Enforcing expected control flow in program execution
First Claim

1. A computer implemented method for enforcing control flow in an execution of a program, the method comprising the steps of:
- preventing, by a computer, jumps between code pages in the execution of a program until verified against a control flow graph by setting all code pages of the program except a code page containing an entry point to be non-executable;
- causing, by a computer, an exception handler to process an exception responsive to each attempted jump between code pages, and prior to execution of a destination code page;
- responsive to an exception resulting from an attempted jump between code pages in the execution of the program, processing, by a computer, the exception by referring to the control flow graph concerning the program to determine whether the attempted jump between code pages is expected according to the control flow graph; and
- responsive to at least whether the attempted jump between code pages is expected according to the control flow graph, determining, by a computer, whether the program is attempting a malicious action.
2 Assignments
0 Petitions
Abstract
When a program is loaded for execution, all code pages of the program except the one containing the entry point are set to be non-executable. When the executing program attempts to jump between code pages, an exception is thrown. Responsive to such an exception, a control flow graph of the program is examined, to determine if the attempted jump between code pages is expected. If the attempted jump is not expected, it is determined that the program is attempting a malicious activity. If the attempted jump is expected, the code page to which the program is attempting to jump is set to be executable, and control is returned to the program such that the jump executes.
49 Citations
32 Claims
15. A system for enforcing control flow in an execution of a program, the system comprising:
- hardware implemented control flow circuitry configured to prevent jumps between code pages in the execution of a program until verified against a control flow graph by setting all code pages of the program except a code page containing an entry point to be non-executable and cause an exception handler to process an exception responsive to each attempted jump between code pages, and prior to execution of a destination code page;
- a set of hardware implemented registers configured to track an executable status of each code page of the program; and
- hardware implemented exception handling circuitry, configured to process the exception by referring to a control flow graph concerning the program responsive to an exception resulting from an attempted jump between code pages in the execution of the program and to determine whether the attempted jump between code pages is expected according to the control flow graph;
- wherein the exception handling circuitry is further configured, in response to determining that the attempted jump between code pages is not expected, to perform at least one additional step from a group of steps consisting of: not permitting the attempted jump to execute, transmitting an alert to a central security service, transmitting an alert to a user, activating an anti-malware application, terminating the program, and modifying the program; and
- wherein the exception handling circuitry is further configured, in response to determining that the attempted jump between code pages is expected, to allow the jump to execute by setting the code page to which the program is attempting to jump to be executable and returning control to the program such that the attempted jump executes.
23. At least one non-transitory computer readable medium storing a computer program product for enforcing control flow in an execution of a program, the computer program product comprising:
- program code for preventing jumps between code pages in the execution of a program until verified against a control flow graph by setting all code pages of the program except a code page containing an entry point to be non-executable;
- program code for causing an exception handler to process an exception responsive to each attempted jump between code pages, and prior to execution of a destination code page;
- program code for, responsive to an exception resulting from an attempted jump between code pages in the execution of the program, processing the exception by referring to the control flow graph concerning the program to determine whether the attempted jump between code pages is expected according to the control flow graph;
- program code for, responsive to determining that the attempted jump between code pages is not expected, determining that the program is attempting a malicious action; and
- program code for, responsive to determining that the attempted jump between code pages is expected, determining that the program is not attempting a malicious action and allowing the jump to execute.
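The load-time and exception-handling steps that the abstract and independent claims 1, 15 and 23 describe, as an added Python simulation that is not part of the patent and not code from any product implementing it. The page numbers, the page-granular control flow graph and the jump traces are constructed for the demonstration; `load_program`, `handle_exception`, `execute_jump`, `run_trace` and `demo` are hypothetical names chosen here. The `executable` dictionary plays the role of the per-page executable status (the tracking registers of claim 15), and the `alerts` list stands in for the alert and terminate responses listed there.

```python
"""Page-granular control-flow enforcement, simulated (added example, not the patent's code)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Program:
    """Loaded program state: the CFG and the executable status of each code page."""
    entry_page: int
    # Control flow graph at page granularity: source page -> pages it may jump to.
    cfg: dict[int, set[int]]
    # Executable status per code page (the tracking registers of claim 15).
    executable: dict[int, bool] = field(default_factory=dict)
    # Alerts raised by the exception handler (stands in for alert/terminate responses).
    alerts: list[str] = field(default_factory=list)


def load_program(pages: list[int], entry_page: int, cfg: dict[int, set[int]]) -> Program:
    """Load step: every code page is set non-executable except the entry page."""
    prog = Program(entry_page=entry_page, cfg=cfg)
    for page in pages:
        prog.executable[page] = page == entry_page
    return prog


def handle_exception(prog: Program, src: int, dst: int) -> str:
    """Exception handler run when execution tries to enter a non-executable page.

    If the CFG expects the edge src -> dst, the destination page is made
    executable and control returns to the program ('allowed').  Otherwise the
    jump is treated as a malicious action: it is not permitted and an alert is
    recorded ('blocked').
    """
    if dst in prog.cfg.get(src, set()):
        prog.executable[dst] = True
        return "allowed"
    prog.alerts.append(f"unexpected inter-page jump {src} -> {dst}")
    return "blocked"


def execute_jump(prog: Program, src: int, dst: int) -> str:
    """One attempted transfer between code pages.

    A destination page that is already executable runs without an exception
    ('direct'); only entry into a non-executable page faults into the handler.
    """
    if prog.executable.get(dst, False):
        return "direct"
    return handle_exception(prog, src, dst)


def run_trace(prog: Program, trace: list[tuple[int, int]]) -> list[str]:
    """Drive a sequence of (src, dst) jumps, stopping at the first blocked one."""
    decisions: list[str] = []
    for src, dst in trace:
        decision = execute_jump(prog, src, dst)
        decisions.append(decision)
        if decision == "blocked":
            break  # terminate the program, one of the responses listed in claim 15
    return decisions


# Constructed demo: four code pages, entry on page 0.  Page 3 is not a
# legitimate jump target from any page in this hypothetical CFG.
PAGES = [0, 1, 2, 3]
ENTRY = 0
CFG = {0: {1}, 1: {0, 2}, 2: {1}}


def demo() -> dict[str, object]:
    benign = load_program(PAGES, ENTRY, CFG)
    benign_decisions = run_trace(benign, [(0, 1), (1, 2), (2, 1), (1, 0)])

    suspicious = load_program(PAGES, ENTRY, CFG)
    suspicious_decisions = run_trace(suspicious, [(0, 1), (1, 3), (3, 0)])

    return {
        "benign": benign_decisions,                    # ['allowed', 'allowed', 'direct', 'direct']
        "suspicious": suspicious_decisions,            # ['allowed', 'blocked'], trace stops
        "page3_executable": suspicious.executable[3],  # False: page 3 was never enabled
        "alerts": suspicious.alerts,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the benign trace only the first entry into pages 1 and 2 faults and is checked; the later jumps 2 -> 1 and 1 -> 0 land on pages that are already executable and run without an exception. That is the behaviour the abstract describes (the page is set executable and control returns so the jump executes), and it also means the check is made once per page rather than once per jump: after page 2 has been enabled by an expected edge, a later jump into it from a page the CFG does not list is no longer seen by the handler, which is the caveat a practitioner evaluating the mechanism would want to keep in mind.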
Specification