Detection of stack pivoting
Abstract
Particular embodiments described herein provide for an electronic device that can be configured to receive a function call for a function, determine a current stack pointer value for the function call, and determine if the current stack pointer value is within a pre-defined range. The electronic device can include a stack pivoting logging module to log a plurality of function calls. The electronic device can also include a stack pivoting detection module to analyze the log of the plurality of function calls to determine, for each of the plurality of function calls, if the current stack pointer value is within a pre-defined range.
18 Claims
1. At least one non-transitory computer-readable medium comprising one or more instructions that, when executed by at least one processor, are configured to:
detect a plurality of function calls during execution of a program on a computing device;
log stack status information associated with the plurality of function calls, wherein for each function call of the plurality of function calls, the stack status information comprises a current stack pointer and a valid stack address range;
analyze the stack status information to determine whether the current stack pointer for each function call is valid;
determine that the current stack pointer for a particular function call is invalid, wherein for the particular function call, the stack status information indicates that the current stack pointer is outside the valid stack address range;
determine that the particular function call is associated with an invalid stack pivot and automatically rebuild a control flow associated with the invalid stack pivot based on an analysis of the stack status information; and
determine whether the control flow associated with the invalid stack pivot is indicative of a return-oriented programming attack.
Dependent claims: 2, 3, 4, 5, 6.
7. An apparatus comprising:
a hardware processor to:
detect a plurality of function calls during execution of a program;
log stack status information associated with the plurality of function calls, wherein for each function call of the plurality of function calls, the stack status information comprises a current stack pointer and a valid stack address range;
analyze the stack status information to determine whether the current stack pointer for each function call is valid;
determine that the current stack pointer for a particular function call is invalid, wherein for the particular function call, the stack status information indicates that the current stack pointer is outside the valid stack address range;
determine that the particular function call is associated with an invalid stack pivot and automatically rebuild a control flow associated with the invalid stack pivot based on an analysis of the stack status information; and
determine whether the control flow associated with the invalid stack pivot is indicative of a return-oriented programming attack.
Dependent claims: 8, 9, 10, 11.
12. A method comprising:
detecting a plurality of function calls during execution of a program on a computing device;
logging stack status information associated with the plurality of function calls, wherein for each function call of the plurality of function calls, the stack status information comprises a current stack pointer and a valid stack address range;
analyzing the stack status information to determine whether the current stack pointer for each function call is valid;
determining that the current stack pointer for a particular function call is invalid, wherein for the particular function call, the stack status information indicates that the current stack pointer is outside the valid stack address range;
determining that the particular function call is associated with an invalid stack pivot and automatically rebuilding a control flow associated with the invalid stack pivot based on an analysis of the stack status information; and
determining whether the control flow associated with the invalid stack pivot is indicative of a return-oriented programming attack.
Dependent claims: 13, 14, 15, 16.
17. A system for the detection of stack pivoting, the system comprising:
a memory to store stack status information associated with a plurality of function calls of a program; and
a hardware processor to:
detect the plurality of function calls during execution of the program;
log the stack status information associated with the plurality of function calls, wherein for each function call of the plurality of function calls, the stack status information comprises a current stack pointer and a valid stack address range;
analyze the stack status information to determine whether the current stack pointer for each function call is valid;
determine that the current stack pointer for a particular function call is invalid, wherein for the particular function call, the stack status information indicates that the current stack pointer is outside the valid stack address range;
determine that the particular function call is associated with an invalid stack pivot and automatically rebuild a control flow associated with the invalid stack pivot based on an analysis of the stack status information; and
determine whether the control flow associated with the invalid stack pivot is indicative of a return-oriented programming attack.
Dependent claim: 18.
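The logging-and-analysis scheme described in the abstract and claims, as an added illustration that is not part of the patent and not code from any assignee: each function call is recorded as a stack pointer plus the thread's valid stack range, and the log is scanned for the first call whose stack pointer falls outside that range. The record layout, function names and addresses are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One logged record of "stack status information": the stack pointer seen at a
 * function call plus the valid stack range the thread had at that moment. */
typedef struct {
    const char *func;   /* called function; kept so the control flow can be rebuilt */
    uint64_t sp;        /* current stack pointer at the call */
    uint64_t stack_lo;  /* lowest valid stack address (stack limit) */
    uint64_t stack_hi;  /* one past the highest valid stack address (stack base) */
} stack_status_t;

/* A call is valid only if its stack pointer lies inside [stack_lo, stack_hi). */
bool sp_is_valid(const stack_status_t *s) {
    return s->sp >= s->stack_lo && s->sp < s->stack_hi;
}

/* Analyze the log: return how many calls ran on an invalid stack and store the
 * index of the first such call (the pivot) in *first, or -1 if none. The log
 * entries from *first onward are the control flow the pivot produced. */
size_t analyze_stack_log(const stack_status_t *log, size_t n, long *first) {
    size_t pivoted = 0;
    *first = -1;
    for (size_t i = 0; i < n; i++) {
        if (sp_is_valid(&log[i])) continue;
        if (*first < 0) *first = (long)i;
        pivoted++;
    }
    return pivoted;
}

/* Constructed sample log, not captured from a real program. The thread stack is
 * [0x7ff000000, 0x7ff100000); the last two calls run with sp in a heap-like
 * region, which is what a stack pivot looks like in this kind of log. */
static const stack_status_t SAMPLE_LOG[] = {
    {"parse_header",      0x7ff0ff800, 0x7ff000000, 0x7ff100000},
    {"alloc_buffer",      0x7ff0ff7c0, 0x7ff000000, 0x7ff100000},
    {"change_protection", 0x00204a000, 0x7ff000000, 0x7ff100000},
    {"write_output",      0x00204a040, 0x7ff000000, 0x7ff100000},
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])
long sample_first_pivot(void) { long f; analyze_stack_log(SAMPLE_LOG, SAMPLE_LOG_LEN, &f); return f; }
size_t sample_pivoted_calls(void) { long f; return analyze_stack_log(SAMPLE_LOG, SAMPLE_LOG_LEN, &f); }

int main(void) {
    long p = sample_first_pivot();
    printf("%zu call(s) on a pivoted stack, first at log index %ld\n", sample_pivoted_calls(), p);
    return 0;
}
```

In a real monitor the valid range would come from the thread's stack bounds (for example the stack base and limit the OS records for the thread), and the calls after the first pivot are what the claims call the rebuilt control flow to be examined for return-oriented programming characteristics.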