Detection of unauthorized memory modification and access using transactional memory

US 9,384,148 B2
Filed: 12/17/2013
Issued: 07/05/2016
Est. Priority Date: 12/17/2013
Status: Active Grant

First Claim

Patent Images

1. A computing device for detecting unauthorized memory accesses, the computing device comprising:

a transactional execution module to (i) execute a code segment identified as suspicious and (ii) detect a transactional abort during execution of the code segment;

a security support module to (i) execute a security support thread concurrently with execution of the code segment and (ii) access, via a read instruction by the security support thread, a monitored memory location; and

an abort handler module to (i) determine whether a security event has occurred in response to detection of the transactional abort, the security event indicative of an unauthorized memory access by the code segment to the monitored memory location and (ii) report the security event in response to a determination that the security event has occurred,wherein to detect the transactional abort comprises to detect a transactional abort caused by a transactional memory conflict between the read instruction and a write instruction by the code segment to the monitored memory location.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies for detecting unauthorized memory accesses include a computing device having transactional memory support. The computing device executes a code segment identified as suspicious and detects a transactional abort during execution of the code segment. The computing device may execute a security support thread concurrently with the code segment that reads one or more monitored memory locations. A transactional abort may be caused by a read of the security support thread conflicting with a write from the code segment. The computing device may set a breakpoint within the code segment, and a transactional abort may be caused by execution of the code segment reaching the breakpoint. An abort handler determines whether a security event has occurred and reports the security event. The abort handler may determine whether the security event has occurred based on the cause of the transactional abort. Other embodiments are described and claimed.

58 Citations

View as Search Results

15 Claims

1. A computing device for detecting unauthorized memory accesses, the computing device comprising:
- a transactional execution module to (i) execute a code segment identified as suspicious and (ii) detect a transactional abort during execution of the code segment;
  
  a security support module to (i) execute a security support thread concurrently with execution of the code segment and (ii) access, via a read instruction by the security support thread, a monitored memory location; and
  
  an abort handler module to (i) determine whether a security event has occurred in response to detection of the transactional abort, the security event indicative of an unauthorized memory access by the code segment to the monitored memory location and (ii) report the security event in response to a determination that the security event has occurred,wherein to detect the transactional abort comprises to detect a transactional abort caused by a transactional memory conflict between the read instruction and a write instruction by the code segment to the monitored memory location.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computing device of claim 1, wherein to determine whether the security event has occurred comprises to determine whether the transactional memory conflict was caused by an attempted write to the monitored memory location.
  - 3. The computing device of claim 2, wherein to determine whether the transactional memory conflict was caused by the attempted write to the monitored memory location comprises to compare a first memory address of a conflicting data location retrieved from a performance monitoring unit of the computing device to a second memory address of the monitored memory location.
  - 4. The computing device of claim 1, further comprising a security module to set a breakpoint within the code segment at the monitored memory location, wherein to set the breakpoint comprises to insert a transactional abort instruction in the code segment;
    - wherein to detect the transactional abort comprises to detect the transactional abort in response to execution of the code segment reaching the breakpoint.
  - 5. The computing device of claim 1, further comprising a security module to wrap the code segment in a transactional envelope;
    - wherein to execute the code segment comprises to execute the code segment within the transactional envelope.
  - 6. The computing device of claim 5, wherein to wrap the code segment comprises to insert a transaction begin instruction and a transaction end instruction in the code segment.
  - 7. The computing device of claim 1, wherein:
    - the abort handler module is further to (i) increment an abort count in response to a determination that the security event has not occurred and (ii) determine whether the abort count has a predetermined relationship to a threshold abort count;
      
      the computing device further comprises a fallback security module to execute a fallback security procedure in response to a determination that the abort count has the predetermined relationship to the threshold abort count, the fallback security procedure to analyze the code segment as a function of the abort count.

8. One or more non-transitory, computer-readable storage media comprising a plurality of instructions that in response to being executed cause a computing device to:
- execute a code segment identified as suspicious;
  
  execute a security support thread concurrently with execution of the code segment;
  
  access, via a read instruction by the security support thread, a monitored memory location;
  
  detect, during execution of the code segment, a transactional abort caused by a transactional memory conflict between the read instruction and a write instruction by the code segment to the monitored memory location;
  
  determine whether a security event has occurred in response to detecting the transactional abort, the security event indicative of an unauthorized memory access by the code segment to the monitored memory location; and
  
  report the security event in response to determining the security event has occurred.
- View Dependent Claims (9, 10, 11)
- - 9. The one or more non-transitory, computer-readable storage media of claim 8, wherein to determine whether the security event has occurred comprises to determine whether the transactional memory conflict was caused by an attempted write to the monitored memory location.
  - 10. The one or more non-transitory, computer-readable storage media of claim 8, further comprising a plurality of instructions that in response to being executed cause the computing device to:
    - set a breakpoint within the code segment at the monitored memory location, wherein to set the breakpoint comprises to insert a transactional abort instruction in the code segment;
      
      wherein to detect the transactional abort comprises to detect the transactional abort in response to execution of the code segment reaching the breakpoint.
  - 11. The one or more non-transitory, computer-readable storage media of claim 8, further comprising a plurality of instructions that in response to being executed cause the computing device to wrap the code segment in a transactional envelope;
    - wherein to execute the code segment comprises to execute the code segment within the transactional envelope.

12. A method for detecting unauthorized memory accesses, the method comprising:
- executing, by a computing device, a code segment identified as suspicious;
  
  executing, by the computing device, a security support thread concurrently with execution of the code segment;
  
  accessing, via a read instruction by the security support thread, a monitored memory location;
  
  detecting, by the computing device and during execution of the code segment, a transactional abort caused by a transactional memory conflict between the read instruction and a write instruction by the code segment to the monitored memory location;
  
  determining, by the computing device, whether a security event has occurred in response to detecting the transactional abort, the security event indicative of an unauthorized memory access by the code segment to the monitored memory location; and
  
  reporting, by the computing device, the security event in response to determining the security event has occurred.
- View Dependent Claims (13, 14, 15)
- - 13. The method of claim 12, wherein determining whether the security event has occurred comprises determining whether the transactional memory conflict was caused by an attempted write to the monitored memory location.
  - 14. The method of claim 12, further comprising:
    - setting, by the computing device, a breakpoint within the code segment at the monitored memory location, wherein setting the breakpoint comprises inserting a transactional abort instruction in the code segment;
      
      wherein detecting the transactional abort comprises detecting the transactional abort in response to execution of the code segment reaching the breakpoint.
  - 15. The method of claim 12, further comprising wrapping, by the computing device, the code segment in a transactional envelope;
    - wherein executing the code segment comprises executing the code segment within the transactional envelope.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Muttik, Igor, Dementiev, Roman, Nayshtut, Alex
Primary Examiner(s)
Shepperd, Eric W

Application Number

US14/367,989
Publication Number

US 20160026581A1
Time in Patent Office

931 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 12/14   Protection against unauthor...

G06F 12/1441   for a range

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/60   Protecting data

Detection of unauthorized memory modification and access using transactional memory

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

58 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of unauthorized memory modification and access using transactional memory

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links