Kernel mode overflow attack prevention system and method

US 7,437,759 B1
Filed: 02/17/2004
Issued: 10/14/2008
Est. Priority Date: 02/17/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

hooking a critical operating system function;

stalling a call to the critical operating system function originating from a call module;

determining a location of the call module in a kernel address space of a memory;

determining whether the location is in a driver area of the kernel address space of the memory;

determining that said call module is not in said driver area during said determining;

taking protective action to protect a computer system;

providing a notification that said protective action has been taken,wherein the call module is malicious code that has been injected into a kernel stack/heap through a malicious kernel mode buffer overflow attack.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes hooking a critical operating system function, stalling a call to the critical operating system function originating from a call module, determining a location of the call module in a kernel address space of a memory, and determining whether the location is in a driver area of the kernel address space. Upon a determination that the call module is not in the driver area, the method further includes taking protective action to protect a host computer system. In this event, it is highly likely that the call module is malicious code that has been injected into the kernel stack/heap through a malicious kernel mode buffer overflow attack. By taking protective action, exploitation, damage or destruction of the host computer system is prevented.

Citations

16 Claims

1. A method comprising:
- hooking a critical operating system function;
  
  stalling a call to the critical operating system function originating from a call module;
  
  determining a location of the call module in a kernel address space of a memory;
  
  determining whether the location is in a driver area of the kernel address space of the memory;
  
  determining that said call module is not in said driver area during said determining;
  
  taking protective action to protect a computer system;
  
  providing a notification that said protective action has been taken,wherein the call module is malicious code that has been injected into a kernel stack/heap through a malicious kernel mode buffer overflow attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 further comprising terminating said call.
  - 3. The method of claim 1 further comprising terminating a parent application comprising said call module.
  - 4. The method of claim 1 further comprising determining whether said call module is a known false positive.
  - 5. The method of claim 1 further comprising determining that said call module is in said driver area during said determining.
  - 6. The method of claim 1 further comprising stalling said call.
  - 7. The method of claim 6 further comprising:
    - determining that said call module is in said driver area during said determining; and
      
      allowing said call to proceed.
  - 8. The method of claim 1 further comprising determining if a last mode of operation is a kernel mode.
  - 9. The method of claim 1 further comprising disabling loading and unloading of drivers into said kernel address space.
  - 10. The method of claim 9, further comprising, subsequent to said determining whether the location is in a driver area of the kernel address space of the memory, enabling loading and unloading of said drivers into said kernel address space.
  - 11. The method of claim 1 wherein said driver area is static.
  - 12. The method of claim 1 wherein said driver area is dynamic.
  - 13. The method of claim 12 further comprising keeping said driver area updated as drivers are loaded and unloaded from said kernel address space.

14. A method comprising:
- hooking driver load and unload functions;
  
  obtaining loaded driver information;
  
  determining a driver area in a kernel address space of a memory;
  
  determining whether a driver has been loaded into or unloaded from said kernel address space, wherein upon a determination that said driver has been loaded into or unloaded from said kernel address space,updating said driver area;
  
  stalling a call to a critical operating system function originating from a call module;
  
  determining whether said call module is in said driver area;
  
  determining that said call module is in said driver area; and
  
  allowing said call to proceed.
- View Dependent Claims (15)
- - 15. The method of claim 14 wherein said driver area is dynamic.

16. A computer-program product comprising a tangible computer readable storage medium containing computer code comprising:
- a malicious code blocking application for hooking a critical operating system function;
  
  said malicious code blocking application for stalling a call to the critical operating system function originating from a call module;
  
  said malicious code blocking application for determining a location of the call module in a kernel address space of a memory;
  
  said malicious code blocking application further for determining whether the location is in a driver area of the kernel address space of the memory;
  
  said malicious code blocking application for determining that said call module is not in said driver area during said determining;
  
  said malicious code blocking application for taking protective action to protect a computer system;
  
  said malicious code blocking application for providing a notification that said protective action has been taken;
  
  wherein the call module is malicious code that has been injected into a kernel stack/heap through a malicious kernel mode buffer overflow attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Szor, Peter
Primary Examiner(s)
Nguyen; Van H

Application Number

US10/781,207
Time in Patent Office

1,701 Days
Field of Search

726 22- 25, 713/164, 713/191, 713/188, 713/190, 713/324, 713/165, 713/167, 710/74, 710/107, 709/216, 709/217
US Class Current

726/22
CPC Class Codes

G06F 21/52 during program execution, e...

Kernel mode overflow attack prevention system and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Kernel mode overflow attack prevention system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links