Detection and mitigation of malicious invocation of sensitive code

US 9,886,577 B2
Filed: 09/26/2014
Issued: 02/06/2018
Est. Priority Date: 09/26/2014
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by at least one processor:

identify regions of code in an extended page table that includes API code pages to be monitored;

probe and lock code pages that include the identified regions of code;

remap the code pages as executable in an alternate extended page table view only;

detect a page load, wherein the page load is for a page that does not include the proper entry point of an API;

determine, based on detecting the page load of the page that does not include the proper entry point of the API, from the extended page table whether the page is to be monitored; and

generate, based on the determination that the page is to be monitored, an execution fault.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Particular embodiments described herein provide for an electronic device that can be configured to identify regions of code to be monitored, probe and lock code pages that include the identified regions of code, and remap the code pages as execute only to assist with the mitigation of malicious invocation of sensitive code. The code pages can be remapped as execute only in an alternate extended page table view to allow for the detection and mitigation of malicious invocation of sensitive code.

Citations

20 Claims

1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by at least one processor:
- identify regions of code in an extended page table that includes API code pages to be monitored;
  
  probe and lock code pages that include the identified regions of code;
  
  remap the code pages as executable in an alternate extended page table view only;
  
  detect a page load, wherein the page load is for a page that does not include the proper entry point of an API;
  
  determine, based on detecting the page load of the page that does not include the proper entry point of the API, from the extended page table whether the page is to be monitored; and
  
  generate, based on the determination that the page is to be monitored, an execution fault.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The at least one computer-readable medium of claim 1, further comprising one or more instructions that when executed by the at least one processor:
    - capture indirect virtual addressing branches and returns for the code pages.
  - 3. The at least one computer-readable medium of claim 1, further comprising one or more instructions that when executed by the at least one processor:
    - handle execution faults on the code pages with a virtualized exception handler.
  - 4. The at least one computer-readable medium of claim 1, wherein the execution fault is an extended page table fault.
  - 5. The at least one computer-readable medium of claim 1, further comprising one or more instructions that when executed by the at least one processor:
    - inspect context information related to the execution fault to determine if an entry point for the application program interface execution request is valid.
  - 6. The at least one computer-readable medium of claim 5, further comprising one or more instructions that when executed by the at least one processor:
    - map the entry offset to the stack offset if the entry point is not valid.
  - 7. The at least one computer-readable medium of claim 1, further comprising one or more instructions that when executed by the at least one processor:
    - de-privilege the identified regions of code from being executed in a default extended page table view.

8. An apparatus comprising:
- memory; and
  
  a monitoring module in the memory configured to;
  
  identify regions of code in an extended page table that includes sensitive API code pages to be monitored;
  
  probe and lock code pages that include the identified regions of code;
  
  remap the code pages as executable in an alternate extended page table view only;
  
  detect a page load, wherein the page load is for loading a page that does not include the proper entry point of an API;
  
  determine, based on detecting the page load of the page that does not include the proper entry point of the API, from the extended page table whether the page is to be monitored; and
  
  generate, based on the determination that the page is to be monitored, an execution fault.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The apparatus of claim 8, wherein the monitoring module is further configured to:
    - capture indirect virtual addressing branches and returns for the code pages.
  - 10. The apparatus of claim 8, wherein the monitoring module is further configured to:
    - handle execution faults on the code pages with a virtualized exception handler.
  - 11. The apparatus of claim 8, wherein the monitoring module fault is an extended page table fault.
  - 12. The apparatus of claim 8, wherein the monitoring module is further configured to:
    - inspect context information related to the execution fault to determine if an entry point for the application program interface execution request is valid.
  - 13. The apparatus of claim 12, wherein the monitoring module is further configured to:
    - map the entry offset to the stack offset if the entry point is not valid.

14. A method comprising:
- identifying regions of code in an extended page table that includes API code pages to be monitored;
  
  probing and locking code pages that include the identified regions of code;
  
  remapping the code pages as executable in an alternate extended page table view only;
  
  detecting a page load, wherein the page load is for loading a page that does not include the proper entry point of an API;
  
  determining, based on detecting the page load of the page that does not include the proper entry point of the API, from the extended page table whether the page is to be monitored; and
  
  generating, based on the determination that the page is to be monitored, an execution fault.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14, further comprising:
    - capturing indirect virtual addressing branches and returns for the code pages.
  - 16. The method of claim 14, further comprising:
    - handling execution faults on the code pages with a virtualized exception handler.
  - 17. The method of claim 14, wherein the execution fault is an extended page table fault.
  - 18. The method of claim 14, further comprising:
    - inspecting context information related to the execution fault to determine if an entry point for the application program interface execution request is valid; and
      
      mapping the entry offset to the stack offset if the entry point is not valid.

19. A system for detecting and mitigating malicious invocation of sensitive code, the system comprising:
- memory; and
  
  a monitoring module in the memory configured for;
  
  identifying regions of code in an extended page table that includes API code pages to be monitored;
  
  probing and locking code pages that include the identified regions of code;
  
  remapping the code pages as executable in an alternate extended page table view only;
  
  detecting a page load, wherein the page load is for a page that does not include the proper entry point of an API;
  
  determining, based on detecting the page load of the page that does not include the proper entry point of the API, from the extended page table whether the page is to be monitored; and
  
  generating, based on the determination that the page is to be monitored, an execution fault.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein the system is configured to:
    - inspect context information related to the execution fault to determine if an entry point for the application program interface execution request is valid.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Sahita, Ravi, Deng, Lu, Shanbhogue, Vedvyas, Lu, Lixin, Shepsen, Alexander, Tatourian, Igor
Primary Examiner(s)
Parsons, Theodore C

Application Number

US14/497,745
Publication Number

US 20160094571A1
Time in Patent Office

1,229 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/10   Address translation

G06F 12/1009   using page tables, e.g. pag...

G06F 12/14   Protection against unauthor...

G06F 12/1441   for a range

G06F 12/145   the protection being virtua...

G06F 12/1458   by checking the subject acc...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

Detection and mitigation of malicious invocation of sensitive code

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection and mitigation of malicious invocation of sensitive code

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links