Mitigation of stack corruption exploits

US 9,870,469 B2
Filed: 09/26/2014
Issued: 01/16/2018
Est. Priority Date: 09/26/2014
Status: Active Grant

First Claim

Patent Images

1. A computing device comprising:

a memory comprising a stack, the stack including a return address location; and

a stack protection engine, implemented at least partly on a hardware platform and comprising a key array, the stack protection engine operable for;

receiving a return address;

encoding at least a portion of the return address with a cipher with a key from the key array, comprising using a portion of the return address as an index to the key array; and

placing the return encoded address in the return address location of the stack.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, a stack protection engine is disclosed for preventing or ameliorating stack corruption attacks. The stack protection engine may operate transparently to user-space processes. After a call to a subroutine from a parent routine, the stack protection engine encodes the return address on the stack, such as with an exclusive or cipher and a key selected from a key array. After the subroutine returns control to the main routine, the stack protection engine decodes the address, and returns control. If a stack corruption attack occurs, the malicious return address is not properly encoded, so that when decoding occurs, the program may simply crash rather than returning control to the malicious code.

13 Citations

21 Claims

1. A computing device comprising:
- a memory comprising a stack, the stack including a return address location; and
  
  a stack protection engine, implemented at least partly on a hardware platform and comprising a key array, the stack protection engine operable for;
  
  receiving a return address;
  
  encoding at least a portion of the return address with a cipher with a key from the key array, comprising using a portion of the return address as an index to the key array; and
  
  placing the return encoded address in the return address location of the stack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computing device of claim 1, wherein the stack protection engine is operable for decoding the return address.
  - 3. The computing device of claim 2, wherein the stack protection engine is operable for encoding at least a portion of the return address with a cipher after a call to a subroutine by a parent routine, and is operable for decoding the return address after a return from the subroutine to the parent routine.
  - 4. The computing device of claim 3, wherein the stack protection engine is operable for assigning pseudo-random key values to the key array.
  - 5. The computing device of claim 4, wherein the stack protection engine is operable for refreshing the key array.
  - 6. The computing device of claim 5, wherein the stack protection engine is operable for refreshing the key array according to a periodic schedule.
  - 7. The computing device of claim 3, wherein the key array is write-only with respect to user-space processes.
  - 8. The computing device of claim 1, wherein the cipher is an exclusive or, and wherein encoding comprises selecting an encoding key from the key array.
  - 9. The computing device of claim 8, wherein the stack protection engine is operable for decoding the return address with an exclusive or cipher.
  - 10. The computing device of claim 1, wherein the stack protection engine operates invisibly to user-space processes.
  - 11. The computing device of claim 1, wherein the stack protection engine comprises logic encoded on a microprocessor.

12. Logic encoded on one or more tangible, non-transitory computer-readable mediums operable for providing a stack protection engine, implemented at least partly on a hardware platform and comprising a key array, wherein the stack protection engine is operable for:
- receiving a return address;
  
  encoding at least a portion of the return address with a cipher with a key from the key array, comprising using a portion of the return address as an index to the key array; and
  
  placing the return encoded address in a return address location of a memory stack.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The logic of claim 12, wherein the stack protection engine is operable for decoding the return address.
  - 14. The logic of claim 13, wherein the stack protection engine is operable for encoding at least a portion of the return address with a cipher after a call to a subroutine by a parent routine, and is operable for decoding the return address after a return from the subroutine to the parent routine.
  - 15. The logic of claim 14, wherein the stack protection engine is operable for assigning pseudo-random key values to the key array and for refreshing the key array.
  - 16. The logic of claim 15, wherein the stack protection engine is operable for refreshing the key array according to a periodic schedule.
  - 17. The logic of claim 14, wherein the key array is write-only with respect to user-space processes.
  - 18. The logic of claim 12, wherein the cipher is an exclusive or, and wherein encoding comprises selecting an encoding key from the key array.
  - 19. The logic of claim 18, wherein the stack protection engine is operable for decoding the return address with an exclusive or cipher.

20. A method for providing a stack protection engine, implemented at least partly on a hardware platform and comprising a key array, the stack protection engine operable for:
- receiving a return address;
  
  encoding at least a portion of the return address with a cipher with a key from the key array, comprising using a portion of the return address as an index to the key array after a call to a subroutine from a parent routine; and
  
  placing the return encoded address in a return address location of a memory stack.
- View Dependent Claims (21)
- - 21. The method of claim 20, further comprising decoding the return encoded address after a return from the subroutine to the parent routine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Crowe, Simon
Primary Examiner(s)
POWERS, WILLIAM S

Application Number

US14/497,789
Publication Number

US 20160092676A1
Time in Patent Office

1,208 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/54 by adding security routines...

G06F 2221/033 Test or assess software

Mitigation of stack corruption exploits

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigation of stack corruption exploits

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links