38 results about "Return-oriented programming" patented technology

Methods, devices, and systems for detecting return-oriented programming (ROP) exploits are disclosed. A system includes a processor, a main memory, and a cache memory. A cache monitor develops an instruction loading profile by monitoring accesses to cached instructions found in the cache memory and misses to instructions not currently in the cache memory. A remedial action unit terminates execution of one or more of the valid code sequences if the instruction loading profile is indicative of execution of an ROP exploit involving one or more valid code sequences. The instruction loading profile may be a hit/miss ratio derived from monitoring cache hits relative to cache misses. The ROP exploits may include code snippets that each include an executable instruction and a return instruction from valid code sequences.

A data processing system can use a method of fine-grained address space layout randomization to mitigate the system's vulnerability to return oriented programming security exploits. The randomization can occur at the sub-segment level by randomizing clumps of virtual memory pages. The randomized virtual memory can be presented to processes executing on the system. The mapping between memory spaces can be obfuscated using several obfuscation techniques to prevent the reverse engineering of the shuffled virtual memory mapping.

A combination of hardware monitoring and binary translation software allow detection of return-oriented programming (ROP) exploits with low overhead and low false positive rates. Embodiments may use various forms of hardware to detect ROP exploits and indicate the presence of an anomaly to a device driver, which may collect data and pass the indication of the anomaly to the binary translation software to instrument the application code and determine whether an ROP exploit has been detected. Upon detection of the ROP exploit, the binary translation software may indicate the ROP exploit to an anti-malware software, which may take further remedial action as desired.

The embodiment of the invention discloses a method and a device for detecting return-oriented programming attack. The method for detecting the return-oriented programming attack comprises injecting preset application programming interface (API) function monitoring programs into the process of every application program to be monitored; when the process of the application program to be monitored calls API functions inside a preset API function library, retarding the process of the application program to be monitored from calling the API functions; processing the calling-retarded API functions according to preset return-oriented programming (ROP) protecting strategies to determine whether calling the calling-retarded API functions is allowed. The method and device for detecting the return-oriented programming attack can effectively detect ROP attack and accordingly improve network security.

Embodiments of systems and methods disclosed herein relate execution of related secure code blocks on a processor. Systems and methods include techniques by which impose a “secure code entry-point” condition for the individual code blocks to stop return oriented programming (ROP) attacks. Systems and methods include techniques for creating overall AuthCodes for a function chain based on the AuthCodes of the functions in the chain, rather than on the code itself, greatly increasing performance and security.

The application provides a method, a device and a browser for protecting a webpage against a malicious attack, which aim to solve the problem that an attacker performs the Trojan horse attack on the webpage through bypassing DEP (Data Execution Protection) by the ROP (Return Oriented Programming) technology. In the application, a memory page protection attribute of a memory address to be modified by a malicious code is pre-detected when an API (Application Programming Interface) of the memory page protection attribute is transferred in the process; and the original memory page protection attribute and the modified memory page protection attribute of the memory address are distinguished through a rule, and a malicious modifying behavior is baffled or warned once found out, so that the conditions that the memory address of a data page is modified into an executable authority and the malicious code is illegally executed can be avoided.

Systems, apparatuses, methods, and computer-readable mediums for preventing return oriented programming (ROP) attacks. A compiler may insert landing pads adjacent to valid return targets in an instruction sequence. When a return instruction is executed, the processor may treat the return as suspicious if the target of the return instruction does not have an adjacent landing pad. Additionally, each landing pad may be encoded with a color, and a colored launch pad may be inserted into the instruction stream next to each return instruction. When a return instruction is executed, the processor may determine if the target of the return has a landing pad with the same color as the launch pad of the return instruction. Return-target pairs with color mismatches may be treated as suspicious and the offending process may be killed.

The invention discloses a detecting method for ROP (Return-Oriented Programming) attacks. The method comprises the following steps of obtaining a new base address of a dynamic linking library, wherein the new base address is equal to the sum of an original base address of the dynamic linking library and offset, the offset is random non-zero integral multiples of allocation granularity, and the absolute value of the offset is greater than length of the dynamic linking library; modifying base address fields of the dynamic linking library, and enabling the base address fields to point to the new base address of the dynamic linking library; increasing a code segment into the dynamic linking library, wherein the code segment is used for filling a loading position which corresponds to the original base address of the dynamic linking library with a warning instruction, the tail part of the code section has a jump instruction, and jump distance of the jump instruction is relative distance between the jump instruction and an entry function; and setting the entry address of the dynamic linking library to be the address of the code section. The detecting method disclosed by the invention can be applied to all Windows systems without causing extra burden on the systems, and can be used for detecting all ROP attacks except JIT-ROP.

Embodiments of the invention relates to utilization of Return Oriented Programming (ROP) for a non-malicious purpose i.e. code obfuscation to improve security. Program code that is associated with a designated function of sensitive nature may be hidden by creating a ROP code that performs the designated function of the original (unobsfuscated) code and constructing a ROP payload that can be loaded to execute the ROP code. The original code may be replaced by a spurious code unrelated to the designated function, and a control flow instruction is provided to load the ROP payload to execute the ROP code.

A method, apparatus, and/or system for execution prevention is provided. A state indicator for a first subset of a plurality of memory pages of executable code in a memory device is set to a non-executable state. A state indicator for a second subset of the plurality of memory pages is set to an executable state, where the second subset of the plurality of memory pages includes indirection stubs to functions in the first subset of the plurality of memory pages. Upon execution of an application, a function call is directed to a corresponding indirection stub in the second subset of the plurality of memory pages which modifies the state indicator for a corresponding function in the first subset of the plurality of memory pages prior to directing execution of the called function from the first subset of the plurality of memory pages.

The invention relates to the field of security detection, discloses an intelligent detection method and device for a return programming attack, belongs to the field of system underlying security detection, and aims to detect binary executable files of a program and process commercial software without a source code of a detected software program. According to the main scheme, the method comprises the steps that instrumentation is conducted on a tested program, the execution process of the tested program is output in the form of assembly codes through the disassembling technology, and then a program execution stream is obtained; performing real-time monitoring by utilizing the execution streams, and screening out suspicious program execution streams; according to the method, a suspicious program execution flow is subjected to secondary screening, an artificial intelligence model is utilized to accurately judge a suspicious ROP attack, whether ROP defense is started or not is determined according to a judgment result, and a time-limited alarm and active crash strategy is adopted for a program judged to be the ROP attack, so that the detected program is prevented from suffering from greater loss.

Presented herein are methods and systems for generating intermediate code files adjusted to prevent return oriented programming exploitation, comprising receiving compiled intermediate code file(s) comprise a plurality of routines and adjusting them prior to generation of a respective executable file for execution by one or more processor. The adjusting comprising analyzing a symbol table of the intermediate code file(s) to identify a beginning address of each of the routines, analyzing each of the routines to identify indirect branch instructions in the routines, and replacing each detected indirect branch instruction with invocation of a verification code segment configured to verify that the respective indirect branch instruction points to the beginning address of one of the routines. In runtime, the verification code segment causes the processor(s) to initiate one or more predefined actions in case the indirect branch instruction isn't pointing to the beginning address of one of the plurality of routines.