System and methods for run time detection and correction of memory corruption

US 8,510,596 B1
Filed: 07/06/2007
Issued: 08/13/2013
Est. Priority Date: 02/09/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting an application layer memory corruption of at least one portion of a control section of original memory by malicious code during run-time, where the application layer memory corruption affects execution flow of an application when otherwise left uncorrected, wherein detecting includes performing at least two different invariant checks from a set of invariant checks at run-time, the set of invariant checks includes at least two of a return address integrity check, a jump address validation check, an external call validation check, a call destination/far jump validation check, an IAT integrity check, a heap integrity check and a library randomization check each invariant check including (a) capturing a state of one or more registers and at least one portion of a data segment of the control section prior to execution of a function call, (b) checking the state after the execution of the function call against the captured state and (c) declaring application layer memory corruption if the checked state and the captured state do not match; and

correcting the application layer memory corruption of the at least one portion of the control section of original memory, during run-time, by replacing the at least one portion of corrupted memory with a backup of the at least one portion of the control section of original memory to prevent the malicious code from ever executing.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method or apparatus detects a memory corruption of at least one portion of memory during run-time and corrects the memory corruption of the at least one portion of memory by replacing the at least one portion of memory with a backup of the at least one portion of memory. In this way, memory corruption can be corrected in a timely fashion while minimizing security risks.

Citations

33 Claims

1. A method comprising:
- detecting an application layer memory corruption of at least one portion of a control section of original memory by malicious code during run-time, where the application layer memory corruption affects execution flow of an application when otherwise left uncorrected, wherein detecting includes performing at least two different invariant checks from a set of invariant checks at run-time, the set of invariant checks includes at least two of a return address integrity check, a jump address validation check, an external call validation check, a call destination/far jump validation check, an IAT integrity check, a heap integrity check and a library randomization check each invariant check including (a) capturing a state of one or more registers and at least one portion of a data segment of the control section prior to execution of a function call, (b) checking the state after the execution of the function call against the captured state and (c) declaring application layer memory corruption if the checked state and the captured state do not match; and
  
  correcting the application layer memory corruption of the at least one portion of the control section of original memory, during run-time, by replacing the at least one portion of corrupted memory with a backup of the at least one portion of the control section of original memory to prevent the malicious code from ever executing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1 wherein memory is system or process memory.
  - 3. The method of claim 1 further comprising:
    - identifying an intention to corrupt the at least one portion of the control section of original memory by a process; and
      
      intercepting the process, during run-time, to prevent corruption of the at least one portion of the control section of original memory.
  - 4. The method of claim 1 further comprising creating a backup of the at least one portion of the control section of original memory.
  - 5. The method of claim 1 wherein detecting the application layer memory corruption of the at least one portion of the control section of original memory comprises comparing a run-time signature of a program or library file with a valid signature during load-time.
  - 6. The method of claim 1 wherein the application layer memory corruption is initiated locally or remotely.
  - 7. The method of claim 1 wherein detecting the application layer memory corruption of the control section of original memory comprises comparing computer program instructions in the memory with non-corrupted computer program instructions.
  - 8. The method of claim 6 wherein the computer program instructions are machine language code.
  - 9. The method of claim 1 wherein detecting the application layer memory corruption of the control section of original memory comprises monitoring program code execution to identify an abnormality.
  - 10. The method of claim 1 wherein memory is configured for storing information for a stack, a heap, machine language instructions, for an executable or a shared library loaded at start up or run time.
  - 11. The method of claim 1 further comprising notifying a user of a security risk pertaining to program code that is permitting the memory corruption of a security risk.
  - 12. The method of claim 1 wherein detecting the application layer memory corruption of at least one portion of the control section of original memory during run-time occurs in a Smart Phone, Personal Digital Assistant (PDA), Mainframe Computer, or Personal Computer (PC).
  - 13. The method of claim 1 further comprising protecting a system from the application layer memory corruption, where the application layer memory corruption originates from vendor software operating without a corrective software patch.
  - 14. The method of claim 1 further comprising providing at least one user with one or more vendor software update patches so as to protect against application layer memory corruption.
  - 15. The method of claim 1 further comprising preparing an identifier for the application layer memory corruption.
  - 16. The method of claim 1 further comprising informing a vendor of one or more actual or potential application layer memory corruptions.
  - 17. The method of claim 1 further comprising receiving payment for the correction of the application layer memory corruption.
  - 18. The method of claim 1 wherein the control section includes any of a heap, stack, import address table and an export address table.

