Methods, devices, and systems for detecting return oriented programming exploits

US 9,262,627 B2
Filed: 08/29/2014
Issued: 02/16/2016
Est. Priority Date: 11/07/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

executing a sequence of code snippets in a processing circuit, each code snippet including at least one executable instruction including a control transfer instruction, wherein one or more of the code snippets includes a modified control transfer instruction different from an unmodified control transfer instruction and at least one code snippet of the sequence is a non-cached code snippet not found in a cache memory;

detecting one or more instruction fetch cache misses in response to instruction fetches performed during execution of the sequence of code snippets, where an individual instruction fetch cache miss represents a fetched instruction absent from the cache memory for a corresponding instruction fetch of an executable code sequence;

developing an instruction loading profile by monitoring instruction fetches relative to instruction fetch cache misses; and

controlling an execution of at least one instruction based on the instruction loading profile.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, devices, and systems for detecting return-oriented programming (ROP) exploits are disclosed. A system includes a processor, a main memory, and a cache memory. A cache monitor develops an instruction loading profile by monitoring accesses to cached instructions found in the cache memory and misses to instructions not currently in the cache memory. A remedial action unit terminates execution of one or more of the valid code sequences if the instruction loading profile is indicative of execution of an ROP exploit involving one or more valid code sequences. The instruction loading profile may be a hit/miss ratio derived from monitoring cache hits relative to cache misses. The ROP exploits may include code snippets that each include an executable instruction and a return instruction from valid code sequences.

22 Citations

View as Search Results

20 Claims

1. A method, comprising:
- executing a sequence of code snippets in a processing circuit, each code snippet including at least one executable instruction including a control transfer instruction, wherein one or more of the code snippets includes a modified control transfer instruction different from an unmodified control transfer instruction and at least one code snippet of the sequence is a non-cached code snippet not found in a cache memory;
  
  detecting one or more instruction fetch cache misses in response to instruction fetches performed during execution of the sequence of code snippets, where an individual instruction fetch cache miss represents a fetched instruction absent from the cache memory for a corresponding instruction fetch of an executable code sequence;
  
  developing an instruction loading profile by monitoring instruction fetches relative to instruction fetch cache misses; and
  
  controlling an execution of at least one instruction based on the instruction loading profile.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein controlling execution of the at least one instruction based on the instruction loading profile further comprises:
    - terminating execution of at least one code snippet of the sequence of code snippets if the instruction loading profile is indicative of execution of at least one of the code snippets of the sequence of code snippets.
  - 3. The method of claim 1, wherein executing the sequence of code snippets includes utilizing a multi-level cache as the cache memory and cached instructions are instructions in a first cache level and non-cached instructions are instructions in a main memory or a second cache level.
  - 4. The method of claim 1, further comprising:
    - developing the instruction loading profile as a hit/miss ratio of fetches of cached instructions relative to non-cached instructions that is lower than a threshold selected relative to valid hit/miss ratios indicative of valid code sequences.
  - 5. The method of claim 4, further comprising:
    - determining the valid hit/miss ratios from monitoring hit/miss ratios from a plurality of executable code sequences known to be free from a return-oriented programming exploit during the monitoring.
  - 6. The method of claim 1, wherein controlling the execution of the at least one instruction based on the instruction loading profile further comprises determining if the instruction loading profile corresponds to a return-oriented programming (ROP) exploit and, if so, initiating at least one remedial action.

7. A processing device, comprising:
- a processing circuit configured to fetch and execute executable code sequences, the executable code sequences including a sequence of code snippets, each code snippet including at least one executable instruction including a control transfer instruction, wherein one or more of the code snippets includes a modified control transfer instruction different from an unmodified control transfer instruction;
  
  a cache memory system operably coupled to the processing circuit and including a cache memory wherein at least one code snippet of the sequence is a non-cached code snippet not found in the cache memory;
  
  a cache monitor configured to detect one or more instruction fetch cache misses in response to instruction fetches performed during execution of the sequence of code snippets, where an individual instruction fetch cache miss represents a fetched instruction absent from the cache memory for a corresponding instruction fetch of an executable code sequence, the cache monitor further configured to develop an instruction loading profile by monitoring the instruction fetches relative to instruction fetch cache misses; and
  
