Attack Protection For Valid Gadget Control Transfers

US 20170329961A1
Filed: 07/25/2017
Published: 11/16/2017
Est. Priority Date: 10/20/2014
Status: Active Grant

First Claim

Patent Images

1. At least one computer readable medium including instructions that when executed enable a system to:

during execution of a process on a processor of the system and prior to a call to a function, store a first value in a first register of a plurality of registers of the processor;

responsive to a control transfer termination (CTT) instruction encountered after a control transfer operation that returns from the function, determine whether a current value of the first register equals the first value; and

if so, continue execution of the process, and otherwise raise a violation.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a processor comprises: a first register to store a first bound value for a stack to be stored in a memory; a second register to store a second bound value for the stack; a checker logic to determine, prior to an exit point at a conclusion of a function to be executed on the processor, whether a value of a stack pointer is within a range between the first bound value and the second bound value; and a logic to prevent a return to a caller of the function if the stack pointer value is not within the range. Other embodiments are described and claimed.

25 Citations

View as Search Results

20 Claims

1. At least one computer readable medium including instructions that when executed enable a system to:
- during execution of a process on a processor of the system and prior to a call to a function, store a first value in a first register of a plurality of registers of the processor;
  
  responsive to a control transfer termination (CTT) instruction encountered after a control transfer operation that returns from the function, determine whether a current value of the first register equals the first value; and
  
  if so, continue execution of the process, and otherwise raise a violation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The at least one computer readable medium of claim 1, further comprising instructions that when executed enable the system to, during execution of the function, store the first value of the first register to a storage, use the first register to store a first function value and, prior to a termination of the function, to restore the first value from the storage to the first register, the first value comprising a random value.
  - 3. The at least one computer readable medium of claim 1, wherein to raise the violation comprises a fault to indicate presence of a malware attack in which the function is at least one of improperly entered or improperly exited.
  - 4. The at least one computer readable medium of claim 1, further comprising instructions that when executed enable the system, responsive to the violation, to perform one or more of termination of the process, shutdown of the system, and shutdown of a guest that caused the violation.
  - 5. The at least one computer readable medium of claim 1, wherein the processor comprises an interlock register, the interlock register corresponding to the first register.
  - 6. The at least one computer readable medium of claim 1, wherein to raise the violation comprises insertion of a CTT fault micro-operation into a pipeline of the processor.
  - 7. The at least one computer readable medium of claim 1, further comprising instructions that when executed enable the system to save a value of the first register to a stack before the call to the function.
  - 8. The at least one computer readable medium of claim 7, further comprising instructions that when executed enable the system to restore the value of the first register from the stack to the first register upon the continued process execution.
  - 9. The at least one computer readable medium of claim 1, further comprising instructions that when executed enable the system to set a page to an execute only status, the page including the instructions to store the random value in the first register via immediate parameters.
  - 10. The at least one computer readable medium of claim 9, further comprising instructions that when executed enable the system to update an extended page table entry associated with the page to the execute only status, wherein an entry associated with the page in a first page table is set to a read execute status.

11. A method comprising:
- associated with a control transfer termination instruction, copying a return address of a function executed on a processor of a system and called during execution of a program to a top entry of a shadow stack of a memory, the return address further stored in a stack of the memory;
  
  at a conclusion of the function, comparing the return address stored in the stack to a value stored in the top entry of the shadow stack; and
  
  if the return address stored in the stack matches the value stored in the top entry of the shadow stack, returning to a caller of the function, and otherwise terminating the program.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, further comprising copying the return address to the top entry of the shadow stack at an entry point to the function.
  - 13. The method of claim 11, further comprising removing the value stored in the top entry from the shadow stack at the conclusion of the function.
  - 14. The method of claim 11, wherein the shadow stack comprises a software managed stack.
  - 15. The method of claim 14, further comprising maintaining the shadow stack in one or more pages of a memory, the one or more pages having a non-read-writable status and only accessible to a trusted code agent that manages the software managed stack.

16. An apparatus comprising:
- a decode circuit to decode instructions;
  
  an execution circuit to execute at least some of the decoded instructions;
  
  a first hardware stack to store return addresses;
  
  a second hardware stack comprising a shadow stack to store return addresses; and
  
  a control transfer termination (CTT) logic to determine, prior to a conclusion of a function, whether a first return address stored in the first hardware stack matches a first value stored in a first entry of the second hardware stack, and if the first return address matches the first value, return to a caller of the function via the first return address, and otherwise terminate the program.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, wherein the CTT logic is, in response to identification of a control transfer termination instruction that follows an indirect control transfer instruction to the function, to copy the first return address to the first entry of the second hardware stack.
  - 18. The apparatus of claim 16, wherein the CTT logic is to remove the first value from the first entry of the second hardware stack at the conclusion of the function.
  - 19. The apparatus of claim 16, wherein the second hardware stack comprises a software managed stack.
  - 20. The apparatus of claim 16, wherein the second hardware stack is to be maintained in one or more pages of a memory, the one or more pages having a non-read-writable status and only accessible to a trusted code agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Shanbhogue, Vedvyas, Sahita, Ravi L., Bulygin, Yuriy, Li, Xiaoning, Brandt, Jason W.

Granted Patent

US 10,445,494 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 9/30021   Compare instructions, e.g. ...

G06F 9/30054   Unconditional branch instru...

G06F 9/30076   to perform miscellaneous co...

G06F 9/30134   Register stacks; shift regi...

G06F 9/3861   Recovery, e.g. branch miss-...

G06F 9/4484   Executing subprograms

Attack Protection For Valid Gadget Control Transfers

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Attack Protection For Valid Gadget Control Transfers

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links