×

Detection of stack pivoting

  • US 9,961,102 B2
  • Filed: 09/24/2014
  • Issued: 05/01/2018
  • Est. Priority Date: 07/16/2014
  • Status: Active Grant
First Claim
Patent Images

1. At least one non-transitory computer-readable medium comprising one or more instructions that, when executed by at least one processor, are configured to:

  • detect a plurality of function calls during execution of a program on a computing device;

    log stack status information associated with the plurality of function calls, wherein for each function call of the plurality of function calls, the stack status information comprises a current stack pointer and a valid stack address range;

    analyze the stack status information to determine whether the current stack pointer for each function call is valid;

    determine that the current stack pointer for a particular function call is invalid, wherein for the particular function call, the stack status information indicates that the current stack pointer is outside the valid stack address range;

    determine that the particular function call is associated with an invalid stack pivot and automatically rebuild a control flow associated with the invalid stack pivot based on an analysis of the stack status information; and

    determine whether the control flow associated with the invalid stack pivot is indicative of a return-oriented programming attack.

View all claims
  • 10 Assignments
Timeline View
Assignment View
    ×
    ×