Tamper response mechanism

US 7,818,799 B2
Filed: 05/30/2006
Issued: 10/19/2010
Est. Priority Date: 05/30/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying, by one or more computing devices configured to respond to detected program tampering, global pointers associated with a program;

selecting, by the one or more computing devices, a particular global pointer to intentionally corrupt;

determining, by the one or more computing devices, a time to corrupt the selected global pointer; and

intentionally corrupting, by the one or more computing devices, the selected global pointer in response to detecting tampering with the program, wherein the corrupting includes setting a value of the selected global pointer to NULL or to a value outside of program address space.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A tamper response mechanism introduces a delayed failure into a program in response to detected tampering with the program. The mechanism determines a manner of responding to the detected tampering. The manner of responding may include corrupting a global pointer or using other techniques. The mechanism also determines when to respond to the tampering and implements the response at the determined time.

21 Citations

View as Search Results

18 Claims

1. A method comprising:
- identifying, by one or more computing devices configured to respond to detected program tampering, global pointers associated with a program;
  
  selecting, by the one or more computing devices, a particular global pointer to intentionally corrupt;
  
  determining, by the one or more computing devices, a time to corrupt the selected global pointer; and
  
  intentionally corrupting, by the one or more computing devices, the selected global pointer in response to detecting tampering with the program, wherein the corrupting includes setting a value of the selected global pointer to NULL or to a value outside of program address space.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method as recited in claim 1 wherein identifying global pointers includes parsing the program to locate global pointers.
  - 3. A method as recited in claim 1 further comprising analyzing trace pointers to determine when the identified global pointers are used.
  - 4. A method as recited in claim 1 further comprising analyzing trace pointers to determine the frequency with which the identified global pointers are used.
  - 5. A method as recited in claim 1 wherein selecting a particular global pointer to intentionally corrupt includes selecting a global pointer that is used frequently by the program.
  - 6. A method as recited in claim 1 further comprising selecting a second global pointer to intentionally corrupt.
  - 7. A method as recited in claim 1 further comprising:
    - selecting a second global pointer to intentionally corrupt;
      
      determining a time to corrupt the second global pointer; and
      
      intentionally corrupting the second global pointer at the determined time.
  - 8. A method as recited in claim 1 wherein the time to corrupt the selected global pointer is associated with a future event.
  - 9. A method as recited in claim 1 wherein the time to corrupt the selected global pointer is associated with calling a particular function.
  - 10. A method as recited in claim 1 wherein intentionally corrupting the selected global pointer causes the program operation to terminate at a future time.
  - 11. A method as recited in claim 1 wherein intentionally corrupting the selected global pointer causes the program performance to degrade over time until the program becomes unusable.

12. A method comprising:
- determining, by one or more computing devices configured to detect program tampering, a manner of responding to detected tampering with a program, wherein the manner of responding causes-the program to terminate normal operation;
  
  determining, by the one or more computing devices, when to respond to the detected tampering, wherein the response occurs at a future time; and
  
  upon detection of tampering with the program, implementing, by the one or more computing devices, the response at the determined time, wherein the manner of responding includes setting an array index to fall beyond the array'"'"'s limits.
- View Dependent Claims (13, 14, 15, 16)
- - 13. A method as recited in claim 12 wherein the manner of responding includes corrupting a pointer in the program.
  - 14. A method as recited in claim 12 wherein the manner of responding includes changing a program setting to produce an infinite loop.
  - 15. A method as recited in claim 12 wherein the manner of responding includes corrupting at least one object field.
  - 16. A method as recited in claim 12 wherein the manner of responding includes creating at least one indirection pointer in the program.

17. A method of responding to detection of tampering with a program, the method comprising:
- detecting, by one or more computing devices configured to detect program tampering, locations where global variables are used in the program;
  
  generating, by the one or more computing devices, a global call graph associated with the program;
  
  generating, by the one or more computing devices, a dynamic trace associated with the program, wherein the dynamic trace identifies entering and exiting functions in the program;
  
  selecting, by the one or more computing devices, global variables and corruption sites based on the global variables, the global call graph, and the dynamic trace; and
  
  corrupting, by the one or more computing devices, the selected global variables at the corruption sites by adding random offsets to the global variables.
- View Dependent Claims (18)
- - 18. A method as recited in claim 17 wherein corrupting the selected global variables includes placing corrupted global variables into selected program functions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Tan, Gang, Chen, Yuqun
Primary Examiner(s)
COLIN, CARL G

Application Number

US11/420,987
Publication Number

US 20070283433A1
Time in Patent Office

1,603 Days
Field of Search

726/22, 726/21, 726/31, 713/190
US Class Current

726/22
CPC Class Codes

G06F 21/554 involving event detection a...

Tamper response mechanism

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Tamper response mechanism

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links