Invention title |
Hardware-enabled prevention of code reuse attacks |
Abstract |
Described systems and methods allow protecting a host computer system from malware, such as return-oriented programming (ROP) and jump-oriented programming (JOP) exploits. In some embodiments, a processor of the host system is endowed with two counters configured to store a count of branch instructions and a count of inter-branch instructions, respectively, occurring within a stream of instructions fetched by the processor for execution. Exemplary counted branch instructions include indirect JMP, indirect CALL, and RET on x86 platforms, while inter-branch instructions consist of instructions executed between two consecutive counted branch instructions. The processor may be further configured to generate a processor event, such as an exception, when a value stored in a counter exceeds a predetermined threshold. Such events may be used as triggers for launching a malware analysis to determine whether the host system is subject to a code reuse attack. |
Publication number |
US9305167(B2) |
Publication date |
2016.04.05 |
Application number |
US201414283351 |
Filing date |
2014.05.21 |
Applicant |
Bitdefender IPR Management Ltd. |
Inventors |
Lutas Andrei V.;Lukacs Sandor |
Classification codes |
G06F21/00;G06F21/56;G06F9/30;G06F9/54 |
Main classification |
G06F21/00 |
Agency |
Law Office of Andrei D Popovici, PC |
Agent |
Law Office of Andrei D Popovici, PC |
Main claim |
1. A host system comprising a hardware processor, the hardware processor including:
a branch counter register configured to store a count of branch instructions occurring within a sequence of instructions executed by the hardware processor; an inter-branch instruction counter register configured to store a count of instructions occurring between two consecutive branch instructions within the sequence of instructions; and a counter control unit connected to the branch counter register, to the inter-branch instruction counter register, and to an instruction decoder module of the hardware processor, wherein the counter control unit comprises hardware logic configured to:
perform branch monitoring, and trigger a switch event within the hardware processor according to a value stored in the branch counter register and according to a value stored in the inter-branch instruction counter register, wherein the switch event causes the hardware processor to switch from executing the sequence of instructions to executing an event handler routine, wherein branch monitoring comprises:
determining whether a selected instruction of the sequence of instructions is a branch instruction; in response to determining whether the selected instruction is a branch instruction, when the selected instruction is a branch instruction, incrementing the value stored in the branch counter register; and in response to determining whether the selected instruction is a branch instruction, when the selected instruction is not a branch instruction, incrementing the value stored in the inter-branch instruction counter register; and wherein the hardware processor is further configured, in response to the switch event, to:
identify a target execution thread according to the sequence of instructions; and in response to identifying the target execution thread, determine whether the target execution thread is performing a code-reuse attack. |
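The abstract and main claim above describe two hardware counters (branch count and inter-branch instruction count) whose values trigger a switch event. The following Python model, added here as an illustration and not code from the patent or from Bitdefender, simulates that counting over a constructed instruction stream so the defender-side idea is concrete: a run of counted branches separated by only a few instructions (the signature of chained short gadgets) raises an event, while ordinary code with direct branches and longer basic blocks does not. The mnemonic names, the specific trigger policy (N consecutive counted branches each preceded by at most K inter-branch instructions), the thresholds, and the sample streams are all assumptions for the example; the patent text itself only says the event is generated according to the two counter values and a threshold.

```python
"""Software model of the branch / inter-branch counter heuristic.

Assumptions (not taken from the patent): instructions are plain mnemonic
strings; 'counted branches' are indirect jmp, indirect call and ret, as the
abstract lists for x86; direct jumps are not counted. The trigger policy and
thresholds below are illustrative choices.
"""
from dataclasses import dataclass, field

# Indirect control transfers the counter control unit would count (assumed names).
COUNTED_BRANCHES = {"jmp_indirect", "call_indirect", "ret"}


@dataclass
class CounterUnit:
    """Models the counter control unit plus its two counter registers."""
    branch_threshold: int = 4    # consecutive short-gadget branches before an event
    gadget_max_len: int = 5      # inter-branch count at or below which a gadget is 'short'
    branch_counter: int = 0
    inter_branch_counter: int = 0
    events: list = field(default_factory=list)   # stream indices where an event fired

    def step(self, index: int, mnemonic: str) -> None:
        """Feed one decoded instruction, mirroring the claim's branch monitoring."""
        if mnemonic in COUNTED_BRANCHES:
            # Policy (assumption): a branch reached after few instructions extends a
            # suspicious chain; a branch after a long block resets the chain.
            if self.inter_branch_counter <= self.gadget_max_len:
                self.branch_counter += 1
            else:
                self.branch_counter = 0
            self.inter_branch_counter = 0   # a new inter-branch interval starts here
            if self.branch_counter >= self.branch_threshold:
                # Switch event: hand off to the handler (here just recorded) and
                # restart monitoring so one burst produces one event.
                self.events.append(index)
                self.branch_counter = 0
        else:
            self.inter_branch_counter += 1


def monitor(stream, **thresholds) -> list:
    """Run the counter unit over an instruction stream; return event indices."""
    unit = CounterUnit(**thresholds)
    for i, mnemonic in enumerate(stream):
        unit.step(i, mnemonic)
    return unit.events


# Constructed sample streams (not captured from any real process).
# Ordinary code: long blocks, direct branches, a couple of short returns that
# stay below the chain threshold.
BENIGN = (["mov", "add", "cmp", "jne_direct"] * 3
          + ["call_indirect"]
          + ["push", "mov", "xor", "add", "mov", "pop", "ret"]
          + ["mov", "add", "mov", "sub", "cmp", "jmp_direct", "mov", "ret"]
          + ["mov", "ret", "add", "ret"])

# Gadget-chain-like code: returns every one to three instructions.
ROP_LIKE = (["mov"] * 3
            + ["pop", "ret", "mov", "ret", "xchg", "ret", "pop", "pop", "ret", "syscall"])


if __name__ == "__main__":
    print("benign events:", monitor(BENIGN))      # []
    print("rop-like events:", monitor(ROP_LIKE))  # [11]
```

Tuning is the whole game with this heuristic: `gadget_max_len` and `branch_threshold` trade false positives on legitimate code with many short functions (hand-written assembly, heavily inlined callbacks, interpreter dispatch loops) against missed chains built from longer gadgets, which is why the claim routes the event to a handler that analyses the target thread rather than treating the counter overflow itself as a verdict.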
Address |
Nicosia CY |