Detection of code execution exploits

US 8,621,626 B2
Filed: 11/30/2009
Issued: 12/31/2013
Est. Priority Date: 05/01/2009
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable storage device comprising instructions stored thereon to cause one or more processors to:

determine where one or more candidate areas exist within an arbitrary file;

search at least one nearby area in front of or after each of the one or more candidate areas within the arbitrary file for an instruction candidate;

disassemble instructions starting at a found offset for the instruction candidate to create a disassembled instruction set, the found offset reflecting a location of the instruction candidate within the arbitrary file;

normalize at least a portion of the disassembled instruction set to create a normalized instruction set;

scan the normalized instruction set to determine if the normalized instruction set reflects that the disassembled instruction set has a probability of containing shellcode;

calculate a statistical probability that the instruction candidate is associated with shellcode for normalized instruction sets associated with disassembled instruction sets that were determined to reflect a probability of containing shellcode, wherein statistical probabilities are not calculated if the normalized instruction set reflects that the disassembled instruction set has no probability of containing shellcode;

for a given stream of instructions starting at the found offset, map an instruction-to-shellcode probability to each instruction in the given stream of instructions; and

sum the mapped instruction-to-shellcode probability for each instruction using Bayes'"'"' formula to generate an overall probability.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments include a method of detecting shell code in an arbitrary file comprising determining where one or more candidate areas exist within an arbitrary file, searching at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate, and calculating for any such instruction candidate a statistical probability based on a disassembly of instructions starting at a found offset for the instruction candidate that the disassembled instructions are shellcode.

44 Citations

View as Search Results

22 Claims

1. A non-transitory computer readable storage device comprising instructions stored thereon to cause one or more processors to:
- determine where one or more candidate areas exist within an arbitrary file;
  
  search at least one nearby area in front of or after each of the one or more candidate areas within the arbitrary file for an instruction candidate;
  
  disassemble instructions starting at a found offset for the instruction candidate to create a disassembled instruction set, the found offset reflecting a location of the instruction candidate within the arbitrary file;
  
  normalize at least a portion of the disassembled instruction set to create a normalized instruction set;
  
  scan the normalized instruction set to determine if the normalized instruction set reflects that the disassembled instruction set has a probability of containing shellcode;
  
  calculate a statistical probability that the instruction candidate is associated with shellcode for normalized instruction sets associated with disassembled instruction sets that were determined to reflect a probability of containing shellcode, wherein statistical probabilities are not calculated if the normalized instruction set reflects that the disassembled instruction set has no probability of containing shellcode;
  
  for a given stream of instructions starting at the found offset, map an instruction-to-shellcode probability to each instruction in the given stream of instructions; and
  
  sum the mapped instruction-to-shellcode probability for each instruction using Bayes'"'"' formula to generate an overall probability.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The non-transitory computer readable storage device of claim 1, further comprising instructions to cause the one or more processors to:
    - classify the arbitrary file as containing shellcode if the statistical probability exceeds a probability threshold.
  - 3. The non-transitory computer readable storage device of claim 1, further comprising instructions to cause the one or more processors to determine if the instruction candidate at the found offset is a code branching instruction or a function call.
  - 4. The non-transitory computer readable storage device of claim 1, further comprising instructions to cause the one or more processors to determine if the instruction candidate at the found offset is similar to the start of a known characteristical shellcode sequence.
  - 5. The non-transitory computer readable storage device of claim 1, wherein the instructions to cause the one or more processors to determine where one or more candidate areas exist within the arbitrary file include instructions to cause the one or more processors to:
    - scan the arbitrary file looking for repetitive constructs, the repetitive construct having a potential of overflowing a buffer in a computer memory when the arbitrary file is parsed, rendered or executed.
  - 6. The non-transitory computer readable storage device of claim 1, wherein the instructions to cause the one or more processors to search at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file include instructions to cause the one or more processors to:
    - configure a number of data blocks to be included in the at least one nearby area.
  - 7. The non-transitory computer readable storage device of claim 1, wherein the instructions to cause the one or more processors to calculate a statistical probability include instructions to cause the one or more processors to:
    - disassemble the instructions starting at the found offset by following branches and method calls dynamically.
  - 8. The non-transitory computer readable storage device of claim 1, further comprising instructions to cause the one or more processors to classify the arbitrary file as containing shellcode if the overall probability exceeds a threshold value.
  - 9. The non-transitory computer readable storage device of claim 1, further comprising instructions to cause the one or more processors to:
    - create a Markov Model for use in determining a probability of associated shellcode for a sequence of the disassembled instructions;
      
