Systems and methods for preventing exploitation of byte sequences that violate compiler-generated alignment
First Claim

1. A computer-implemented method for preventing exploitation of byte sequences that violate compiler-generated instruction alignment, the method comprising:
- identifying instantiation of a process;
- identifying an address space associated with the process;
- identifying, within the address space associated with the process, at least one control-transfer instruction capable of directing control flow of the process;
- determining that at least one byte that precedes the control-transfer instruction is capable of resulting in an out-of-alignment instruction that, when executed contrary to a compiler-generated instruction alignment for the process, results in at least one valid instruction;
- preventing the control-transfer instruction from being executed contrary to the compiler-generated instruction alignment for the process by:
  - identifying an intended instruction within the process that contains the control-transfer instruction;
  - replacing the intended instruction with a hook that redirects control flow to a security patch that executes the intended instruction and then returns control flow back to the process;
  - upon replacing the intended instruction with the hook, allowing the process to execute.
Abstract
An exemplary method for preventing exploitation of byte sequences that violate compiler-generated instruction alignment may comprise: 1) identifying instantiation of a process, 2) identifying an address space associated with the process, 3) identifying, within the address space associated with the process, at least one control-transfer instruction, 4) determining that at least one byte preceding the control-transfer instruction is capable of resulting in an out-of-alignment instruction, and then 5) preventing the control-transfer instruction from being executed. In one example, the system may prevent the control-transfer instruction from being executed by inserting a hook in place of the intended instruction that executes the intended instruction and then returns control flow back to the instantiated process. Corresponding systems and computer-readable media are also disclosed.
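Steps 3 and 4 of the abstract, simulated in Python as an added example (not code from the patent or its assignee): it scans a constructed x86-64 byte string for a control-transfer opcode that falls inside a compiler-intended instruction and is preceded, out of alignment, by a byte that itself decodes as a valid instruction; the intended instruction it reports is what step 5 would replace with a hook. Assumptions: x86-64, `ret` (0xC3) as the only control-transfer opcode modelled, a toy single-byte opcode table in place of a full disassembler, and constructed instruction boundaries standing in for the compiler-generated alignment.

```python
# Toy opcode table (assumption: x86-64; a real system would use a full disassembler).
REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
SINGLE_BYTE_OPS = {0x90: "nop", 0xC3: "ret", 0xC9: "leave"}
SINGLE_BYTE_OPS.update({0x50 + r: f"push {REGS[r]}" for r in range(8)})
SINGLE_BYTE_OPS.update({0x58 + r: f"pop {REGS[r]}" for r in range(8)})
CONTROL_TRANSFER = {0xC3}  # assumption: only 'ret' is modelled as a control transfer

# Constructed sample: each line is one compiler-intended instruction.
CODE = bytes([
    0x55,                          # push rbp
    0xB8, 0x5B, 0xC3, 0x00, 0x00,  # mov eax, 0xC35B  (immediate embeds 5B C3)
    0xB8, 0xC3, 0x00, 0x00, 0x00,  # mov eax, 0xC3    (immediate embeds C3)
    0x5D,                          # pop rbp
    0xC3,                          # ret (the intended, aligned control transfer)
])
BOUNDARIES = [(0, 1), (1, 5), (6, 5), (11, 1), (12, 1)]  # (offset, length), constructed


def find_unaligned_control_transfers(code, boundaries):
    """Report control-transfer bytes that sit inside an intended instruction and are
    preceded, still inside that instruction, by a byte that decodes as a valid
    instruction when execution enters contrary to the intended alignment."""
    findings = []
    for off, length in boundaries:
        # code[off] is the intended opcode, so entering there is aligned; start at
        # off + 2 so that the preceding byte (i - 1) is itself out of alignment.
        for i in range(off + 2, off + length):
            if code[i] in CONTROL_TRANSFER and code[i - 1] in SINGLE_BYTE_OPS:
                findings.append({
                    "ct_offset": i,
                    "intended": (off, length),
                    "unaligned": f"{SINGLE_BYTE_OPS[code[i - 1]]}; {SINGLE_BYTE_OPS[code[i]]}",
                })
    return findings


def hook_candidates(code, boundaries):
    """Intended instructions that step 5 of the abstract would replace with a hook."""
    return sorted({f["intended"] for f in find_unaligned_control_transfers(code, boundaries)})


if __name__ == "__main__":
    for f in find_unaligned_control_transfers(CODE, BOUNDARIES):
        print(f)
    print("hook:", hook_candidates(CODE, BOUNDARIES))
```

The second `mov` embeds a bare 0xC3 too, but its preceding byte is the aligned opcode 0xB8, so it does not meet the claim's "preceding byte forms an out-of-alignment instruction" condition and is not reported.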
39 Citations
18 Claims
1. A computer-implemented method for preventing exploitation of byte sequences that violate compiler-generated instruction alignment (independent claim; full text as set out under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A system for preventing exploitation of byte sequences that violate compiler-generated instruction alignment, the system comprising:
- a process-analysis module programmed to:
  - identify instantiation of a process;
  - identify an address space associated with the process;
  - identify, within the address space associated with the process, at least one control-transfer instruction capable of directing control flow of the process;
  - determine that at least one byte that precedes the control-transfer instruction is capable of resulting in an out-of-alignment instruction that, when executed contrary to a compiler-generated instruction alignment for the process, results in at least one valid instruction;
- a security module programmed to prevent the control-transfer instruction from being executed contrary to the compiler-generated instruction alignment for the process by:
  - identifying an intended instruction within the process that contains the control-transfer instruction;
  - replacing the intended instruction with a hook that redirects control flow to a security patch that executes the intended instruction and then returns control flow back to the process;
  - upon replacing the intended instruction with the hook, allowing the process to execute;
- at least one processor configured to execute the process-analysis module and the security module.
Dependent claims: 11, 12, 13, 14, 15, 16, 17.
18. A non-transitory computer-readable medium that, when executed by a computing device, causes the computing device to:
- identify instantiation of a process;
- identify an address space associated with the process;
- identify, within the address space associated with the process, at least one control-transfer instruction capable of directing control flow of the process;
- determine that at least one byte that precedes the control-transfer instruction is capable of resulting in an out-of-alignment instruction that, when executed contrary to a compiler-generated instruction alignment for the process, results in at least one valid instruction;
- prevent the control-transfer instruction from being executed contrary to the compiler-generated instruction alignment for the process by:
  - identifying an intended instruction within the process that contains the control-transfer instruction;
  - replacing the intended instruction with a hook that redirects control flow to a security patch that executes the intended instruction and then returns control flow back to the process;
  - upon replacing the intended instruction with the hook, allowing the process to execute.