  a remedial action unit configured to control an execution of at least one instruction based on the instruction loading profile.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The processing device of claim 7, wherein the cache memory system includes a data cache and an instruction cache and the cache monitor is configured to develop the instruction loading profile from the instruction cache.
  - 9. The processing device of claim 7, wherein the cache memory system includes two or more levels of cache and the cache monitor is configured to develop the instruction loading profile for at least one of the two or more levels of cache.
  - 10. The processing device of claim 7, further comprising:
    - a remedial action unit and wherein the cache monitor, the remedial action unit, the processing circuit, or a combination thereof is configured to develop the instruction loading profile as a hit/miss ratio of fetches of cached instructions relative to non-cached instructions that is lower than a threshold selected relative to valid hit/miss ratios indicative of valid code sequences.
  - 11. The processing device of claim 10, wherein the cache monitor, the remedial action unit, the processing circuit, or a combination thereof is configured to determine the valid hit/miss ratios from monitoring the hit/miss ratios from a plurality of executable code sequences known to be free from a return-oriented programming exploit during the monitoring.
  - 12. The processing device of claim 7, wherein the cache monitor is configured to suspend monitoring during a selected operational period.
  - 13. The processing device of claim 7, wherein the remedial action unit is further operative to determine if the instruction loading profile corresponds to a return-oriented programming (ROP) exploit and, if so, perform at least one remedial action.

14. A processing device, comprising:
- means for executing a sequence of code snippets in a processing circuit, each code snippet including at least one executable instruction including a control transfer instruction, wherein one or more of the code snippets includes a modified control transfer instruction different from an unmodified control transfer instruction and at least one code snippet of the sequence is a non-cached code snippet not found in a cache memory;
  
  means for detecting one or more instruction fetch cache misses in response to instruction fetches performed during execution of the sequence of code snippets, where an individual instruction fetch cache miss represents a fetched instruction absent from the cache memory for a corresponding instruction fetch of an executable code sequence; and
  
  means for developing an instruction loading profile by monitoring instruction fetches relative to instruction fetch cache misses; and
  
  means for controlling an execution of at least one instruction based on the instruction loading profile.
- View Dependent Claims (15, 16, 17)
- - 15. The processing device of claim 14, further comprising:
    - means for terminating execution of at least one code snippet of the sequence of code snippets if the instruction loading profile is indicative of execution of at least one of the code snippets of the sequence of code snippets.
  - 16. The processing device of claim 14, further comprising:
    - means for developing the instruction loading profile as a hit/miss ratio of fetches of cached instructions relative to non-cached instructions that is lower than a threshold selected relative to valid hit/miss ratios indicative of valid code sequences.
  - 17. The processing device of claim 14, wherein the means for controlling the execution of the at least one instruction is further operative to determine if the instruction loading profile corresponds to a return-oriented programming (ROP) exploit and, if so, perform at least one remedial action.

18. A non-transitory machine-readable medium having instructions stored thereon, which when executed by a processing circuit cause the processing circuit to:
- execute a sequence of code snippets, each code snippet including at least one executable instruction including a control transfer instruction, wherein one or more of the code snippets includes a modified control transfer instruction different from an unmodified control transfer instruction and at least one code snippet of the sequence is a non-cached code snippet not found in a cache memory;
  
  detect one or more instruction fetch cache misses in response to instruction fetches performed during execution of the sequence of code snippets, where an individual instruction fetch cache miss represents a fetched instruction absent from the cache memory for a corresponding instruction fetch of an executable code sequence; and
  
  develop an instruction loading profile by monitoring instruction fetches relative to instruction fetch cache misses; and
  
  control an execution of at least one instruction based on the instruction loading profile.
- View Dependent Claims (19, 20)
- - 19. The non-transitory machine-readable medium of claim 18, wherein the instructions further cause the processing circuit to terminate execution of at least one code snippet of the sequence of code snippets if the instruction loading profile is indicative of execution of at least one of the code snippets of the sequence of code snippets.
  - 20. The non-transitory machine-readable medium of claim 18, wherein the instructions further cause the processing circuit to control the execution of the at least one instruction based on the instruction loading profile by determining if the instruction loading profile corresponds to a return-oriented programming (ROP) exploit and, if so, performing at least one remedial action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Gantman, Alexander, Rosenberg, Brian, Balakrishnan, Arun, Ge, Renwei, Rose, Gregory, Palanigounder, Anand, Komaromy, Daniel
Primary Examiner(s)
Davis, Zachary A

Application Number

US14/473,736
Publication Number

US 20140372701A1
Time in Patent Office

536 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/3037   where the computing system ...

G06F 11/3466   Performance evaluation by t...

G06F 12/0811   with multilevel cache hiera...

G06F 12/0848   Partitioned cache, e.g. sep...

G06F 12/0875   with dedicated cache, e.g. ...

G06F 12/14   Protection against unauthor...

G06F 21/52   during program execution, e...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2212/452   Instruction code

Methods, devices, and systems for detecting return oriented programming exploits

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, devices, and systems for detecting return oriented programming exploits

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links