Systems and methods for preventing subversion of address space layout randomization (ASLR)

US 8,171,256 B1
Filed: 12/22/2008
Issued: 05/01/2012
Est. Priority Date: 12/22/2008
Status: Active Grant

First Claim

Patent Images

1. A method for preventing subversion of address space layout randomization (ASLR) in a computing device, the method comprising:

intercepting an unverified module attempting to load into an address space of memory of the computing device;

analyzing attributes associated with the unverified module;

determining, based on the analyzed attributes, whether a probability exists that the unverified module will be loaded into a number of address spaces that exceeds a threshold; and

preventing the unverified module from loading into the address space if the probability exists that the unverified module will be loaded into a number of address spaces that exceeds the threshold.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for preventing subversion of address space layout randomization (ASLR) in a computing device is described. An unverified module attempting to load into an address space of memory of the computing device is intercepted. Attributes associated with the unverified module are analyzed. A determination is made, based on the analyzed attributes, whether a probability exists that the unverified module will be loaded into a number of address spaces that exceeds a threshold. The unverified module is prevented from loading into the address space if the probability exists that the unverified module will be loaded into a number of address spaces that exceeds the threshold.

Citations

20 Claims

1. A method for preventing subversion of address space layout randomization (ASLR) in a computing device, the method comprising:
- intercepting an unverified module attempting to load into an address space of memory of the computing device;
  
  analyzing attributes associated with the unverified module;
  
  determining, based on the analyzed attributes, whether a probability exists that the unverified module will be loaded into a number of address spaces that exceeds a threshold; and
  
  preventing the unverified module from loading into the address space if the probability exists that the unverified module will be loaded into a number of address spaces that exceeds the threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising verifying the module and allowing the verified module to load into the address space if the probability does not exist that the module will be loaded into a number of address spaces that exceeds the threshold.
  - 3. The method of claim 2, further comprising loading the verified module into a randomly assigned address space according to ASLR.
  - 4. The method of claim 1, wherein analyzing attributes associated with the unverified module comprises analyzing the size of the unverified module in a header to determine if the size of the unverified module is correctly represented in the header.
  - 5. The method of claim 4, wherein the probability exists that the unverified module will be loaded into a number of address spaces that exceeds the threshold if the size of the unverified module in the header does not correctly represent the size of the module.
  - 6. The method of claim 1, wherein analyzing attributes associated with the unverified module comprises analyzing the contents of the unverified module to determine whether the contents are resource-only data.
  - 7. The method of claim 6, wherein the probability exists that the unverified module will be loaded into a number of address spaces that exceeds the threshold if the contents of the unverified module are resource-only data.
  - 8. The method of claim 1, wherein analyzing attributes associated with the unverified module comprises analyzing portable executable (PE) sections of the module to determine whether an entry point module includes valid instructions.
  - 9. The method of claim 8, wherein the probability exists that the unverified module will be loaded into a number of address spaces that exceeds the threshold if the portable executable (PE) sections of the module include an entry point module that does not contain valid instructions.
  - 10. The method of claim 1, wherein analyzing attributes associated with the unverified module comprises analyzing sections within the unverified module to determine if the sections comprise repetitive bytes.
  - 11. The method of claim 10, wherein the probability exists that the unverified module will be loaded into a number of address spaces that exceeds the threshold if the sections within the unverified module comprise repetitive bytes.
  - 12. The method of claim 1, wherein the unverified module comprises a dynamic linked library (DLL) module.

13. A computer system that is configured to prevent subversion of address space layout randomization (ASLR), the computer system comprising:
- a processor;
  
  memory in electronic communication with the processor; and
  
  a security extension module, the module configured to;
  
  intercept an unverified module attempting to load into an address space of memory of the computing device;
  
  analyze attributes associated with the unverified module;
  
  determine, based on the analyzed attributes, whether a probability exists that the unverified module will be loaded into a number of address spaces that exceeds a threshold; and
  
  prevent the unverified module from loading into the address space if the probability exists that the unverified module will be loaded into a number of address spaces that exceeds the threshold.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The computer system of claim 13, wherein the security extension module is further configured to analyze the size of the unverified module in a header to determine if the size of the unverified module is correctly represented in the header.
  - 15. The computer system of claim 13, wherein the security extension module is further configured to analyze the contents of the unverified module to determine whether the contents are resource-only data.
  - 16. The computer system of claim 13, wherein the security extension module is further configured to analyze portable executable (PE) sections of the module to determine whether an entry point module includes valid instructions.
  - 17. The computer system of claim 13, wherein the rights-management module is further configured to analyze sections within the unverified module to determine if the sections comprise repetitive bytes.
  - 18. The computer system of claim 13, wherein the probability exists that the unverified module will be loaded into a number of address spaces that exceeds the threshold if the size of the unverified module in the header does not correctly represent the size of the module, the contents of the unverified module are resource-only data, the portable executable (PE) sections of the module include an entry point module that does not contain valid instructions, or the sections within the unverified module comprise repetitive bytes.
  - 19. The computer system of claim 13, wherein the unverified module comprises a dynamic linked library (DLL) module.

20. A computer-program product for preventing subversion of address space layout randomization (ASLR), the computer-program product comprising a non-transitory computer-readable storage medium having instructions thereon, the instructions comprising:
- code programmed to intercept an unverified module attempting to load into an address space of memory of the computing device;
  
  code programmed to analyze attributes associated with the unverified module;
  
  code programmed to determine, based on the analyzed attributes, whether a probability exists that the unverified module will be loaded into a number of address spaces that exceeds a threshold; and
  
  code programmed to prevent the unverified module from loading into the address space if the probability exists that the unverified module will be loaded into a number of address spaces that exceeds the threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sobel, William E., McCorkendale, Bruce, Satish, Sourabh
Primary Examiner(s)
Ellis, Kevin
Assistant Examiner(s)
Namazi, Mehdi

Application Number

US12/340,968
Time in Patent Office

1,226 Days
Field of Search

711/E12.091, 711/200, 711/163, 726/22, 726/23, 726/24, 726/25
US Class Current

711/209
CPC Class Codes

G06F 21/52 during program execution, e...

Systems and methods for preventing subversion of address space layout randomization (ASLR)

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for preventing subversion of address space layout randomization (ASLR)

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links