Automated protection against computer exploits
First Claim
1. A method for protecting against exploits in a computer system utilizing a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory, the method comprising:
- in response to a request by a process thread running in the computer system for allocation of a first portion of memory:
  (a) recording an association of the process thread and the first portion of memory; and
  (b) adjusting the memory access control arrangement to establish a limited access regime in which one of the write and execute privileges is disabled;
  (c) monitoring the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the limited access regime;
  (d) in response to an occurrence of a first exception corresponding to the first portion of the memory:
    determining an exception type of the first exception;
    performing an initial risk assessment of the process thread and its associated memory page to determine whether the attempted writing or execution is permitted, the initial risk assessment including at least one of:
    an exploit signature check, heuristic analysis of exploits, emulation analysis of exploits, statistical risk rating analysis;
    in response to the initial risk assessment determining that the attempted writing or execution is permitted, performing specialized exception processing wherein:
    in response to the exception type being determined as a write exception, the process thread associated with the first portion of memory in the recording is looked up, and the process thread is analyzed for a presence of malicious code;
    in response to the exception type being determined as an execute exception, content of the first portion of memory is analyzed for a presence of malicious code;
  (e) in response to detection of a presence of malicious code as a result of the specialized exception processing, preventing execution of the malicious code;
  (f) in response to a non-detection of any presence of malicious code as a result of the analyzing, permitting the attempted writing or execution and alternating the write and execute privileges to establish a new limited access regime;
  (g) monitoring the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the new limited access regime and repeating (a)-(f) to determine the presence of any exploits from continued execution of the process thread.
Abstract
Protection of a computer system against exploits. A computer system has a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory. An association of the process thread and the first portion of memory is recorded. A limited access regime in which one of the write and execute privileges is disabled, is established, and is monitored for any exceptions occurring due to attempted writing or execution in violation thereof. In response to the exception being determined as a write exception, the associated process thread is looked up, and analyzed for a presence of malicious code. In response to the exception type being determined as an execute exception, the first portion of memory is analyzed for a presence of malicious code. In response to detection of a presence of malicious code, execution of the malicious code is prevented.
24 Claims
1. [Claim 1 as reproduced above under First Claim.] - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
12. In a computer system having a memory access control arrangement configured to enforce at least write and execute privileges for allocated portions of memory, a protection system for protecting against exploits, the system comprising:
- a malware analysis module configured to detect malicious code of an exploit; and
- an interceptor module configured to detect a request by a process thread running in the computer system for allocation of a first portion of memory, the interceptor module further configured to:
  (a) record an association of the process thread and the first portion of memory;
  (b) adjust the memory access control arrangement to establish a limited access regime in which one of the write and execute privileges is disabled;
  (c) monitor the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the limited access regime;
  (d) in response to an occurrence of a first exception corresponding to the first portion of the memory:
    determine an exception type of the first exception;
    perform an initial risk assessment of the process thread and its associated memory page to determine whether the attempted writing or execution is permitted, the initial risk assessment including at least one of:
    an exploit signature check, heuristic analysis of exploits, emulation analysis of exploits, statistical risk rating analysis;
    in response to the initial risk assessment determining that the attempted writing or execution is permitted, perform specialized exception processing wherein:
    in response to the exception type being determined as a write exception, the process thread associated with the first portion of memory in the recording is looked up, and the process thread is analyzed for a presence of malicious code;
    in response to the exception type being determined as an execute exception, content of the first portion of memory is analyzed for a presence of malicious code;
- wherein the malware analysis module is configured to:
  (e) in response to detection of a presence of malicious code as a result of the specialized exception processing, prevent execution of the malicious code;
  (f) in response to a non-detection of any presence of malicious code as a result of the analyzing, permit the attempted writing or execution and alternate the write and execute privileges to establish a new limited access regime;
  (g) monitor the memory access control arrangement for any exceptions occurring due to attempted writing or execution in violation of the new limited access regime and perform (a)-(f) to determine the presence of any exploits from continued execution of the process thread.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
24. A non-transitory computer-readable storage medium comprising instructions that, when executed in a computer system having a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory, cause the computer system to:
- protect itself against exploits such that:
  in response to a request by a process thread running in the computer system for allocation of a first portion of memory:
  (a) an association of the process thread and the first portion of memory is recorded;
  (b) the memory access control arrangement is adjusted to establish a limited access regime in which one of the write and execute privileges is disabled;
  (c) the memory access control arrangement is monitored for any exceptions occurring due to attempted writing or execution in violation of the limited access regime;
  (d) in response to an occurrence of a first exception corresponding to the first portion of the memory:
    an exception type of the first exception is determined;
    an initial risk assessment of the process thread and its associated memory page is performed to determine whether the attempted writing or execution is permitted, the initial risk assessment including at least one of:
    an exploit signature check, heuristic analysis of exploits, emulation analysis of exploits, statistical risk rating analysis;
    in response to the initial risk assessment determining that the attempted writing or execution is permitted, specialized exception processing is performed wherein:
    in response to the exception type being determined as a write exception, the process thread associated with the first portion of memory in the recording is looked up, and the process thread is analyzed for a presence of malicious code;
    in response to the exception type being determined as an execute exception, content of the first portion of memory is analyzed for a presence of malicious code;
  (e) in response to detection of a presence of malicious code as a result of the specialized exception processing, execution of the malicious code is prevented;
  (f) in response to a non-detection of any presence of malicious code as a result of the analyzing, the attempted writing or execution is permitted and the write and execute privileges are alternated to establish a new limited access regime;
  (g) the memory access control arrangement is monitored for any exceptions occurring due to attempted writing or execution in violation of the new limited access regime and (a)-(f) are performed to determine the presence of any exploits from continued execution of the process thread.
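The allocate, fault and alternate procedure that claims 1, 12 and 24 describe, modelled as an added Python example that is not part of the patent or of any product built on it: a region starts write-only, every access outside the current regime raises an exception, a write exception sends the owning thread to analysis while an execute exception sends the page content, and a clean result flips the single enabled privilege. The signature bytes, the exception-count threshold standing in for the statistical risk rating, and the per-thread code images are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

SIGNATURES = (b"<CONSTRUCTED-SIG>",)  # constructed stand-in, not a real malware pattern
MAX_EXCEPTIONS = 8  # assumed statistical risk threshold: too many W/X flips on one region

class Perm(Enum):
    WRITE = "write"
    EXEC = "execute"

@dataclass
class Region:
    thread_id: int        # (a) owning thread, recorded at allocation
    perm: Perm            # the single enabled privilege (the limited access regime)
    content: bytearray
    exceptions: int = 0   # counted for the statistical risk rating

@dataclass
class Protector:
    threads: dict = field(default_factory=dict)  # thread_id -> thread code image (bytes)
    regions: dict = field(default_factory=dict)  # base address -> Region

    def allocate(self, thread_id, base, size):
        # (a) record the thread/region association; (b) start in a write-only regime
        self.regions[base] = Region(thread_id, Perm.WRITE, bytearray(size))

    @staticmethod
    def _malicious(data):
        # malware analysis module, modelled here as a plain signature check
        return any(sig in data for sig in SIGNATURES)

    def access(self, base, kind, payload=b""):
        # (c)/(d) a thread writes to or executes the region; returns the decision
        region = self.regions[base]
        decision = "permitted"                    # in-regime access raises no exception
        if region.perm is not kind:               # exception: access violates the regime
            region.exceptions += 1
            if region.exceptions > MAX_EXCEPTIONS:  # initial risk assessment (statistical)
                return "denied:risk"
            # specialized processing: a write fault inspects the owning thread,
            # an execute fault inspects the page content that is about to run
            subject = self.threads[region.thread_id] if kind is Perm.WRITE else region.content
            if self._malicious(subject):
                return "denied:malicious"         # (e) prevent execution of malicious code
            region.perm = kind                    # (f) alternate W/X to form the new regime
            decision = "permitted:flipped"
        if kind is Perm.WRITE:                    # carry out the permitted write
            region.content[:len(payload)] = payload[:len(region.content)]
        return decision
```

Note that the same region can pass an execute exception and later fail one: the content check runs each time the regime is violated, so a signature written in after a clean execute is caught on the next execute exception.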
Specification