Method for detecting buffer overflow for computer security
Abstract
Method for detecting buffer overflow weakness exploitation, including the steps of determining a plurality of threshold parameters, each respective to a buffer overflow weakness exploitation event, analyzing a code to be executed, thereby producing a plurality of validation values, comparing said validation values to the respective ones of the threshold parameters, and determining a buffer overflow weakness exploitation attempt, when at least one of the validation values exceeds the respective one of the threshold parameters.
Claims

1. Method for detecting buffer overflow weakness exploitation, comprising the steps of:
- determining at least one threshold parameter, each said at least one threshold parameter being respective to a buffer overflow weakness exploitation event, analyzing a code to be executed, thereby producing at least one validation value, comparing said at least one validation value to the respective ones of said at least one threshold parameters, and determining a buffer overflow weakness exploitation attempt, when at least one of said at least one validation value exceeds the respective one of said at least one threshold parameters.
2. The method according to claim 1, wherein said step of analyzing comprises the steps of:
- scanning said code, thereby detecting jump instructions and target addresses, associating said jump instructions with said target addresses, determining jump instructions which are not associated with any of said target addresses as invalid jump instructions, and determining one of said at least one validation value as a function of the number of said invalid jump instructions.
3. The method according to claim 2, wherein said step of analyzing further comprises the steps of:
- sequentially analyzing the instructions of said code;
- determining the first instruction of said code as the beginning of a first block;
- determining each detected jump instruction as an end of a block;
- determining the instruction which follows each said detected jump instruction as a beginning of a block;
- determining the jump address of each said detected jump instruction as a beginning of a block;
- determining the instruction which precedes each said detected jump target address as an end of a block;
- determining the last instruction of said code as the end of a last block;
- detecting a system call instruction between each said beginning of a block and the first following end of a block; and
- determining one of said at least one validation value as a function of the number of detected system call instructions and the number of said beginnings of a block.
4. The method according to claim 1, wherein said step of analyzing comprises the steps of:
- sequentially analyzing the instructions of said code;
- determining the first instruction of said code as the beginning of a first block;
- determining each detected jump instruction as an end of a block;
- determining the instruction which follows each said detected jump instruction as a beginning of a block;
- determining the jump address of each said detected jump instruction as a beginning of a block;
- determining the instruction which precedes each said detected jump target as an end of a block;
- determining the last instruction of said code as the end of a last block;
- detecting a system call instruction between each said beginning of a block and the first following end of a block; and
- determining one of said at least one validation value as a function of the number of detected system call instructions and the number of said beginnings of a block.
5. The method according to claim 4, wherein said step of analyzing further comprises the steps of:
- scanning said code, thereby detecting jump instructions and target addresses, associating said jump instructions with said target addresses, determining jump instructions which are not associated with any of said target addresses as invalid jump instructions, and determining one of said at least one validation value as a function of the number of said invalid jump instructions.
6. The method according to claim 1, further comprising the step of producing an alert when determining said buffer overflow weakness exploitation attempt.

7. The method according to claim 1, wherein said step of analyzing comprises analyzing a code to be passed as a parameter to a function.
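The analysis described in claims 2 to 5, with the threshold comparison of claim 1, as an added example that is not part of the patent and is not code from any product built on it. It assumes x86-32 code decoded by a linear sweep over a deliberately small opcode subset (everything else is treated as a one-byte instruction), treats `call` as a jump instruction, defines the two validation values as the system call count divided by the number of blocks and the fraction of jump instructions whose target lands on a decoded instruction boundary inside the buffer, and uses thresholds of 0.1 and 0.5; none of those choices are taken from the patent. The three inputs (a classic `execve("/bin//sh")` stub, a short jmp/call/pop stub, and an HTTP request line) are constructed for the example.

```python
"""Added example: a scanner in the shape of claims 1 to 5 (linear sweep over x86-32 bytes).
Opcode subset, treatment of call as a jump, the two validation values and the thresholds
are this example's assumptions, not the patent's text."""
import struct
from dataclasses import dataclass
from typing import Optional

JCC = range(0x70, 0x80)                                  # jcc rel8
MODRM_OPS = {0x01, 0x29, 0x31, 0x39, 0x85, 0x89, 0x8B}  # add/sub/xor/cmp/test/mov r/m forms


@dataclass
class Insn:
    addr: int
    size: int
    kind: str                     # "jump", "syscall" or "other"
    target: Optional[int] = None  # absolute offset for jumps with a decodable target


def modrm_len(code: bytes, i: int) -> int:
    """Bytes used by the ModR/M byte at code[i] plus its SIB byte and displacement."""
    if i >= len(code):
        return 1
    mod, rm = code[i] >> 6, code[i] & 7
    n = 1
    if mod != 3 and rm == 4:                  # SIB byte follows
        n += 1
        if mod == 0 and i + 1 < len(code) and (code[i + 1] & 7) == 5:
            n += 4                            # SIB with no base register: disp32
    if mod == 0 and rm == 5:
        n += 4                                # [disp32]
    elif mod == 1:
        n += 1                                # [reg+disp8]
    elif mod == 2:
        n += 4                                # [reg+disp32]
    return n


def decode(code: bytes) -> list:
    """Sequential (linear sweep) decode; anything not modelled is taken as a one-byte instruction."""
    insns, i = [], 0
    while i < len(code):
        op, kind, target, size = code[i], "other", None, 1
        if op == 0xEB or op in JCC:                       # jmp/jcc rel8
            size, kind = 2, "jump"
            if i + 1 < len(code):
                target = i + size + struct.unpack("b", code[i + 1:i + 2])[0]
        elif op in (0xE8, 0xE9):                          # call/jmp rel32 (call treated as a jump)
            size, kind = 5, "jump"
            if i + 4 < len(code):
                target = i + size + struct.unpack("<i", code[i + 1:i + 5])[0]
        elif op == 0xCD:                                  # int imm8; int 0x80 is the Linux gate
            size = 2
            if i + 1 < len(code) and code[i + 1] == 0x80:
                kind = "syscall"
        elif op == 0x0F and i + 1 < len(code) and code[i + 1] in (0x05, 0x34):
            size, kind = 2, "syscall"                     # syscall / sysenter
        elif op in MODRM_OPS:
            size = 1 + modrm_len(code, i + 1)
        elif op == 0x68 or 0xB8 <= op <= 0xBF:            # push imm32 / mov r32, imm32
            size = 5
        elif op == 0x6A or 0xB0 <= op <= 0xB7:            # push imm8 / mov r8, imm8
            size = 2
        insns.append(Insn(i, size, kind, target))
        i += size
    return insns


def analyze(code: bytes, sys_threshold: float = 0.1, jump_threshold: float = 0.5) -> dict:
    """Claims 2-5: invalid jumps, block partition, syscalls per block; claim 1: compare to thresholds."""
    insns = decode(code)
    if not insns:
        return {"blocks": [], "jumps": 0, "invalid_jumps": 0, "syscalls": 0,
                "sys_density": 0.0, "jump_validity": 0.0, "flagged": False}
    starts = {x.addr for x in insns}
    jumps = [x for x in insns if x.kind == "jump"]
    valid = [j for j in jumps if j.target in starts]      # target lands on a decoded instruction
    # block beginnings: first instruction, instruction after each jump, each valid jump target
    begins = {insns[0].addr}
    for j in jumps:
        if j.addr + j.size in starts:
            begins.add(j.addr + j.size)
        if j.target in starts:
            begins.add(j.target)
    order = sorted(begins)
    blocks = []                                           # (begin, end, syscalls inside)
    for k, b in enumerate(order):
        limit = order[k + 1] if k + 1 < len(order) else len(code)
        members = [x for x in insns if b <= x.addr < limit]
        blocks.append((b, members[-1].addr, sum(x.kind == "syscall" for x in members)))
    n_sys = sum(bl[2] for bl in blocks)
    sys_density = n_sys / len(blocks)
    jump_validity = len(valid) / len(jumps) if jumps else 0.0
    return {"blocks": blocks, "jumps": len(jumps), "invalid_jumps": len(jumps) - len(valid),
            "syscalls": n_sys, "sys_density": sys_density, "jump_validity": jump_validity,
            # claim 1: an attempt is declared when at least one value exceeds its threshold
            "flagged": sys_density > sys_threshold or jump_validity > jump_threshold}


# Sample inputs (constructed for this example).
EXECVE_SHELLCODE = bytes.fromhex("31c0 50 682f2f7368 682f62696e 89e3 50 53 89e1 b00b cd80")
JMP_CALL_SHELLCODE = bytes.fromhex("eb05 5e 31c0 cd80 e8f6ffffff 2f62696e")  # jmp/call/pop stub
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for name, blob in [("execve", EXECVE_SHELLCODE), ("jmp/call", JMP_CALL_SHELLCODE), ("http", HTTP_REQUEST)]:
        print(name, analyze(blob))
```

On the HTTP request the four "jumps" are ASCII letters in the 0x70-0x7F range whose displacement byte points past the end of the buffer, so they count as invalid and the syscall count is zero. That outcome is fragile: because unmodelled bytes decode as one-byte instructions, almost every offset is an instruction boundary, and ordinary text with short forward displacements can score a high jump validity on its own. A real implementation needs a complete decoder so that boundaries are sparse, and thresholds tuned against a benign corpus before the "any value exceeds" rule of claim 1 is turned into an alert.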
Specification