Method of relocating the stack in a computer system for preventing overrate by an exploit program
3 Assignments
0 Petitions
Abstract
A stack override prevention method provides protection against a computer attack that utilizes the technique of stack override to gain control of a computer system. The method of protection is to permit the stack to be executable but to add functionality that blocks the possibility of passing control via stack override to code inserted into the stack by means of the exploit program. This method includes relocating the entire stack to a random memory location and subsequently erasing the old stack area. By moving the entire stack associated with a process to a random location, the attacker cannot predict the address at which the code inserted into the stack resides and thus cannot place the correct value in the return-address slot of the stack frame. The invention is applicable to operating systems which use the stack as the means for passing control to and returning from functions and in which the stack is executable.
86 Citations
9 Claims

1. In a computer system including an operating system executable thereon, a program executable under said operating system, a stack associated with said program, said stack composed of memory that is executable, said stack having a stack pointer associated therewith, said stack memory located at a first location in memory and having a memory return address placed thereon, a method of preventing stack override in the computer system, said method comprising the steps of:

- moving the contents of the stack to a second location in memory, said second location being a random memory address, the contents of said stack being moved intact;
- modifying said stack pointer in accordance with said random memory address;
- modifying the memory contents of the former stack located at said first location such that no executable code remains therein; and
- wherein upon each launch of said program a new random memory address is generated and the contents of said stack moved in accordance thereto.

Dependent claims: 2

3. In a computer system including an operating system executable thereon, a program executable under said operating system, a stack associated with said program, said stack composed of memory that is executable, said stack having a stack pointer associated therewith, said stack memory located at a first location in memory and having a memory return address placed thereon, a method of preventing stack override in the computer system, said method comprising the steps of:

- determining the length of the stack;
- generating a random memory address, wherein upon each launch of said program a new random memory address is generated;
- allocating sufficient memory at said random memory address to hold the stack having said length;
- copying the contents of the stack intact to said allocated memory;
- modifying said stack pointer in accordance with said random memory address; and
- modifying the memory contents of the former stack at said first location such that no executable code remains therein.

Dependent claims: 4

5. In a computer system including an operating system having a kernel executable thereon, an application program executable under said operating system, a stack associated with said application program, said stack composed of memory that is executable, said stack having a stack pointer associated therewith, said stack memory located at a first location in memory and having a memory return address placed thereon, a method of preventing stack override in the computer system, said method comprising the steps of:

- inserting a code module into the kernel portion of the operating system, said code module containing program code that functions to relocate the stack to a random location in memory, wherein upon each launch of said application program a new random location is generated by said program code;
- generating and adding a user exit to the computer system from within the operating system;
- executing said program code located within said code module which functions to relocate the stack; and
- wherein the stack is relocated intact.

Dependent claims: 6, 7, 8

9. In a computer system including an operating system executable thereon, a program executable under said operating system, a stack associated with said program, said stack composed of memory that is executable, a method of preventing stack override in the computer system, said method comprising the steps of:

- generating a random memory address upon the invocation of said program, wherein upon each invocation of said program a new random memory address is generated;
- creating the stack at said random memory address location; and
- utilizing the stack created at said random memory address location during the course of execution of said program.
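The claims describe the mechanism only in prose. The C program below is an added illustration, not code from the patent or its assignee, of the simplest variant, claim 9: at launch a stack is created at a randomly chosen address and the program body then runs on it. Assumptions: Linux with glibc (the ucontext API and /dev/urandom), a 64-bit user address space for the hint range, a 256 KiB stack, and the names workload, map_random_stack and launch_on_relocated_stack, which are mine. Two deliberate differences from the patent's premise: the new stack is mapped read/write only rather than executable, as is current practice (the relocation itself is unaffected), and because the demo returns to the original stack afterward, the erase step is applied to the relocated region once it is no longer in use rather than to the original one. Copying a live stack intact (claims 1 and 3) additionally requires that nothing still points into the old region, which is why the patent performs the move at launch.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <time.h>
#include <ucontext.h>
#include <unistd.h>

#define RELOCATED_STACK_SIZE (256 * 1024)   /* assumed stack size for this demo */

static ucontext_t launcher_ctx;    /* context on the original stack we came from */
static ucontext_t relocated_ctx;   /* context that runs the workload on the new stack */
static uint8_t *relocated_base;    /* low address of the randomly placed stack mapping */
static uintptr_t last_stack_base;  /* recorded for printing after the mapping is gone */
static int workload_on_new_stack;  /* set by the workload: 1 if its frame sits in the mapping */

/* Draw 64 random bits from /dev/urandom; fall back to a weak seed if it is unavailable. */
static uint64_t random_u64(void) {
    uint64_t v = 0;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd >= 0) {
        ssize_t n = read(fd, &v, sizeof v);
        close(fd);
        if (n == (ssize_t)sizeof v) return v;
    }
    return ((uint64_t)getpid() << 32) ^ (uint64_t)time(NULL);
}

/* Map a fresh stack at a random page-aligned address (claim 9: "generating a random
 * memory address upon the invocation of said program"). The kernel treats the address
 * only as a hint: if that range is busy or outside the CPU's user address space it
 * picks another spot, which is still not predictable by an outside party. */
static uint8_t *map_random_stack(size_t size) {
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    /* Candidate range 0x1000_0000_0000 .. 0x7000_0000_0000 (assumed 64-bit user space). */
    uintptr_t span_pages = (uintptr_t)0x600000000000ULL / page;
    uintptr_t hint = (uintptr_t)0x100000000000ULL
                   + (uintptr_t)(random_u64() % span_pages) * page;
    int flags = MAP_PRIVATE | MAP_ANONYMOUS;
#ifdef MAP_STACK
    flags |= MAP_STACK;
#endif
    /* Read/write only: unlike the patent's executable stack, nothing placed here can run. */
    void *p = mmap((void *)hint, size, PROT_READ | PROT_WRITE, flags, -1, 0);
    return p == MAP_FAILED ? NULL : (uint8_t *)p;
}

/* Stand-in for the protected program's body. Its locals live on whatever stack is
 * current, so the address of one of them reveals which stack we are running on. */
static void workload(void) {
    volatile int probe = 0;
    uintptr_t where = (uintptr_t)&probe;
    uintptr_t lo = (uintptr_t)relocated_base;
    uintptr_t hi = lo + RELOCATED_STACK_SIZE;
    workload_on_new_stack = (where >= lo && where < hi);
    (void)probe;
    /* Returning from here resumes launcher_ctx via uc_link. */
}

/* Run the workload on a randomly placed stack for this invocation.
 * Returns 1 if the workload's frame was observed inside the new mapping,
 * 0 if it was not, and -1 if setup failed. */
int launch_on_relocated_stack(void) {
    workload_on_new_stack = 0;
    relocated_base = map_random_stack(RELOCATED_STACK_SIZE);
    if (relocated_base == NULL) return -1;
    last_stack_base = (uintptr_t)relocated_base;

    if (getcontext(&relocated_ctx) != 0) return -1;
    relocated_ctx.uc_stack.ss_sp = relocated_base;
    relocated_ctx.uc_stack.ss_size = RELOCATED_STACK_SIZE;
    relocated_ctx.uc_link = &launcher_ctx;   /* where control goes when workload returns */
    makecontext(&relocated_ctx, workload, 0);

    /* Point the stack pointer at the new region and run ("utilizing the stack created
     * at said random memory address location during the course of execution"). */
    if (swapcontext(&launcher_ctx, &relocated_ctx) != 0) return -1;

    /* Back on the launcher's stack. Scrub the finished stack before releasing it so no
     * stale data lingers in memory (the patent's erase step, applied to the region that
     * is no longer in use). The volatile pointer keeps the compiler from dropping the loop. */
    volatile uint8_t *p = relocated_base;
    for (size_t i = 0; i < RELOCATED_STACK_SIZE; i++) p[i] = 0;
    munmap(relocated_base, RELOCATED_STACK_SIZE);
    relocated_base = NULL;
    return workload_on_new_stack;
}

int main(void) {
    /* Each launch draws a fresh address; compare the printed bases across iterations. */
    for (int i = 0; i < 3; i++) {
        int ok = launch_on_relocated_stack();
        printf("launch %d: stack mapped at %p, workload ran on relocated stack: %s\n",
               i, (void *)last_stack_base, ok == 1 ? "yes" : "no");
    }
    return 0;
}
```

Running the binary repeatedly shows a different stack base on every launch, which is the property the abstract relies on: a return address chosen in advance does not land where the planted data lives. Note that `makecontext` and `swapcontext` are glibc conveniences used here to switch stacks safely from C; an operating-system implementation as in claim 5 would set the stack pointer itself before the program's first instruction.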
Specification