Methods, systems, and computer readable media for detecting injected machine code

US 9,305,165 B2
Filed: 05/07/2012
Issued: 04/05/2016
Est. Priority Date: 05/06/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A method for detecting injected machine code, the method comprising:

extracting data content from a buffer;

providing an operating system kernel configured to detect injected machine code;

executing, using the operating system kernel, the data content on a physical processor;

monitoring, using the operating system kernel, the execution of the data content to determine whether the data content contains injected machine code indicative of a code injection attack; and

generating output specifying at least one of whether injected machine code was detected, a location in the buffer where injected machine code was detected, and a log of actions performed by detected injected machine code.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one aspect, the subject matter described herein includes a method for detecting injected machine code. The method includes extracting data content from a buffer. The method also includes providing an operating system kernel configured to detect injected machine code. The method further includes executing, using the operating system kernel, the data content on a physical processor. The method further includes monitoring, using the operating system kernel, the execution of the data content to determine whether the data content contains injected machine code indicative of a code injection attack.

Citations

23 Claims

1. A method for detecting injected machine code, the method comprising:
- extracting data content from a buffer;
  
  providing an operating system kernel configured to detect injected machine code;
  
  executing, using the operating system kernel, the data content on a physical processor;
  
  monitoring, using the operating system kernel, the execution of the data content to determine whether the data content contains injected machine code indicative of a code injection attack; and
  
  generating output specifying at least one of whether injected machine code was detected, a location in the buffer where injected machine code was detected, and a log of actions performed by detected injected machine code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the buffer is associated with at least one of a heap object, a network stream, a user file, and a multimedia platform object.
  - 3. The method of claim 1 wherein executing the data content includes initiating execution from different offsets in the buffer.
  - 4. The method of claim 1 wherein executing the data content includes utilizing hardware virtualization.
  - 5. The method of claim 4 wherein the hardware virtualization mediates processor events that cause a change in system state and allows guest instruction execution to occur directly on the processor.
  - 6. The method of claim 1 wherein monitoring the execution of the data content includes tracing specific memory reads, writes, and executions via hardware-supported paging mechanisms.
  - 7. The method of claim 1 wherein monitoring the execution of the data content includes flagging execution chains that do not cause execution faults.
  - 8. The method of claim 1 wherein the operating system kernel is optimized for detecting injected machine code.
  - 9. The method of claim 8 wherein the operating system kernel is configured to implement an arbitrary, operator defined, analysis heuristic for determining whether the instructions contain injected machine code indicative of a code injection attack.
  - 10. The method of claim 9 wherein the analysis heuristic traces memory accesses to specific predefined locations.
  - 11. The method of claim 1 comprising taking a snapshot of memory contents of processes at the time the buffer is created.

12. A system for detecting injected machine code, the system comprising:
- an operating system kernel configured to detect injected machine code, wherein the operating system kernel includes;
  
  a buffer execution module configured to extract data content from a buffer and execute, using the operating system kernel, the data content on a physical processor;
  
  an injected machine code analysis module configured to monitor, using the operating system kernel, the execution of the data content to determine whether the data content contains injected machine code indicative of a code injection attack; and
  
  wherein the injected machine code analysis module is configured to generate output specifying at least one of whether injected machine code was detected, a location in the buffer where injected machine code was detected, and a log of actions performed by detected injected machine code.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12 wherein the buffer is associated with at least one of a heap object, a network stream, a user file, and a multimedia platform object.
  - 14. The system of claim 12 wherein the buffer execution module is configured to execute the data content by initiating execution from different offsets in the buffer.
  - 15. The system of claim 12 wherein the buffer execution module is configured to execute the data content utilizing hardware virtualization.
  - 16. The system of claim 15 wherein the hardware virtualization mediates processor events that cause a change in system state and allows guest instruction execution to occur directly on the processor.
  - 17. The system of claim 12 wherein the injected machine code analysis module is configured to monitor the execution of the data content by tracing specific memory reads, writes, and executions via hardware-supported paging mechanisms.
  - 18. The system of claim 12 wherein the injected machine code analysis module is configured to monitor the execution of the data content by flagging execution chains that do not cause execution faults.
  - 19. The system of claim 12 wherein the operating system kernel is optimized for detecting injected machine code.
  - 20. The system of claim 19 wherein the operating system kernel is configured to implement an arbitrary, operator defined, analysis heuristic for determining whether the instructions contain injected machine code indicative of a code injection attack.
  - 21. The system of claim 20 wherein the analysis heuristic traces memory accesses to specific predefined locations.
  - 22. The system of claim 12 wherein the buffer execution module is configured to take a snapshot of memory contents of processes at the time the buffer is created.

23. A non-transitory computer readable medium comprising computer executable instructions that when executed by a processor of a computer control the computer to perform steps comprising:
- extracting data content from a buffer;
  
  providing an operating system kernel configured to detect injected machine code;
  
  executing, using the operating system kernel, the data content on a physical processor; and
  
  monitoring, using the operating system kernel, the execution of the data content to determine whether the data content contains injected machine code indicative of a code injection attack; and
  
  generating output specifying at least one of whether injected machine code was detected, a location in the buffer where injected machine code was detected, and a log of actions performed by detected injected machine code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
University of North Carolina At Chapel Hill (University of North Carolina System)
Original Assignee
University of North Carolina At Chapel Hill (University of North Carolina System)
Inventors
Snow, Kevin, Monrose, Fabian, Krishnan, Srinivas
Primary Examiner(s)
Brown, Anthony

Application Number

US14/115,096
Publication Number

US 20140181976A1
Time in Patent Office

1,429 Days
Field of Search

726 22- 25
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

Methods, systems, and computer readable media for detecting injected machine code

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems, and computer readable media for detecting injected machine code

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links