      classify the arbitrary the as containing shellcode based at least in part on the determined probability.

10. A gateway comprising:
- a memory comprising instructions stored therein; and
  
  one or more processors communicatively coupled to the memory to configure the one or more processors to operate an anti-malware engine, the anti-malware engine operable to;
  
  scan an arbitrary file and to determine if any candidate areas exist within the arbitrary file;
  
  for any given candidate area located within the arbitrary file, search at least one nearby area in front of or after the candidate area for any instruction candidates; and
  
  for each instruction candidate;
  
  disassemble instructions starting at a found offset to create a disassembled instruction set, wherein the found offset reflects a location of the each instruction candidate within the arbitrary file;
  
  normalize at least a portion of the disassembled instruction set to create a normalized instruction set;
  
  scan the normalized instruction set to determine if the normalized instruction set reflects that the disassembled instruction set has a probability of containing shell code; and
  
  calculate a statistical probability that the instruction candidate is associated with shellcode for normalized instruction sets associated with disassembled instruction sets that were determined to reflect a probability of containing shellcode, wherein statistical probabilities are not calculated if the normalized instruction set reflects that the disassembled instruction set has no probability of containing shellcode,wherein the anti-malware engine is operable to access known characteristical shellcode sequences stored in a database coupled to the anti-malware engine, and to scan the arbitrary file for the known characteristical shellcode sequences.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The gateway of claim 10, further including a configurations coupled to the anti-malware engine, the configurations operable to store one or more threshold values used by the anti-malware engine in at least one shellcode detection process.
  - 12. The gateway of claim 10, wherein the anti-malware engine is operable to output warning messages to an interface coupled to the anti-malware engine when the arbitrary file is determined to include shellcode.
  - 13. The gateway of claim 10, wherein the gateway couples at least one protected device to the Internet.
  - 14. The gateway of claim 10, wherein the anti-malware engine is operable to access known whitelisted instruction sequences and whitelisted media types stored in a database coupled to the anti-malware engine, and to bypass scanning of known code sequences that match either one of the whitelisted instruction sequences or at least one of the whitelisted media types stored in the database.

15. A non-transitory computer readable storage device comprising instructions stored thereon to cause one or more processors to:
- scan an arbitrary file to determine offset locations of one or more candidate areas that exist within the arbitrary file, the offset locations identifying starting and ending locations of each of the one or more candidate areas within the arbitrary file;
  
  for at least one of the one or more candidate areas found in the arbitrary file, first search the areas surrounding the at least one candidate area to determine if any function calls or any code branching instructions exist in the areas surrounding the at least one candidate area, wherein the areas surrounding the at least one candidate area comprise areas in front of or after the at least one candidate area;
  
  if no function calls and no code branching instructions are found, search the areas surrounding the at least one candidate area for known characteristical shellcode sequences by disassembling one or more instructions from the surrounding areas, normalizing the disassembled one or more instructions to create one or more normalized instructions, and scan the one or more normalized instructions to determine if the one or more normalized instructions reflect that the one or more disassembled instructions represent shell code; and
  
