Detection of malicious system calls

US 8,561,198 B2
Filed: 05/07/2010
Issued: 10/15/2013
Est. Priority Date: 05/07/2010
Status: Active Grant

First Claim

Patent Images

1. A method performed by a data processing apparatus, the method comprising:

monitoring a function vulnerable to a buffer overflow attack;

receiving a call to the function, the call associated with a call stack, the call stack including one or more base pointers, and a destination buffer associated with the function;

identifying a particular one of the one or more base pointers as pointing to a first memory address greater than an address of the destination buffer;

determining that the first address is a critical memory address based at least in part on identifying that the first memory address is greater than the address of the destination buffer;

performing a comparison of expected contents of a first memory location identified by the first address with observed contents of the first memory location following an execution of the function based on the received call, wherein the comparison is performed based at least in part on determining that the first memory address is a critical memory address; and

determining whether the received call corresponds to a potential buffer overflow attack based at least in part on the comparison.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting malicious system calls. In one aspect, a method includes monitoring a function vulnerable to a buffer overflow attack; receiving a call to the function, the call associated with a call stack, the call stack including one or more base pointers, and a destination buffer associated with the function; identifying a first critical memory address vulnerable to the buffer overflow attack comprising: determining the first critical memory address based on a base pointer of the one or more base pointers, wherein the base pointer address is greater than an address of the destination buffer; identifying a first address based on the base pointer of the one or more base pointers; and determining that the first address is a critical memory address in response to the first memory address is greater than the address of the destination buffer.

Citations

13 Claims

1. A method performed by a data processing apparatus, the method comprising:
- monitoring a function vulnerable to a buffer overflow attack;
  
  receiving a call to the function, the call associated with a call stack, the call stack including one or more base pointers, and a destination buffer associated with the function;
  
  identifying a particular one of the one or more base pointers as pointing to a first memory address greater than an address of the destination buffer;
  
  determining that the first address is a critical memory address based at least in part on identifying that the first memory address is greater than the address of the destination buffer;
  
  performing a comparison of expected contents of a first memory location identified by the first address with observed contents of the first memory location following an execution of the function based on the received call, wherein the comparison is performed based at least in part on determining that the first memory address is a critical memory address; and
  
  determining whether the received call corresponds to a potential buffer overflow attack based at least in part on the comparison.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising masking the contents of the first memory location based at least in part on determining that the first memory address is a critical memory address.
  - 3. The method of claim 2, wherein masking the contents of the first address includes:
    - copying the contents, wherein the contents have a first value;
      
      encrypting the contents to generate an encrypted version of the contents having a second value; and
      
      storing the second value at the critical first memory location;
      
      wherein the encrypted version of the contents is compared with the observed contents.
  - 4. The method of claim 3, wherein encrypting the contents includes performing an exclusive or operation on the first value and a random number.
  - 5. The method of claim 1, wherein determining that the first address is a critical memory address further comprises:
    - navigating a structured exception handler chain associated with the thread, the structured exception handler chain including at least one of exception handler node;
      
      identifying a second memory address of a structure exception handler node of the at least one exception handler node where the memory address of the structured exception handler node is greater than the memory address of the destination buffer;
      
      determining the critical memory address is the smaller of the first memory address and the second memory address.
  - 6. The method of claim 5 further comprising:
    - identifying a source buffer associated with the call, the source buffer storing a source value;
      
      determining a memory size, the memory size equal to an amount of memory between the memory address of the destination buffer and the critical memory address;
      
      determining a second memory size, the second memory size measuring a size of the source value;
      
      determining a critical memory location identified by the critical memory address will be affected by a buffer overflow in response to determining the size of the source value exceeds the size of the memory.

7. A computer storage device encoded with a computer program, the program comprising instructions that when executed by data processing apparatus cause the data processing apparatus to perform operations comprising:
- monitoring a function vulnerable to a buffer overflow attack;
  
  receiving a call to the function, the call associated with a call stack, the call stack including one or more base pointers, and a destination buffer associated with the function;
  
  identifying a particular one of the one or more base pointers as pointing to a first memory address greater than an address of the destination buffer;
  
  determining that the first address is a critical memory address based at least in part on identifying that the first memory address is greater than the address of the destination buffer;
  
  performing a comparison of expected contents of a first memory location identified by the first address with observed contents of the first memory location following an execution of the function based on the received call, wherein the comparison is performed based at least in part on determining that the first memory address is a critical memory address; and
  
  determining whether the received call corresponds to a potential buffer overflow attack based at least in part on the comparison.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The device of claim 7, further comprising masking the contents of the first memory location based at least in part on determining that the first memory address is a critical memory address.
  - 9. The device of claim 8, wherein the program further comprises instructions that when executed by data processing apparatus cause the data processing apparatus to perform operations comprising:
    - copying the contents, wherein the contents have a first value;
      
      encrypting the contents to generate an encrypted version of the contents having a second value; and
      
      storing the second value at the critical first memory location;
      
      wherein the encrypted version of the contents is compared with the observed contents.
  - 10. The device of claim 9, wherein encrypting the contents includes performing an exclusive or operation on the first value and a random number.
  - 11. The device of claim 7, wherein determining that the first address is a critical memory address further comprises:
    - navigating a structured exception handler chain associated with the thread, the structured exception handler chain including at least one of exception handler node;
      
      identifying a second memory address of a structure exception handler node of the at least one exception handler node where the memory address of the structured exception handler node is greater than the memory address of the destination buffer;
      
      determining the critical memory address is the smaller of the first memory address and the second memory address.
  - 12. The device of claim 11 wherein the program further comprises instructions that when executed by data processing apparatus cause the data processing apparatus to perform operations comprising:
    - identifying a source buffer associated with the call, the source buffer storing a source value;
      
      determining a memory size, the memory size equal to an amount of memory between the memory address of the destination buffer and the critical memory address;
      
      determining a second memory size, the second memory size measuring a size of the source value;
      
      determining a critical memory location identified by the critical memory address will be affected by a buffer overflow in response to determining the size of the source value exceeds the size of the memory.

13. A system comprising:
- one or more computers; and
  
  ;
  
  a computer-readable medium coupled to the one or more computers having instructions stored thereon which, when executed by the one or more computers, cause the one or more computers to perform operations comprising;
  
  monitoring a function vulnerable to a buffer overflow attack;
  
  receiving a call to the function, the call associated with a call stack, the call stack including one or more base pointers, and a destination buffer associated with the function;
  
  identifying a particular one of the one or more base pointers as pointing to a first memory address greater than an address of the destination buffer;
  
  determining that the first address is a critical memory address based at least in part on identifying that the first memory address is greater than the address of the destination buffer;
  
  performing a comparison of expected contents of a first memory location identified by the first address with observed contents of the first memory location following an execution of the function based on the received call, wherein the comparison is performed based at least in part on determining that the first memory address is a critical memory address; and
  
  determining whether the received call corresponds to a potential buffer overflow attack based at least in part on the comparison.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Singh, Baibhav, Kashyap, Rahul
Primary Examiner(s)
PEARSON, DAVID J

Application Number

US12/775,773
Publication Number

US 20110277035A1
Time in Patent Office

1,257 Days
Field of Search

None
US Class Current

726/25
CPC Class Codes

G06F 21/52 during program execution, e...

Detection of malicious system calls

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of malicious system calls

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links