Detection of stack pivoting

US 9,961,102 B2
Filed: 09/24/2014
Issued: 05/01/2018
Est. Priority Date: 07/16/2014
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer-readable medium comprising one or more instructions that, when executed by at least one processor, are configured to:

detect a plurality of function calls during execution of a program on a computing device;

log stack status information associated with the plurality of function calls, wherein for each function call of the plurality of function calls, the stack status information comprises a current stack pointer and a valid stack address range;

analyze the stack status information to determine whether the current stack pointer for each function call is valid;

determine that the current stack pointer for a particular function call is invalid, wherein for the particular function call, the stack status information indicates that the current stack pointer is outside the valid stack address range;

determine that the particular function call is associated with an invalid stack pivot and automatically rebuild a control flow associated with the invalid stack pivot based on an analysis of the stack status information; and

determine whether the control flow associated with the invalid stack pivot is indicative of a return-oriented programming attack.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Particular embodiments described herein provide for an electronic device that can be configured to receive a function call for a function, determine a current stack pointer value for the function call, and determine if the current stack pointer value is within a pre-defined range. The electronic device can include a stack pivoting logging module to log a plurality of function calls. The electronic device can also include a stack pivoting detection module to analyze the log of the plurality of function calls to determine, for each of the plurality of function calls, if the current stack pointer value is within a pre-defined range.

Citations

18 Claims

1. At least one non-transitory computer-readable medium comprising one or more instructions that, when executed by at least one processor, are configured to:
- detect a plurality of function calls during execution of a program on a computing device;
  
  log stack status information associated with the plurality of function calls, wherein for each function call of the plurality of function calls, the stack status information comprises a current stack pointer and a valid stack address range;
  
  analyze the stack status information to determine whether the current stack pointer for each function call is valid;
  
  determine that the current stack pointer for a particular function call is invalid, wherein for the particular function call, the stack status information indicates that the current stack pointer is outside the valid stack address range;
  
  determine that the particular function call is associated with an invalid stack pivot and automatically rebuild a control flow associated with the invalid stack pivot based on an analysis of the stack status information; and
  
  determine whether the control flow associated with the invalid stack pivot is indicative of a return-oriented programming attack.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The at least one computer-readable medium of claim 1, wherein the one or more instructions, when executed by the at least one processor, are further configured to:
    - communicate the stack status information associated with the plurality of function calls to a security server, wherein the security server uses the stack status information to rebuild the control flow associated with the invalid stack pivot.
  - 3. The at least one computer-readable medium of claim 1, wherein the plurality of function calls comprises an application program interface call.
  - 4. The at least one computer-readable medium of claim 1, wherein the current stack pointer is determined by reading an ESP register value.
  - 5. The at least one computer-readable medium of claim 1, wherein the one or more instructions, when executed by the at least one processor, are further configured to:
    - block the particular function call upon determining that the control flow associated with the invalid stack pivot is indicative of a return-oriented programming attack.
  - 6. The at least one computer-readable medium of claim 1, wherein the one or more instructions, when executed by the at least one processor, are further configured to:
    - allow the particular function call upon determining that the control flow associated with the invalid stack pivot is not indicative of a return-oriented programming attack.

7. An apparatus comprising:
- a hardware processor to;
  
  detect a plurality of function calls during execution of a program;
  
  log stack status information associated with the plurality of function calls, wherein for each function call of the plurality of function calls, the stack status information comprises a current stack pointer and a valid stack address range;
  
  analyze the stack status information to determine whether the current stack pointer for each function call is valid;
  
  determine that the current stack pointer for a particular function call is invalid, wherein for the particular function call, the stack status information indicates that the current stack pointer is outside the valid stack address range;
  
  determine that the particular function call is associated with an invalid stack pivot and automatically rebuild a control flow associated with the invalid stack pivot based on an analysis of the stack status information; and
  
  determine whether the control flow associated with the invalid stack pivot is indicative of a return-oriented programming attack.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The apparatus of claim 7, wherein the hardware processor is further to communicate the stack status information to a security server, wherein the security server uses the stack status information to rebuild the control flow associated with the invalid stack pivot.
  - 9. The apparatus of claim 7, wherein the plurality of function calls comprises an application program interface call.
  - 10. The apparatus of claim 7, wherein the current stack pointer is determined by reading an ESP register value.
  - 11. The apparatus of claim 7, wherein the hardware processor is further to block the particular function call upon determining that the control flow associated with the invalid stack pivot is indicative of a return-oriented programming attack.

12. A method comprising:
- detecting a plurality of function calls during execution of a program on a computing device;
  
  logging stack status information associated with the plurality of function calls, wherein for each function call of the plurality of function calls, the stack status information comprises a current stack pointer and a valid stack address range;
  
  analyzing the stack status information to determine whether the current stack pointer for each function call is valid;
  
  determining that the current stack pointer for a particular function call is invalid, wherein for the particular function call, the stack status information indicates that the current stack pointer is outside the valid stack address range;
  
  determining that the particular function call is associated with an invalid stack pivot and automatically rebuilding a control flow associated with the invalid stack pivot based on an analysis of the stack status information; and
  
  determining whether the control flow associated with the invalid stack pivot is indicative of a return-oriented programming attack.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12, further comprising:
    - communicating the stack status information associated with the plurality of function calls to a security server, wherein the security server uses the stack status information to rebuild the control flow associated with the invalid stack pivot.
  - 14. The method of claim 12, wherein the plurality of function calls comprises an application program interface call.
  - 15. The method of claim 12, wherein the current stack pointer is determined by reading an ESP register value.
  - 16. The method of claim 12, further comprising:
    - blocking the particular function call upon determining that the control flow associated with the invalid stack pivot is indicative of a return-oriented programming attack.

17. A system for the detection of stack pivoting, the system comprising:
- a memory to store stack status information associated with a plurality of function calls of a program; and
  
  a hardware processor to;
  
  detect the plurality of function calls during execution of the program;
  
  log the stack status information associated with the plurality of function calls, wherein for each function call of the plurality of function calls, the stack status information comprises a current stack pointer and a valid stack address range;
  
  analyze the stack status information to determine whether the current stack pointer for each function call is valid;
  
  determine that the current stack pointer for a particular function call is invalid, wherein for the particular function call, the stack status information indicates that the current stack pointer is outside the valid stack address range;
  
  determine that the particular function call is associated with an invalid stack pivot and automatically rebuild a control flow associated with the invalid stack pivot based on an analysis of the stack status information; and
  
  determine whether the control flow associated with the invalid stack pivot is indicative of a return-oriented programming attack.
- View Dependent Claims (18)
- - 18. The system of claim 17, further comprising a communication interface to transmit the stack status information to a security server, wherein the security server is to rebuild the control flow associated with the invalid stack pivot based on the analysis of the stack status information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Li, Xiaoning, Lu, Lixin, Deng, Lu
Primary Examiner(s)
Li, Mary

Application Number

US14/495,108
Publication Number

US 20160021134A1
Time in Patent Office

1,315 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

H04L 63/1441   Countermeasures against mal...

Detection of stack pivoting

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of stack pivoting

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links