Automated protection against computer exploits

US 8,990,934 B2
Filed: 10/10/2012
Issued: 03/24/2015
Est. Priority Date: 02/24/2012
Status: Active Grant

First Claim

Patent Images

1. A method for protecting against exploits in a computer system utilizing a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory, the method comprising:

in response to a request by a process thread running in the computer system for allocation of a first portion of memory;

(a) recording an association of the process thread and the first portion of memory; and

(b) adjusting the memory access control arrangement to establish a limited access regime in which one of the write and execute privileges is disabled;

(c) monitoring the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the limited access regime;

(d) in response to an occurrence of a first exception corresponding to the first portion of the memory;

determining an exception type of the first exception;

performing an initial risk assessment of the process thread and its associated memory page to determine whether the attempted writing or execution is permitted, the initial risk assessment including at least one of;

an exploit signature check, heuristic analysis of exploits, emulation analysis of exploits, statistical risk rating analysis;

in response to the initial risk assessment determining that the attempted writing or execution is permitted, performing specialized exception processing wherein;

in response to the exception type being determined as a write exception, the process thread associated with the first portion of memory in the recording is looked up, and the process thread for a presence of malicious code is analyzed;

in response to the exception type being determined as an execute exception, content of the first portion of memory is analyzed for a presence of malicious code;

(e) in response to detection of a presence of malicious code as a result of the specialized exception processing, preventing execution of the malicious code;

(f) in response to a non-detection of any presence of malicious code as a result of the analyzing, permitting the attempted writing or execution and alternating the write and execute privileges to establish a new limited access regime;

(g) monitoring the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the new limited access regime and repeating (a)-(f) to determine the presence of any exploits from continued execution of the process thread.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Protection of a computer system against exploits. A computer system has a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory. An association of the process thread and the first portion of memory is recorded. A limited access regime in which one of the write and execute privileges is disabled, is established, and is monitored for any exceptions occurring due to attempted writing or execution in violation thereof. In response to the exception being determined as a write exception, the associated process thread is looked up, and analyzed for a presence of malicious code. In response to the exception type being determined as an execute exception, the first portion of memory is analyzed for a presence of malicious code. In response to detection of a presence of malicious code, execution of the malicious code is prevented.

Citations

24 Claims

1. A method for protecting against exploits in a computer system utilizing a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory, the method comprising:
- in response to a request by a process thread running in the computer system for allocation of a first portion of memory;
  
  (a) recording an association of the process thread and the first portion of memory; and
  
  (b) adjusting the memory access control arrangement to establish a limited access regime in which one of the write and execute privileges is disabled;
  
  (c) monitoring the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the limited access regime;
  
  (d) in response to an occurrence of a first exception corresponding to the first portion of the memory;
  
  determining an exception type of the first exception;
  
  performing an initial risk assessment of the process thread and its associated memory page to determine whether the attempted writing or execution is permitted, the initial risk assessment including at least one of;
  
  an exploit signature check, heuristic analysis of exploits, emulation analysis of exploits, statistical risk rating analysis;
  
  in response to the initial risk assessment determining that the attempted writing or execution is permitted, performing specialized exception processing wherein;
  
  in response to the exception type being determined as a write exception, the process thread associated with the first portion of memory in the recording is looked up, and the process thread for a presence of malicious code is analyzed;
  
  in response to the exception type being determined as an execute exception, content of the first portion of memory is analyzed for a presence of malicious code;
  
  (e) in response to detection of a presence of malicious code as a result of the specialized exception processing, preventing execution of the malicious code;
  
  (f) in response to a non-detection of any presence of malicious code as a result of the analyzing, permitting the attempted writing or execution and alternating the write and execute privileges to establish a new limited access regime;
  
  (g) monitoring the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the new limited access regime and repeating (a)-(f) to determine the presence of any exploits from continued execution of the process thread.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - in response to a non-detection of any presence of malicious code as a result of the analyzing, adjusting the data execution prevention privileges to permit only a privilege corresponding to the determined exception type.
  - 3. The method of claim 1, wherein recording the association of the process thread and the first portion of memory includes creating an entry in a memory operations database.
  - 4. The method of claim 3, wherein the entry in the memory operations database includes a thread identifier of the thread and an address of the first portion of memory.
  - 5. The method of claim 3, wherein the entry in the memory operations database includes a portion of a page table entry corresponding to the first portion of memory.
  - 6. The method of claim 1, wherein recording the association of the process thread and the first portion of memory is performed only in response to a request for allocation of the first portion of memory having both, write privileges, and execution privileges.
  - 7. The method of claim 1, wherein adjusting the data execution prevention privileges to establish a limited access regime includes initially enabling the write privileges while disabling the execute privileges.
  - 8. The method of claim 1, wherein the first portion of memory includes a memory page.
  - 9. The method of claim 1, wherein the analysis of either the contents of the first portion of memory, or the process thread, is initiated in response to a single exception.
  - 10. The method of claim 1, further comprising:
    - in response to the exception type being determined as a write exception, looking up a plurality of process threads that are associated with the first portion of memory in the recording, and analyzing each of the plurality of process threads for a presence of malicious code.
  - 11. The method of claim 1, wherein preventing execution of the malicious code includes termination of the process thread associated with the first portion of memory.

