
Automated protection against computer exploits

  • US 8,990,934 B2
  • Filed: 10/10/2012
  • Issued: 03/24/2015
  • Est. Priority Date: 02/24/2012
  • Status: Active Grant
First Claim

1. A method for protecting against exploits in a computer system utilizing a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory, the method comprising:

  • in response to a request by a process thread running in the computer system for allocation of a first portion of memory:

    (a) recording an association of the process thread and the first portion of memory; and

    (b) adjusting the memory access control arrangement to establish a limited access regime in which one of the write and execute privileges is disabled;

    (c) monitoring the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the limited access regime;

    (d) in response to an occurrence of a first exception corresponding to the first portion of the memory:

      determining an exception type of the first exception;

      performing an initial risk assessment of the process thread and its associated memory page to determine whether the attempted writing or execution is permitted, the initial risk assessment including at least one of: an exploit signature check, heuristic analysis of exploits, emulation analysis of exploits, statistical risk rating analysis;

      in response to the initial risk assessment determining that the attempted writing or execution is permitted, performing specialized exception processing wherein:

        in response to the exception type being determined as a write exception, the process thread associated with the first portion of memory in the recording is looked up, and the process thread is analyzed for a presence of malicious code;

        in response to the exception type being determined as an execute exception, content of the first portion of memory is analyzed for a presence of malicious code;

    (e) in response to detection of a presence of malicious code as a result of the specialized exception processing, preventing execution of the malicious code;

    (f) in response to a non-detection of any presence of malicious code as a result of the analyzing, permitting the attempted writing or execution and alternating the write and execute privileges to establish a new limited access regime;

    (g) monitoring the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the new limited access regime and repeating (a)-(f) to determine the presence of any exploits from continued execution of the process thread.
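The exception loop of steps (a)-(g), as an added Python model that is not the patent's own code: page addresses, the threads' code images and the signature bytes are constructed, and a signature check plus a nop-sled heuristic stand in for the claim's initial risk assessment and specialized exception processing.

```python
EXPLOIT_SIGNATURE = b"\xcc\x90\x90\xcc"  # constructed placeholder for the signature check
NOP = 0x90                                # byte counted by the nop-sled heuristic

def signature_hit(blob):
    return EXPLOIT_SIGNATURE in bytes(blob)

def nop_sled(blob, threshold=16):
    # Heuristic analysis: a long run of NOP bytes is treated as suspicious.
    run = 0
    for b in blob:
        run = run + 1 if b == NOP else 0
        if run >= threshold:
            return True
    return False

class Page:
    def __init__(self, owner, size):
        self.owner = owner           # (a) thread recorded at allocation
        self.content = bytearray(size)
        self.regime = "W"            # (b) the single privilege enabled: "W" or "X"
        self.blocked = False         # (e) set once malicious code is detected

class Monitor:
    def __init__(self, thread_images):
        self.thread_images = thread_images  # thread id -> that thread's code bytes (constructed)
        self.pages, self.next_base = {}, 0x10000

    def allocate(self, thread_id, size):
        base, self.next_base = self.next_base, self.next_base + 0x1000
        self.pages[base] = Page(thread_id, size)
        return base

    def access(self, base, kind, data=b""):
        """Attempt a write ("W") or execute ("X"); returns "permitted" or "blocked".
        An access that violates the current regime takes the exception path (c)-(g)."""
        page = self.pages[base]
        if page.blocked:
            return "blocked"
        if kind != page.regime:                                   # (c) exception raised
            thread_code = self.thread_images[page.owner]          # look-up from (a)
            # (d) initial risk assessment: signature check on thread and page, then
            # specialized processing keyed on the exception type: the heuristic runs on
            # the owning thread for a write exception, on page content for an execute one
            target = thread_code if kind == "W" else page.content
            if signature_hit(thread_code) or signature_hit(page.content) or nop_sled(target):
                page.blocked = True                               # (e) prevent execution
                return "blocked"
            page.regime = kind                                    # (f) alternate W/X
        if kind == "W":
            page.content[:len(data)] = data
        return "permitted"
```

Each access that violates the current regime flips it, so a page that is alternately written and executed takes the exception path on every transition, which is the loop step (g) describes.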

  • 2 Assignments