Detection of unauthorized memory modification and access using transactional memory
First Claim
1. A computing device for detecting unauthorized memory accesses, the computing device comprising:
- a transactional execution module to (i) execute a code segment identified as suspicious and (ii) detect a transactional abort during execution of the code segment;
a security support module to (i) execute a security support thread concurrently with execution of the code segment and (ii) access, via a read instruction by the security support thread, a monitored memory location; and
an abort handler module to (i) determine whether a security event has occurred in response to detection of the transactional abort, the security event indicative of an unauthorized memory access by the code segment to the monitored memory location and (ii) report the security event in response to a determination that the security event has occurred,wherein to detect the transactional abort comprises to detect a transactional abort caused by a transactional memory conflict between the read instruction and a write instruction by the code segment to the monitored memory location.
1 Assignment
0 Petitions
Accused Products
Abstract
Technologies for detecting unauthorized memory accesses include a computing device having transactional memory support. The computing device executes a code segment identified as suspicious and detects a transactional abort during execution of the code segment. The computing device may execute a security support thread concurrently with the code segment that reads one or more monitored memory locations. A transactional abort may be caused by a read of the security support thread conflicting with a write from the code segment. The computing device may set a breakpoint within the code segment, and a transactional abort may be caused by execution of the code segment reaching the breakpoint. An abort handler determines whether a security event has occurred and reports the security event. The abort handler may determine whether the security event has occurred based on the cause of the transactional abort. Other embodiments are described and claimed.
58 Citations
15 Claims
-
1. A computing device for detecting unauthorized memory accesses, the computing device comprising:
-
a transactional execution module to (i) execute a code segment identified as suspicious and (ii) detect a transactional abort during execution of the code segment; a security support module to (i) execute a security support thread concurrently with execution of the code segment and (ii) access, via a read instruction by the security support thread, a monitored memory location; and an abort handler module to (i) determine whether a security event has occurred in response to detection of the transactional abort, the security event indicative of an unauthorized memory access by the code segment to the monitored memory location and (ii) report the security event in response to a determination that the security event has occurred, wherein to detect the transactional abort comprises to detect a transactional abort caused by a transactional memory conflict between the read instruction and a write instruction by the code segment to the monitored memory location. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. One or more non-transitory, computer-readable storage media comprising a plurality of instructions that in response to being executed cause a computing device to:
-
execute a code segment identified as suspicious; execute a security support thread concurrently with execution of the code segment; access, via a read instruction by the security support thread, a monitored memory location; detect, during execution of the code segment, a transactional abort caused by a transactional memory conflict between the read instruction and a write instruction by the code segment to the monitored memory location; determine whether a security event has occurred in response to detecting the transactional abort, the security event indicative of an unauthorized memory access by the code segment to the monitored memory location; and report the security event in response to determining the security event has occurred. - View Dependent Claims (9, 10, 11)
-
-
12. A method for detecting unauthorized memory accesses, the method comprising:
-
executing, by a computing device, a code segment identified as suspicious; executing, by the computing device, a security support thread concurrently with execution of the code segment; accessing, via a read instruction by the security support thread, a monitored memory location; detecting, by the computing device and during execution of the code segment, a transactional abort caused by a transactional memory conflict between the read instruction and a write instruction by the code segment to the monitored memory location; determining, by the computing device, whether a security event has occurred in response to detecting the transactional abort, the security event indicative of an unauthorized memory access by the code segment to the monitored memory location; and reporting, by the computing device, the security event in response to determining the security event has occurred. - View Dependent Claims (13, 14, 15)
-
Specification