公开(公告)号：US10007784B2

公开(公告)日：2018-06-26

申请号：US14670988

申请日：2015-03-27

Applicant: Intel Corporation

Inventor： Michael LeMay ,  Ravi L. Sahita ,  Beeman C. Strong ,  Thilo Schmitt ,  Yuriy Bulygin ,  Markus T. Metzger

IPC: G06F21/56 ,  G06F21/44 ,  G06F21/52

CPC classification number: G06F21/56 ,  G06F21/44 ,  G06F21/52

Abstract: Technologies for control flow exploit mitigation include a computing device having a processor with real-time instruction tracing support. During execution of a process, the processor generates trace data indicative of control flow of the process. The computing device analyzes the trace data to identify suspected control flow exploits. The computing device may use heuristic algorithms to identify return-oriented programming exploits. The computing device may maintain a shadow stack based on the trace data. The computing device may identify indirect branches to unauthorized addresses based on the trace data to identify jump-oriented programming exploits. The computing device may check the trace data whenever the process is preempted. The processor may detect mispredicted return instructions in real time and invoke a software handler in the process space of the process to verify and maintain the shadow stack. Other embodiments are described and claimed.

公开(公告)号：US20170116414A1

公开(公告)日：2017-04-27

申请号：US15398930

申请日：2017-01-05

Applicant: Intel Corporation

Inventor： Stephen A. Fischer ,  Kevin C. Gotze ,  Yuriy Bulygin ,  Kirk D. Brannock

IPC: G06F21/55 ,  G06F9/30 ,  G06F21/56

CPC classification number: G06F21/552 ,  G06F9/30145 ,  G06F21/566 ,  G06F2221/034

Abstract: In one embodiment, a processor includes at least one execution unit and Return Oriented Programming (ROP) detection logic. The ROP detection logic may determine a ROP metric based on a plurality of control transfer events. The ROP detection logic may also determine whether the ROP metric exceeds a threshold. The ROP detection logic may also, in response to a determination that the ROP metric exceeds the threshold, provide a ROP attack notification.

公开(公告)号：US20160085966A1

公开(公告)日：2016-03-24

申请号：US14960709

申请日：2015-12-07

Applicant: Intel Corporation

Inventor： Stephen A. Fischer ,  Kevin C. Gotze ,  Yuriy Bulygin ,  Kirk D. Brannock

IPC: G06F21/55 ,  G06F9/30

CPC classification number: G06F21/552 ,  G06F9/30145 ,  G06F21/566 ,  G06F2221/034

Abstract: In one embodiment, a processor includes at least one execution unit and Return Oriented Programming (ROP) detection logic. The ROP detection logic may determine a ROP metric based on a plurality of control transfer events. The ROP detection logic may also determine whether the ROP metric exceeds a threshold. The ROP detection logic may also, in response to a determination that the ROP metric exceeds the threshold, provide a ROP attack notification.

Abstract translation: 在一个实施例中，处理器包括至少一个执行单元和返回定向编程（ROP）检测逻辑。 ROP检测逻辑可以基于多个控制传送事件来确定ROP度量。 ROP检测逻辑还可以确定ROP度量是否超过阈值。 ROP检测逻辑还可以响应于ROP度量超过阈值的确定，提供ROP攻击通知。