Return-oriented programming detection
First Claim
1. A computerized method, comprising:
- detecting a function call by an application;
- responsive to detecting the function call, capturing and preserving contents in a range of a stack of memory addresses surrounding a current stack pointer;
- analyzing contents located at a first valid address within the preserved contents to detect a first gadget and contents located at a second valid address within the preserved contents to detect a second gadget, the first valid address and the second valid address being located within a portion of a region of memory allocated for the application, wherein the first gadget comprises a first sequence of a first number of instructions less than a predetermined number of instructions followed by a return instruction, and the second gadget comprises a second sequence of a second number of instructions less than the predetermined number of instructions followed by a return instruction;
- assigning a first weight to the first gadget based on the first number of instructions and a second weight to the second gadget based on the second number of instructions, wherein the first weight is different than the second weight; and
- determining that a return-oriented programming (ROP) exploit is present within the portion of the region of allocated memory within the preserved contents based on at least whether a combination of at least the first weight and the second weight exceeds a predetermined weight threshold.
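The detection heuristic of claim 1, as an added Python simulation that is not code from the patent or its assignee: the toy code region, the two stack snapshots, the gadget-length bound and the weight threshold are all constructed here, and the choice that shorter gadgets carry more weight is an assumption, since the claim only requires the two weights to differ.

```python
MAX_GADGET_LEN = 5     # "predetermined number of instructions" (assumed value)
WEIGHT_THRESHOLD = 6   # "predetermined weight threshold" (assumed value)
CODE_RANGE = (0x401000, 0x402000)  # region allocated for the app (assumed)

# Constructed toy code region: one address per instruction (not real x86
# encoding, but enough to model the walk from a candidate address to `ret`).
CODE = {
    0x401000: "pop rdi", 0x401001: "ret",
    0x401010: "mov rax, rdi", 0x401011: "add rax, 8", 0x401012: "ret",
    0x401020: "push rbp", 0x401021: "mov rbp, rsp", 0x401022: "sub rsp, 32",
    0x401023: "mov [rbp-8], rdi", 0x401024: "call 0x401100", 0x401025: "ret",
    0x401030: "xchg rax, rsp", 0x401031: "ret",
}

def gadget_length(addr):
    """Instructions from addr up to (not counting) `ret`, if fewer than
    MAX_GADGET_LEN; None if addr is not valid code or the run is too long."""
    if not (CODE_RANGE[0] <= addr < CODE_RANGE[1]) or addr not in CODE:
        return None
    for n in range(MAX_GADGET_LEN):
        insn = CODE.get(addr + n)
        if insn is None:
            return None
        if insn == "ret":
            return n
    return None  # reached the bound without a `ret`: ordinary code, not a gadget

def gadget_weight(length):
    # Assumption: shorter gadgets weigh more, being the usual ROP building block.
    return MAX_GADGET_LEN - length

def score_stack(stack, sp, window=8):
    """Preserve the slots within `window` of the stack pointer, then sum the
    weights of every preserved slot that resolves to a gadget."""
    preserved = stack[max(0, sp - window):sp + window]
    found = []
    for slot in preserved:
        length = gadget_length(slot)
        if length is not None:
            found.append((slot, length, gadget_weight(length)))
    return sum(w for _, _, w in found), found

def rop_detected(stack, sp):
    total, _ = score_stack(stack, sp)
    return total > WEIGHT_THRESHOLD

# Constructed stack snapshots: one 8-byte slot per element, index 0 lowest,
# `sp` is the index of the current stack pointer at the hooked call.
BENIGN_STACK = [0x0, 0x401023, 0x7FFD1000, 0x0, 0x1, 0x7FFD1040]
ROP_STACK = [0x401000, 0x41414141, 0x401010, 0x401030, 0x401000, 0xDEADBEEF]
```

Note that a legitimate return address that happens to sit just before a `ret` (0x401025 here would weigh 5 on its own) also scores, which is why the claim gates on a summed weight over several slots rather than on any single hit.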
Abstract
According to one embodiment, a threat detection system is integrated with at least a dynamic analysis engine. The dynamic analysis engine is configured to automatically detect a function call by an application, responsive to detecting the function call, analyze contents located at one or more addresses located within a portion of memory allocated for the application, and, based on the analysis, determine whether one or more objects included in received network traffic is associated with a return-oriented programming (ROP) exploit.
29 Claims
17. A system comprising:
- one or more processors;
- a storage module communicatively coupled to the one or more processors, the storage module includes logic to:
- detect a function call by an application;
- responsive to detecting the function call, capture and preserve contents in a range of a stack of memory addresses surrounding a current stack pointer;
- analyze contents located at a first valid address within the preserved contents to detect a first gadget and contents located at a second valid address within the preserved contents to detect a second gadget, the first valid address and the second valid address being located within a portion of a region of memory allocated for the application, wherein the first gadget comprises a first sequence of a first number of instructions less than a predetermined number of instructions followed by a return instruction, and the second gadget comprises a second sequence of a second number of instructions less than the predetermined number of instructions followed by a return instruction;
- assign a first weight to the first gadget based on the first number of instructions and a second weight to the second gadget based on the second number of instructions, wherein the first weight is different than the second weight; and
- determine that a return-oriented programming (ROP) exploit is present within the portion of the region of allocated memory within the preserved contents based on at least whether a combination of at least the first weight and the second weight exceeds a predetermined weight threshold.
Specification