Return oriented programming (ROP) attack protection

US 9,646,154 B2
Filed: 01/20/2015
Issued: 05/09/2017
Est. Priority Date: 12/12/2014
Status: Active Grant

First Claim

Patent Images

1. A method of protecting against return oriented programming attacks, the method comprising:

initiating a compute signature hardware instruction of a computing device to compute a signature for a return address and an associated location on a stack at which the return address is stored, wherein the signature is computed using a one-time pad that is combined with a hash of the return address and the return address position of the return address in the stack, and wherein the one time pad value is stored in at least two separate hardware caches, one cache for use during compute signature as a call cache and one cache for use during verify signature as a return cache;

enforcing that before executing the return instruction using the return address on the stack, initiating a verify signature hardware instruction of the computing device to verify the signature matches the target return address; and

responding to successful verification of the signature through execution of the verify signature hardware instruction by the computing device, executing the return instruction to the return address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Return oriented programming (ROP) attack prevention techniques are described. In one or more examples, a method is described of protecting against return oriented programming attacks. The method includes initiating a compute signature hardware instruction of a computing device to compute a signature for a return address and the associated location on the stack the return address is stored and causing storage of the computed signature along with the return address in the stack. The method also includes enforcing that before executing the return instruction using the return address on the stack, initiating a verify signature hardware instruction of the computing device to verify the signature matches the target return address on the stack and responding to successful verification of the signature through execution of the verify signature hardware instruction by the computing device, executing the return instruction to the return address.

Citations

17 Claims

1. A method of protecting against return oriented programming attacks, the method comprising:
- initiating a compute signature hardware instruction of a computing device to compute a signature for a return address and an associated location on a stack at which the return address is stored, wherein the signature is computed using a one-time pad that is combined with a hash of the return address and the return address position of the return address in the stack, and wherein the one time pad value is stored in at least two separate hardware caches, one cache for use during compute signature as a call cache and one cache for use during verify signature as a return cache;
  
  enforcing that before executing the return instruction using the return address on the stack, initiating a verify signature hardware instruction of the computing device to verify the signature matches the target return address; and
  
  responding to successful verification of the signature through execution of the verify signature hardware instruction by the computing device, executing the return instruction to the return address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method as described in claim 1, wherein the signature is utilized to sign the return address and a combination of the return address and the associated location.
  - 3. A method as described in claim 1, further comprising responding to unsuccessful verification of the signature through execution of the hardware instruction by the computing device by blocking execution of the return instruction to the return address.
  - 4. A method as described in claim 1, wherein the compute signature hardware instruction causes the signature to be computed using a secure keyed MAC algorithm where a cryptographic key is randomly generated per boot and stored in hardware of the computing device and not exposed to software executed by the computing device.
  - 5. A method as described in claim 1, wherein the hash is universal hash and the combination is formed using an exclusive OR (XOR) operation.
  - 6. A method as described in claim 1, wherein the one-time pad is generated using a counter value and a block cipher operating in counter mode using the counter value as input.
  - 7. A method as described in claim 6, wherein the block cipher is based on the Advanced Encryption Standard (AES).
  - 8. A method as described in claim 6, wherein the counter value is included as a portion of the signature.
  - 9. A method as described in claim 1, wherein entries in the call cache are moved to the return cache upon successful usage to compute the signature.
  - 10. A method as described in claim 1, wherein entries in the return cache are removed upon successful usage to verify the signature.
  - 11. A method as described in claim 1, wherein the call cache is a LIFO queue and the return cache is a FIFO stack.

12. A computing device configured to protect against return oriented programming (ROP) attacks, the computing device comprising:
- a processing system having hardware configured to execute instructions stored in memory and having hardware configured to perform;
  
  a compute signature hardware instruction to compute a signature for a return address and an associated location on a stack at which the return address is stored, wherein the signature is computed using a one-time pad that is combined with a hash of the return address and the return address position of the return address in the stack, and wherein the one time pad value is stored in at least two separate hardware caches, one cache for use during compute signature as a call cache and one cache for use during verify signature as a return cache; and
  
  a verify signature hardware instruction to verify the signature; and
  
  the memory configured to maintain an operating system that is executable by the processing system as the instructions, the operating system configured to protect against return oriented programming (ROP) attacks through functionality to initiate the compute signature hardware instruction to compute the signature for the return address and the associated location on the stack the return address is stored and initiate the verify signature hardware instruction to verify the signature before executing the return instruction using the return address on the stack.
- View Dependent Claims (13, 14)
- - 13. A computing device as described in claim 12, wherein the compute signature hardware instruction causes the signature to be computed using a secure keyed MAC algorithm where a cryptographic key is randomly generated per boot and stored in hardware of the computing device and not exposed to software executed by the computing device.
  - 14. A computing device as described in claim 12, wherein the signature is computed using the one-time pad value that is combined with a hash of the return address and the return address position of the return address in the stack.

15. One or more computer-readable storage devices having instructions stored thereon that, responsive to execution by one or more computing devices, causes the one or more computing devices to:
- initiate a compute signature hardware instruction of a computing device to compute a signature for a return address and an associated location on a stack at which the return address is stored, wherein the signature is computed using a one-time pad that is combined with a hash of the return address and the return address position of the return address in the stack, and wherein the one time pad value is stored in at least two separate hardware caches, one cache for use during compute signature as a call cache and one cache for use during verify signature as a return cache;
  
  enforce that before executing the return instruction using the return address on the stack, initiating a verify signature hardware instruction of the computing device to verify the signature matches the target return address; and
  
  respond to successful verification of the signature through execution of the verify signature hardware instruction by the computing device, executing the return instruction to the return address.
- View Dependent Claims (16, 17)
- - 16. One or more computer-readable storage devices as described in claim 15, wherein the compute signature hardware instruction causes the signature to be computed using a secure keyed MAC algorithm where a cryptographic key is randomly generated per boot and stored in hardware of the computing device and not exposed to software executed by the computing device.
  - 17. One or more computer-readable storage devices as described in claim 15, wherein the signature is computed using the one-time pad value that is combined with a hash of the return address and the return address position of the return address in the stack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Chen, Ling Tony, Lange, Jonathan E., Zaverucha, Greg M.
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US14/601,122
Publication Number

US 20160171211A1
Time in Patent Office

840 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/52   during program execution, e...

G06F 21/54   by adding security routines...

G06F 2212/1052   Security improvement

G06F 2221/033   Test or assess software

Return oriented programming (ROP) attack protection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Return oriented programming (ROP) attack protection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links