19. An apparatus comprising:
- a processor configured to execute a process;
  
  the process configured to detect an application layer memory corruption of at least one portion of a control section of original memory by malicious code during run-time, where the application layer memory corruption affects execution flow of an application when otherwise left uncorrected, wherein detecting includes performing at least two different invariant checks from a set of invariant checks at run-time, the set of invariant checks includes at least two of a return address integrity check, a jump address validation check, an external call validation check, a call destination/far jump validation check, an TAT integrity check, a heap integrity check and a library randomization check each invariant check including (a) capturing a state of one or more registers and at least one portion of a data segment of the control section prior to execution of a function call, (b) checking the state after the execution of the function call against the captured state and (c) declaring application layer memory corruption if the checked state and the captured state do not match; and
  
  the process configured to correct the application layer memory corruption of the at least one portion of the control section of original memory, during run-time, by replacing the at least one portion of corrupted memory with a backup of the at least one portion of the control section of original memory to prevent the malicious code from ever executing.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 20. The apparatus of claim 19 wherein memory is system or process memory.
  - 21. The apparatus of claim 19 wherein the process is further configured to:
    - identify an intention to corrupt the at least one portion of the control section of original memory by the process; and
      
      intercept the process, during run-time, to prevent corruption of the at least one portion of the control section of original memory.
  - 22. The apparatus of claim 19 wherein the process is further configured to create a backup of the at least one portion of the control section of original memory.
  - 23. The apparatus of claim 19 wherein the process is further configured to compare a run-time signature of a program or library file with a valid signature during load-time.
  - 24. The apparatus of claim 19 wherein the application layer memory corruption is initiated locally or remotely.
  - 25. The apparatus of claim 19 wherein the process is further configured to compare computer program instructions in the memory with non-corrupted computer program instructions.
  - 26. The apparatus of claim 25 wherein the computer program instructions are machine language code.
  - 27. The apparatus of claim 19 wherein the process is further configured to monitor program code execution to identify an abnormality.
  - 28. The apparatus of claim 19 wherein the memory stores information for a stack, a heap, machine language instructions, for an executable or a shared library loaded at start up or run time.
  - 29. The apparatus of claim 19 wherein the process is further configured to notify a user of a security risk pertaining to program code that is permitting the application layer memory corruption.
  - 30. The apparatus of claim 19 wherein the process operates during run-time in a Smart Phone, Personal Digital Assistant (PDA), Mainframe Computer, or Personal Computer (PC).
  - 31. The apparatus of claim 19 wherein the control section includes any of a heap, stack, import address table and an export address table.

32. A system for correcting memory corruption comprising:
- a processor configured to execute a process;
  
  the process creates a backup of at least one portion of a control section of original memory prior to runtime; and
  
  the process, during run-time, (i) detects an application layer memory corruption of the at least one portion of the control section of original memory by malicious code, where the application layer memory corruption affects execution flow of an application when otherwise left uncorrected, wherein detecting includes performing at least two different invariant checks from a set of invariant checks at run-time, the set of invariant checks includes at least two of a return address integrity check, a jump address validation check, an external call validation check, a call destination/far jump validation check, an TAT integrity check, a heap integrity check and a library randomization check each invariant check including (a) capturing a state of one or more registers and at least one portion of a data segment of the control section prior to execution of a function call, (b) checking the state after the execution of the function call against the captured state and (c) declaring application layer memory corruption if the checked state and the captured state do not match; and
  
  (ii) replaces the at least one portion of corrupted memory with the backup to correct the application layer memory corruption of the at least one portion of the control section of original memory and to prevent the malicious code from ever executing.
- View Dependent Claims (33)
- - 33. The system of claim 32 wherein the control section includes any of a heap, stack, import address table and an export address table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Virsec Systems, Inc.
Original Assignee
Virsec Systems, Inc.
Inventors
Gupta, Satya V., Shenoy, Prashant
Primary Examiner(s)
TRUONG, LOAN

Application Number

US11/825,657
Time in Patent Office

2,230 Days
Field of Search

714/5, 714/42, 714/5.11, 714/15, 714/21, 717/138
US Class Current

714/15
CPC Class Codes

G06F 11/073   in a memory management cont...

G06F 11/0751   Error or fault detection no...

G06F 11/1004   to protect a block of data ...

G06F 11/1451   by selection of backup cont...

G06F 11/1469   Backup restoration techniques

G06F 11/1666   where the redundant compone...

G06F 21/56   Computer malware detection ...

G06F 2201/86   Event-based monitoring

System and methods for run time detection and correction of memory corruption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods for run time detection and correction of memory corruption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links