  scan the arbitrary file for data blocks with high information entropy compared to a threshold value when no known characteristical shellcode sequences are found.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable storage device of claim 15, further comprising instructions to cause the one or more processors to:
    - calculate an information entropy for a given portion of the arbitrary file when no known characteristical shellcode sequences are found for the given portion of the arbitrary file, and end processing of the given portion of the arbitrary file if the calculated information entropy for the portion of the arbitrary file is either above or below a set of configured thresholds.
  - 17. The non-transitory computer readable storage device of claim 16, wherein the instructions to end the processing of the given portion of the arbitrary file include instructions to:
    - scan another given portion of the arbitrary file,calculate an information entropy for the another given portion of the arbitrary file, and end processing of the another given portion of the arbitrary the if the calculated information entropy for the another given portion of the arbitrary file is either above or below the set of configured thresholds.
  - 18. The non-transitory computer readable storage device of claim 15, wherein the instructions to cause the one or more processors to scan the arbitrary file include instructions to scan the arbitrary file for repeated constructs that include long sequences of repeated characters.
  - 19. The non-transitory computer readable storage device of claim 18, wherein the instructions to cause the one or more processors to scan the arbitrary file for repeated constructs include instructions to cause the one or more processors to:
    - take a first character a_Nat position N in the arbitrary file;
      
      search for next occurrence of the first character, which is found at position M;
      
      use a sub-sequence (a_N, . . . , a_M−
      
      1) as a repetition pattern having a length L=M−
      
      N;
      
      compare the repetition pattern to the sub-sequence (a_M, . . . , a_M+L), and if equal, advance by L bytes and continue with this comparing until the comparison fails in order to determine a number of found repetitions; and
      
      if the number of found repetitions is below a given threshold, determine that no match is found.
  - 20. The non-transitory computer readable storage device of claim 15, wherein the instructions to cause the one or more processors to determine if any function calls or code branching instructions are found in the areas surrounding the at least one candidate area, comprise instructions to cause the one or more processors to:
    - disassemble a number of instructions starting at the function call or at the code branching instruction,calculate a probability for each of the instructions disassembled;
      
      sum each of the calculated probabilities using Bayers'"'"' formula to generate an overall probability; and
      
      determine that the arbitrary file includes shellcode when the overall probability exceeds an threshold value.

21. A computer network comprising:
- a gateway device comprising memory and one or more processors communicatively coupled to the memory; and
  
  a database coupled to the gateway device, the database including memory operable to store one or more known shellcode sequences and to provide the one or more known shellcode sequences to an anti-malware engine for comparison to instructions in an arbitrary file, wherein the memory stores instructions to cause the one or more processors to be configured to include the anti-malware engine, the anti-malware engine operable to;
  
  receive the arbitrary file;
  
  scan the arbitrary file for repetitive constructs that have a potential to overflow a buffer in a computer memory when the arbitrary file is parsed, rendered or executed;
  
  determine if any function calls or any code branching instructions exist in the areas surrounding the repetitive constructs, wherein areas surrounding the repetitive constructs comprise areas in front of or behind the repetitive constructs with respect to a location of the repetitive constructs within the arbitrary file; and
  
  generate a statistical probability representing the likelihood that the arbitrary file includes shellcode by performing a statistical analysis of the instructions starting at each found function call or branching instruction to generate an overall shellcode probability for the instructions starting at the each found function call or branching instruction, the statistical analysis of the instructions including disassembling instructions to create a disassembled instruction set, normalizing at least a portion of the disassembled instruction set to create a normalized instruction set, and scanning the normalized instruction set.
- View Dependent Claims (22)
- - 22. The computer network of claim 21, further including a configurations coupled to the anti-malware engine, the configurations operable to store one or more probability threshold settings used by the anti-malware engine in determining whether a given statistical probability generated for the arbitrary file indicates that the arbitrary the includes shellcode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Alme, Christoph
Primary Examiner(s)
Pearson, David
Assistant Examiner(s)
CHANG, KENNETH W

Application Number

US12/627,786
Publication Number

US 20100281540A1
Time in Patent Office

1,492 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/563 by source code analysis

Detection of code execution exploits

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of code execution exploits

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links