Attack Protection for valid gadget control transfers

US 9,767,272 B2
Filed: 10/20/2014
Issued: 09/19/2017
Est. Priority Date: 10/20/2014
Status: Active Grant

First Claim

Patent Images

1. A processor comprising:

a first hardware register to store a first bound value for a stack to be stored in a memory;

a second hardware register to store a second bound value for the stack;

a checker logic to determine, prior to an exit point at a conclusion of a function to be executed on the processor, whether a value of a stack pointer is within a range between the first bound value and the second bound value;

a logic to prevent a return to a caller of the function if the stack pointer value is not within the range; and

a second logic to store a random value in a third register prior to a call to the function, and in response to a control transfer termination (CTT) instruction encountered after a control transfer instruction that returns from the function, determine whether a current value of the third register equals the random value, and if so, continue execution of the caller of the function, and otherwise to terminate execution.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a processor comprises: a first register to store a first bound value for a stack to be stored in a memory; a second register to store a second bound value for the stack; a checker logic to determine, prior to an exit point at a conclusion of a function to be executed on the processor, whether a value of a stack pointer is within a range between the first bound value and the second bound value; and a logic to prevent a return to a caller of the function if the stack pointer value is not within the range. Other embodiments are described and claimed.

68 Citations

View as Search Results

13 Claims

1. A processor comprising:
- a first hardware register to store a first bound value for a stack to be stored in a memory;
  
  a second hardware register to store a second bound value for the stack;
  
  a checker logic to determine, prior to an exit point at a conclusion of a function to be executed on the processor, whether a value of a stack pointer is within a range between the first bound value and the second bound value;
  
  a logic to prevent a return to a caller of the function if the stack pointer value is not within the range; and
  
  a second logic to store a random value in a third register prior to a call to the function, and in response to a control transfer termination (CTT) instruction encountered after a control transfer instruction that returns from the function, determine whether a current value of the third register equals the random value, and if so, continue execution of the caller of the function, and otherwise to terminate execution.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The processor of claim 1, wherein the logic is to raise an exception if the stack pointer value is not within the range.
  - 3. The processor of claim 2, wherein the exception is to indicate a stack pivot attack.
  - 4. The processor of claim 2, further comprising control logic to terminate the program responsive to the exception.
  - 5. The processor of claim 1, wherein the checker logic is further to determine, prior to a second exit point of the function, whether the value of the stack pointer is within the range.
  - 6. The processor of claim 1, wherein the first register and the second register comprise a single register.
  - 7. The processor of claim 1, wherein the checker logic is to execute at least one user level instruction to determine whether the value of the stack pointer is within the range.

8. At least one non-transitory computer readable storage medium comprising instructions that when executed enable a system to:
- store, in a first register, a first bound value for a stack to be stored in a memory;
  
  store, in a second register, a second bound value for the stack;
  
  determine, prior to an exit point at a conclusion of a function, whether a value of a stack pointer is within a range between the first bound value and the second bound value;
  
  prevent a return to a caller of the function if the stack pointer value is not within the range; and
  
  store a random value in a third register prior to a call to the function, and in response to a control transfer termination (CTT) instruction encountered after a control transfer instruction that returns from the function, determine whether a current value of the third register equals the random value, and if so, continue execution of the caller of the function, and otherwise to terminate execution.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The non-transitory computer readable storage medium of claim 8, further comprising instructions that when executed enable the system to raise an exception if the stack pointer value is not within the range.
  - 10. The non-transitory computer readable storage medium of claim 9, wherein the exception is to indicate a stack pivot attack.
  - 11. The non-transitory computer readable storage medium of claim 9, further comprising instructions that when executed enable the system to terminate the program responsive to the exception.
  - 12. The non-transitory computer readable storage medium of claim 8, further comprising instructions that when executed enable the system to determine, prior to a second exit point of the function, whether the value of the stack pointer is within the range.
  - 13. The non-transitory computer readable storage medium of claim 8, further comprising instructions that when executed enable the system to execute at least one user level instruction to determine whether the value of the stack pointer is within the range.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Shanbhogue, Vedvyas, Sahita, Ravi L., Bulygin, Yuriy, Li, Xiaoning, Brandt, Jason W.
Primary Examiner(s)
King, John B

Application Number

US14/518,507
Publication Number

US 20160110542A1
Time in Patent Office

1,065 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 9/30021   Compare instructions, e.g. ...

G06F 9/30054   Unconditional branch instru...

G06F 9/30076   to perform miscellaneous co...

G06F 9/30134   Register stacks; shift regi...

G06F 9/3861   Recovery, e.g. branch miss-...

G06F 9/4484   Executing subprograms

Attack Protection for valid gadget control transfers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Attack Protection for valid gadget control transfers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links