System and methods for run time detection and correction of memory corruption
Abstract
A method or apparatus detects a memory corruption of at least one portion of memory during run-time and corrects the memory corruption of the at least one portion of memory by replacing the at least one portion of memory with a backup of the at least one portion of memory. In this way, memory corruption can be corrected in a timely fashion while minimizing security risks.
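An added example, not part of the patent text or its specification: the capture, check and restore-from-backup cycle described above, applied to a constructed control structure. The struct layout, function names and the two invariants chosen (a dispatch table standing in for an IAT, and a saved return target) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a "control section": an IAT-like dispatch table
   plus a saved return target. All names here are hypothetical. */
typedef int (*handler_t)(int);
struct control { handler_t table[2]; handler_t ret_target; };

static int add_one(int x) { return x + 1; }
static int twice(int x)   { return x * 2; }
static int rogue(int x)   { (void)x; return -1; }

static struct control live;    /* state used at run-time */
static struct control backup;  /* copy taken before run-time */

static void init_control(void) {
    live.table[0] = add_one; live.table[1] = twice; live.ret_target = add_one;
    backup = live;
}

/* Constructed faulty routine: overwrites a table slot as a side effect. */
static void buggy_worker(void)  { live.table[1] = rogue; }
static void benign_worker(void) { }

/* Invariant 1: the dispatch table is unchanged across the call. */
static int table_changed(const struct control *before) {
    return memcmp(before->table, live.table, sizeof live.table) != 0;
}
/* Invariant 2: the saved return target is unchanged across the call. */
static int ret_changed(const struct control *before) {
    return before->ret_target != live.ret_target;
}

/* (a) capture state, run the call, (b) check state against the capture,
   (c) on mismatch, restore from the backup before anything dispatches
   through the table. Returns the number of invariants that failed. */
static int guarded_call(void (*fn)(void)) {
    struct control captured = live;
    fn();
    int failed = table_changed(&captured) + ret_changed(&captured);
    if (failed)
        live = backup;
    return failed;
}

int main(void) {
    init_control();
    printf("benign: %d failed\n", guarded_call(benign_worker));
    printf("buggy:  %d failed\n", guarded_call(buggy_worker));
    printf("table[1](21) = %d\n", live.table[1](21));
    return 0;
}
```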
33 Claims
1. A method comprising:
detecting an application layer memory corruption of at least one portion of a control section of original memory by malicious code during run-time, where the application layer memory corruption affects execution flow of an application when otherwise left uncorrected, wherein detecting includes performing at least two different invariant checks from a set of invariant checks at run-time, the set of invariant checks includes at least two of a return address integrity check, a jump address validation check, an external call validation check, a call destination/far jump validation check, an IAT integrity check, a heap integrity check and a library randomization check each invariant check including (a) capturing a state of one or more registers and at least one portion of a data segment of the control section prior to execution of a function call, (b) checking the state after the execution of the function call against the captured state and (c) declaring application layer memory corruption if the checked state and the captured state do not match; and
correcting the application layer memory corruption of the at least one portion of the control section of original memory, during run-time, by replacing the at least one portion of corrupted memory with a backup of the at least one portion of the control section of original memory to prevent the malicious code from ever executing.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
19. An apparatus comprising:
a processor configured to execute a process;
the process configured to detect an application layer memory corruption of at least one portion of a control section of original memory by malicious code during run-time, where the application layer memory corruption affects execution flow of an application when otherwise left uncorrected, wherein detecting includes performing at least two different invariant checks from a set of invariant checks at run-time, the set of invariant checks includes at least two of a return address integrity check, a jump address validation check, an external call validation check, a call destination/far jump validation check, an IAT integrity check, a heap integrity check and a library randomization check each invariant check including (a) capturing a state of one or more registers and at least one portion of a data segment of the control section prior to execution of a function call, (b) checking the state after the execution of the function call against the captured state and (c) declaring application layer memory corruption if the checked state and the captured state do not match; and
the process configured to correct the application layer memory corruption of the at least one portion of the control section of original memory, during run-time, by replacing the at least one portion of corrupted memory with a backup of the at least one portion of the control section of original memory to prevent the malicious code from ever executing.
(Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
32. A system for correcting memory corruption comprising:
a processor configured to execute a process;
the process creates a backup of at least one portion of a control section of original memory prior to runtime; and
the process, during run-time, (i) detects an application layer memory corruption of the at least one portion of the control section of original memory by malicious code, where the application layer memory corruption affects execution flow of an application when otherwise left uncorrected, wherein detecting includes performing at least two different invariant checks from a set of invariant checks at run-time, the set of invariant checks includes at least two of a return address integrity check, a jump address validation check, an external call validation check, a call destination/far jump validation check, an IAT integrity check, a heap integrity check and a library randomization check each invariant check including (a) capturing a state of one or more registers and at least one portion of a data segment of the control section prior to execution of a function call, (b) checking the state after the execution of the function call against the captured state and (c) declaring application layer memory corruption if the checked state and the captured state do not match; and
(ii) replaces the at least one portion of corrupted memory with the backup to correct the application layer memory corruption of the at least one portion of the control section of original memory and to prevent the malicious code from ever executing.
(Dependent claims: 33)
Specification