Detection of malicious system calls
First Claim
1. A method performed by a data processing apparatus, the method comprising:
monitoring a function vulnerable to a buffer overflow attack;
receiving a call to the function, the call associated with a call stack, the call stack including one or more base pointers, and a destination buffer associated with the function;
identifying a particular one of the one or more base pointers as pointing to a first memory address greater than an address of the destination buffer;
determining that the first address is a critical memory address based at least in part on identifying that the first memory address is greater than the address of the destination buffer;
performing a comparison of expected contents of a first memory location identified by the first address with observed contents of the first memory location following an execution of the function based on the received call, wherein the comparison is performed based at least in part on determining that the first memory address is a critical memory address; and
determining whether the received call corresponds to a potential buffer overflow attack based at least in part on the comparison.
10 Assignments
0 Petitions
Abstract
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting malicious system calls. In one aspect, a method includes monitoring a function vulnerable to a buffer overflow attack; receiving a call to the function, the call associated with a call stack, the call stack including one or more base pointers, and a destination buffer associated with the function; identifying a first critical memory address vulnerable to the buffer overflow attack comprising: determining the first critical memory address based on a base pointer of the one or more base pointers, wherein the base pointer address is greater than an address of the destination buffer; identifying a first address based on the base pointer of the one or more base pointers; and determining that the first address is a critical memory address in response to determining that the first memory address is greater than the address of the destination buffer.
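The check described in the abstract, worked through as an added example that is not part of the patent text: a saved base pointer counts as a critical address when it lies at a higher address than the destination buffer, the expected contents at each such address are recorded before the monitored function runs, and the observed contents are compared afterwards. The call stack is modelled as a plain byte array (an assumption made so the example runs deterministically; a real implementation would read the process stack), and the frame layout, the 4-byte pointer slot width and the stored "pointer" values are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simulated call stack (assumption: not a real process stack). Higher
 * offsets model higher addresses, as on a stack that grows downward. */
#define STACK_SIZE    64
#define PTR_SLOT       4   /* bytes per saved base pointer (assumed width) */
#define MAX_BASE_PTRS  4

typedef struct {
    uint8_t mem[STACK_SIZE];
    size_t  dest_buf;                 /* offset of the destination buffer */
    size_t  dest_len;                 /* the buffer's intended size */
    size_t  base_ptrs[MAX_BASE_PTRS]; /* offsets of saved base pointers */
    size_t  n_base_ptrs;
} sim_stack_t;

/* Lay out one frame: a saved base pointer below the buffer (not reachable
 * by an overrun), the 16-byte buffer, then two saved base pointers above
 * it. Offsets and contents are constructed for the example. */
void sim_stack_init(sim_stack_t *s)
{
    memset(s, 0, sizeof *s);
    s->dest_buf = 8;
    s->dest_len = 16;                 /* buffer occupies offsets 8..23 */
    s->base_ptrs[0] = 0;              /* below the buffer */
    s->base_ptrs[1] = 24;             /* this frame's saved base pointer */
    s->base_ptrs[2] = 40;             /* caller's saved base pointer */
    s->n_base_ptrs = 3;
    memcpy(&s->mem[0],  "\x11\x22\x33\x44", PTR_SLOT);
    memcpy(&s->mem[24], "\x10\x20\x30\x40", PTR_SLOT);
    memcpy(&s->mem[40], "\x50\x60\x70\x7f", PTR_SLOT);
}

/* Claim step: a base pointer is a critical address when it is greater
 * than the destination buffer's address. Returns how many were found. */
size_t identify_critical(const sim_stack_t *s, size_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < s->n_base_ptrs && n < max; i++)
        if (s->base_ptrs[i] > s->dest_buf)
            out[n++] = s->base_ptrs[i];
    return n;
}

/* The monitored function: an unchecked strcpy-style copy into the buffer.
 * The clamp only keeps the simulation array itself in bounds. */
void monitored_copy(sim_stack_t *s, const char *input)
{
    size_t n = strlen(input) + 1;     /* includes the terminating NUL */
    if (n > STACK_SIZE - s->dest_buf)
        n = STACK_SIZE - s->dest_buf;
    memcpy(&s->mem[s->dest_buf], input, n);
}

/* Wrap one call: record the expected contents at every critical address,
 * run the function, then compare. Returns 1 for a potential overflow. */
int check_call(sim_stack_t *s, const char *input)
{
    size_t  crit[MAX_BASE_PTRS];
    uint8_t expected[MAX_BASE_PTRS][PTR_SLOT];
    size_t  n = identify_critical(s, crit, MAX_BASE_PTRS);

    for (size_t i = 0; i < n; i++)
        memcpy(expected[i], &s->mem[crit[i]], PTR_SLOT);

    monitored_copy(s, input);

    for (size_t i = 0; i < n; i++)
        if (memcmp(expected[i], &s->mem[crit[i]], PTR_SLOT) != 0)
            return 1;                 /* observed != expected */
    return 0;
}

/* Fresh frame per scenario so results do not depend on earlier calls. */
int run_scenario(const char *input)
{
    sim_stack_t s;
    sim_stack_init(&s);
    return check_call(&s, input);
}

/* Number of base pointers the claim step classifies as critical. */
size_t critical_count(void)
{
    sim_stack_t s;
    size_t crit[MAX_BASE_PTRS];
    sim_stack_init(&s);
    return identify_critical(&s, crit, MAX_BASE_PTRS);
}

int main(void)
{
    printf("critical base pointers: %zu\n", critical_count());
    printf("15-char input flagged:  %d\n", run_scenario("AAAAAAAAAAAAAAA"));
    printf("16-char input flagged:  %d\n", run_scenario("AAAAAAAAAAAAAAAA"));
    return 0;
}
```

The base pointer stored below the buffer is never selected, because an overrun of a downward-growing stack only writes toward higher addresses. The comparison flags an input only when it actually changes the bytes at a critical address, so an overrun that stops short of the saved base pointer, or that happens to rewrite it with identical contents, is not observed; the check therefore complements compile-time protections such as stack canaries rather than replacing them.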
13 Claims
1. A method performed by a data processing apparatus, the method comprising:
monitoring a function vulnerable to a buffer overflow attack; receiving a call to the function, the call associated with a call stack, the call stack including one or more base pointers, and a destination buffer associated with the function; identifying a particular one of the one or more base pointers as pointing to a first memory address greater than an address of the destination buffer; determining that the first address is a critical memory address based at least in part on identifying that the first memory address is greater than the address of the destination buffer; performing a comparison of expected contents of a first memory location identified by the first address with observed contents of the first memory location following an execution of the function based on the received call, wherein the comparison is performed based at least in part on determining that the first memory address is a critical memory address; and determining whether the received call corresponds to a potential buffer overflow attack based at least in part on the comparison. (Dependent claims 2, 3, 4, 5 and 6 not shown.)
7. A computer storage device encoded with a computer program, the program comprising instructions that when executed by data processing apparatus cause the data processing apparatus to perform operations comprising:
monitoring a function vulnerable to a buffer overflow attack; receiving a call to the function, the call associated with a call stack, the call stack including one or more base pointers, and a destination buffer associated with the function; identifying a particular one of the one or more base pointers as pointing to a first memory address greater than an address of the destination buffer; determining that the first address is a critical memory address based at least in part on identifying that the first memory address is greater than the address of the destination buffer; performing a comparison of expected contents of a first memory location identified by the first address with observed contents of the first memory location following an execution of the function based on the received call, wherein the comparison is performed based at least in part on determining that the first memory address is a critical memory address; and determining whether the received call corresponds to a potential buffer overflow attack based at least in part on the comparison. (Dependent claims 8, 9, 10, 11 and 12 not shown.)
13. A system comprising:
one or more computers; and
a computer-readable medium coupled to the one or more computers having instructions stored thereon which, when executed by the one or more computers, cause the one or more computers to perform operations comprising: monitoring a function vulnerable to a buffer overflow attack; receiving a call to the function, the call associated with a call stack, the call stack including one or more base pointers, and a destination buffer associated with the function; identifying a particular one of the one or more base pointers as pointing to a first memory address greater than an address of the destination buffer; determining that the first address is a critical memory address based at least in part on identifying that the first memory address is greater than the address of the destination buffer; performing a comparison of expected contents of a first memory location identified by the first address with observed contents of the first memory location following an execution of the function based on the received call, wherein the comparison is performed based at least in part on determining that the first memory address is a critical memory address; and determining whether the received call corresponds to a potential buffer overflow attack based at least in part on the comparison.