Title: TECHNOLOGIES FOR PREVENTING HOOK-SKIPPING ATTACKS USING PROCESSOR VIRTUALIZATION FEATURES

Abstract: Technologies for monitoring system API calls include a computing device with hardware virtualization support. The computing device establishes a default memory view and a security memory view, each defining a physical memory map and a set of memory permissions. The computing device executes an application in the default memory view and executes a default inline hook in response to a call to an API function. The default inline hook switches to the security memory view using hardware support without causing a virtual machine exit; a security inline hook then executes in the security memory view and calls a security callback function to validate the API function call. Hook-skipping attacks may be prevented by padding the default inline hook with no-operation instructions, by designating memory pages of the API function as non-executable in the default memory view, or by designating memory pages of the application as non-executable in the security memory view. Other embodiments are described and claimed.

Publication number: US2015379263(A1)

Publication date: 2015.12.31

Application number: US201414318215

Filing date: 2014.06.27

Applicants: Vipat Harshawardhan; Castelino Manohar R.; Sahita Ravi L.; Rodriguez Sergio; Gupta Vikas

Inventors: Vipat Harshawardhan; Castelino Manohar R.; Sahita Ravi L.; Rodriguez Sergio; Gupta Vikas

Classification: G06F21/56

Main classification: G06F21/56

Agency:

Agent:

Main claim:

1. A computing device for monitoring an application programming interface (API), the computing device comprising:
a view management module to: (i) establish a default memory view, wherein the default memory view defines a first physical memory map of the computing device and a first set of memory permissions; and (ii) establish a security memory view, wherein the security memory view defines a second physical memory map of the computing device and a second set of memory permissions; and
a security module to:
execute a default inline hook with the default memory view in response to a call of an API function from an application;
switch to the security memory view without a virtual machine exit event in response to execution of the default inline hook;
execute a security inline hook with the security memory view in response to a switch to the security memory view; and
call an anti-malware callback function in response to execution of the security inline hook.

Address: San Jose CA US