System and methods for run time detection and correction of memory corruption

US 8,966,312 B1
Filed: 08/09/2013
Issued: 02/24/2015
Est. Priority Date: 02/09/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting an application layer memory corruption of at least one portion of a control section of original memory by malicious code during run-time, where the application layer memory corruption affects execution flow of an application when otherwise left uncorrected, wherein detecting includes performing at least two different invariant checks at run-time, each invariant check including (a) capturing a state of one or more registers and at least one portion of a data segment of the control section prior to execution of a function call, (b) checking the state after the execution of the function call against the captured state and (c) declaring application layer memory corruption if the checked state and the captured state do not match; and

reporting the application layer memory corruption to a user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method or apparatus detects a memory corruption of at least one portion of memory during run-time and corrects the memory corruption of the at least one portion of memory by replacing the at least one portion of memory with a backup of the at least one portion of memory. In this way, memory corruption can be corrected in a timely fashion while minimizing security risks.

Citations

16 Claims

1. A method comprising:
- detecting an application layer memory corruption of at least one portion of a control section of original memory by malicious code during run-time, where the application layer memory corruption affects execution flow of an application when otherwise left uncorrected, wherein detecting includes performing at least two different invariant checks at run-time, each invariant check including (a) capturing a state of one or more registers and at least one portion of a data segment of the control section prior to execution of a function call, (b) checking the state after the execution of the function call against the captured state and (c) declaring application layer memory corruption if the checked state and the captured state do not match; and
  
  reporting the application layer memory corruption to a user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - identifying an intention to corrupt the at least one portion of the control section of original memory by a process; and
      
      intercepting the process, during run-time, to prevent corruption of the at least one portion of the control section of original memory.
  - 3. The method of claim 1 further comprising creating a backup of the at least one portion of the control section of original memory.
  - 4. The method of claim 1 wherein detecting the application layer memory corruption of the at least one portion of the control section of original memory comprises comparing a run-time signature of a program or library file with a valid signature during load-time.
  - 5. The method of claim 1 wherein detecting the application layer memory corruption of the control section of original memory comprises comparing computer program instructions in the memory with non-corrupted computer program instructions.
  - 6. The method of claim 1 wherein detecting the application layer memory corruption of the control section of original memory comprises monitoring program code execution to identify an abnormality.
  - 7. The method of claim 1 further comprising notifying a user of a security risk pertaining to program code that is permitting the memory corruption of a security risk.
  - 8. The method of claim 1 further comprising correcting the application layer memory corruption of the at least one portion of the control section of original memory, during run-time, by replacing the at least one portion of corrupted memory with a backup of the at least one portion of the control section of original memory to prevent the malicious code from ever executing.

9. An apparatus comprising:
- a processor configured to execute a process;
  
  the process configured to detect an application layer memory corruption of at least one portion of a control section of original memory by malicious code during run-time, where the application layer memory corruption affects execution flow of an application when otherwise left uncorrected, wherein detecting includes performing at least two different invariant checks from a set of invariant checks at run-time, each invariant check including (a) capturing a state of one or more registers and at least one portion of a data segment of the control section prior to execution of a function call, (b) checking the state after the execution of the function call against the captured state and (c) declaring application layer memory corruption if the checked state and the captured state do not match; and
  
  the process configured to report the application layer memory corruption to a user, a log file, a recovery software module or a combination thereof.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9 wherein the process is further configured to:
    - identify an intention to corrupt the at least one portion of the control section of original memory by the process; and
      
      intercept the process, during run-time, to prevent corruption of the at least one portion of the control section of original memory.
  - 11. The apparatus of claim 9 wherein the process is further configured to create a backup of the at least one portion of the control section of original memory.
  - 12. The apparatus of claim 9 wherein the process is further configured to compare a run-time signature of a program or library file with a valid signature during load-time.
  - 13. The apparatus of claim 9 wherein the process is further configured to compare computer program instructions in the memory with non-corrupted computer program instructions.
  - 14. The apparatus of claim 9 wherein the process is further configured to monitor program code execution to identify an abnormality.
  - 15. The apparatus of claim 9 wherein the process is further configured to notify a user of a security risk pertaining to program code that is permitting the application layer memory corruption.
  - 16. The apparatus of claim 9 wherein the process is further configured to correct the application layer memory corruption of the at least one portion of the control section of original memory, during run-time, by replacing the at least one portion of corrupted memory with a backup of the at least one portion of the control section of original memory to prevent the malicious code from ever executing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Virsec Systems, Inc.
Original Assignee
Virsec Systems, Inc.
Inventors
Gupta, Satya V., Shenoy, Prashant
Primary Examiner(s)
Truong, Loan L. T.

Application Number

US13/963,365
Time in Patent Office

564 Days
Field of Search

714/15, 714/25, 714/42, 714/21, 717/138
US Class Current

714/15
CPC Class Codes

G06F 11/073   in a memory management cont...

G06F 11/0751   Error or fault detection no...

G06F 11/1004   to protect a block of data ...

G06F 11/1451   by selection of backup cont...

G06F 11/1469   Backup restoration techniques

G06F 11/1666   where the redundant compone...

G06F 21/56   Computer malware detection ...

G06F 2201/86   Event-based monitoring

System and methods for run time detection and correction of memory corruption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods for run time detection and correction of memory corruption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links