application.
  - 32. The non-transitory processor-readable storage medium of claim 31, wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:
    - locating a random virtual address of the first system service version using a correlation between the first system service version identifier and the random virtual address space layout of the first system service version;
      
      translating the random virtual address of the first system service version to a physical address at which the data of the first version of the system service is stored; and
      
      retrieving the data of the first version of the system service.
  - 33. The non-transitory processor-readable storage medium of claim 30, wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising assigning a process identifier to each of the first plurality of versions of the system service, wherein the process identifier for each of the first plurality of versions of the system service is the same, andwherein the stored processor-executable instructions are configured to cause the processor to perform operations such that assigning a random virtual address space layout to each of the first plurality of versions of the system service, assigning a system service version identifier to each of the first plurality of versions of the system service, and correlating the system service version identifier of each of the first plurality of versions of the system service to a system service identifier of the system service occurs for each of the first plurality of versions of the system service assigned the process identifier.
  - 34. The non-transitory processor-readable storage medium of claim 28, wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:
    - receiving a request to allocate code buffer space for dynamically generated code of an execution of the first version of the system service;
      
      randomly selecting a code buffer address;
      
      determining whether a code buffer space correlated with the code buffer address is large enough and available to store the dynamically generated code; and
      
      storing the dynamically generated code at the code buffer address in response to determining that the code buffer space is large enough to store the dynamically generated code.
  - 35. The non-transitory processor-readable storage medium of claim 28, wherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising:
    - receiving a second request to execute the system service from a second application;
      
      detecting the second request to execute the system service from the second application is an attack on the system service;
      
      launching a second plurality of versions of the system service;
      
      assigning a random virtual address space layout to each of the second plurality of versions of the system service, wherein the random virtual address space layout of each of the first plurality of versions of the system service and the random virtual address space layout of each of the second plurality of versions of the system service are different;
      
      randomly selecting a second version of the system service from the first plurality of versions of the system service and the second plurality of versions of the system service; and
      
      executing the system service using data of the second version of the system service.
  - 36. The non-transitory processor-readable storage medium of claim 28, wherein the stored processor-executable instructions are configured to cause the processor to perform operations such that:
    - launching a first plurality of versions of a system service comprises launching each of multiple versions of the system service of the first plurality of versions of the system service on one of a plurality of heterogeneous processor cores having different instruction set architectures;
      
      randomly selecting a first version of the system service from the first plurality of versions of the system service comprises randomly selecting a first heterogeneous processor core of the plurality of heterogeneous processor cores on which the first version of the system service is launched; and
      
      executing the system service using data of the first version of the system service comprises executing the system service by the first heterogeneous processor core, andwherein the stored processor-executable instructions are configured to cause the processor to perform operations further comprising;
      
      transferring the first request to execute the system service from the first application to the first heterogeneous processor core;
      
      receiving an output of the execution of the system service by the first heterogeneous processor core; and
      
      returning the output to the first application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Gathala, Sudha Anil Kumar, Cascaval, Gheorghe Calin, Gupta, Rajarshi

Granted Patent

US 10,013,554 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/1009   using page tables, e.g. pag...

G06F 16/1727   Details of free space manag...

G06F 16/188   Virtual file systems

G06F 21/52   during program execution, e...

G06F 21/554   involving event detection a...

G06F 3/0623   in relation to content

G06F 3/0631   by allocating resources to ...

G06F 3/0653   Monitoring storage devices ...

G06F 3/0683   Plurality of storage devices

Time Varying Address Space Layout Randomization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Time Varying Address Space Layout Randomization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links