Title: Return-oriented programming detection

Abstract: According to one embodiment, a threat detection system is integrated with at least a dynamic analysis engine. The dynamic analysis engine is configured to automatically detect a function call by an application, responsive to detecting the function call, analyze contents located at one or more addresses located within a portion of memory allocated for the application, and, based on the analysis, determine whether one or more objects included in received network traffic is associated with a return-oriented programming (ROP) exploit.

Publication number: US9594912(B1)
Publication date: 2017.03.14
Application number: US201414311014
Filing date: 2014.06.20
Applicant: FireEye, Inc.
Inventors: Thioux Emmanuel; Lin Yichong
Classification: G06F21/57; G06F12/02
Main classification: G06F21/57
Agent firm: Rutan & Tucker, LLP
Agent: Rutan & Tucker, LLP

Independent claim:
1. A computerized method, comprising:
   detecting a function call by an application;
   responsive to detecting the function call, capturing and preserving contents in a range of a stack of memory addresses surrounding a current stack pointer;
   analyzing contents located at a first valid address within the preserved contents to detect a first gadget and contents located at a second valid address within the preserved contents to detect a second gadget, the first valid address and the second valid address being located within a portion of a region of memory allocated for the application, wherein the first gadget comprises a first sequence of a first number of instructions less than a predetermined number of instructions followed by a return instruction, and the second gadget comprises a second sequence of a second number of instructions less than the predetermined number of instructions followed by a return instruction;
   assigning a first weight to the first gadget based on the first number of instructions and a second weight to the second gadget based on the second number of instructions, wherein the first weight is different than the second weight; and
   determining that a return-oriented programming (ROP) exploit is present within the portion of the region of allocated memory within the preserved contents based on at least whether a combination of at least the first weight and the second weight exceeds a predetermined weight threshold.
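The claim above describes a scoring procedure: on a hooked function call, snapshot the stack around the stack pointer, find slots holding valid addresses into the application's code region, check whether each such address starts a short instruction sequence ending in a return (a gadget), weight each gadget by its length, and flag ROP when the combined weight exceeds a threshold. The following is an added toy model of that procedure written for this record; it is not code from the patent or from FireEye. Everything in it is constructed and assumed: the code region is a dictionary of address to instruction list standing in for a disassembler, the stack is a list of integers, the weight scheme (shorter gadget, higher weight) and the cutoff values are illustrative choices the claim leaves open, and the function names are hypothetical.

```python
"""Toy model of the stack-scanning ROP detection described in claim 1.

Added example, not the patent's own code. The code region, stack contents,
weight scheme and thresholds below are all constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the application's executable region: maps an
# address to the instruction sequence a disassembler would read from it.
CODE_REGION_START = 0x401000
CODE_REGION_END = 0x402000
CODE: Dict[int, List[str]] = {
    0x401010: ["pop rdi", "ret"],                                  # 1 instr + ret
    0x401020: ["pop rsi", "pop r15", "ret"],                       # 2 instrs + ret
    0x401030: ["mov rax, [rsp]", "add rsp, 8", "xor ecx, ecx", "ret"],  # 3 + ret
    0x401040: ["jmp 0x401010"],                                    # no ret at all
    0x401100: ["push rbp", "mov rbp, rsp", "sub rsp, 0x40",        # ordinary
               "call 0x401500", "mov [rbp-8], rax", "leave", "ret"],  # function body
}

# "Predetermined number of instructions" and "predetermined weight threshold"
# from the claim; the concrete values are assumptions for this example.
MAX_GADGET_INSTRUCTIONS = 5
WEIGHT_THRESHOLD = 6


def is_valid_address(value: int) -> bool:
    """A stack slot is a candidate only if it points into the code region."""
    return CODE_REGION_START <= value < CODE_REGION_END and value in CODE


def gadget_length(addr: int) -> Optional[int]:
    """Number of instructions before the first 'ret', or None if no ret follows."""
    for count, instr in enumerate(CODE[addr]):
        if instr == "ret":
            return count
    return None


def gadget_weight(n_instructions: int) -> int:
    """Assumed scheme: the shorter the gadget, the higher its weight,
    so two gadgets of different length get different weights as claimed."""
    return MAX_GADGET_INSTRUCTIONS - n_instructions


def capture_stack_window(stack: List[int], sp_index: int, span: int) -> List[int]:
    """Preserve the slots surrounding the current stack pointer (clamped)."""
    lo = max(0, sp_index - span)
    hi = min(len(stack), sp_index + span + 1)
    return list(stack[lo:hi])


def analyze_window(window: List[int]) -> List[Tuple[int, int, int, int]]:
    """Return (slot, address, length, weight) for every gadget found."""
    findings = []
    for slot, value in enumerate(window):
        if not is_valid_address(value):
            continue
        length = gadget_length(value)
        if length is None or length >= MAX_GADGET_INSTRUCTIONS:
            continue
        findings.append((slot, value, length, gadget_weight(length)))
    return findings


def detect_rop(stack: List[int], sp_index: int, span: int = 8) -> Tuple[bool, int]:
    """Run on each hooked function call: (exploit_present, combined_weight)."""
    window = capture_stack_window(stack, sp_index, span)
    total = sum(weight for *_, weight in analyze_window(window))
    return total > WEIGHT_THRESHOLD, total


# Constructed stack snapshots: a benign call frame and a gadget chain.
BENIGN_STACK = [0x0, 0x7FFD0000, 0x401100, 0x41414141, 0x401040]
ROP_STACK = [0x401010, 0xDEADBEEF, 0x401020, 0x1, 0x2, 0x401030]

if __name__ == "__main__":
    for name, stack in (("benign", BENIGN_STACK), ("rop", ROP_STACK)):
        flagged, weight = detect_rop(stack, sp_index=0)
        print(f"{name}: combined weight {weight}, ROP detected: {flagged}")
```

The benign snapshot contains a return address into a normal function body (six instructions before its ret, above the gadget cutoff) and a code address with no return at all, so both are discarded and the combined weight stays at zero. The chain snapshot holds three addresses to short ret-terminated sequences whose weights sum past the threshold. In a real engine the instruction table would come from disassembling the application's mapped image, and the cutoff values would be tuned against false positives from legitimately short leaf functions.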
Address: Milpitas CA US