RETURN ADDRESS ENCRYPTION

US 20180089427A1
Filed: 09/28/2016
Published: 03/29/2018
Est. Priority Date: 09/28/2016
Status: Active Grant

First Claim

Patent Images

1. A system for preventing malicious code execution in a processor, the system comprising:

a processor;

a memory, the memory communicatively coupled to the processor and comprising instructions, which when performed by the processor, causing the processor to perform operations comprising;

receiving a call instruction;

responsive to receiving the call instruction;

determining a return address based upon a current instruction pointer;

performing an XOR operation on the return address using a cryptographic key to create an encrypted return address; and

pushing the encrypted return address onto a stack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed in some examples are methods, systems, and machine readable media for encrypting return addresses with a cryptographic key. The call and return operations may be changed to incorporate an XOR operation on the return address with the cryptographic key. Upon calling a function, the return address may be XORed with the key which encrypts the return address. The encrypted return address may then be placed upon the stack. Upon returning from the function, the return address may be retrieved from the stack and XORed with the cryptographic key which then decrypts the return address. The processor may then return control to the address indicated by the unencrypted return address. This method makes modifications of the return address useless as an attack vector because the result of modifying the return address will be unpredictable to the attacker as a result of the XOR operation done on the return address.

9 Citations

25 Claims

1. A system for preventing malicious code execution in a processor, the system comprising:
- a processor;
  
  a memory, the memory communicatively coupled to the processor and comprising instructions, which when performed by the processor, causing the processor to perform operations comprising;
  
  receiving a call instruction;
  
  responsive to receiving the call instruction;
  
  determining a return address based upon a current instruction pointer;
  
  performing an XOR operation on the return address using a cryptographic key to create an encrypted return address; and
  
  pushing the encrypted return address onto a stack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, the operations further comprising:
    - generating a plurality of cryptographic keys using a random number generator;
      
      storing the plurality of cryptographic keys in a segment of memory; and
      
      wherein the cryptographic key is one of the plurality of cryptographic keys.
  - 3. The system of claim 2, wherein the random number generator is a hardware random number generator;
    - andwherein a size of each of the plurality of cryptographic keys is the same as an address size utilized by the processor.
  - 4. The system of claim 1, the operations further comprising:
    - storing the address of the cryptographic key in a dedicated register as a key address pointer.
  - 5. The system of claim 4, wherein the dedicated register, after being initialized, is only accessible by call operations and return operations.
  - 6. The system of claim 4, the operations further comprising:
    - receiving a return instruction;
      
      responsive to receiving the return instruction;
      
      popping the encrypted return address off of the stack; and
      
      performing an XOR operation on the encrypted return address using the cryptographic key to obtain the return address.
  - 7. The system of claim 6, the operations further comprising:
    - moving the key address pointer to a next key in the plurality of keys prior to encrypting the return address; and
      
      moving the key address pointer to a previous key in the plurality of keys subsequent to performing an XOR operation on the encrypted return address.
  - 8. The system of claim 6, the operations further comprising:
    - moving the key address pointer to a next key in the plurality of keys subsequent to encrypting the return address; and
      
      moving the key address pointer to a previous key in the plurality of keys prior to performing an XOR operation on the encrypted return address.
  - 9. The system of claim 6, the operations further comprising:
    - responsive to performing the XOR operation on the encrypted return address using the cryptographic key to obtain the return address;
      
      generating a new cryptographic key using a random number generator; and
      
      replacing the cryptographic key with the new cryptographic key.

10. A method for preventing malicious code execution in a processor, the method comprising:
- receiving a call instruction;
  
  responsive to receiving the call instruction;
  
  determining a return address based upon a current instruction pointer;
  
  performing an XOR operation on the return address using a cryptographic key to create an encrypted return address; and
  
  pushing the encrypted return address onto a stack.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, the method further comprising:
    - generating a plurality of cryptographic keys using a random number generator;
      
      storing the plurality of cryptographic keys in a segment of memory; and
      
      wherein the cryptographic key is one of the plurality of cryptographic keys.
  - 12. The method of claim 11, wherein the random number generator is a hardware random number generator;
    - andwherein a size of each of the plurality of cryptographic keys is the same as an address size utilized by the processor.
  - 13. The method of claim 10, the method further comprising:
    - storing the address of the cryptographic key in a dedicated register as a key address pointer.
  - 14. The method of claim 13, wherein the dedicated register, after being initialized, is only accessible by call operations and return operations.
  - 15. The method of claim 13, the method further comprising:
    - receiving a return instruction;
      
      responsive to receiving the return instruction;
      
      popping the encrypted return address off of the stack; and
      
      performing an XOR operation on the encrypted return address using the cryptographic key to obtain the return address.
  - 16. The method of claim 15, the method further comprising:
    - moving the key address pointer to a next key in the plurality of keys prior to encrypting the return address; and
      
      moving the key address pointer to a previous key in the plurality of keys subsequent to performing an XOR operation on the encrypted return address.
  - 17. The method of claim 15, the method further comprising:
    - moving the key address pointer to a next key in the plurality of keys subsequent to encrypting the return address; and
      
      moving the key address pointer to a previous key in the plurality of keys prior to performing an XOR operation on the encrypted return address.
  - 18. The method of claim 15, the method further comprising:
    - responsive to performing the XOR operation on the encrypted return address using the cryptographic key to obtain the return address;
      
      generating a new cryptographic key using a random number generator; and
      
      replacing the cryptographic key with the new cryptographic key.

19. At least one machine-readable medium for preventing malicious code execution in a processor, the machine-readable medium including instructions, which when performed by a machine causes the machine to execute a malicious code execution prevention process that performs operations comprising:
- receiving a call instruction;
  
  responsive to receiving the call instruction;
  
  determining a return address based upon a current instruction pointer;
  
  performing an XOR operation on the return address using a cryptographic key to create an encrypted return address; and
  
  pushing the encrypted return address onto a stack.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The machine-readable medium of claim 19, the operations further comprising:
    - generating a plurality of cryptographic keys using a random number generator;
      
      storing the plurality of cryptographic keys in a segment of memory; and
      
      wherein the cryptographic key is one of the plurality of cryptographic keys.
  - 21. The machine-readable medium of claim 19, the operations further comprising:
    - storing the address of the cryptographic key in a dedicated register as a key address pointer.
  - 22. The machine-readable medium of claim 21, wherein the dedicated register, after being initialized, is only accessible by call operations and return operations.
  - 23. The machine-readable medium of claim 21, the operations further comprising:
    - receiving a return instruction;
      
      responsive to receiving the return instruction;
      
      popping the encrypted return address off of the stack; and
      
      performing an XOR operation on the encrypted return address using the cryptographic key to obtain the return address.
  - 24. The machine-readable medium of claim 23, the operations further comprising:
    - moving the key address pointer to a next key in the plurality of keys prior to encrypting the return address; and
      
      moving the key address pointer to a previous key in the plurality of keys subsequent to performing an XOR operation on the encrypted return address.
  - 25. The machine-readable medium of claim 23, the operations further comprising:
    - moving the key address pointer to a next key in the plurality of keys subsequent to encrypting the return address; and
      
      moving the key address pointer to a previous key in the plurality of keys prior to performing an XOR operation on the encrypted return address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Rodrigo R. Branco
Inventors
Branco, Rodrigo R.

Granted Patent

US 10,360,373 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/52   during program execution, e...

H04L 9/002   Countermeasures against att...

H04L 9/0662   with particular pseudorando...

H04L 9/14   using a plurality of keys o...

RETURN ADDRESS ENCRYPTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

9 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

RETURN ADDRESS ENCRYPTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links