System and method for sampling forensic data of unauthorized activities using executability states
First Claim
1. A computer implemented method of identifying unauthorized activities on a computer system, said computer system comprising:
- one or more processors; and
memory segmented into multiple pages, said memory storing one or more programs for execution by the one or more processors, said method comprising:
locating a list of target addresses;
while executing at least one of the one or more programs:
in response to detecting a request to execute an instruction located at a first address of a first page:
locating a first page table entry corresponding to the first page, the first page table entry having a first executability state; and
determining the first executability state;
when the first executability state is non-executable, identifying a first set of one or more target addresses in the list of target addresses that correspond to the first page;
identifying a second set of one or more target addresses in the list that correspond to one or more pages other than the first page;
storing one or more target addresses of the first set of target addresses in breakpoint registers of the computer system, each breakpoint register configured to store an address of a respective breakpoint in the memory;
setting the first executability state of the first page table entry as executable; and
setting the executability states of page table entries that correspond to the second set of target addresses as non-executable; and
when the first address corresponds to one of the target addresses stored in the breakpoint registers, recording forensic data associated with the request to execute the instruction located at the first address.
Abstract
A method includes receiving a list of target addresses, locating a first page table entry corresponding to the first page, and determining the first executability state. When the first executability state is non-executable, a first set of one or more target addresses that correspond to the first page, and a second set of one or more target addresses that correspond to one or more pages other than the first page are identified. One or more target addresses are stored in breakpoint registers of the computer system. The first executability state of the first page table entry is set as executable, and the executability states of page table entries that correspond to the second set of target addresses are set as non-executable. When the first address matches one of the target addresses stored in the breakpoint registers, forensic data is recorded.
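The abstract and the claims describe a sampling loop: pages that hold monitored addresses are kept non-executable, the resulting execute fault tells the monitor which page the program has just entered, the few hardware breakpoint registers are reloaded with that page's targets, and the page is flipped to executable while the other target pages are flipped back to non-executable. The Python model below is an added illustration, not code from the patent or its assignee; the page size, the "lowest address first" selection rule used when a page holds more targets than there are breakpoint registers (claim 13 only says "predefined criteria"), the trace of instruction fetches and the target list are all constructed here. The same `on_execute` handler stands in for the virtual machine monitor of claims 17 to 20, which owns the page table entry and records when a fetch hits the non-executable page.

```python
"""Simulation of forensic sampling with page executability states and breakpoint registers.

Added illustration of the claimed method; constructed inputs, not the patent's own code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PAGE_SIZE = 0x1000  # assumed 4 KiB pages


@dataclass
class PageTableEntry:
    executable: bool = True  # the "executability state" of the claims


@dataclass
class Monitor:
    target_addresses: List[int]          # the list of target addresses (claim 1)
    num_breakpoint_regs: int             # hardware breakpoint registers available
    page_table: Dict[int, PageTableEntry] = field(default_factory=dict)
    breakpoint_regs: List[int] = field(default_factory=list)
    forensic_log: List[dict] = field(default_factory=list)

    def page_of(self, addr: int) -> int:
        return addr // PAGE_SIZE

    def pte(self, page: int) -> PageTableEntry:
        return self.page_table.setdefault(page, PageTableEntry())

    def arm(self) -> None:
        """Initial state: every page containing a target address is non-executable."""
        for addr in self.target_addresses:
            self.pte(self.page_of(addr)).executable = False

    def select_breakpoints(self, first_set: List[int]) -> List[int]:
        """Claim 13: when a page holds more targets than registers, keep a subset.
        The selection criterion (lowest addresses first) is an assumption for this model."""
        if len(first_set) > self.num_breakpoint_regs:
            return sorted(first_set)[: self.num_breakpoint_regs]
        return list(first_set)

    def on_execute(self, addr: int) -> str:
        """Called for each instruction fetch at addr. Returns 'recorded' or 'ok'."""
        page = self.page_of(addr)
        entry = self.pte(page)
        if not entry.executable:
            # Execute fault on a non-executable page: reload breakpoints for this page
            first_set = [a for a in self.target_addresses if self.page_of(a) == page]
            second_set = [a for a in self.target_addresses if self.page_of(a) != page]
            self.breakpoint_regs = self.select_breakpoints(first_set)
            entry.executable = True                      # let this page run
            for a in second_set:                         # re-arm the other target pages
                self.pte(self.page_of(a)).executable = False
        if addr in self.breakpoint_regs:
            # Breakpoint hit on a target address: record forensic data
            self.forensic_log.append({"address": addr, "page": page,
                                      "breakpoints": list(self.breakpoint_regs)})
            return "recorded"
        return "ok"


def run_trace(monitor: Monitor, trace: List[int]) -> List[str]:
    """Feed a sequence of fetched instruction addresses through the monitor."""
    monitor.arm()
    return [monitor.on_execute(addr) for addr in trace]


def demo() -> Tuple[List[str], List[int], Dict[int, bool]]:
    """Constructed scenario: six targets on three pages, only two breakpoint registers."""
    targets = [0x1010, 0x1020, 0x2000, 0x3040, 0x3050, 0x3060]
    trace = [0x1000, 0x1010, 0x1030, 0x2000, 0x3040, 0x3060, 0x1020]
    mon = Monitor(target_addresses=targets, num_breakpoint_regs=2)
    statuses = run_trace(mon, trace)
    recorded = [e["address"] for e in mon.forensic_log]
    exec_state = {p: pte.executable for p, pte in sorted(mon.page_table.items())}
    return statuses, recorded, exec_state


if __name__ == "__main__":
    statuses, recorded, exec_state = demo()
    print("fetch results :", statuses)
    print("recorded hits :", [hex(a) for a in recorded])
    print("pages executable at end:", exec_state)
```

Running the scenario shows the sampling trade-off the claims accept: the fetch at 0x3060 is not recorded because page 3 holds three targets and only two registers exist, so only the subset chosen by the predefined criteria is captured until execution leaves and re-enters the page. At any moment exactly one target page is executable, which is what keeps the number of faults proportional to page transitions rather than to every target hit.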
75 Citations
20 Claims
1. A computer implemented method of identifying unauthorized activities on a computer system, said computer system comprising:
- one or more processors; and
memory segmented into multiple pages, said memory storing one or more programs for execution by the one or more processors, said method comprising:
locating a list of target addresses;
while executing at least one of the one or more programs:
in response to detecting a request to execute an instruction located at a first address of a first page:
locating a first page table entry corresponding to the first page, the first page table entry having a first executability state; and
determining the first executability state;
when the first executability state is non-executable, identifying a first set of one or more target addresses in the list of target addresses that correspond to the first page;
identifying a second set of one or more target addresses in the list that correspond to one or more pages other than the first page;
storing one or more target addresses of the first set of target addresses in breakpoint registers of the computer system, each breakpoint register configured to store an address of a respective breakpoint in the memory;
setting the first executability state of the first page table entry as executable; and
setting the executability states of page table entries that correspond to the second set of target addresses as non-executable; and
when the first address corresponds to one of the target addresses stored in the breakpoint registers, recording forensic data associated with the request to execute the instruction located at the first address.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.

13. A computer implemented method of identifying unauthorized activities on a computer system, said computer system comprising:
- one or more processors; and
memory segmented into multiple pages, said memory storing one or more programs for execution by the one or more processors, said method comprising:
locating a list of target addresses;
while executing at least one of the one or more programs:
in response to detecting a request to execute an instruction located at a first address of a first page:
locating a first page table entry corresponding to the first page, the first page table entry having a first executability state; and
determining the first executability state;
when the first executability state is non-executable:
identifying a first set of one or more target addresses in the list of target addresses that correspond to the first page;
identifying a second set of one or more target addresses in the list that correspond to one or more pages other than the first page;
storing one or more target addresses of the first set of target addresses in breakpoint registers of the computer system, each breakpoint register configured to store an address of a respective breakpoint in the memory, including:
determining whether a number of addresses in the first set of target addresses exceeds a number of the breakpoint registers;
when the number of addresses in the first set of target addresses exceeds the number of the breakpoint registers: selecting a subset of target addresses from the first set of target addresses in accordance with predefined criteria, the predefined criteria comprising at least the number of the breakpoint registers; and storing the subset of target addresses in the breakpoint registers; and
when the number of addresses in the first set of target addresses does not exceed the number of the breakpoint registers, storing the first set of target addresses in the breakpoint registers;
setting the first executability state of the first page table entry as executable; and
setting the executability states of page table entries that correspond to the second set of target addresses as non-executable; and
when the first address corresponds to one of the target addresses stored in the breakpoint registers, recording forensic data associated with the request to execute the instruction located at the first address.
Dependent claims: 14.

15. A computer system, comprising:
one or more processors;
memory segmented into multiple pages, said memory storing: one or more programs for execution by the one or more processors; at least one page table comprising multiple page table entries, each page table entry (i) comprising an executability state, and (ii) corresponding to a respective page of the multiple pages; and a list of target addresses; and
one or more breakpoint registers, each configured to store an address of a respective breakpoint in the memory,
wherein the one or more programs include instructions for:
while executing the at least one program:
in response to detecting a request to execute an instruction located at a first address of a first page:
locating a first page table entry associated with the first address; and
determining a first executability state of the first page table entry;
when the first executability state is non-executable:
identifying a first set of one or more target addresses in the list of target addresses that correspond to the first page;
identifying a second set of one or more target addresses in the list that correspond to one or more pages other than the first page;
storing at least some of the first set of target addresses in the breakpoint registers;
setting the first executability state of the first page table entry as executable; and
setting the executability states of page table entries that correspond to the second set of target addresses as non-executable; and
when the first address corresponds to one of the target addresses stored in the breakpoint registers, recording forensic data associated with the request to execute an instruction located at the first address.

16. A non-transitory computer readable storage medium storing one or more programs for execution by one or more processors of a computer system having memory segmented into multiple pages, the one or more programs comprising instructions for:
receiving a list of target addresses;
while executing at least one of the one or more programs:
in response to detecting a request to execute an instruction located at a first address of a first page:
locating a first page table entry corresponding to the first page, the first page table entry having a first executability state; and
determining the first executability state;
when the first executability state is non-executable:
identifying a first set of one or more target addresses in the list of target addresses that correspond to the first page;
identifying a second set of one or more target addresses in the list that correspond to one or more pages other than the first page;
storing one or more target addresses of the first set of target addresses in breakpoint registers of the computer system, each breakpoint register configured to store an address of a respective breakpoint in the memory;
setting the first executability state of the first page table entry as executable; and
setting the executability states of page table entries that correspond to the second set of target addresses as non-executable; and
when the first address corresponds to one of the target addresses stored in the breakpoint registers, recording forensic data associated with the request to execute an instruction located at the first address.

17. A computer implemented method of sampling data for identifying unauthorized activities on a computer system, the computer system having one or more processors and memory segmented into multiple pages, said memory storing one or more programs, the method comprising:
running one or more virtual machines and at least one virtual machine monitor; and
at the at least one virtual machine monitor:
receiving a first virtual memory address used in one of the one or more virtual machines;
identifying a first page corresponding to the first virtual memory address and a first page table entry corresponding to the first page, the first page table entry having an executability state and being associated with the virtual machine monitor;
setting the executability state of the first page table entry as non-executable; and
in response to detecting a request to execute an instruction located at a second virtual memory address that corresponds to the first page table entry, recording forensic data associated with the request to execute the instruction located at the second virtual memory address.
Dependent claims: 18.

19. A computer system, comprising:
one or more processors; and
memory segmented into multiple pages, said memory storing: one or more virtual machines; a virtual machine monitor running the one or more virtual machines; and at least one page table comprising multiple page table entries, each page table entry (i) comprising an executability state, and (ii) corresponding to a respective page of the multiple pages; and one or more programs comprising instructions for:
at the at least one virtual machine monitor:
receiving a first virtual memory address used in one of the one or more virtual machines;
identifying a first page table entry corresponding to the first virtual memory address, the first page table entry having an executability state and being associated with the virtual machine monitor;
setting the executability state of the first page table entry as non-executable;
in response to detecting a request to execute an instruction located at a second virtual memory address that corresponds to the first page table entry, recording forensic data associated with the request to execute the instruction located at the second virtual memory address.

20. A non-transitory computer readable storage medium storing one or more programs for execution by one or more processors of a computer system having memory segmented into multiple pages, the one or more programs comprising instructions for:
running one or more virtual machines and at least one virtual machine monitor; and
at the at least one virtual machine monitor:
receiving a first virtual memory address used in one of the one or more virtual machines;
identifying a first page corresponding to the first virtual memory address and a first page table entry corresponding to the first page, the first page table entry having an executability state and being associated with the virtual machine monitor;
setting the executability state of the first page table entry as non-executable;
in response to detecting a request to execute an instruction located at a second virtual memory address that corresponds to the first page table entry, recording forensic data associated with the request to execute the instruction located at the second virtual memory address.