12. In a computer system having a memory access control arrangement configured to enforce at least write and execute privileges for allocated portions of memory, a protection system for protecting against exploits, the system comprising:
- a malware analysis module configured to detect malicious code of an exploit; and
  
  an interceptor module configured to detect a request by a process thread running in the computer system for allocation of a first portion of memory, the interceptor module further configured to;
  
  (a) record an association of the process thread and the first portion of memory;
  
  (b) adjust memory access control arrangement to establish a limited access regime in which one of the write and execute privileges is disabled;
  
  (c) monitor the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the limited access regime;
  
  (d) in response to an occurrence of a first exception corresponding to the first portion of the memory;
  
  determine an exception type of the first exception;
  
  perform an initial risk assessment of the process thread and its associated memory page to determine whether the attempted writing or execution is permitted, the initial risk assessment including at least one of;
  
  an exploit signature check, heuristic analysis of exploits, emulation analysis of exploits, statistical risk rating analysis;
  
  in response to the initial risk assessment determining that the attempted writing or execution is permitted, perform specialized exception processing wherein;
  
  in response to the exception type being determined as a write exception, the process thread associated with the first portion of memory in the recording is looked up, and the process thread for a presence of malicious code is analyzed;
  
  in response to the exception type being determined as an execute exception, content of the first portion of memory is analyzed for a presence of malicious code;
  
  wherein the malware analysis module is configured to;
  
  (e) in response to detection of a presence of malicious code as a result of the specialized exception processing, prevent execution of the malicious code;
  
  (f) in response to a non-detection of any presence of malicious code as a result of the analyzing, permit the attempted writing or execution and alternating the write and execute privileges to establish a new limited access regime;
  
  (g) monitor the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the new limited access regime and perform (a)-(f) to determine the presence of any exploits from continued execution of the process thread.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 13. The system of claim 12, wherein the interceptor module is further configured to adjust the data execution prevention privileges to permit only a privilege corresponding to the determined exception type in response to a non-detection of any presence of malicious code by the malware analysis module.
  - 14. The system of claim 12, wherein the interceptor module is further configured to record the association of the process thread and the first portion of memory as part of an entry in a memory operations database.
  - 15. The system of claim 14, wherein the entry in the memory operations database includes a thread identifier of the thread and an address of the first portion of memory.
  - 16. The system of claim 14, wherein the entry in the memory operations database includes a portion of a page table entry corresponding to the first portion of memory.
  - 17. The system of claim 12, wherein the interceptor module is further configured to record the association of the process thread and the first portion of memory only in response to a request for allocation of the first portion of memory having both, write privileges, and execution privileges.
  - 18. The system of claim 12, wherein the interceptor module is further configured to initially enable the write privileges while disabling the execute privileges in adjusting the data execution prevention privileges to establish a limited access regime.
  - 19. The system of claim 12, wherein the first portion of memory includes a memory page.
  - 20. The system of claim 12, wherein the interceptor module is configured to initiate analysis by the malware analysis module of either the contents of the first portion of memory, or the process thread, in response to a single exception.
  - 21. The system of claim 12, wherein the interceptor module is further configured to look up a plurality of process threads that are associated with the first portion of memory in response to the exception type being determined as a write exception, and causing the malware analysis module to analyze each of the plurality of process threads for a presence of malicious code.
  - 22. The system of claim 12, wherein the interceptor module is part of a driver of an operating system of the computer system.
  - 23. The system of claim 12, wherein the interceptor module is part of a memory dispatcher of an operating system of the computer system.

24. A non-transitory computer-readable storage medium comprising instructions that, when executed in a computer system having a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory, cause the computer system to:
- protect itself against exploits such that;
  
  in response to a request by a process thread running in the computer system for allocation of a first portion of memory;
  
  (a) an association of the process thread and the first portion of memory is recorded;
  
  (b) memory access control arrangement is adjusted to establish a limited access regime in which one of the write and execute privileges is disabled;
  
  (c) the memory access control arrangement is monitored for any exceptions occurring due to attempted writing or execution in violation of the limited access regime;
  
  (d) in response to an occurrence of a first exception corresponding to the first portion of the memory;
  
  an exception type of the first exception is determined;
  
  an initial risk assessment of the process thread and its associated memory page is performed to determine whether the attempted writing or execution is permitted, the initial risk assessment including at least one of;
  
  an exploit signature check, heuristic analysis of exploits, emulation analysis of exploits, statistical risk rating analysis;
  
  in response to the initial risk assessment determining that the attempted writing or execution is permitted, specialized exception processing is performed wherein;
  
  in response to the exception type being determined as a write exception, the process thread associated with the first portion of memory in the recording is looked up, and the process thread for a presence of malicious code is analyzed;
  
  in response to the exception type being determined as an execute exception, content of the first portion of memory I is analyzed for a presence of malicious code;
  
  (e) in response to detection of a presence of malicious code as a result of the specialized exception processing, execution of the malicious code is prevented;
  
  (f) in response to a non-detection of any presence of malicious code as a result of the analyzing, the attempted writing or execution is permitted and the write and execute privileges are alternated to establish a new limited access regime;
  
  (g) the memory access control arrangement is monitored for any exceptions occurring due to attempted writing or execution in violation of the new limited access regime and (a)-(f) are performed to determine the presence of any exploits from continued execution of the process thread.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Kaspersky Lab ZAO
Inventors
Pavlyushchik, Mikhail A.
Primary Examiner(s)
CHAO, MICHAEL W

Application Number

US13/648,863
Publication Number

US 20130227680A1
Time in Patent Office

895 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/554   involving event detection a...

G06F 21/78   to assure secure storage of...

Automated protection against computer exploits

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Automated protection against computer exploits

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links